Berlin, Apr 06, 2020
This advisory announces a security vulnerability in versions 16.0 - 19.2 of i-net Clear Reports Server that we have found and fixed in versions 16.4, 17.1, 18.1, and 19.2. In addition to releasing each of these versions, we also provide patches (in the form of a plugin upgrade) for the vulnerability for versions 17.0 - 19.2. This means you are able to fix the issue for your current installation of i-net Clear Reports without needing to fully update to the latest version of i-net Clear Reports.
Note: this vulnerability only affects i-net Clear Reports servers from versions 16.0 - 19.2.
We rate the severity level of this vulnerability as critical - it is easy to exploit and provides an attacker with the ability to download any file on the server system that the i-net Clear Reports process has access to.
This vulnerability affects any running instance of the i-net Clear Reports server which is accessible by an attacker. It allows an attacker to download any file on the system that the i-net Clear Reports server process has access to, without needing to log in. You can read more about this type of attack (classified as CWE-22) here.
The vulnerability existed in any i-net Clear Reports server from version 16.0 to 19.2. We have fixed this issue for each of the latest of the major versions (16.4, 17.1, 18.1, and 19.2), and are also providing a simple patch for any affected server, versions 17.0 - 19.2. We have registered this vulnerability in the Common Vulnerabilities database as CVE-2020-11431.
If your version of i-net Clear Reports is 17.0 - 19.2, we recommend that you replace your help.zip plugin file to fix this vulnerability. Please see the 'fix' section below for instructions on how to do this.
If your version is 16.0 - 16.4, then you will need to update to the latest release of i-net Clear Reports 16.4. Please see the 'fix' section below for instructions on how to do this.
If you are not in a position to replace this file or update your installation and you judge it necessary, you can apply the following mitigation, which will disable your i-net Clear Reports online Help system and thereby remove the vulnerability:
Please choose one of the options below that best suits your situation.
If you are running i-net Clear Reports 17.0 - 19.2, then a simple replacement of the help.zip plugin file with a patched version will fix this issue immediately.
1. Download the help.zip file which fits your product version. See the table below.
2. Stop the i-net Clear Reports server:
   - Windows: type services.msc, then hit enter. In the Services dialog, find “i-net Clear Reports Server”, right-click, and click on “Stop”.
   - Linux: service clear-reports stop
3. Copy the new help.zip file into your server’s “plugins” directory, replacing the old help.zip file:
   - Windows: C:\Program Files\i-net Clear Reports\plugins
   - macOS: /Applications/i-net Clear Reports.app/Contents/Java/plugins
4. Start the server again:
   - Windows: type services.msc, then hit enter. In the Services dialog, find “i-net Clear Reports”, right-click, and click on “Start”.
   - Linux: service clear-reports start
| i-net Clear Reports Version | Download Link of Fixed help.zip | MD5 Hash |
|---|---|---|
| i-net Clear Reports 17.0-17.1 | https://download.inetsoftware.de/security/clearreports/17/help.zip | |
| i-net Clear Reports 18.0-18.1 | https://download.inetsoftware.de/security/clearreports/18/help.zip | |
| i-net Clear Reports 19.0-19.2 | https://download.inetsoftware.de/security/clearreports/19/help.zip | |
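The Linux patch procedure above as a POSIX shell script, added here as an example and not part of the i-net advisory: it checks the downloaded help.zip against the MD5 value from the table before touching the server, keeps a backup of the old plugin, and wraps the stop, copy and start steps. The plugins directory is passed in because the advisory only gives the Windows and macOS locations; the expected MD5 is whatever the table lists for your version (the placeholder in the comments is not a real hash).

```shell
#!/bin/sh
# Added example (not i-net's own tooling): replace the vulnerable
# help.zip plugin of i-net Clear Reports 17.0 - 19.2 on Linux.
# Assumptions: the fixed help.zip was downloaded from the advisory's
# table, and EXPECTED_MD5 is the value from the table's MD5 column
# (e.g. "<md5-from-advisory-table>", a placeholder, not a real hash).
set -eu

# Wrapper around the advisory's service commands so the steps are
# explicit; a test harness can redefine this function.
clear_reports_service() {
    service clear-reports "$1"
}

# Return 0 if the file's MD5 equals the expected hash, 1 otherwise.
md5_matches() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_help_patch <downloaded help.zip> <expected md5> <plugins dir>
# Refuses to install a download whose hash does not match, stops the
# server, backs up the old plugin, copies the fixed one in, restarts.
install_help_patch() {
    new_zip=$1
    expected_md5=$2
    plugins=$3

    if ! md5_matches "$new_zip" "$expected_md5"; then
        echo "MD5 mismatch for $new_zip; refusing to install" >&2
        return 1
    fi
    if [ ! -d "$plugins" ]; then
        echo "plugins directory $plugins not found" >&2
        return 1
    fi
    clear_reports_service stop
    if [ -f "$plugins/help.zip" ]; then
        cp "$plugins/help.zip" "$plugins/help.zip.vulnerable.bak"
    fi
    cp "$new_zip" "$plugins/help.zip"
    clear_reports_service start
    echo "installed $new_zip into $plugins"
}
```

Run it as `install_help_patch ./help.zip <md5-from-table> /path/to/plugins` as root; on a mismatch nothing is stopped or copied.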
The latest versions of i-net Clear Reports contain this fix as well as any other less critical bug fixes and improvements that we have added since the release of your current version.
For further information, please see the Release Notes section of our website.
To download the latest release of your i-net Clear Reports version, see the links in the following table:
| i-net Clear Reports Version | Platform | Download Link of Latest Release |
|---|---|---|
| i-net Clear Reports 16.4 | Windows (64-bit) | https://download.inetsoftware.de/clear-reports-server-16-latest.msi |
| i-net Clear Reports 16.4 | Linux (Debian / Ubuntu) | https://download.inetsoftware.de/clear-reports-server-16-latest.deb |
| i-net Clear Reports 17.1 | Windows (64-bit) | https://download.inetsoftware.de/clear-reports-server-17-latest.msi |
| i-net Clear Reports 17.1 | Linux (Debian / Ubuntu) | https://download.inetsoftware.de/clear-reports-server-17-latest.deb |
| i-net Clear Reports 18.1 | Windows (64-bit) | https://download.inetsoftware.de/clear-reports-server-18-latest.msi |
| i-net Clear Reports 18.1 | Linux (Debian / Ubuntu) | https://download.inetsoftware.de/clear-reports-server-18-latest.deb |
| i-net Clear Reports 19.2 | Windows (64-bit) | https://download.inetsoftware.de/clear-reports-server-latest.msi |
| i-net Clear Reports 19.2 | Linux (Debian / Ubuntu) | https://download.inetsoftware.de/clear-reports-server-latest.deb |
To protect against such vulnerabilities in the future, our development team has spent much time analyzing why this problem occurred and why it was not caught earlier through tests and code reviews. This has led to multiple changes in our development procedures to raise the bar of our software quality even higher.
We have also added automated tests to our test suite which will automatically check for CWE-22 vulnerabilities throughout our products.
We’d like to give our sincere thanks to the company Secarma for reporting this issue to us in a confidential, professional, and timely manner.
Secarma have let us know that they are planning on a public disclosure of all details of this vulnerability, including the steps to exploit it, around the end of June 2020 - which we fully support. For this reason, it is absolutely vital to fix your systems by this time.
If you have any further questions regarding this vulnerability, you can contact us at firstname.lastname@example.org and we will get back to you as soon as possible.
We apologize for this issue. Your trust is deeply important to us, so rest assured that we will continue to make sure such issues are extremely rare and that if they occur, they will always be immediately dealt with and communicated to you without delay.