Jaspersoft CVE-2020-1938 "GhostCat" vulnerability and IGA

Article ID: 185905

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

Is CABI Jaspersoft vulnerable to the CVE-2020-1938 "GhostCat" vulnerability?

Environment

Release : 14.2
Jasper 6.1, 7.1.1 and above

Component : IGA suite

Resolution

Out of the box, CABI Jaspersoft is vulnerable to the GhostCat vulnerability.
However, this is only because TIBCO leaves the AJP connector enabled, even though it is not used.

The AJP Connector can be commented out / removed from the server.xml file for CABI Jaspersoft without affecting the product and its integration with Identity Suite.
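One way to confirm the change took effect, as an added example that is not part of the original article or of any Broadcom or TIBCO tooling: a Python check that parses a Tomcat server.xml and lists every AJP Connector still enabled. The server.xml samples are constructed and the function name is hypothetical; pass the path to your own server.xml as the first argument.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Tomcat server.xml with the AJP connector enabled.
AJP_LINE = '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />'
SAMPLE_BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    """ + AJP_LINE + """
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""
# Constructed sample: the same file with the AJP connector commented out.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(AJP_LINE, "<!-- " + AJP_LINE + " -->")


def active_ajp_connectors(server_xml):
    """Return (service, port, address) for each enabled AJP <Connector>.

    Accepts str or bytes. Connectors inside XML comments are dropped by the
    parser, so only connectors Tomcat would actually start are reported.
    """
    root = ET.fromstring(server_xml)
    found = []
    for service in root.iter("Service"):
        for conn in service.findall("Connector"):
            # Tomcat treats a missing protocol attribute as HTTP/1.1.
            protocol = conn.get("protocol", "HTTP/1.1")
            # Matches "AJP/1.3" and class names such as
            # org.apache.coyote.ajp.AjpNioProtocol.
            if "ajp" in protocol.lower():
                found.append((service.get("name", "?"),
                              conn.get("port", "?"),
                              conn.get("address", "(not set)")))
    return found


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            hits = active_ajp_connectors(fh.read())
    else:
        hits = active_ajp_connectors(SAMPLE_BEFORE)
    for service, port, address in hits:
        print(f"AJP connector enabled: service={service} port={port} address={address}")
    print("No active AJP connector" if not hits else f"{len(hits)} active AJP connector(s)")
    sys.exit(1 if hits else 0)
```

The script exits non-zero while an AJP connector remains enabled, so it can gate a configuration check after the edit and the server restart.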

Additional Information

https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487

https://www.chaitin.cn/en/ghostcat

Jasper 6.1.0 is no longer supported by Jasper. It is also recommended that you upgrade to Jasper 7.1.1.

Download 7.1.1

https://knowledge.broadcom.com/external/article/143004

PSM Updates for Identity Suite - CA Business Intelligence JasperReports Server 7.1.1

https://community.broadcom.com/enterprisesoftware/blogs/budit02/2020/01/10/psm-updates-for-identity-suite-jaspersoft-711?CommunityKey=783a8a1e-bb2b-473a-a0c3-7be7b1d92c60&tab=recentcommunityblogsdashboard