ReportServer 3.3.0

The 3.3.0 version is now available for all users.

Some Important Features and Noteworthy Improvements for ReportServer RS3.3.0

Library Deletions and Upgrades

The following important libraries are upgraded in ReportServer 3.3.0:

  • Sencha GXT: upgraded to 4.0.2
  • GWT: upgraded to 2.8.2

These libraries basically determine the ReportServer’s client-side look-and-feel (among other functionalities).

Numerous other libraries were upgraded and some unnecessary libraries were deleted. Refer to the release notes for details.

Email Notifications

Users can now be notified by email when their password is created for the first time or when their password is changed (by an administrator). Note that the mail server must be correctly configured for this. For this purpose, the following new configuration file is available: /etc/security/notifications.cf. This configuration file lets you configure the texts sent by email and also lets you disable this functionality, if desired.

Note that from RS 3.3.0 the old lostpassword.cf configuration file is no longer available. This configuration is now done in the new notifications.cf file. Please rename your old lostpassword.cf to notifications.cf after performing an upgrade.

<createdpassword disabled="false">
	<email>
		<subject>Email Subject</subject>
		<text>Email Text
			Username: ${user.getUsername()}
		</text>
	</email>
</createdpassword>
<changedpassword disabled="false">
	<email>
		<subject>Email Subject</subject>
		<text>Email Text
			Username: ${user.getUsername()}
		</text>
	</email>
</changedpassword>

The complete default notifications.cf file is the following:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <createdpassword disabled="false">
    <email>
      <subject>${msgs['net.datenwerke.security.ext.server.locale.DwSecurityMessages']['createdPasswordSubject']}</subject>
      <text>${msgs['net.datenwerke.security.ext.server.locale.DwSecurityMessages']['createdPasswordSalutation']} ${user.getFirstname()} ${user.getLastname()},

${msgs['net.datenwerke.security.ext.server.locale.DwSecurityMessages']['createdPasswordIntro']}

${user.getUsername()}

${msgs['net.datenwerke.security.ext.server.locale.DwSecurityMessages']['createdPasswordEnd']}

      </text>
    </email>
  </createdpassword>
  <changedpassword disabled="false">
    <email>
      <subject>${msgs['net.datenwerke.security.ext.server.locale.DwSecurityMessages']['changedPasswordSubject']}</subject>
      <text>${msgs['net.datenwerke.security.ext.server.locale.DwSecurityMessages']['changedPasswordSalutation']} ${user.getFirstname()} ${user.getLastname()},

${msgs['net.datenwerke.security.ext.server.locale.DwSecurityMessages']['changedPasswordIntro']}

${user.getUsername()}

${msgs['net.datenwerke.security.ext.server.locale.DwSecurityMessages']['changedPasswordEnd']}
      </text>
    </email>
  </changedpassword>
  <lostpassword indicateWrongUsername="false">
    <email>
      <subject>${msgs['net.datenwerke.rs.passwordpolicy.service.locale.PasswordPolicyMessages']['lostPasswordSubject']}</subject>
      <text>${msgs['net.datenwerke.rs.passwordpolicy.service.locale.PasswordPolicyMessages']['lostPasswordSalutation']} ${user.getFirstname()} ${user.getLastname()},

${msgs['net.datenwerke.rs.passwordpolicy.service.locale.PasswordPolicyMessages']['lostPasswordIntro']}

        ${msgs['net.datenwerke.rs.passwordpolicy.service.locale.PasswordPolicyMessages']['lostPasswordUsername']}: ${user.getUsername()}
        ${msgs['net.datenwerke.rs.passwordpolicy.service.locale.PasswordPolicyMessages']['lostPasswordPassword']}: ${password}

 ${msgs['net.datenwerke.rs.passwordpolicy.service.locale.PasswordPolicyMessages']['lostPasswordEnd']}
      </text>
    </email>
  </lostpassword>
</configuration>
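A check you can run against a notifications.cf file is sketched below. It is an added example, not part of ReportServer. It reports which of the three sections shown above are present, their raw `disabled` and `indicateWrongUsername` attributes, and whether a template places `${password}` in the mail body. The function names and the shortened sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Section names as they appear in the default notifications.cf on this page.
SECTIONS = ("createdpassword", "changedpassword", "lostpassword")

def audit_notifications(cf_text):
    """Summarise each notification section of a notifications.cf document."""
    root = ET.fromstring(cf_text)
    report = {}
    for name in SECTIONS:
        node = root.find(name)
        if node is None:
            report[name] = None  # section absent from the file
            continue
        body = node.findtext("email/text", default="")
        report[name] = {
            "disabled": node.get("disabled"),  # raw value, None if not set
            "indicateWrongUsername": node.get("indicateWrongUsername"),
            "mails_password": "${password}" in body,
        }
    return report

def findings(report):
    """Turn the report into review items for an administrator."""
    out = []
    for name, info in report.items():
        if info is None:
            out.append(f"{name}: section missing")
        elif info["mails_password"] and info["disabled"] != "true":
            out.append(f"{name}: template places ${{password}} in the mail body")
    return out

# Constructed sample: a shortened file with one section left out on purpose.
SAMPLE_CF = """<configuration>
  <createdpassword disabled="true">
    <email><subject>Account created</subject>
      <text>Username: ${user.getUsername()}</text></email>
  </createdpassword>
  <lostpassword indicateWrongUsername="false">
    <email><subject>Lost password</subject>
      <text>Username: ${user.getUsername()}
Password: ${password}</text></email>
  </lostpassword>
</configuration>"""

if __name__ == "__main__":
    for line in findings(audit_notifications(SAMPLE_CF)):
        print(line)
```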

Currency Locales

The currency locales can now be configured in the following section of the /etc/main/localization.cf file:

<currencies>
       <currency language="de" region="DE">currencyEuro</currency>
       <currency language="en" region="US">currencyDollar</currency>
       <currency language="en" region="GB">currencyPound</currency>
       <currency language="ar" region="AE">AED</currency>
       <currency language="ps" region="AF">AFN</currency>
       ...
</currencies>

In the example above, the Euro currency is localized to the de_DE locale. If you need to change this, e.g. to fr_FR, you may change this to:

<currencies>
       <currency language="fr" region="FR">currencyEuro</currency>
       <currency language="en" region="US">currencyDollar</currency>
       <currency language="en" region="GB">currencyPound</currency>
       <currency language="ar" region="AE">AED</currency>
       <currency language="ps" region="AF">AFN</currency>
       ...
</currencies>

As currency is locale-specific, the format may change depending on the locale configured here.
For example, 123456.79 dollars will be printed as follows in the default locale:

US$123,456.79

In en_US locale, the same will be printed as:

$123,456.79

Note that you have to restart ReportServer if you change your currency locale configuration.

More details on currency locales may be found here: http://www.gwtproject.org/javadoc/latest/com/google/gwt/i18n/client/NumberFormat.html. The complete default localization.cf file is the following:


<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <localization>
     <default>en</default>
     <!-- <locales>en,fr,de</locales> -->
     <format>
     <!--
         <shortDatePattern></shortDatePattern>
	     <longDatePattern></longDatePattern>
	     <shortTimePattern></shortTimePattern>
	     <longTimePattern></longTimePattern>
	     <shortDateTimePattern></shortDateTimePattern>
	     <longDateTimePattern></longDateTimePattern>
	     <numberPattern></numberPattern>
	     <currencyPattern></currencyPattern>
	     <integerPattern></integerPattern>
	     <percentPattern></percentPattern>
	  -->
     </format>
     <currencies>
       <currency language="de" region="DE">currencyEuro</currency>
       <currency language="en" region="US">currencyDollar</currency>
       <currency language="en" region="GB">currencyPound</currency>
       <currency language="ar" region="AE">AED</currency>
       <currency language="ps" region="AF">AFN</currency>
       <currency language="sq" region="AL">ALL</currency>
       <currency language="hy" region="AM">AMD</currency>
       <currency language="pap" region="CW">ANG</currency>
       <currency language="pt" region="AO">AOA</currency>
       <currency language="es" region="AR">ARS</currency>
       <currency language="en" region="AU">AUD</currency>
       <currency language="nl" region="AW">AWG</currency>
       <currency language="az" region="AZ">AZN</currency>
       <currency language="bs" region="BA">BAM</currency>
       <currency language="en" region="BB">BBD</currency>
       <currency language="bn" region="BD">BDT</currency>
       <currency language="bg" region="BG">BGN</currency>
       <currency language="ar" region="BH">BHD</currency>
       <currency language="en" region="BI">BIF</currency>
       <currency language="en" region="BM">BMD</currency>
       <currency language="ms" region="BN">BND</currency>
       <currency language="es" region="BO">BOB</currency>
       <currency language="pt" region="BR">BRL</currency>
       <currency language="en" region="BS">BSD</currency>
       <currency language="dz" region="BT">BTN</currency>
       <currency language="en" region="BW">BWP</currency>
       <currency language="be" region="BY">BYR</currency>
       <currency language="en" region="BZ">BZD</currency>
       <currency language="en" region="CA">CAD</currency>
       <currency language="ln" region="CD">CDF</currency>
       <currency language="de" region="CH">CHF</currency>
       <currency language="es" region="CL">CLP</currency>
       <currency language="zh" region="CN">CNY</currency>
       <currency language="es" region="CO">COP</currency>
       <currency language="es" region="CR">CRC</currency>
       <currency language="es" region="CU">CUC</currency>
       <currency language="es" region="CU">CUP</currency>
       <currency language="pt" region="CV">CVE</currency>
       <currency language="cs" region="CZ">CZK</currency>
       <currency language="aa" region="DJ">DJF</currency>
       <currency language="da" region="DK">DKK</currency>
       <currency language="es" region="DO">DOP</currency>
       <currency language="ar" region="DZ">DZD</currency>
       <currency language="ar" region="EG">EGP</currency>
       <currency language="ti" region="ER">ERN</currency>
       <currency language="ti" region="ET">ETB</currency>
       <currency language="de" region="DE">EUR</currency>
       <currency language="hif" region="FJ">FJD</currency>
       <currency language="en" region="FK">FKP</currency>
       <currency language="en" region="GB">GBP</currency>
       <currency language="ka" region="GE">GEL</currency>
       <currency language="en" region="GG">GGP</currency>
       <currency language="ak" region="GH">GHS</currency>
       <currency language="en" region="GI">GIP</currency>
       <currency language="en" region="GM">GMD</currency>
       <currency language="fr" region="GN">GNF</currency>
       <currency language="es" region="GT">GTQ</currency>
       <currency language="en" region="GY">GYD</currency>
       <currency language="en" region="HK">HKD</currency>
       <currency language="es" region="HN">HNL</currency>
       <currency language="hr" region="HR">HRK</currency>
       <currency language="ht" region="HT">HTG</currency>
       <currency language="hu" region="HU">HUF</currency>
       <currency language="id" region="ID">IDR</currency>
       <currency language="he" region="IL">ILS</currency>
       <currency language="en" region="IM">IMP</currency>
       <currency language="hi" region="IN">INR</currency>
       <currency language="ar" region="IQ">IQD</currency>
       <currency language="fa" region="IR">IRR</currency>
       <currency language="is" region="IS">ISK</currency>
       <currency language="en" region="JE">JEP</currency>
       <currency language="en" region="JM">JMD</currency>
       <currency language="ar" region="JO">JOD</currency>
       <currency language="ja" region="JP">JPY</currency>
       <currency language="om" region="KE">KES</currency>
       <currency language="ky" region="KG">KGS</currency>
       <currency language="km" region="KH">KHR</currency>
       <currency language="fr" region="KM">KMF</currency>
       <currency language="ko" region="KP">KPW</currency>
       <currency language="ko" region="KR">KRW</currency>
       <currency language="ar" region="KW">KWD</currency>
       <currency language="en" region="KY">KYD</currency>
       <currency language="kk" region="KZ">KZT</currency>
       <currency language="lo" region="LA">LAK</currency>
       <currency language="ar" region="LB">LBP</currency>
       <currency language="si" region="LK">LKR</currency>
       <currency language="en" region="LR">LRD</currency>
       <currency language="en" region="LS">LSL</currency>
       <currency language="ar" region="LY">LYD</currency>
       <currency language="ar" region="MA">MAD</currency>
       <currency language="ru" region="MD">MDL</currency>
       <currency language="mg" region="MG">MGA</currency>
       <currency language="mk" region="MK">MKD</currency>
       <currency language="my" region="MM">MMK</currency>
       <currency language="mn" region="MN">MNT</currency>
       <currency language="en" region="MO">MOP</currency>
       <currency language="ar" region="MR">MRU</currency>
       <currency language="mfe" region="MU">MUR</currency>
       <currency language="dv" region="MV">MVR</currency>
       <currency language="en" region="MW">MWK</currency>
       <currency language="es" region="MX">MXN</currency>
       <currency language="ms" region="MY">MYR</currency>
       <currency language="pt" region="MZ">MZN</currency>
       <currency language="en" region="NA">NAD</currency>
       <currency language="en" region="NG">NGN</currency>
       <currency language="es" region="NI">NIO</currency>
       <currency language="nn" region="NO">NOK</currency>
       <currency language="ne" region="NP">NPR</currency>
       <currency language="en" region="NZ">NZD</currency>
       <currency language="ar" region="OM">OMR</currency>
       <currency language="es" region="PA">PAB</currency>
       <currency language="es" region="PE">PEN</currency>
       <currency language="tpi" region="PG">PGK</currency>
       <currency language="fil" region="PH">PHP</currency>
       <currency language="pa" region="PK">PKR</currency>
       <currency language="pl" region="PL">PLN</currency>
       <currency language="es" region="PY">PYG</currency>
       <currency language="ar" region="QA">QAR</currency>
       <currency language="ro" region="RO">RON</currency>
       <currency language="sr" region="RS">RSD</currency>
       <currency language="ru" region="RU">RUB</currency>
       <currency language="rw" region="RW">RWF</currency>
       <currency language="ar" region="SA">SAR</currency>
       <currency language="en" region="SB">SBD</currency>
       <currency language="en" region="SC">SCR</currency>
       <currency language="ar" region="SD">SDG</currency>
       <currency language="sv" region="SE">SEK</currency>
       <currency language="en" region="SG">SGD</currency>
       <currency language="en" region="SH">SHP</currency>
       <currency language="en" region="SL">SLL</currency>
       <currency language="so" region="SO">SOS</currency>
       <currency language="nl" region="SR">SRD</currency>
       <currency language="en" region="SS">SSP</currency>
       <currency language="pt" region="ST">STN</currency>
       <currency language="es" region="SV">SVC</currency>
       <currency language="ar" region="SY">SYP</currency>
       <currency language="en" region="SZ">SZL</currency>
       <currency language="th" region="TH">THB</currency>
       <currency language="tg" region="TJ">TJS</currency>
       <currency language="tk" region="TM">TMT</currency>
       <currency language="ar" region="TN">TND</currency>
       <currency language="to" region="TO">TOP</currency>
       <currency language="tr" region="TR">TRY</currency>
       <currency language="en" region="TT">TTD</currency>
       <currency language="en" region="TV">TVD</currency>
       <currency language="zh" region="TW">TWD</currency>
       <currency language="sw" region="TZ">TZS</currency>
       <currency language="uk" region="UA">UAH</currency>
       <currency language="lg" region="UG">UGX</currency>
       <currency language="en" region="US">USD</currency>
       <currency language="es" region="UY">UYU</currency>
       <currency language="uz" region="UZ">UZS</currency>
       <currency language="es" region="VE">VEF</currency>
       <currency language="vi" region="VN">VND</currency>
       <currency language="bi" region="VU">VUV</currency>
       <currency language="sm" region="WS">WST</currency>
       <currency language="fr" region="CM">XAF</currency>
       <currency language="en" region="LC">XCD</currency>
       <currency language="fr" region="BJ">XOF</currency>
       <currency language="fr" region="PF">XPF</currency>
       <currency language="ar" region="YE">YER</currency>
       <currency language="en" region="ZA">ZAR</currency>
       <currency language="en" region="ZM">ZMW</currency>
       <currency language="en" region="ZW">ZWL</currency>
     </currencies>
  </localization>
</configuration>

For a list of all changes please refer to the release notes. The upgrade guide is available in the documentation area.
Happy reporting!

Apache JServ Protocol (AJP) Security Update

On February 29th, a vulnerability affecting Apache Tomcat was publicly disclosed:

This CVE describes an issue in AJP (Apache JServ Protocol) that can be exploited to either read or write files to a Tomcat server. Tomcat uses AJP to exchange data with nearby Apache HTTPD web servers or other Tomcat instances. This connector is enabled by default on all Tomcat servers and listens on the server’s port 8009, bound to the 0.0.0.0 IP address.

In addition, the application’s configuration files could be read, and passwords or API tokens could be stolen, creating backdoors or web shells. This attack is exploitable over the network with low attack complexity, without requiring privileges and without the need for user interaction.

More information about this issue and the exact changes can be found at the official Apache Tomcat site.

Affected Platforms

Check the Apache Tomcat version that you are currently using. The following versions are vulnerable and allow malicious users to exploit the issue:

  • 7.0.0 to 7.0.99
  • 8.5.0 to 8.5.50
  • 9.0.0.M1 to 9.0.30

How To Patch It

Update Apache Tomcat version to 7.0.100, 8.5.51 or 9.0.31.

We also recommend not exposing the AJP port externally to avoid being affected by this issue.
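The two checks above can be scripted as follows. This is an added example, not code from ReportServer or Apache Tomcat. It tests a version string against the affected ranges listed on this page and lists AJP connectors in a server.xml that have no `address` attribute or a wildcard one. The function names and the sample server.xml are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as listed on this page (bounds inclusive).
AFFECTED = [("7.0.0", "7.0.99"), ("8.5.0", "8.5.50"), ("9.0.0.M1", "9.0.30")]
WILDCARDS = {"0.0.0.0", "::", "0:0:0:0:0:0:0:0"}

def version_key(version):
    """Turn '8.5.51' or '9.0.0.M1' into a sortable tuple.
    A milestone build (.Mn) sorts before the final release of that number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    rank = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + rank

def is_affected(version):
    """True if the version falls in a range listed on this page.
    False only means 'not listed here', e.g. for other release lines."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED)

def exposed_ajp_connectors(server_xml):
    """Return (port, address) for each AJP connector that is not bound to a
    specific address. Commented-out connectors are ignored by the parser."""
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope for this check
        address = conn.get("address")
        # Per this page, the affected versions bind to 0.0.0.0 by default.
        if address is None or address in WILDCARDS:
            found.append((conn.get("port"), address or "(default)"))
    return found

# Constructed sample, not taken from a real installation.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- <Connector port="8011" protocol="AJP/1.3"/> -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for v in ("8.5.50", "9.0.0.M27", "9.0.31"):
        print(v, "affected" if is_affected(v) else "not in the listed ranges")
    for port, address in exposed_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port} listens on {address}")
```

A connector reported here still needs a firewall or bind-address review; the script only reads the configuration and does not probe the port.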

Bitnami Packages

The Bitnami solutions for both the ReportServer Enterprise and Community editions were updated to include the latest version of Tomcat. New cloud images were also submitted to the different cloud providers to secure new users’ deployments in the cloud.

More information can be found here: https://docs.bitnami.com/general/security/security-2020-02-29/

Switching your ReportServer archive tables off

ReportServer uses Hibernate Envers (https://hibernate.org/orm/envers/) as an archiving / versioning solution for entity classes. This might result in unexpected and unwanted growth in the size of the ReportServer repository database.

A new revision is created on every single entity change, so the archive tables grow with each entity modification. Thus, these tables get larger and larger, making your DB occupy a large amount of space after some time. If you don’t need the archive tables, you can easily turn this behaviour off.

For each table in the ReportServer repository there is a shadow table which has the same name as the original table plus the suffix _A. All entity versions can be found in these tables. The “_A” suffix stands for “archive” or “audit”. So, for example, your users’ revisions are found in the RS_USER_A archive table, since the respective current entity versions are located in the RS_USER table.

To stop this behaviour in your ReportServer installation, open your persistence.xml and locate the section containing the string <!-- Envers -->.
Then add the following:

<property name="hibernate.integration.envers.enabled" value="false"/>

The result would be similar to:

<!-- Envers -->
<property name="org.hibernate.envers.audit_table_suffix" value="_A"/>
<property name="org.hibernate.envers.audit_table_prefix" value=""/>
<property name="hibernate.integration.envers.enabled" value="false"/>

After a ReportServer restart, you can make sure that the archive tables are switched off by opening a ReportServer terminal session and typing a rev command for a given entity, as in this example:

[Figure: Making sure the archive tables are switched off]

If you get the message “Service is not yet initialized”, the archive tables are correctly turned off.

Once your archive tables are switched off, you can modify your “_A” tables: you can either leave them as they are or delete the entries.

Attention:
Once the archive tables are switched off, they cannot be switched on again without problems.
Please do not confuse the archive tables with the audit log ReportServer maintains in the RS_AUDIT_* tables. These are not impacted by the operations described above.