Summary
MET/TEAM™ software uses the SAP Crystal Reports for .NET SDK to generate calibration certificates and reports. Security scanners may flag an Apache Commons Text vulnerability (CVE-2022-42889) within the Crystal Reports runtime. SAP has confirmed that this does not pose a security risk in Crystal Reports 2020.
Details
What the scanner detects
Vulnerability scanners identify the presence of Apache Commons Text within the Crystal Reports for .NET SDK and may flag CVE-2022-42889 (Text4Shell). This CVE describes a potential code execution vulnerability in certain string interpolation functions.
Why MET/TEAM is not affected
SAP has explicitly confirmed that Crystal Reports does not use the vulnerable Apache Commons Text classes in a way that processes untrusted inputs. The default configuration renders Crystal Reports safe from direct exploitation.
MET/TEAM software:
- Uses Crystal Reports solely for server-side report rendering
- Does not pass untrusted user input to the vulnerable interpolation functions
- Runs Crystal Reports in a controlled server environment
SAP official guidance
SAP has published official guidance confirming Crystal Reports 2020 is not vulnerable:
- Log4j security vulnerability with SAP Crystal Reports for .NET SDK
- SAP Knowledge Base Article 3260611: Impact of Apache Commons CVE-2022-42889
Recommendations
To address scanner findings:
- Review SAP advisories — Confirm the guidance applies to your Crystal Reports version
- Apply SAP support packs — Keep your Crystal Reports runtime current by checking the SAP Support Portal for cumulative security patches
- Document the exception — Reference SAP's guidance when responding to audit findings
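One way to gather evidence for the exception record, as an added example (not MET/TEAM or SAP code): it lists each Apache Commons Text jar under a directory and reports whether its version falls in Apache's published affected range for CVE-2022-42889 (1.5 through 1.9, fixed in 1.10.0). The directory to scan is supplied by you, and all function names are illustrative assumptions. A result in the affected range only confirms what the scanner saw; the exception itself rests on SAP's guidance about how the library is used.

```python
import io
import re
import zipfile
from pathlib import Path

AFFECTED_MIN, AFFECTED_MAX = (1, 5), (1, 9)   # CVE-2022-42889 range; fixed in 1.10.0
NAME_RE = re.compile(r"commons-text-(\d+(?:\.\d+)+)\.jar$", re.I)


def manifest_version(jar_bytes):
    """Return the Implementation-/Bundle-Version from a jar manifest, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None   # not a readable jar, or no manifest inside
    m = re.search(r"^(?:Implementation|Bundle)-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def classify(version):
    """Map a version string to 'affected-range', 'outside-range' or 'unknown'."""
    m = re.match(r"(\d+)\.(\d+)", version or "")
    if not m:
        return "unknown"
    major_minor = (int(m.group(1)), int(m.group(2)))
    return "affected-range" if AFFECTED_MIN <= major_minor <= AFFECTED_MAX else "outside-range"


def inspect_jar(name, jar_bytes):
    """Prefer the manifest version; fall back to the version in the file name."""
    named = NAME_RE.search(name)
    version = manifest_version(jar_bytes) or (named.group(1) if named else None)
    return {"file": name, "version": version, "status": classify(version)}


def scan(root):
    """Walk an install directory and report every commons-text jar found."""
    jars = (p for p in Path(root).rglob("*.jar") if "commons-text" in p.name.lower())
    return [inspect_jar(str(p), p.read_bytes()) for p in jars]


def make_sample_jar(version):
    """Constructed test input: an in-memory jar holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
    return buf.getvalue()
```

Call `scan()` with the path of the Crystal Reports runtime directory on the server and attach the returned list to the audit response alongside the SAP references.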
Technical reference
MET/TEAM uses the following Crystal Reports assemblies (version 13.0.4000.0):
- CrystalDecisions.CrystalReports.Engine
- CrystalDecisions.ReportAppServer.ClientDoc
- CrystalDecisions.ReportAppServer.DataDefModel
- CrystalDecisions.ReportSource
- CrystalDecisions.Shared
