Background
About Tibco JasperSoft [1]... basically I have no idea what it is or why it exists :) Some kind of Business Intelligence solution. Read about it on their website, if needed.
Why I don't know - I "met" this software at the beginning of a pen-test engagement, found the problem described below, reported it to the client, and the immediate decision was made to remove access to it and take it out of the pen-test scope. No further investigations were made.
CVE-2018-18809 Proof-of-Concept on JasperSoft demo site mobiledemo.jaspersoft.com
The vulnerability is in the reportresource/reportresource/ service, in the resource parameter.
There is a "defence": the value of the resource parameter must start with net/sf/jasperreports/. That is clearly not enough, because a prefix check says nothing about the ../ segments that may follow it, but the prefix requirement was probably enough to fool scanners.
Preconditions
There are no preconditions: neither authentication nor authorisation is required.
Proofs-of-concept run against JasperSoft's own demo site on 2019-04-21 (vendor notified 2018-10-11, fix published on 2019-03-06).
File listing
Showing the file listing of the application root folder.
net/sf/jasperreports/../../../../
Reading file
As an example, reading the database configuration file js.jdbc.properties from the application root folder.
net/sf/jasperreports/../../../../js.jdbc.properties
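To make the flaw concrete, here is an added example of the prefix-only check described above beside a normalize-then-compare check, run against the two PoC payloads. This is illustration code written for this post in Python, not code from the original post or from JasperReports (which is Java); the benign resource names and the hostile controls in CASES are constructed assumptions.

```python
import posixpath

# Prefix the post says the resource parameter had to start with.
ALLOWED_PREFIX = "net/sf/jasperreports/"


def weak_check(resource: str) -> bool:
    """Prefix-only check, as the post describes the original 'defence'.

    Hypothetical reconstruction of the behaviour, not JasperReports' code:
    anything starting with the prefix is accepted, so the ../ segments that
    follow it are never looked at.
    """
    return resource.startswith(ALLOWED_PREFIX)


def hardened_check(resource: str) -> bool:
    """Normalize first, compare afterwards.

    Collapsing '.' and '..' segments before the prefix test means a traversal
    cannot climb out of the allowed subtree and still pass. Absolute paths,
    backslashes and NUL bytes are rejected outright.
    """
    if not resource or resource.startswith("/"):
        return False
    if "\\" in resource or "\x00" in resource:
        return False
    normalized = posixpath.normpath(resource)
    # normpath leaves a leading '..' when the path climbs above its root
    if normalized == ".." or normalized.startswith("../"):
        return False
    prefix = ALLOWED_PREFIX.rstrip("/")
    # require a resource strictly below the prefix, never the prefix itself
    return normalized.startswith(prefix + "/")


# Constructed test values: the two payloads from the PoC above plus benign
# and hostile controls (the file names below are assumptions, not from the page).
CASES = [
    "net/sf/jasperreports/../../../../",                    # PoC: listing of application root
    "net/sf/jasperreports/../../../../js.jdbc.properties",  # PoC: DB configuration file
    "net/sf/jasperreports/fonts/fonts.xml",                 # legitimate resource (assumed name)
    "net/sf/jasperreports/engine/../fonts/fonts.xml",       # traversal that stays inside the prefix
    "/etc/passwd",                                          # absolute path
    "net/sf/jasperreports",                                 # the prefix directory itself
]


def evaluate(resource: str) -> dict:
    """Return both verdicts for one resource value."""
    return {
        "resource": resource,
        "weak": weak_check(resource),
        "hardened": hardened_check(resource),
    }


if __name__ == "__main__":
    for case in CASES:
        v = evaluate(case)
        print(f"{v['resource']:55} weak={v['weak']!s:5} hardened={v['hardened']}")
```

Both PoC payloads pass the prefix-only check and fail the normalized one, while a traversal that stays inside net/sf/jasperreports/ is still allowed. The normalization has to run on the decoded parameter value the servlet actually sees; equivalently, resolve the requested path against the resource root and verify that the resolved path is still under it.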
Critical impact
Impact: an unauthenticated remote attacker can read file listings and file contents from the target site.
In its own Security Advisory, TIBCO rates the risk at CVSS v3 9.9:
CVSS v3 Base Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
The only metric keeping it from the maximum is "Privileges Required" with value "Low" (with PR:N the same vector scores 10.0). Not sure why it wasn't "None".
Suggestion
Follow the "Solution" section of the TIBCO Security Advisory: March 6, 2019 - TIBCO JasperReports Library - 2018-18809 [2].
Vulnerability Disclosure Timeline
Timezone for dates: Europe/Tallinn
- 2018-10-15 | me > Tibco | Notification to security@tibco.com
- 2018-10-15 | Tibco > me | Thanks for PoC
.. 2 weeks silence ..
- 2018-10-29 | me > Tibco | How is it going? No fixes even for their own site.
- 2018-10-15 | Tibco > me | Explanation of their policy that they treat everyone equally, and as no fix is available for their customers, they cannot fix their own site either.
.. loooooong silence ..
- 2019-01-11 | Tibco > me | Issue is still under investigation. Discovery credits and coordination of publishing details for the future.
- 2019-01-11 | me > Tibco | Response, agreement with credits.
.. and the fix is already available ..
- 2019-03-06 | Tibco > me | "We published security advisories"
- 2019-03-06 | Tibco | "TIBCO Security Advisory: March 6, 2019 - TIBCO JasperReports Library - 2018-18809"
.. ok, I'll finally write the Full Disclosure. Went to recheck the Tibco JasperSoft demo site - still vulnerable ..
- 2019-04-21 | me > Tibco | I'm going to write Full Disclosure, but your own demo site is still vulnerable.
- 2019-04-22 | Tibco > me | "Software still vulnerable or demo site still vulnerable?"
- 2019-04-22 | me > Tibco | I haven't retested software, but demo site is still vulnerable.
- 2019-04-26 | Tibco > me | Demo site fixed/updated now.
.. ouch, it's 2019-09-07 and what did I find.. an unpublished blog post :)
- 2019-09-07 | me | Full Disclosure on security.elarlang.eu
Conclusion - I personally really don't share the attitude of keeping one's own environment vulnerable just because no fix is available for clients.
Communication was friendly and professional - no unnecessary emotions or conflicts.
References
- [1] - Tibco JasperSoft https://www.jaspersoft.com/
- [2] - TIBCO Security Advisory: March 6, 2019 - TIBCO JasperReports Library - 2018-18809 https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809