cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Which SP fixes vulnerabilities for ​Crystal Report Runtime SP31 mentioned in this question ?

Go to solution
former_member1312107
Member

on ‎2021 Nov 24 11:19 AM

0 Kudos
813

Hi,

Security scan on CRRuntime_32bit_13_0_31.msi (Crystal Report Runtime 32bit version 13_0_31 msi) identified the following vulnerabilities: -

CVE-2020-14153, CVE-2021-23840, CVE-2018-1285, CVE-2017-12627 and CVE-2015-5922

Steps to Reproduce: - Run a security scan using security scanning tool.

Where can I find if thes vulnerabilities are fixed in Crystal Reports SP31 or not? Please guide me to the release notes of Crystal Reports SP31 that shows the vulnerabilities and issues fixed. Or else provide the Service Pack / Version Number where it is fixed.

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
former_member763929
Participant
‎2021 Nov 24 11:19 AM
0 Kudos

Thank you for visiting SAP Community to get answers to your questions. Since this is your first question, I recommend that you familiarize yourself with Community Q&A , as the overview provides tips for preparing questions that draw responses from our members.

Should you wish, you can revise your question by selecting Actions, then Edit.

By adding a picture to your Profile you encourage readers to respond.

Accepted Solutions (1)

Accepted Solutions (1)

former_member11696
Employee
Employee
‎2021 Nov 24 3:22 PM
0 Kudos

You can't, not for this product, we don't publish CVE's that have been fixed publically, requires a Support Contract to access the SAP Notes referring to the update.

I only found a few of them fixed in older versions of BOE, CRR for VS is build off the same so if it's been fixed in BOE it's been rolled into CR for VS.

The majority of the CVE's that are reported do not affect CR products.

If you can show SAP in an application that those CVE's affect your application we can look at them and resolve them. The do need to be a high level though.

For CVE-2020-14153, don't use JPegs in your reports.

For CVE-2021-23840 - not applicable since CR for VS doesn't use SSL.

For CVE-2018-1285 - CR for VS doesn't use Log4Net, it's an Apache issue, CR for VS uses IIS so not an issue.

For CVE-2017-12627 - Not an issue, same as above. Your app won't be using the references.

For CVE-2015-5922 - not an issue, it's an Apple OS X issue.

So for all it's not an issue since your .NET app won't be using or accessing any of the reported resources.

Typically called false/positives...

Show replies
Show replies

Answers (0)

Ask a Question