TIBCO JasperReports Server Vulnerability

Article Id: 16496

Status: Published

Updated On: 14-02-2018 07:51

Legacy Id: TEC1937087

Products:

CLARITY PPM FOR ITG , CA Project & Portfolio Management , CLARITY PPM FEDERAL , CA Project & Portfolio Management SAAS , STARTER PACK-CLARITY PPM

Issue/Introduction:

Security vulnerabilities for JasperReports Server 6.2.1

CVE-2017-5529 and CVE-2017-5528.

Jaspersoft Server 6.2.1 is vulnerable to these two vulnerabilities, CVE-2017-5529 and CVE-2017-5528.

Based on the Jaspersoft security bulletins, both of these are resolved in Jaspersoft 6.2.3.

https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017-0

https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017

Have these security vulnerabilities been addressed by the recent Jaspersoft 6.2.1 cumulative patch?

Environment:

Release: 451-101-15.3-Clarity-Creator User License
Component:

Resolution:

All the security vulnerabilities that Jaspersoft fixed related CSRF, XXS and XXE in JSFT 6.2.3, have been back-ported to JSFT 6.2.1 through JaaS Patch 6.2.1_5.2.1.4.

This patch is titled, JASPERSOFT SERVER CUMULATIVE PATCH 6.2.1_5.2.1.4 FOR CA PPM 14.3, 14.4,15.1,15.2 AND 15.3, and is available for download from support.ca.com.