Is commons-jxpath security vulnerability fixed in BIRT release 4.15 and higher ?

[devamitkochar]

Hi ,
After upgrading our project to use BIRT 4.15 version, we are facing a critical security issue related to commons-jxpath jar present in BIRT jars. Is the security issue fixed in newer BIRT versions ?
If it is not fixed ,Are there any plans to fix it in future releases ?
The security issue is described in Jxpath Issue.
Is there any alternative for this issue in BIRT 4.15 ?

[merks]

It's marked as rejected here:

https://nvd.nist.gov/vuln/detail/CVE-2022-41852

To which jar specifically do you refer to by "BIRT Jars". There are a bunch of downloads and many of the zips have various nested jars and wars, so being specific would be helpful. I'd suggest looking at the 4.17 release instead of the 4.15 release because the runtimes were significantly pruned down during the most recent release cycle, especially strange UI dependencies which might resolve the issue for you.

In any case, the dependencies of the Designer IDE product on jxpath come from the Platform:

eclipse-platform/eclipse.platform.ui#423

So that cannot be fixed by BIRT. But I don't expect that dependency to creep into any of the runtimes that you might be using on servers. It's simply not needed and not used except in the Eclipse IDE itself...

Not only that, for what it's worth, the Platform uses of jxpath to look up model elements in the EMF representation of the in-memory UI models so that does not expose anyone or anything to the supposed vulnerabilities involved.

[devamitkochar]

Thanks for the update . We are observing jxpath issue in EMF related jars hence not able to remove dependency in overall.

[merks]

This is the one and only dependency:

https://github.com/eclipse-platform/eclipse.platform.ui/blob/88b1d36762e64098fc43a17fb2440cbe96a9b439/bundles/org.eclipse.e4.emf.xpath/META-INF/MANIFEST.MF#L7

And yes, it can't be removed from the IDE without breaking the IDE.

[devamitkochar]

Hi,
As per suggestions , we have updated to BIRT 4.17 version , but after update we are facing issue with PDF and XLSX generation. The files are generated but it seems these are corrupt or malformed so we are not able to open these files. We are observing following errors :
Oct 04, 2024 8:03:11 AM org.eclipse.birt.report.engine.api.impl.EngineTask handleFatalExceptions
SEVERE: Error happened while running the report.
java.lang.NoSuchMethodError: 'java.lang.String org.eclipse.birt.report.model.api.ReportDesignHandle.getPdfVersion()'
at org.eclipse.birt.report.engine.emitter.pdf.PDFPageDevice.getReportDesignConfiguration(PDFPageDevice.java:928)
at org.eclipse.birt.report.engine.emitter.pdf.PDFPageDevice.setPdfVersion(PDFPageDevice.java:651)
at org.eclipse.birt.report.engine.emitter.pdf.PDFPageDevice.(PDFPageDevice.java:209)
at org.eclipse.birt.report.engine.emitter.pdf.PDFRender.createPageDevice(PDFRender.java:79)
at org.eclipse.birt.report.engine.layout.emitter.PageDeviceRender.start(PageDeviceRender.java:144)
at org.eclipse.birt.report.engine.layout.emitter.PageEmitter.start(PageEmitter.java:70)
at org.eclipse.birt.report.engine.nLayout.LayoutEngine.start(LayoutEngine.java:263)
at org.eclipse.birt.report.engine.api.impl.RenderTask$PageRangeRender.render(RenderTask.java:531)
at org.eclipse.birt.report.engine.api.impl.RenderTask.render(RenderTask.java:278)
at org.eclipse.birt.report.service.ReportEngineService.renderReport(ReportEngineService.java:1263)
at org.eclipse.birt.report.service.BirtViewerReportService.renderReport(BirtViewerReportService.java:303)
at org.eclipse.birt.report.service.actionhandler.BirtRenderReportActionHandler.__execute(BirtRenderReportActionHandler.java:63)
at org.eclipse.birt.report.service.actionhandler.AbstractBaseActionHandler.execute(AbstractBaseActionHandler.java:88)
at org.eclipse.birt.report.presentation.aggregation.layout.FramesetFragment.doService(FramesetFragment.java:190)
at org.eclipse.birt.report.presentation.aggregation.layout.FramesetFragment.service(FramesetFragment.java:80)
at org.eclipse.birt.report.servlet.ViewerServlet.__doGet(ViewerServlet.java:167)
at org.eclipse.birt.report.servlet.BirtSoapMessageDispatcherServlet.doPost(BirtSoapMessageDispatcherServlet.java:233)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:590)
at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:332)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
at org.eclipse.birt.report.servlet.BirtSoapMessageDispatcherServlet.service(BirtSoapMessageDispatcherServlet.java:115)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:195)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.eclipse.birt.report.filter.ViewerFilter.doFilter(ViewerFilter.java:71)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at com.carreker.reportviewer.common.RequestFilter.doFilter(RequestFilter.java:411)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at com.carreker.reportviewer.common.SecureEAMLoggerFilter.doFilter(SecureEAMLoggerFilter.java:200)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.owasp.csrfguard.http.FilterChainWrapper.doFilter(FilterChainWrapper.java:42)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:174)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at com.carreker.reportviewer.action.ApplicationFilter.doFilter(ApplicationFilter.java:48)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at com.carreker.reportviewer.common.ExceptionFilter.doFilter(ExceptionFilter.java:105)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:663)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:389)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Thread.java:1583)

[merks]

The error suggests you have a mixture of older and newer jars because the call and the method method called were added by the same commit in August.

cb87646

[speckyspooky]

I confirm currently there are no known issues with Excel & PDF generation based on BIRT 4.17 tested for the designer and runtime.
If you have a specialied test report without external dependencies then we can test it.