CVE-2022-22963 & CVE-2022-22965 - Are Clarity, Jaspersoft & OData Vulnerable?

Article ID: 238263

Products

Clarity PPM On Premise, Clarity PPM SaaS

Issue/Introduction

Are Clarity, Jaspersoft and OData vulnerable to CVE-2022-22963 (Spring Cloud Function SpEL remote code execution) and CVE-2022-22965 (Spring Framework "Spring4Shell" remote code execution)?

Environment

Release : All Supported Clarity Releases

Component : Clarity Security Integration

Resolution

Table of Contents

  • Clarity
  • OData
  • Jaspersoft

Jaspersoft

Jaspersoft is vulnerable. TIBCO's response can be accessed here.

The mitigation below does not change the Jaspersoft application itself; it replaces the Apache Tomcat that hosts the report service with Tomcat 9.0.62, the 9.0.x release that closes the known exploitation path of CVE-2022-22965 (Spring4Shell) through Tomcat's class loader. Because the Spring Framework inside the application is left as is, the old Tomcat must not be put back into service afterwards.

The following steps can be taken to mitigate it:

  1. Stop the Tomcat service. If Tomcat is configured as a service, uninstall the service.
  2. Take a backup of the existing Tomcat folder.
  3. Install the new version of Tomcat (9.0.62) attached to this document.
  4. Copy the old report service directory $TOMCAT_OLD_HOME/webapps/reportservice to the new Tomcat folder $TOMCAT_NEW_HOME/webapps.
  5. Copy the .jaspersoft folder from the old Tomcat directory into the newly installed Tomcat directory, i.e. $TOMCAT_NEW_HOME/.jaspersoft.
  6. In the newly installed Tomcat, edit $TOMCAT_NEW_HOME/.jaspersoft/default_master.properties, find the appServerDir property and set it to the new Tomcat home.

    A sample entry looks like this (the comment line can stay as it is):
    # Enter Apache Tomcat 9.0.37 Directory
    appServerDir=C:\\TOMCAT_NEW_HOME
  7. Copy the JDBC driver jar(s) from $TOMCAT_OLD_HOME/lib to $TOMCAT_NEW_HOME/lib. Copy only the driver for your database, not the whole lib directory, which would bring the old Tomcat's own jars back:
    1. Oracle customers: ojdbc8-19.8.0.0.0.jar
    2. MS SQL customers: mssql-jdbc-8.2.1.jre11.jar
    3. PostgreSQL customers: postgresql-42.2.5.jar and postgresql-42.2.6.jar
  8. Copy server.xml from $TOMCAT_OLD_HOME/conf to $TOMCAT_NEW_HOME/conf.
  9. Reconfigure the memory parameters for the new Tomcat:
    1. Windows: if Tomcat was installed as a service, uninstall the service and reinstall it against the new Tomcat by following the install document; otherwise edit $TOMCAT_NEW_HOME/bin/setenv.bat (copy it from $TOMCAT_OLD_HOME/bin if it is not present) and adjust the memory parameters.
    2. Linux: edit $TOMCAT_NEW_HOME/bin/setenv.sh (copy it from $TOMCAT_OLD_HOME/bin if it is not present) and adjust the JAVA_OPTS value.
  10. Start the new Tomcat and validate that reports run.

Note: There are no changes needed for Jaspersoft Studio.
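As an added example that is not part of this article and is not Jaspersoft or Tomcat tooling, the following POSIX shell script automates steps 4 through 9 of the procedure for Linux and then checks that the new Tomcat really is 9.0.62 or later before it is started. The function names, the wildcard patterns for the driver jars, and reading the version from the RELEASE-NOTES file shipped in the Tomcat root (assumed to contain a line like "Apache Tomcat Version 9.0.62") are assumptions made for this example; the two paths are the $TOMCAT_OLD_HOME and $TOMCAT_NEW_HOME of the steps above.

```shell
#!/bin/sh
# Added example (not from the article): automate steps 4-9 of the Linux
# Jaspersoft/Tomcat migration and verify the resulting Tomcat version.
# Function names and the RELEASE-NOTES parsing are assumptions for this example.
set -eu

# version_ge HAVE WANT: succeed if dotted version HAVE >= WANT (numeric per field).
version_ge() {
  want="$2"
  # Sort the two versions numerically field by field; if WANT sorts first
  # (or both are equal), HAVE is at least WANT.
  set -- $(printf '%s\n%s\n' "$1" "$want" | sort -t. -k1,1n -k2,2n -k3,3n)
  [ "$1" = "$want" ]
}

# tomcat_version_of TOMCAT_HOME: print the version found in RELEASE-NOTES
# (assumed to contain a line such as "Apache Tomcat Version 9.0.62").
tomcat_version_of() {
  [ -f "$1/RELEASE-NOTES" ] || return 1
  sed -n 's/^[[:space:]]*Apache Tomcat Version[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
    "$1/RELEASE-NOTES" | head -n 1
}

# tomcat_at_least TOMCAT_HOME MIN_VERSION: succeed if the install is new enough.
tomcat_at_least() {
  have=$(tomcat_version_of "$1") || return 1
  [ -n "$have" ] && version_ge "$have" "$2"
}

# migrate_jaspersoft OLD_HOME NEW_HOME: steps 4-9 of the article, Linux layout.
migrate_jaspersoft() {
  old="$1"; new="$2"
  [ -d "$old/webapps/reportservice" ] || { echo "no reportservice under $old" >&2; return 1; }
  [ -d "$new/webapps" ] || { echo "$new does not look like a Tomcat home" >&2; return 1; }

  # Step 4: the report service web application.
  cp -R "$old/webapps/reportservice" "$new/webapps/"
  # Step 5: the Jaspersoft configuration directory.
  cp -R "$old/.jaspersoft" "$new/"
  # Step 6: point appServerDir at the new Tomcat home ('|' is the sed
  # delimiter here, so NEW_HOME must not contain it).
  props="$new/.jaspersoft/default_master.properties"
  sed -i.bak "s|^appServerDir=.*|appServerDir=$new|" "$props" && rm -f "$props.bak"
  # Step 7: only the JDBC driver jars, never the whole old lib directory.
  for jar in "$old"/lib/ojdbc*.jar "$old"/lib/mssql-jdbc*.jar "$old"/lib/postgresql*.jar; do
    if [ -f "$jar" ]; then cp "$jar" "$new/lib/"; fi
  done
  # Step 8: connector and port configuration.
  cp "$old/conf/server.xml" "$new/conf/server.xml"
  # Step 9 (Linux): carry JAVA_OPTS over; review the memory settings afterwards.
  if [ -f "$old/bin/setenv.sh" ]; then cp "$old/bin/setenv.sh" "$new/bin/setenv.sh"; fi
}

# Usage: sh migrate.sh "$TOMCAT_OLD_HOME" "$TOMCAT_NEW_HOME"
if [ "$#" -eq 2 ]; then
  migrate_jaspersoft "$1" "$2"
  if tomcat_at_least "$2" 9.0.62; then
    echo "migrated; Tomcat $(tomcat_version_of "$2") is at or above 9.0.62"
  else
    echo "migrated, but $2 is older than 9.0.62: do not start it" >&2
    exit 1
  fi
fi
```

Run it with Tomcat stopped (step 1) and the backup taken (step 2); it refuses to report success if the target directory is not Tomcat 9.0.62 or later, which guards against unpacking the wrong archive. Start the new Tomcat and validate (step 10) afterwards; the Windows service reinstall and setenv.bat of step 9 are not covered.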

Additional Information

Document History

  • March 31, 2022: Initial review of Clarity published
  • April 1, 2022: Updated information pertaining to Jaspersoft on CVE-2022-22963
  • April 5, 2022: Updated information about HDP OData
  • April 12, 2022: Mitigation for the Jaspersoft vulnerability and CVE-2022-22965

Install Issues pertaining to Jaspersoft

Attachments

apache-tomcat-9.0.62.tar_1649767997732.gz
apache-tomcat-9.0.62-windows-x64_1649767935921.zip