
Are there plans to update the Spring framework within Crystal Reports

tbingeman
Explorer
0 Kudos

Are there plans to update the Spring framework within Crystal Reports to mitigate CVE-2022-2296?  The software is continually flagged by scanning systems to be vulnerable to this CVE especially if Java 9+ is installed on the system that CR 2020 is installed on.

DonWilliams
Active Contributor

EDIT:

I'll get R&D to look into this, but be aware SAP has its own version of Java, not the one belonging to Oracle.

A quick search finds no KBAs on that CVE.

Crystal Reports itself uses JavaScript and doesn't use the Java engine itself.

In CR Designer click on Help... About and the more info button. You will see it only uses 2 Java processes and not java.exe.

R&D looked at the number and it's related to Chrome browser... not an issue.

Did you mean this one?

CVE-2022-22965

If so that one is on the schedule to be fixed...

And confirm with customer that CVE was flagged in browsing.war?

 

 

tbingeman
Explorer
0 Kudos
CVE-2022-22965 is what was supposed to be in the original question.
DonWilliams
Active Contributor
0 Kudos
Thanks, need you to confirm this also - "And confirm with customer that CVE was flagged in browsing.war?"
tbingeman
Explorer
0 Kudos
Yes, the CVE was flagged in browsing.war.
tbingeman
Explorer
0 Kudos
Can you tell me when the CVE will be fixed?
DonWilliams
Active Contributor
0 Kudos
It's scheduled for end of May, but that can change if there are any ship killers. CR for VS is attached and built along with BOE Server and Crystal Reports Designer, so if any one of those has a delay, so does CR for VS.
tbingeman
Explorer
0 Kudos

Don,

Can you tell me if the following patch has the fix in it?

 

DonWilliams
Active Contributor
0 Kudos
I would suggest downloading it and checking if the fix is in. CVEs are security issues, so info on any CVEs is not available to the public; you require a Support contract to access the gated KBAs. FYI, Crystal Reports itself doesn't use Java; it does use JavaScript to handle Parameters, actually it uses HTML5 for prompting. CR Server/BOE does use it, but it's also a SAP version of Java and not Oracle's.