Summary

MET/TEAM™ software uses SAP Crystal Reports for .NET SDK to generate calibration certificates and reports. Security scanners may flag an Apache Commons Text vulnerability (CVE-2022-42889) within the Crystal Reports runtime. SAP has confirmed this does not pose a security risk in Crystal Reports 2020.

Details

What the scanner detects

Vulnerability scanners identify the presence of Apache Commons Text within the Crystal Reports for .NET SDK and may flag CVE-2022-42889 (Text4Shell). This CVE describes a potential code execution vulnerability in certain string interpolation functions.
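To reproduce what the scanner matches and record it as evidence, the following added example (not part of the original article or of MET/TEAM or SAP tooling) walks a directory and lists every jar that carries Apache Commons Text, including copies bundled inside another jar. It assumes the archives keep their Maven metadata, that you pass the Crystal Reports runtime directory yourself, and it uses the affected range from the Apache advisory for CVE-2022-42889 (1.5 through 1.9).

```python
import re
import sys
import zipfile
from pathlib import Path

# CVE-2022-42889 affects Apache Commons Text 1.5 through 1.9 (fixed in 1.10.0).
AFFECTED_MIN, FIXED = (1, 5), (1, 10)
POM = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
MARKER = "org/apache/commons/text/StringSubstitutor.class"  # interpolation entry point


def in_affected_range(version):
    """True/False for a parseable version, None when the version is unknown."""
    m = re.match(r"(\d+)\.(\d+)", version or "")
    if not m:
        return None
    return AFFECTED_MIN <= (int(m.group(1)), int(m.group(2))) < FIXED


def inspect_jar(path):
    """Return (version, has_class) if the archive carries Commons Text, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            props = jar.read(POM).decode("utf-8", "replace") if POM in names else ""
    except (zipfile.BadZipFile, OSError):
        return None  # unreadable archive: nothing to report
    # Prefer the Maven metadata inside the jar; fall back to the file name.
    m = (re.search(r"^version=(.+)$", props, re.M)
         or re.match(r"commons-text-(\d[\w.]*)\.jar$", Path(path).name))
    version = m.group(1).strip() if m else None
    has_class = MARKER in names
    return (version, has_class) if (version or has_class) else None


def scan(root):
    """List every jar under root that contains Commons Text, with range status."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        hit = inspect_jar(jar)
        if hit:
            findings.append({"path": str(jar), "version": hit[0],
                             "in_cve_range": in_affected_range(hit[0]),
                             "has_StringSubstitutor": hit[1]})
    return findings


if __name__ == "__main__":
    # Usage: python find_commons_text.py <Crystal Reports runtime directory>
    for finding in scan(sys.argv[1]):
        print(finding)
```

An `in_cve_range` of `True` only confirms the version match a scanner reports; whether the library is reachable with untrusted input is a separate question.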

Why MET/TEAM is not affected

SAP has explicitly confirmed that Crystal Reports does not use the vulnerable Apache Commons Text classes in a way that processes untrusted inputs. The default configuration renders Crystal Reports safe from direct exploitation.

MET/TEAM software:

  • Uses Crystal Reports solely for server-side report rendering
  • Does not pass untrusted user input to the vulnerable interpolation functions
  • Runs Crystal Reports in a controlled server environment

SAP official guidance

SAP has published official guidance confirming Crystal Reports 2020 is not vulnerable:

Recommendations

To address scanner findings:

  1. Review SAP advisories — Confirm the guidance applies to your Crystal Reports version
  2. Apply SAP support packs — Keep your Crystal Reports runtime current by checking the SAP Support Portal for cumulative security patches
  3. Document the exception — Reference SAP's guidance when responding to audit findings

Technical reference

MET/TEAM uses the following Crystal Reports assemblies (version 13.0.4000.0):

  • CrystalDecisions.CrystalReports.Engine
  • CrystalDecisions.ReportAppServer.ClientDoc
  • CrystalDecisions.ReportAppServer.DataDefModel
  • CrystalDecisions.ReportSource
  • CrystalDecisions.Shared