
CVE-2022-42889 impact on Clarity Jaspersoft & ODATA


Article ID: 252493


Updated On:

Products

Clarity PPM On Premise, Clarity PPM SaaS

Issue/Introduction

A critical vulnerability in Apache Commons Text, CVE-2022-42889, was published in the National Vulnerability Database on 13 October 2022.

How does it impact Clarity, Jaspersoft, and ODATA (Clarity SaaS)?

Environment

All supported Clarity, Jaspersoft & ODATA (SaaS only)

Cause

The vulnerability affects Apache Commons Text versions 1.5 through 1.9.

Resolution

Clarity & HDP (ODATA) are not vulnerable

  • Clarity is not vulnerable to CVE-2022-42889 because it does not use the vulnerable API (StringSubstitutor). Clarity still ships the commons-text.jar (1.9) file, but the Clarity code path does not call the API described in CVE-2022-42889.
  • CVE-2022-42889 is reported against the Apache Commons Text library; HDP ODATA does not ship or use this library and is unaffected.

Jaspersoft is vulnerable

  • Broadcom SaaS has implemented the remediation on all non-production Jaspersoft instances via CHG1043162
  • Broadcom SaaS has implemented the remediation on all production Jaspersoft instances, region by region:
    • Asia Pacific Production Jaspersoft Text4Shell Patching CHG1043278
    • Europe Production Jaspersoft Text4Shell Patching CHG1043298
    • United States & Canada Production Jaspersoft Text4Shell Patching CHG1043315

On-premise customers can remediate using the information below

  • CVE-2022-42889 is reported against the Apache Commons Text library. Jaspersoft 7.8 ships this library and is impacted; follow the steps below to remediate:
    • Stop the Jaspersoft services
    • Navigate to Jaspersoft_home\webapps\reportservice\WEB-INF\lib
    • Look for the file commons-text-1.8.jar under Jaspersoft_home\webapps\reportservice\WEB-INF\lib
    • Take a backup of commons-text-1.8.jar and then delete it
    • Replace the old commons-text-1.8.jar with commons-text-1.10.0.jar (attached to this article)
      • Note: Rename the attached jar file to commons-text-1.10.0.jar
    • Restart the Jaspersoft services
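The steps above can be checked and carried out with a small audit script. This is an added example, not Broadcom's or Tibco's tooling: it assumes a lib directory path and a path to the downloaded fixed jar, finds commons-text jars whose version falls in the affected 1.5 through 1.9 range (comparing version numbers numerically, so 1.10.0 is correctly treated as newer than 1.9), and moves the affected jar to a backup folder before copying in the fixed one. Stopping and restarting the services is left to the operator.

```python
"""Audit a Jaspersoft WEB-INF/lib directory for CVE-2022-42889 (added example).

Flags commons-text jars in the affected range 1.5 through 1.9 and optionally
swaps in the fixed 1.10.0 jar, keeping a backup of the old file.
"""
import re
import shutil
from pathlib import Path

JAR_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$")
AFFECTED_MIN, AFFECTED_MAX = (1, 5), (1, 9)   # range named in the CVE


def parse_version(text):
    """'1.10.0' -> (1, 10, 0); tuples compare numerically, so 1.10 > 1.9."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True when major.minor lies in 1.5 .. 1.9 (string comparison would get 1.10 wrong)."""
    return AFFECTED_MIN <= parse_version(version)[:2] <= AFFECTED_MAX


def audit_lib_dir(lib_dir):
    """Return [(jar_path, version, affected)] for each commons-text jar in lib_dir."""
    findings = []
    for jar in sorted(Path(lib_dir).glob("commons-text-*.jar")):
        match = JAR_RE.match(jar.name)
        if match:                      # skips e.g. -sources.jar variants
            findings.append((jar, match.group(1), is_affected(match.group(1))))
    return findings


def remediate(lib_dir, fixed_jar, backup_dir):
    """Back up and remove every affected jar, then copy the fixed jar into lib_dir.

    fixed_jar is the downloaded 1.10.0 file (assumed path); it is installed
    under the canonical name commons-text-1.10.0.jar as the article instructs.
    Returns the names of the jars that were replaced.
    """
    lib_dir, backup_dir = Path(lib_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    replaced = []
    for jar, _version, affected in audit_lib_dir(lib_dir):
        if affected:
            shutil.move(str(jar), str(backup_dir / jar.name))
            replaced.append(jar.name)
    if replaced:
        shutil.copy2(fixed_jar, lib_dir / "commons-text-1.10.0.jar")
    return replaced
```

On a Clarity host the audit reports the shipped commons-text 1.9 as in range: this is a version-presence check only, and the article's finding is that the Clarity code path does not use the affected API.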


Additional Information

Change Log:

  • 2022-10-19: Broadcom is currently reviewing this defect and checking whether Clarity, Jaspersoft & ODATA are impacted. Please check this article regularly for updates.
  • 2022-10-20: Broadcom Engineering has reviewed and confirmed that the vulnerable API (StringSubstitutor) is not used in the Clarity code path. Jaspersoft is still being reviewed by Tibco. HDP (ODATA) has been reviewed and is not vulnerable.
  • 2022-10-22: Tibco has confirmed that Jaspersoft is impacted and has provided a remediation.
  • 2022-10-23: The article has been updated with the Jaspersoft remediation, and the remediation has been applied to the Broadcom non-production Jaspersoft instances.

Attachments

commons-text-1.10.0_1666509315048.jar