Birt Report runtime version 4.4.2 uses iText version 2.1.7, and iText 2.1.7 has an XXE vulnerability.

Jeetchaudhari
edited February 11, 2022 in Analytics #1

Currently I am using Birt Report runtime version 4.4.2, and it internally uses iText version 2.1.7.
I have Birt report .rptdesign files as templates and use the Birt Report runtime engine to create/render PDFs, where the data comes from a database and the PDF is rendered in the web browser.
As per the link below, there is an XXE vulnerability in iText version 2.1.7:
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt

To fix this vulnerability I need to use the latest iText 7.x release.
After some research I have found that I can't use the latest iText 7.x release, because Birt Report runtime version 4.4.2 internally uses classes from the old iText version.

I am looking for a new Birt Report runtime jar version.
If the latest Birt Report Runtime version is not available, then I would like to know what the options are to replace my existing create/render PDF functionality, where the data comes from a database.
I am ready to take a licensed version with a paid option.

Comments

  • Please help on this topic; it's an urgent issue.

  • Hi Jeetchaudhari,

    The underlying iText is still 2.1.7 in the latest version of BIRT iHub 16.7. This may not be a vulnerability in the process of PDF conversion in the iHub server application. We have had XXE vulnerabilities addressed in the past and some of them have not applied due to the workflow design. If you open a support ticket, we can investigate further. Do you have an example of the vulnerability exploited in BIRT?

  • Thanks Jeffery.
    When I add the Maven dependency below to my project and generate a PDF using the Birt Runtime, it gives an error for iText jar classes.
    It seems the Birt runtime internally calls iText classes, so it needs the iText jar to work.
    If I add the iText 2.1.7 Maven dependency and run scans, it gives me an XXE vulnerability due to the iText jar;
    this vulnerability is not due to the Birt runtime jar.
    Could you please provide a Birt runtime version which does not require the iText jar dependency?

    <dependency>
        <groupId>org.eclipse.birt.runtime</groupId>
        <artifactId>org.eclipse.birt.runtime</artifactId>
        <version>4.4.2</version>
    </dependency>

    Error :
    Jan 14, 2020 12:13:14 PM org.eclipse.birt.report.engine.api.impl.EngineTask handleFatalExceptions
    SEVERE: Error happened while running the report.
    java.lang.NoClassDefFoundError: com/lowagie/text/DocumentException
    at org.eclipse.birt.report.engine.emitter.pdf.PDFRender.createPageDevice(PDFRender.java:66)
    at org.eclipse.birt.report.engine.layout.emitter.PageDeviceRender.start(PageDeviceRender.java:120)

  • Hi Jeetchaudhari,

    "Could you please provide Birt runtime version which does not required iText jar dependency ?"
    Answer - It does not exist for open source or professional to my knowledge. I also do not know of any developers that have circumvented this class, so I do not have any contacts or locations that I can point you to.

    We perform a number of scans and checks. I was able to dig a bit deeper into our upcoming development and it looks like that particular vulnerability is being discussed at this time, but no changes were made for the latest release, iHub 16.7. As it stands the next release may include mitigation/fix/upgrade in regards to: CVE-2017-9096, which is the item noted in your link.

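Since the stack trace above shows the PDF emitter loading classes under com/lowagie/text/ (the iText 2.x package), a defender's first step is to inventory which jars in a deployment actually ship those classes and at what version. The following script is an added example, not code from the thread or from the BIRT project; it assumes the jar's MANIFEST.MF carries an Implementation-Version header or that the file is named itext-<version>.jar, and otherwise reports the version as unknown. The sample jar it builds is constructed in memory so the scanner can be tried offline.

```python
import io
import re
import zipfile
from pathlib import Path

# Package prefix of the iText 2.x classes that BIRT's PDF emitter loads
# (com/lowagie/text/DocumentException is the class named in the stack trace).
LOWAGIE_PREFIX = "com/lowagie/text/"
VULNERABLE_VERSION = "2.1.7"  # the version the thread and CVE-2017-9096 concern


def inspect_jar(data: bytes, jar_name: str):
    """Return a finding dict if the jar bundles com.lowagie classes, else None."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if not any(n.startswith(LOWAGIE_PREFIX) for n in names):
            return None
        version = None
        if "META-INF/MANIFEST.MF" in names:  # assumption: version is in the manifest
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = m.group(1) if m else None
    if version is None:  # fall back to an itext-<version>.jar style file name
        m = re.search(r"itext-(\d+(?:\.\d+)*)\.jar$", jar_name)
        version = m.group(1) if m else "unknown"
    return {"jar": jar_name, "version": version,
            "status": "vulnerable" if version == VULNERABLE_VERSION else "review"}


def scan_lib_dir(lib_dir) -> list:
    """Inspect every *.jar under lib_dir (e.g. the BIRT runtime's lib folder)."""
    findings = []
    for path in sorted(Path(lib_dir).rglob("*.jar")):
        finding = inspect_jar(path.read_bytes(), path.name)
        if finding:
            findings.append(finding)
    return findings


def build_sample_jar(impl_version=None, with_lowagie=True) -> bytes:
    """Constructed stand-in for a real jar, so the scanner can be tried offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lines = ["Manifest-Version: 1.0"]
        if impl_version:
            lines.append(f"Implementation-Version: {impl_version}")
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        if with_lowagie:  # a single placeholder class entry under the iText package
            zf.writestr(LOWAGIE_PREFIX + "DocumentException.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Run `scan_lib_dir("/path/to/birt-runtime/lib")` against a real deployment; any jar reported as "review" bundles com.lowagie classes whose version could not be read and should be checked by hand.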