Are Clarity, Jaspersoft and ODATA Vulnerable to CVE-2022-22963?

Release : All Supported Clarity Release 

Component : Clarity Security Integration

• CVE-2022-22963
• CVE-2022-22965

Clarity

• Clarity is not vulnerable to CVE-2022-22963 & CVE-2022-22965 as clarity doesn't use Spring Framework

OData

• HDP ODATA SaaS is not vulnerable to CVE-2022-22963 & CVE-2022-22965 as ODATA SaaS uses Java 8 

Jaspersoft

Jaspersoft is vulnerable. Tibco's response can be accessed here.

Following steps can be taken to mitigate it:

1. Stop tomcat service. Uninstall if configured as service
2. Take a backup of the existing Tomcat folder.
3. Install a new version of Tomcat(9.0.62), attached with this document
4. Copy the older reportservice directory $TOMCAT_OLD_HOME/webapps/reportservice to new tomcat folder $TOMCAT_NEW_HOME/webapps.
5. Copy the .jaspersoft folder from older directory and move it to new installed Tomcat directory i.e. $TOMCAT_NEW_HOME/
6. Navigate to newly installed Tomcat  $TOMCAT_NEW_HOME/.jaspersoft and edit the file called “default_master.properties” and look for appServerDir property and update the new tomcat_home
   
   Sample entry looks as below
   

   # Enter Apache Tomcat 9.0.37 Directory
   appServerDir=C:\\TOMCAT_NEW_HOME
   

7. Navigate to $TOMCAT_OLD_HOME/lib and copy the drivers file to $TOMCAT_NEW_HOME/lib.
   1. Oracle Customers - Please copy ojdbc8-19.8.0.0.0.jar
   2. MS SQL Customers - Please copy mssql-jdbc-8.2.1.jre11.jar
   3. PostgreSQL Customers - Please copy postgresql-42.2.5.jar & postgresql-42.2.6.jar
8. Copy the server.xml  from $TOMCAT_OLD_HOME/conf directory to $TOMCAT_NEW_HOME/conf
9. Reconfigure the memory parameters 
   1. Windows - If you have installed as service, uninstall as service and reinstall again by following the document, else Navigate to $TOMCAT_OLD_HOME/bin/setenv.bat and adjust the memory parameters 
   2. Linux - Navigate to $TOMCAT_OLD_HOME/bin/setenv.sh and adjust the JAVA_OPTS value 
10. Startup tomcat in new version and validate 

Note: There are no changes needed for Jaspersoft Studio.

Reference: 

• https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
• https://www.cyberkendra.com/2022/03/spring4shell-details-and-exploit-code.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963
• CVE-2022-22963
• CVE-2022-22965

Document History

• March 31, 2022: Initial review of Clarity published 
• April 1, 2022: Updated Information pertaining to Jaspersoft on CVE-2022-22963.
• April 5, 2022: Updated information about HDP ODATA
• April 12, 2022 : Mitigation for Jaspersoft vulnerability and CVE-2022-22965

Install Issues pertaining to Jaspersoft

• Cannot find app server tag in default_master.properties