cancel
Showing results for 
Search instead for 
Did you mean: 

Vulnerability report of Crystal Reports for Visual Studio SP36

yumb
Explorer
0 Kudos
530

I run the Vulnerability report of my product that uses Crystal Reports for Visual Studio latest Support Pack SP36, and several Critical and High severity issues were found (see packages with their versions below). Can you advise how these vulnerability issues can be eliminated?

The report finds very old versions of some packages - it is very strange to see them in the latest SP.

 

PackageVersionModulesSeverityVulnerabilities
libicu3.0crdb_p2ssyb10.dll, icuin30.dll,  keydecoder.dllcriticalCVE-2015-5922, CVE-2016-6293, CVE-2017-17484
libicu3.0crdb_p2ssyb10.dll, icuin30.dll,  keydecoder.dllhighCVE-2011-4599, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2015-5922, CVE-2016-6293, CVE-2017-17484, CVE-2017-7867, CVE-2017-7868, CVE-2020-10532
libicu3.4icuuc30.dllcriticalCVE-2014-9654, CVE-2014-9911, CVE-2015-5922, CVE-2016-6293, CVE-2017-17484
libicu3.4icuuc30.dllhighCVE-2011-4599, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2017-7867, CVE-2017-7868, CVE-2020-10531
libicu4.4icuin42.dllcriticalCVE-2014-9911, CVE-2015-5922, CVE-2017-14952, CVE-2017-17484
libicu4.4icuin42.dllhighCVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2017-7867, CVE-2017-7868, CVE-2020-10531
libicu4.2.1icuuc42.dll, icudt42.dllcriticalCVE-2014-9911, CVE-2015-5922, CVE-2016-6293, CVE-2017-17484
libicu4.2.1icuuc42.dll, icudt42.dllhighCVE-2011-4599, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2017-7867, CVE-2017-7868, CVE-2020-10531
libjpeg9acslibu-3-0.dllhighCVE-2020-14153
libtiff4.5.1cslibu-3-0.dllhighCVE-2023-52355
openssl1.0.2fsapcrypto.dllcriticalCVE-2016-2177, CVE-2022-1292, CVE-2022-2068
openssl1.0.2fsapcrypto.dllhighCVE-2016-8610, CVE-2022-0778, CVE-2023-0215, CVE-2023-0464
zlib1.2.12boezlib.dll, zlib.dllcriticalCVE-2022-37434, CVE-2023-45853
DonWilliams
Active Contributor
Typically CVE's can be false/positives when it comes to CR for VS .NET. And if your app does not use the parts reported there is no concern. But I reported this post to R&D and they'll look into it. Please note, SAP doesn't list the ones that are affected for security reasons obviously. You can get access to the SAP Notes if you have a support contract.
yumb
Explorer
0 Kudos

Don, thank you for the answer.

  1. How can I prove that some issue is false-positive or not used?
  2. How can I get /order the support contract?
  3. Can you please inform me if/when you get an answer from R&D?

Thanks

View Entire Topic
DonWilliams
Active Contributor

Here's the response from R&D, from the looks of her response they have all been looked at and none of API's  are used by CR or not relevant:

 

Package

Version

Modules

Severity

Vulnerabilities

libicu

3.0

crdb_p2ssyb10.dll, icuin30.dll,  keydecoder.dll

critical

CVE-2015-5922, CVE-2016-6293, CVE-2017-17484

CVE-2015-5922 Crystal reports is not supported on Apple OSX. so not impacted by this

CVE-2016-6293 we don't use uloc_acceptLanguageFromHTTP . so not impacted by this

CVE-2017-17484 we don't use function ucnv_UTF8FromUTF8

 

libicu

3.0

crdb_p2ssyb10.dll, icuin30.dll,  keydecoder.dll

high

CVE-2011-4599, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2015-5922, CVE-2016-6293, CVE-2017-17484, CVE-2017-7867, CVE-2017-7868, CVE-2020-10532

CVE-2011-4599  we don't use _canonicalize function. so we are not impacted by this

CVE-2014-7923  we don't use this TP in chrome. So we are not impacted by this

CVE-2014-7926  we don't use this TP in chrome. So we are not impacted by this

CVE-2014-8146  we don't use resolveImplicitLevels  function. So Not impacted by this.

CVE-2014-8147  we don't use resolveImplicitLevels  function. So Not impacted by this.

CVE-2015-5922 Crystal reports is not supported on Apple OSX. so not impacted by this

CVE-2016-6293 we don't use uloc_acceptLanguageFromHTTP . so not impacted by this

CVE-2017-17484 we don't use function ucnv_UTF8FromUTF8

CVE-2017-7867  we don't use utf8TextAccess function so we are not impacted by this CVE

CVE-2017-7868  we don't use utf8TextAccess function so we are not impacted by this CVE

CVE-2020-10531  we don't use UnicodeString::doAppend(). So not impacted by this

CVE-2020-10532  is it a typo? Icu only has CVE CVE-2020-10531.

libicu

3.4

icuuc30.dll

critical

CVE-2014-9654, CVE-2014-9911, CVE-2015-5922, CVE-2016-6293, CVE-2017-17484

CVE-2015-5922 Crystal reports is not supported on Apple OSX. so not impacted by this

CVE-2014-9911 we are not using ures_getByKeyWithFallback . so not impacted by this

CVE-2014-9654 we are not using this component in Chrome. So not impacted by this

CVE-2016-6293 we don't use function uloc_acceptLanguageFromHTTP

CVE-2017-17484 we don't use function ucnv_UTF8FromUTF8

 

libicu

3.4

icuuc30.dll

high

CVE-2011-4599, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2017-7867, CVE-2017-7868, CVE-2020-10531

Duplicated CVEs with icuin30.dll

libicu

4.4

icuin42.dll

critical

CVE-2014-9911, CVE-2015-5922, CVE-2017-14952, CVE-2017-17484

CVE-2014-9911 we are not using ures_getByKeyWithFallback . so not impacted by this

CVE-2015-5922 Crystal reports is not supported on Apple OSX. so not impacted by this

CVE-2017-14952 we don't use function ZoneMeta::createMetazoneMappings in file icu/i18n/zonemeta.cpp

CVE-2017-17484 we don't use function ucnv_UTF8FromUTF8

 

libicu

4.4

icuin42.dll

high

CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2017-7867, CVE-2017-7868, CVE-2020-10531

Duplicated CVEs with icuuc30.dll

libicu

4.2.1

icuuc42.dll, icudt42.dll

critical

CVE-2014-9911, CVE-2015-5922, CVE-2016-6293, CVE-2017-17484

Duplicated CVEs with above

libicu

4.2.1

icuuc42.dll, icudt42.dll

high

CVE-2011-4599, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2017-7867, CVE-2017-7868, CVE-2020-10531

Duplicated CVEs with above

libjpeg

9a

cslibu-3-0.dll

high

CVE-2020-14153 

 False Alarm. We are using jpeg 9d instead of 9a

libtiff

4.5.1

cslibu-3-0.dll

high

CVE-2023-52355

no impact. TIFFRasterScanlineSize64 is not used in crystal reports.

openssl

1.0.2f

sapcrypto.dll

critical

CVE-2016-2177, CVE-2022-1292, CVE-2022-2068

These are transitive dependency and  main tp has been taken care of all the mitigation of this

openssl

1.0.2f

sapcrypto.dll

high

CVE-2016-8610, CVE-2022-0778, CVE-2023-0215, CVE-2023-0464

These are transitive dependency and  main tp has been taken care of all the mitigation of this

zlib

1.2.12

boezlib.dll, zlib.dll

critical

CVE-2022-37434, CVE-2023-45853

CVE-2022-37434 We don't call function inflateGetHeader ()

CVE-2023-45853 We don’t use affected function zipOpenNewFileInZip4_64()

yumb
Explorer
0 Kudos
Don, thank you for the answer