CVE-2017-5528, CVE-2017-5529 and CVE-2017-5532 JasperReports Server Vulnerability Issues

Document ID : KB000094522
Last Modified Date : 04/05/2018
Issue:
I am aware of the following TIBCO Security Advisories.

1. CVE-2017-5528: TIBCO JasperReports Server cross-site vulnerabilities
    https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017
2. CVE-2017-5529: TIBCO JasperReports Library Information Disclosure
    https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017-0
3. CVE-2017-5532: TIBCO JasperReports persistent cross site scripting
    https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532

I have installed CA Business Intelligence (CABI) JasperReports Server for Spectrum reporting. Is my CABI JasperReports Server affected?
Environment:
Spectrum 10.2 onward with CABI JasperReports Server
Resolution:
These security vulnerabilities are addressed in CABI JasperReports Server 6.4.2 and later. If you have installed an older version of CABI JasperReports Server, you should upgrade to 6.4.2 to address these issues.

Integration of CABI JasperReports Server 6.4.2 with Spectrum is supported from Spectrum 10.2.3 onward. However, for Spectrum 10.2.3 you need to apply PTF 10.02.03.PTF_10.2.316. Please refer to KB000092749.
Additional Information:
Please refer to the documentation below for how to upgrade:
   https://docops.ca.com/ca-business-intelligence/6-4-2/en/upgrading-ca-business-intelligence-jasperreports-server

Please contact CA Support to obtain patch PTF 10.02.03.PTF_10.2.316.