Business Objects Security Bulletin

Vulnerability in Crystal Reports Web Viewers could allow Information Disclosure and Denial of Service

Issued: June 8, 2004
Version: 1.0

Summary

Who Should Read This Document: Customers who are using Crystal Reports 9 or 10 to view reports with the web viewers and customers who are using Crystal Enterprise 9 or 10.

Impact: Information Disclosure and Denial of Service

Recommendation: Customers should consider applying the security patch.

Tested Software and Security Update Download Locations:

Software Affected:

• Crystal Enterprise 8.5 Java SDK - Download the update (Windows, Solaris, AIX)
• Crystal Enterprise RAS 8.5 for UNIX - Download the update (Solaris)
• Crystal Reports 9 - Download the update (Windows)
• Crystal Enterprise 9 - Download the update (Windows)
• Crystal Reports 10 - Download the update (Windows)
• Crystal Enterprise 10 - Download the update (Windows, Solaris, AIX)
• Visual Studio.Net 2003 - Read the Microsoft Security Bulletin - Download the update
• Microsoft Business Solutions CRM 1.2 - Read the Microsoft Security Bulletin - Download the update
• Borland J Builder - Download the update (Windows, Solaris, Linux)
• BEA WebLogic 8.1 - Download the update (Windows, Unix, Linux)
• Crystal Reports for Borland C# Builder - Download the update (Windows)

Software Not Affected:

• All other supported versions of Crystal Reports or Crystal Enterprise

Known Exploits: None at time this bulletin was last updated

Platforms:

• This vulnerability exists in the JSP, ASP, ASP.NET and CSP versions of the Crystal Reports web viewers and is not specific to any operating system.

General Description

This security update resolves a security vulnerability found with the Business Objects Crystal Report web viewers. Technical information relating to the nature of the vulnerability and steps to mitigate the threat are provided in this document.

An attacker could potentially exploit this vulnerability to gain access to and possibly delete arbitrary files on a system.

Business Objects recommends the security update is installed however a customer may wish to take other steps to ensure their systems are less vulnerable to a possible exploit.

Technical Details

Information Disclosure and Denial of Service

An attacker can exploit a vulnerability in the Business Objects Crystal Reports web viewers to specify a file to be accessed (Information Disclosure) and potentially deleted (Denial of Service).

Mitigating Factors

• Proper use and configuration of firewalls will prevent access to any vulnerable system from attacks originating outside of the internal network.
• The attacker must have knowledge of exactly where the file exists in order to be able to specify access to this file.
• The denial of service attack would only be successful if the security context of the account the web viewer is running under has file access permissions to delete the file specified by the attacker.

Security Update Information

The security updates can be downloaded at the customer support site. The security update will also be provided as part of the Business Objects Hot Fixes. Please visit the critical update page for more information on how to download and install security updates.

Workarounds

For more information on how to secure your system without applying the security update please review the best practices guide (PDF - 55KB).

Technical Support

Please contact your regional technical support center if you have any questions regarding the nature of the vulnerability or have any difficulties with the security update.

For more information on contacting Business Objects Technical Support please visit the customer support site.

Acknowledgments

Business Objects thanks the following for working with us to help protect customers:

• Imperva Application Defense Center for reporting the issue

Software Available on this Web Site

Any software and documentation ("the Software") that is made available to download from this web site is the copyrighted work of Business Objects SA and/or its suppliers, and is for demonstration purposes only. It may not be resold or used for any commercial purposes. Unauthorized use may subject you and your company to severe civil and criminal penalties.
THE SOFTWARE IS PROVIDED " AS IS ", WITHOUT WARRANTY OF ANY KIND. BUSINESS OBJECTS SA HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THE SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON INFRINGEMENT. IN NO EVENT SHALL BUSINESS OBJECTS SA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFIT ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THE SOFTWARE.

Restricted Rights Legend

Any software which is downloaded from this web site for or on behalf of the United States of America, its agencies and/or instrumentalities ("U.S. Government"), is provided with Restricted Rights. Use, duplication, or disclosure by the US Government is subject to restrictions as set forth in subparagraph (c)(1) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software-Restricted Rights at 48 CFR 52.227-19, as applicable. Manufacturer is Business Objects SA, 157-159, rue Anatole France, 92309 Levallois-Perret, France.

Documents, Software, and Services Available on this Web Site

BUSINESS OBJECTS SA AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEB SITE FOR ANY PURPOSE. ALL SUCH DOCUMENTS AND RELATED GRAPHICS ARE PROVIDED " AS IS ", WITHOUT WARRANTY OF ANY KIND. BUSINESS OBJECTS SA AND/OR ITS SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS OF WITH REGARD TO THIS INFORMATION, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON INFRINGEMENT. IN NO EVENT SHALL BUSINESS OBJECTS SA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFIT ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE ON THIS WEB SITE.
The documents and related graphics published on this web site could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Business Objects SA and/or its suppliers may make improvements and/or changes in the products and/or the programs described herein at any time.
Permission to use the documents contained herein, such as press releases, data sheets, white papers, is granted provided that (i) the below copyright notice appears on any and all copies, (ii) that use of such documents is for informational and non commercial or personal purposes only, and no changes to any such document are made. You are not allowed to use or copy the design or layout of this Business Objects SA web site, logos, graphics, sounds or images, except as expressly authorized by Business Objects SA.

Revisions

• Version 1.0; June 8, 2004; Published