Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Are there plans to update the Spring framework within Crystal Reports

Go to solution
tbingeman
Explorer

on ‎2024 Apr 04 6:37 PM

0 Likes
2,184

Are there plans to update the Spring framework within Crystal Reports to mitigate CVE-2022-2296?  The software is continually flagged by scanning systems to be vulnerable to this CVE especially if Java 9+ is installed on the system that CR 2020 is installed on.

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies

Accepted Solutions (1)

Accepted Solutions (1)

DonWilliams
Active Contributor
‎2024 Apr 09 12:02 AM

EDIT:

I'll get R&D to look into this but be aware SAP has it's own version of Java, not the one belonging to Oracle.

A quick search finds no KBA's on that CVE.

Crystal Reports itself uses Java Scripts and doesn't use the Java engine itself.

In CR Designer click on Help... About and the more info button. You will see if only uses 2 Java processes and not java.exe.

R&D looked at the number and it's related to Chrome browser... not an issue.

Did you mean this one?

CVE-2022-22965

If so that one is on the schedule to be fixed...

And confirm with customer that CVE was flagged in browsing.war?

 

 

Show replies
Show replies
tbingeman
Explorer
‎2024 Apr 12 1:01 AM
0 Likes
CVE-2022-22965 is what was supposed to be in the original question.
DonWilliams
Active Contributor
‎2024 Apr 12 11:06 PM
0 Likes
Thanks, need you to confirm this also - "And confirm with customer that CVE was flagged in browsing.war?"
tbingeman
Explorer
‎2024 Apr 12 11:07 PM
0 Likes
Yes the CVE was flagged in browsing.war
tbingeman
Explorer
‎2024 Apr 19 7:45 PM
0 Likes
Can you tell me when the CVE will be fixed?
DonWilliams
Active Contributor
‎2024 Apr 26 4:44 PM
0 Likes
it's schedule for end of May but that can change if there are any ship killers, CR for VS is attached and built along with BOE Server and Crystal Reports Designer, so if any one of those have a delay so does CR for VS.
tbingeman
Explorer
‎2024 May 28 5:48 PM
0 Likes

Don,

Can you tell me if the following patch has the fix in it?

 

DonWilliams
Active Contributor
‎2024 May 29 6:23 PM
0 Likes
I would suggest downloading it and checking if the fix is in. CVE's are security issues so info on any CVE's is not available to the public, you require a Support contract to access the gated KBA's. FYI, Crystal Reports itself doesn't use Java, it does use Java Script to handle Parameters, actually it uses HTML5 for prompting. CR Server/BOE does use it but it's also a SAP version of Java and not Oracles.

Answers (1)

Answers (1)

DonWilliams
Active Contributor
‎2024 May 29 6:26 PM
0 Likes

FYI - Resources for more info:

https://pages.community.sap.com/topics/crystal-reports/faq

CR default home page:

https://support.sap.com/en/product/support-by-product/01200314690800000341.html

All CR/BOE product Help documents, note depending on if you ahve a Support Contract depends on more info available.
https://help.sap.com/docs/SAP_CRYSTAL_REPORTS

 

Show replies
Show replies
Ask a Question