TIBCO JasperReports Server Vulnerability - 20230104002

Overview

The Spring web flows of several TIBCO Software Inc.'s products contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files.

The impact includes the possible read-only access by authenticated users to web application configuration files that contain the credentials used by the server. Those credentials could then be used to affect external systems accessed by the JasperReports Server.

What is the vulnerability ?

CVE-2018-5430 - CVSS v3 Base Score: 7.7

What is vulnerable?

The vulnerability exists in the spring web flows component on the following products:

• TIBCO JasperReports Server versions 6.2.4 and below
• TIBCO JasperReports Server versions 6.3.0, 6.3.2, and 6.3.3
• TIBCO JasperReports Server versions 6.4.0 and 6.4.2
• TIBCO JasperReports Server Community Edition versions 6.4.2 and below
• TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.2 and below
• TIBCO Jaspersoft for AWS with Multi-Tenancy versions 6.4.2 and below
• TIBCO Jaspersoft Reporting and Analytics for AWS versions 6.4.2 and below

What has been observed ?

CISA has listed this vulnerabilty in their Known Exploited Vulnerabilties catalog.

Recommendation

Due to the report of active exploitation, it is strongly recommended to patch this vulnerability within 2 weeks across all affected platforms as per vendor instructions: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430