Text4Shell Vulnerability - CVE-2022-42889

avandeloo
Explorer
0 Kudos

There is a “Common Text” vulnerability in the Apache Web Server built in the SAP Crystal Reports version introduced in October.

I’ve reached out to SAP support to see when they plan to deploy a patch to remediate this; I was directed to ask the community question here.

Accepted Solutions (1)

DellSC
Active Contributor

Assuming that you're talking about SAP Crystal Reports Server (CRS), it is not affected because it doesn't use any functionality in that package.

CRS uses the same source code base as SAP BusinessObjects with limits to allow only the Crystal Reports functionality within the BI Platform. If you find SAP Note 2914574 (launchpad.support.sap.com - you'll need an S-ID to log in), you'll see the "official" verification that the software is not affected by this vulnerability.

-Dell

avandeloo
Explorer
0 Kudos

Again, this is not regarding SAP Crystal Reports Server. Windows Defender has detected the vulnerability in SAP Crystal Reports (CR). Apache Web Server IS built into SAP CR.

DellSC
Active Contributor
0 Kudos

don.williams, can you speak to this? Is Apache Web Server built into Crystal?

-Dell

avandeloo
Explorer
0 Kudos

Apologies, the vulnerability is within the Apache Commons Text Library.

avandeloo
Explorer
0 Kudos

Checking to see if there is any further assistance with this?

Answers (4)

Hello,

Dell, you are correct; those classes with the issues are not used in CR Designer, so you can ignore the warning.

Stand alone Crystal Designer does not use nor does it access Apache or any other WEB server.

They are only there because R&D specifically did not remove them for the installer due to other dependencies that may use them, but they are not used in CRD.

The SAP note does show this, but for security reasons, if you don't have a support contract you can't access them.

Ignore the warning

Don

avandeloo
Explorer
0 Kudos

The user above stated this is for Crystal Reports, not server, not designer. How do we get this escalated to someone who can assist?

I've now been redirected to this forum by our Account Manager and the Chat Bot. Very frustrating.

avandeloo
Explorer
0 Kudos

Finally...New version 14.3.3.4548 has a fix!

avandeloo
Explorer
0 Kudos

It also appears that SAP Commerce uses the same version of the open source Java library Apache Commons Text, which has vulnerabilities. There is a patch for it...yet nothing on this.

https://userapps.support.sap.com/sap/support/knowledge/en/3278497

0 Kudos

The user above stated this is for Crystal Reports, not server. I am also seeing this issue and I can't just ignore it, as it's part of cybersecurity vulnerability scans that are very important for our company. I'm not sure if ignoring it is the correct answer to receive from support. Are there any plans to fix this in a patch?

avandeloo
Explorer

Thank you! Finally someone that is reading for comprehension and sees the same thing I do. I am mystified at the level of service being provided by SAP. I tried removing the file that has the vulnerability but our AV (MS Defender) still shows it's a threat.

Would really love for this to be taken seriously and addressed.
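
Added example, not part of any post in this thread and not SAP or Apache code: a Python inventory script that lists every copy of Apache Commons Text under an install directory, including copies nested inside other archives, and flags the versions affected by CVE-2022-42889. The affected range (1.5 through 1.9, fixed in 1.10.0) comes from the Apache advisory, not from the thread; the install path is whatever you pass on the command line, and the nesting depth limit is an assumption.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
NAME_RE = re.compile(r"commons-text-(\d+(?:\.\d+)*)[^/]*\.jar$")
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"

def is_affected(version):
    """True for Commons Text 1.5 through 1.9 (per the Apache advisory)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:2]]
    nums += [0] * (2 - len(nums))
    return (1, 5) <= tuple(nums) <= (1, 9)

def jar_version(zf, label):
    """Prefer the Maven metadata inside the archive; fall back to the file name."""
    if POM_PROPS in zf.namelist():
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(\S+)", text, re.M)
        if m:
            return m.group(1)
    m = NAME_RE.search(label)
    return m.group(1) if m else None

def scan_archive(data, label, depth=0):
    """Yield (location, version) for this archive and archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        version = jar_version(zf, label)
        if version:
            yield label, version
        if depth < 3:  # assumed limit on nesting (jar in war in ear)
            for entry in zf.namelist():
                if entry.lower().endswith(ARCHIVE_EXT):
                    yield from scan_archive(zf.read(entry), f"{label}!/{entry}", depth + 1)

def scan_tree(root):
    """Return [(location, version, affected)] for every copy found under root."""
    return [(loc, ver, is_affected(ver))
            for path in Path(root).rglob("*")
            if path.is_file() and path.suffix.lower() in ARCHIVE_EXT
            for loc, ver in scan_archive(path.read_bytes(), str(path))]

if __name__ == "__main__":
    for loc, ver, bad in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if bad else 'ok':8}  {ver:8}  {loc}")
```

A hit shows only that the library file is present on disk; whether the installed product ever calls it is a separate question.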