CVE-2018-18815 : What You Need to Know

Critical vulnerability in TIBCO JasperReports Server and related products allows unauthorized users to bypass authorization checks, potentially leading to user information disclosure. Learn how to mitigate and prevent this issue.

TIBCO JasperReports Server User Information Disclosure is a critical vulnerability affecting various TIBCO Software Inc. products, potentially allowing unauthorized users to bypass authorization checks.

Understanding CVE-2018-18815

What is CVE-2018-18815?

The vulnerability lies in the REST API of TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS.

The Impact of CVE-2018-18815

The vulnerability could lead to unauthorized users bypassing authorization checks for parts of the HTTP interface of the JasperReports Server, potentially resulting in user information disclosure.

Technical Details of CVE-2018-18815

Vulnerability Description

The REST API component of various TIBCO Software Inc. products contains a vulnerability that could allow unauthenticated users to bypass authorization checks.

Affected Systems and Versions

        TIBCO JasperReports Server versions 6.4.0 to 7.1.0
        TIBCO JasperReports Server Community Edition versions up to and including 7.1.0
        TIBCO JasperReports Server for ActiveMatrix BPM versions up to and including 6.4.3
        TIBCO Jaspersoft for AWS with Multi-Tenancy versions up to and including 7.1.0
        TIBCO Jaspersoft Reporting and Analytics for AWS versions up to and including 7.1.0

Exploitation Mechanism

The vulnerability theoretically allows unauthenticated users to access the host system's contents by bypassing authorization checks.

Mitigation and Prevention

Immediate Steps to Take

        Update affected components to the following versions:
              TIBCO JasperReports Server versions 6.4.0 to 6.4.3: Update to version 6.4.4 or higher
              TIBCO JasperReports Server version 7.1.0: Update to version 7.1.1 or higher
              TIBCO JasperReports Server Community Edition versions up to 7.1.0: Update to version 7.1.1 or higher
              TIBCO JasperReports Server for ActiveMatrix BPM versions up to 6.4.3: Update to version 6.4.4 or higher
              TIBCO Jaspersoft for AWS with Multi-Tenancy versions up to 7.1.0: Update to version 7.1.1 or higher
              TIBCO Jaspersoft Reporting and Analytics for AWS versions up to 7.1.0: Update to version 7.1.1 or higher
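The affected-version list and the update table above can be turned into a simple inventory check. The following is an added example (not code from the advisory or from TIBCO) that encodes the ranges as stated on this page and reports, for each host, the minimum fixed version to move to; the host names and inventory rows are constructed sample data.

```python
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges and minimum fixed version, taken from the update table
# above. For JasperReports Server the table names 6.4.0-6.4.3 and 7.1.0 explicitly,
# so only those are modelled here; (0, 0, 0) stands for "all versions up to and
# including" the upper bound.
AFFECTED = {
    "JasperReports Server": [((6, 4, 0), (6, 4, 3), (6, 4, 4)),
                             ((7, 1, 0), (7, 1, 0), (7, 1, 1))],
    "JasperReports Server Community Edition": [((0, 0, 0), (7, 1, 0), (7, 1, 1))],
    "JasperReports Server for ActiveMatrix BPM": [((0, 0, 0), (6, 4, 3), (6, 4, 4))],
    "Jaspersoft for AWS with Multi-Tenancy": [((0, 0, 0), (7, 1, 0), (7, 1, 1))],
    "Jaspersoft Reporting and Analytics for AWS": [((0, 0, 0), (7, 1, 0), (7, 1, 1))],
}


def parse_version(text: str) -> Version:
    """Parse 'x', 'x.y' or 'x.y.z'; missing components default to 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version_for(product: str, version: str) -> Optional[str]:
    """Return the minimum fixed version if (product, version) is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED.get(product, []):
        if low <= v <= high:
            return ".".join(str(n) for n in fixed)
    return None


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Filter (host, product, version) rows down to affected ones, adding the fix version."""
    findings = []
    for host, product, version in inventory:
        fixed = fixed_version_for(product, version)
        if fixed is not None:
            findings.append((host, product, version, fixed))
    return findings


if __name__ == "__main__":
    sample = [  # constructed sample inventory, not real hosts
        ("reports-01.example.internal", "JasperReports Server", "6.4.2"),
        ("reports-02.example.internal", "JasperReports Server", "7.1.1"),
        ("bpm-01.example.internal", "JasperReports Server for ActiveMatrix BPM", "6.4.3"),
    ]
    for host, product, version, fixed in triage(sample):
        print(f"{host}: {product} {version} is affected by CVE-2018-18815; update to {fixed} or higher")
```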

Long-Term Security Practices

        Regularly update software components to the latest versions
        Implement strong authentication and authorization mechanisms
        Conduct regular security assessments and audits

Patching and Updates

Ensure timely application of security patches and updates provided by TIBCO to address the vulnerability.
