
WARNING: RCE IN TIBCO JASPERREPORTS SERVER

Reference: Advisory #2024-58
Version: 1.0
Affected software: TIBCO JasperReports Server
  • Versions 8.0.4 and below
  • Versions 8.2.0 and below
Type: Remote Code Execution (RCE)
CVE/CVSS: CVE-2024-3326: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Sources

https://community.tibco.com/advisories/tibco-security-advisory-april-9-2...

Risks

CVE-2024-3326 allows a remote attacker who is authenticated to JasperReports Server with administrator privileges to execute arbitrary code on the server. A successful RCE is typically an entry point for follow-on activity: the changed scope in the CVSS vector (S:C) reflects that the impact extends beyond the reporting application to the host that runs it, so likely consequences include privilege escalation on that host, lateral movement into the network, denial of service and ransomware deployment. Confidentiality, integrity and availability are all rated High.

Description

The TIBCO JasperReports Server standalone and embeddable BI platform is a reporting server which enables scheduled or real-time delivery of information.
 
CVE-2024-3326 is a flaw in the JDBC URL validation of JasperReports Server. It is exploitable remotely by an attacker who already holds administrator credentials for the application; no other access to the underlying system is required. In its security advisory TIBCO states that successful exploitation is equivalent to a full compromise of the affected system or application: the attacker moves from administering the reporting application to running code on the host that serves it, which is why the CVSS vector carries a changed scope (S:C). Because application administrator access is the precondition, any weaker route to that role (shared or leaked administrator credentials, a hijacked administrator session) turns this into a host compromise. The vendor is not aware of exploitation in the wild.

Recommended Actions

Patch
 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable systems with the highest priority, after thorough testing:
  • TIBCO JasperReports Server 8.0.4 and below: upgrade to 8.0.4 and apply the latest hotfix
  • TIBCO JasperReports Server 8.2.0 and below: upgrade to 8.2.0 and apply the latest hotfix
Confirm the exact fixed build against the TIBCO advisory linked under Sources: a hotfix does not change the version string the server reports, so the version alone does not prove the fix is in place.
Monitor/Detect
 
The CCB recommends that organizations increase their monitoring and detection capabilities so that related suspicious activity is identified and an intrusion can be responded to swiftly. For this vulnerability the relevant signals are administrator logins to JasperReports Server from unexpected sources, creation or modification of JDBC data sources (the objects whose URL validation is flawed), and unexpected child processes of the JasperReports Server service account.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.
 
When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify that no exploitation occurred in the window before the patch was applied.
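As an added example (not part of the CCB advisory or of TIBCO's own tooling), the following Python script turns the Patch and Monitor/Detect recommendations above into repeatable checks: a coarse version test against the affected ranges stated in this advisory, and a baseline diff of JDBC data-source definitions, since those are the administrator-managed objects whose URL validation is flawed. The REST v2 paths (`/rest_v2/serverInfo`, `/rest_v2/resources?type=jdbcDataSource`, `/rest_v2/resources/<uri>`), the JSON field names (`version`, `resourceLookup`, `uri`, `driverClass`, `connectionUrl`) and the basic-auth login are assumptions about the JasperReports Server REST API; the sample data is constructed so the script runs offline.

```python
"""Post-advisory checks for TIBCO JasperReports Server (CVE-2024-3326).

Added example; not CCB or TIBCO code. REST paths and JSON field names are
assumptions about the JasperReports Server REST v2 API.
"""
import base64
import json
import re
import urllib.request

# Highest affected version in the advisory ("8.2.0 and below" also covers 8.1.x).
MAX_AFFECTED = (8, 2, 0)


def parse_version(text):
    """Turn '8.0.4' or '8.2.0-hotfix' into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text):
    """True if the reported version lies in the advisory's affected ranges.

    A hotfix on top of 8.0.4 or 8.2.0 does not change the version string,
    so True means "verify the hotfix level", not "known exploitable".
    """
    return parse_version(version_text) <= MAX_AFFECTED


def extract_version(server_info):
    """Version field of a parsed rest_v2/serverInfo response (assumed shape)."""
    return server_info["version"]


def fetch_json(base_url, path, user, password, accept="application/json"):
    """GET a REST v2 resource with HTTP basic auth (assumed URL layout)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", accept)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def datasource_fingerprints(resources):
    """Map data-source URI -> (driverClass, connectionUrl) for baselining.

    `resources` are jdbcDataSource detail records (field names assumed).
    """
    return {r["uri"]: (r.get("driverClass", ""), r.get("connectionUrl", ""))
            for r in resources}


def diff_datasources(baseline, current):
    """Report data sources that appeared, changed or vanished since the baseline."""
    findings = []
    for uri, fp in current.items():
        if uri not in baseline:
            findings.append(f"NEW data source {uri}: driver={fp[0]} url={fp[1]}")
        elif baseline[uri] != fp:
            findings.append(f"CHANGED data source {uri}: {baseline[uri]} -> {fp}")
    for uri in baseline.keys() - current.keys():
        findings.append(f"REMOVED data source {uri}")
    return findings


# Constructed sample data so the checks run offline; not captured from a real server.
SAMPLE_SERVER_INFO = {"version": "8.2.0", "edition": "PRO", "build": "constructed"}
SAMPLE_BASELINE = [
    {"uri": "/datasources/reporting", "driverClass": "org.postgresql.Driver",
     "connectionUrl": "jdbc:postgresql://db.internal:5432/reports"},
]
SAMPLE_CURRENT = SAMPLE_BASELINE + [
    {"uri": "/datasources/tmp_export", "driverClass": "org.postgresql.Driver",
     "connectionUrl": "jdbc:postgresql://198.51.100.7:5432/x?sslmode=disable"},
]


def run_offline_demo():
    """Run both checks on the constructed samples and return the results."""
    version = extract_version(SAMPLE_SERVER_INFO)
    findings = diff_datasources(datasource_fingerprints(SAMPLE_BASELINE),
                                datasource_fingerprints(SAMPLE_CURRENT))
    return {"version": version, "affected": is_affected(version), "findings": findings}


if __name__ == "__main__":
    # Against a live server (assumed paths): store a baseline once, then diff on a
    # schedule. BASE, USER and PASS are placeholders for your deployment.
    #   info = fetch_json(BASE, "/rest_v2/serverInfo", USER, PASS)
    #   lookup = fetch_json(BASE, "/rest_v2/resources?type=jdbcDataSource", USER, PASS)
    #   details = [fetch_json(BASE, "/rest_v2/resources" + r["uri"], USER, PASS,
    #                         "application/repository.jdbcDataSource+json")
    #              for r in lookup["resourceLookup"]]
    print(json.dumps(run_offline_demo(), indent=2))
```

Run the baseline step once from a trusted state after patching, store the fingerprints, and alert on any NEW or CHANGED finding: a data source pointing at an unfamiliar host or carrying unusual URL parameters is exactly the kind of administrator action this flaw turns into code execution, and the version check alone cannot tell you whether the hotfix was applied.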