CVE-2022-22963 & CVE-2022-22965 - Are Clarity, Jaspersoft & ODATA Vulnerable ?
search cancel

CVE-2022-22963 & CVE-2022-22965 - Are Clarity, Jaspersoft & ODATA Vulnerable ?


Article ID: 238263


Updated On:


Clarity PPM On Premise Clarity PPM SaaS


Are Clarity, Jaspersoft and ODATA Vulnerable to CVE-2022-22963?


Release : All Supported Clarity Release 

Component : Clarity Security Integration



Table of Contents







Jaspersoft is vulnerable. Tibco's response can be accessed here.

Following steps can be taken to mitigate it:

  1. Stop tomcat service. Uninstall if configured as service
  2. Take a backup of the existing Tomcat folder.
  3. Install a new version of Tomcat(9.0.62), attached with this document
  4. Copy the older reportservice directory $TOMCAT_OLD_HOME/webapps/reportservice to new tomcat folder $TOMCAT_NEW_HOME/webapps.
  5. Copy the .jaspersoft folder from older directory and move it to new installed Tomcat directory i.e. $TOMCAT_NEW_HOME/
  6. Navigate to newly installed Tomcat  $TOMCAT_NEW_HOME/.jaspersoft and edit the file called “” and look for appServerDir property and update the new tomcat_home

    Sample entry looks as below
    # Enter Apache Tomcat 9.0.37 Directory
  7. Navigate to $TOMCAT_OLD_HOME/lib and copy the drivers file to $TOMCAT_NEW_HOME/lib.
    1. Oracle Customers - Please copy ojdbc8-
    2. MS SQL Customers - Please copy mssql-jdbc-8.2.1.jre11.jar
    3. PostgreSQL Customers - Please copy postgresql-42.2.5.jar & postgresql-42.2.6.jar
  8. Copy the server.xml  from $TOMCAT_OLD_HOME/conf directory to $TOMCAT_NEW_HOME/conf
  9. Reconfigure the memory parameters 
    1. Windows - If you have installed as service, uninstall as service and reinstall again by following the document, else Navigate to $TOMCAT_OLD_HOME/bin/setenv.bat and adjust the memory parameters 
    2. Linux - Navigate to $TOMCAT_OLD_HOME/bin/ and adjust the JAVA_OPTS value 
  10. Startup tomcat in new version and validate 

Note: There are no changes needed for Jaspersoft Studio.

Additional Information


Document History

  • March 31, 2022: Initial review of Clarity published 
  • April 1, 2022: Updated Information pertaining to Jaspersoft on CVE-2022-22963.
  • April 5, 2022: Updated information about HDP ODATA
  • April 12, 2022 : Mitigation for Jaspersoft vulnerability and CVE-2022-22965

Install Issues pertaining to Jaspersoft


apache-tomcat-9.0.62.tar_1649767997732.gz get_app get_app