Overview
Version
| Product | Version | Security Vulnerability Statement |
|---|---|---|
| FineBI | 6.x | Announcement of vulnerabilities in products of historical versions and solutions: Security Vulnerability Statement |
| FineReport | 11.x | Announcement of vulnerabilities in products of historical versions and solutions: Security Vulnerability Statement |
| FineDataLink | 4.2.x | Announcement of vulnerabilities in products of historical versions and solutions: Security Vulnerability Statement |
Application Scenario
To enhance product security, this document lists the security settings that should be enabled in production environments. Follow this guide to reinforce the project security.
You are advised to use the Security Inspection plugin to identify security vulnerabilities and address them following the instructions below.
Note: 1. If you are unable to complete the product upgrade and security hardening, at least follow the document to restrict access to the project by IP address. For details, see Restricting Projects from Being Accessed by IP Address.
2. After the security configurations described in this document are applied, certain functions may be affected. These settings are primarily intended for customers with higher security requirements.
Product Upgrade
Upgrade Instructions by Version
| Product | Version | Upgrade Instruction |
|---|---|---|
| FineReport | 11.x | Upgrade the product to V11.5.4 (released on October 20, 2025) or a later version. (Ensure the JAR file date meets the requirement.) |
| FineReport | 10.x, 9.x, and 8.x | Minor version maintenance is no longer provided. Perform an upgrade across major versions to V11.5.4.1 (released on October 20, 2025) or a later version. |
| FineBI | 7.0.x | Upgrade the product to V7.0.5 (released on November 7, 2025) or a later version. These versions are compatible with FineReport V11.5.4 (released on October 20, 2025). |
| FineBI | 6.1.x | Upgrade the product to V6.1.8 (released on October 21, 2025) or a later version. These versions are compatible with FineReport V11.5.4 (released on October 20, 2025). |
| FineBI | 6.0.x | Upgrade the product to V6.0.24 (released on October 20, 2025) or a later version. These versions are compatible with FineReport V11.5.4 (released on October 20, 2025). |
| FineBI | 5.x and 4.x | Minor version maintenance is no longer provided. Perform an upgrade across major versions to V6.0.24 (released on October 20, 2025) or a later version. |
| FineDataLink | 5.x | Upgrade the product to V5.0.4.3 (released on October 23, 2025) or a later version. |
| FineDataLink | 4.2.x | Upgrade the product to V4.2.11.3 (released on October 23, 2025) or a later version. |
| FineDataLink | 4.1.x and 4.0.x | Minor version maintenance is no longer provided. Perform an upgrade across major versions to V4.2.11.3 (released on October 23, 2025) or a later version. |
FineReport V11.x Upgrade Procedure
Purpose: For projects currently of high-risk versions (V11.5.4 and earlier versions, released on or before September 29, 2025), upgrade them to the latest secure version.
Procedure: Replace the project JAR files, delete the Netty JAR file, clear the impl folder, and restart the application.
Scope: The upgrade steps in this section apply only to projects that are not deployed via the O&M platform. For projects deployed via the O&M platform, contact FanRuan technical support for upgrade assistance.
Upgrade Steps: This section briefly describes the upgrade steps for server projects. For a more detailed guide, see Guide to Update Project Minor Versions.
| Step | Task | Description |
|---|---|---|
| 1 | Checking the project status | For projects integrating FineReport and FineBI, upgrading FineBI according to the instructions below will suffice, as it also upgrades the FineReport JAR files. In this case, a separate FineReport upgrade is not required. |
| 2 | Obtaining the JAR file | Download and extract the files (FineReport V11.5.4, released on October 20, 2025). |
| 3 | Upgrading the server project | 1. Back up the project. 2. Stop the standalone project node or each project node in the cluster following the instructions in Closing or Restarting the FineReport Project. 3. Delete netty-all-xxx.Final.jar from Project installation directory/webapps/webroot/WEB-INF/lib. (Skip this step if the file does not exist. For clusters, delete the file from each project node individually.) 4. Delete sqlite-jdbc-xxx.jar from Project installation directory/webapps/webroot/WEB-INF/lib. (After deletion, SQLite data connections will be unavailable. Skip this step if the file does not exist. For clusters, delete the file from each project node individually.) 5. Delete all files from the impl folder under Project installation directory/webapps/webroot/WEB-INF/classes/com/fr/data. (Skip this step if the folder does not exist. For clusters, delete the files from each project node individually.) 6. Replace the files in the lib folder under /webapps/webroot/WEB-INF with all files (except the designer folder) extracted in step 2. (For clusters, replace files for each project node.) 7. Restart the standalone project node or each project node in the cluster following the instructions in Closing or Restarting the FineReport Project to complete the upgrade. |
| 4 | Upgrading the designer | As the designer of earlier versions cannot connect to the remote server project of later versions, you need to upgrade the local designer to the latest version. 1. Stop the designer. 2. Delete netty-all-*.Final.jar from FineReport installation directory/webapps/webroot/WEB-INF/lib. (Skip this step if the file does not exist.) 3. Delete sqlite-jdbc-xxx.jar from FineReport installation directory/webapps/webroot/WEB-INF/lib. (After deletion, SQLite data connections will be unavailable. Skip this step if the file does not exist.) 4. Delete all files from the impl folder under FineReport installation directory/webapps/webroot/WEB-INF/classes/com/fr/data. (Skip this step if the folder does not exist.) 5. Replace the files in the lib folder under /webapps/webroot/WEB-INF with all files (except the designer folder) extracted in step 2. 6. Replace the files in FineReport installation directory/lib with the files in the designer folder extracted in step 2. 7. Restart the designer to complete the upgrade. |
FineBI V7.0.x/6.1.x Upgrade Procedure
Purpose: For projects currently of high-risk versions (V7.0.4 and earlier versions, released on or before September 12, 2025, and V6.1.7.4 and earlier versions, released on September 29, 2025), upgrade them to the latest secure version.
Procedure: FineBI V7.0.x/6.1.x can only be deployed via the O&M platform. Contact FanRuan technical support for upgrade assistance. Do not use the JAR files for FineBI V6.0.x provided in this document for replacement.
FineBI V6.0.x Upgrade Procedure
Purpose: For projects currently of high-risk versions (V6.0.23.2 and earlier versions, released on or before September 26, 2025), upgrade them to the latest secure version.
Procedure: Replace the project JAR files, delete the Netty JAR file, clear the impl folder, and restart the application.
Scope: The upgrade steps in this section apply only to projects that are not deployed via the O&M platform. For projects deployed via the O&M platform, contact FanRuan technical support for upgrade assistance.
Note: Before the upgrade, carefully read the upgrade notes to understand the compatibility implications of each version. For details, see Note on Upgrade of FineBI Within 6.0.x (Minor Version).
Upgrade Steps: This section briefly describes the upgrade steps for server projects. For a more detailed guide, see How to Upgrade Non-Containerized FineBI Within 6.0.x (Minor Versions).
| Step | Task | Description |
|---|---|---|
| 1 | Checking the project status | For projects integrating FineReport and FineBI, upgrading FineBI according to the instructions below will suffice, as it also upgrades the FineReport JAR files. In this case, a separate FineReport upgrade is not required. For projects integrating FineBI and FineDataLink, contact customer success personnel to perform a standalone deployment of FineDataLink before the upgrade. After the upgrade, FineBI and FineDataLink can no longer be integrated. |
| 2 | Obtaining the JAR file | Download and extract the files (FineBI V6.0.24 and later versions, released on or after October 20, 2025 and compatible with FineReport V11.5.4 released on October 20, 2025). |
| 3 | Upgrading the project | 1. Back up the project according to the "Backup Method" section of Project Backup and Restoration. 2. Stop the standalone project node or each project node in the cluster following the instructions in Closing or Restarting the FineBI Project. 3. Delete netty-all-xxx.Final.jar from Project installation directory/webapps/webroot/WEB-INF/lib. (Skip this step if the file does not exist. For clusters, delete the file from each project node individually.) 4. Delete fdl-*-4.0.jar from Project installation directory/webapps/webroot/WEB-INF/lib. (Skip this step if the file does not exist. For clusters, delete the file from each project node individually.) 5. Delete sqlite-jdbc-xxx.jar from Project installation directory/webapps/webroot/WEB-INF/lib. (After deletion, SQLite data connections will be unavailable. Skip this step if the file does not exist. For clusters, delete the file from each project node individually.) 6. Delete h2-*.jar from Project installation directory/webapps/webroot/WEB-INF/lib. (After deletion, H2 data connections will be unavailable. Skip this step if the file does not exist. For clusters, delete the file from each project node individually.) 7. Delete all files from the impl folder under Project installation directory/webapps/webroot/WEB-INF/classes/com/fr/data. (Skip this step if the folder does not exist. For clusters, delete the files from each project node individually.) 8. Replace the files in the lib folder under /webapps/webroot/WEB-INF with all the files extracted in step 2. (For clusters, replace files for each project node.) 9. Restart the standalone project node or each project node in the cluster following the instructions in Closing or Restarting the FineBI Project to complete the upgrade. |
FineDataLink V5.x Upgrade Procedure
Purpose: For projects currently of high-risk versions (V5.0.4.2 and earlier versions, released on or before October 16, 2025), upgrade them to the latest secure version.
Upgrade Steps: FineDataLink V5.x is in the co-creation phase. Contact the technical support for upgrade assistance.
FineDataLink V4.2.x Upgrade Procedure
Purpose: For projects currently of high-risk versions (V4.2.11.2 and earlier versions, released on or before October 16, 2025), upgrade them to the latest secure version.
Procedure: Replace the project JAR files, delete the Netty JAR file, clear the impl folder, and restart the application.
Scope: The upgrade steps in this section apply only to projects that are not deployed via the O&M platform. For projects deployed via the O&M platform, contact FanRuan technical support for upgrade assistance.
Upgrade Steps
| Step | Task | Description |
|---|---|---|
| 1 | Obtaining the JAR file | Contact customer success personnel to obtain JAR files. Upgrade the product to V4.2.11.3 (released on October 23, 2025) or a later version. |
| 2 | Upgrading the project | As the upgrade steps vary across minor versions within FineDataLink V4.2.x, refer strictly to Minor Version Upgrades Within V4.2. During the upgrade, pay special attention to the following: 1. Delete netty-all-xxx.Final.jar from Project installation directory/webapps/webroot/WEB-INF/lib. (Skip this step if the file does not exist. For clusters, delete the file from each project node individually.) 2. Delete sqlite-jdbc-xxx.jar from Project installation directory/webapps/webroot/WEB-INF/lib. (After deletion, SQLite data connections will be unavailable. Skip this step if the file does not exist. For clusters, delete the file from each project node individually.) 3. Delete all files from the impl folder under Project installation directory/webapps/webroot/WEB-INF/classes/com/fr/data. (Skip this step if the folder does not exist. For clusters, delete the files from each project node individually.) |
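The FineReport V11.x, FineBI V6.0.x and FineDataLink V4.2.x procedures above all end with the same cleanup: the old netty-all-*.Final.jar and sqlite-jdbc-*.jar are deleted from WEB-INF/lib and the com/fr/data/impl folder is emptied (FineBI V6.0.x additionally removes fdl-*-4.0.jar and h2-*.jar). A node that still carries one of those files after the JAR replacement has not been upgraded as intended, which is easy to miss in a cluster. The following script is an added example, not FanRuan tooling: it walks one project root and lists anything the upgrade should have removed, so it can be run on every node before the restart. The directory layout comes from the steps above; the file names and version numbers used in the demo tree are constructed placeholders.

```python
"""Post-upgrade residue check for a FanRuan project directory (added example)."""
import tempfile
from pathlib import Path

LIB_REL = Path("webapps/webroot/WEB-INF/lib")
IMPL_REL = Path("webapps/webroot/WEB-INF/classes/com/fr/data/impl")

# File patterns named in the upgrade steps above.
COMMON_PATTERNS = ("netty-all-*.Final.jar", "sqlite-jdbc-*.jar")
FINEBI_PATTERNS = COMMON_PATTERNS + ("fdl-*-4.0.jar", "h2-*.jar")


def find_residue(project_root, patterns=COMMON_PATTERNS):
    """Return sorted paths (relative to project_root) that the upgrade should have removed."""
    root = Path(project_root)
    leftovers = []
    lib = root / LIB_REL
    if lib.is_dir():
        for pattern in patterns:
            leftovers.extend(p for p in lib.glob(pattern) if p.is_file())
    impl = root / IMPL_REL
    if impl.is_dir():
        # The procedure requires the impl folder to be empty, not merely present.
        leftovers.extend(impl.iterdir())
    return sorted(p.relative_to(root).as_posix() for p in leftovers)


def build_demo_project(root, clean):
    """Create a constructed directory tree with empty placeholder files.

    Every file name and version number here is made up for the demo;
    none of them is a real FanRuan artifact.
    """
    root = Path(root)
    lib = root / LIB_REL
    impl = root / IMPL_REL
    lib.mkdir(parents=True, exist_ok=True)
    impl.mkdir(parents=True, exist_ok=True)
    (lib / "fine-core-placeholder.jar").touch()  # stands in for the new JAR files
    if not clean:
        (lib / "netty-all-4.1.0.Final.jar").touch()
        (lib / "sqlite-jdbc-3.0.0.jar").touch()
        (lib / "h2-2.1.jar").touch()  # only the FineBI 6.0.x procedure removes this one
        (impl / "StaleClass.class").touch()
    return root


def demo_results():
    """Run the check against a dirty and a clean constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        dirty = build_demo_project(Path(tmp) / "dirty", clean=False)
        clean = build_demo_project(Path(tmp) / "clean", clean=True)
        return (
            find_residue(dirty),                   # FineReport / FineDataLink patterns
            find_residue(dirty, FINEBI_PATTERNS),  # FineBI 6.0.x patterns
            find_residue(clean),
        )


if __name__ == "__main__":
    for label, result in zip(("common", "finebi", "clean"), demo_results()):
        print(label, "->", result or "no residue")
```

Point `find_residue` at the real installation directory (the parent of `webapps`) on each node; pass `FINEBI_PATTERNS` for a FineBI V6.0.x project. An empty result only confirms that the listed files are gone; the JAR file date check from the upgrade table still has to be done separately.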
Upgrade Procedure for Other Older Versions
FanRuan no longer maintains FineReport 10.x, 9.x, and 8.x, FineBI 5.x and 4.x, FineDataLink 4.1.x and 4.0.x, and earlier versions of the three products.
These versions pose significant security risks. Contact FanRuan technical support for a major version upgrade. For details about how to contact technical support, see Technical Support Channel Introduction.
Platform Configuration
Password Strength Limit
Objective: Increase the difficulty of password cracking.
1. Check the user authentication method.
Log in to the decision-making platform as the admin, choose System Management > User Management, and click the icon to enter Global Setting.
If Built-in Authentication is selected, proceed with the following password policy restrictions.
If LDAP Authentication or HTTP Authentication is selected, no password policy settings are required, as password security is ensured by the user's authentication system.

2. Configure the password policy.
Note: Do not configure the password policy settings for projects with custom login pages. The configuration items under System Management > Login are not compatible with those included on custom login pages.
For security reasons, you are advised to use the default login page.
Procedure: Log in to the decision-making platform as the admin, choose System Management > System Setting > Login > Password Policy Setting, and enable the following functions (recommended):
Password Strength Limit (The recommended password length is 8 characters, including digits, uppercase and lowercase letters, and symbols.)
Regular Password Update
Password Change Authentication Method
Forced Initial Password Change
Password Repetition Check

Login Lock Setting
Objective: Prevent brute-force attacks.
Recommendation: Enable Login Lock. It must be enabled, as the simplest and most effective attack method is to gain access to the project through weak password brute-force attacks, and then escalate privileges or use other means to compromise the server.
Note: Do not configure the password policy settings for projects with custom login pages. The configuration items under System Management > Login are not compatible with those included on custom login pages.
For security reasons, you are advised to use the default login page.
Procedure: Log in to the decision-making platform as the admin, choose System Management > System Setting > Login, and enable Login Lock, as shown in the following figure.

Template Authentication
Objective: Prevent unauthorized access to templates.
Recommendation: Enable Template Authentication and apply it to all templates. Select an appropriate authentication method. Authenticate Role Permission is recommended.
Procedure: Log in to the decision-making platform as the admin, choose System Management > Template Authentication, click the icon to enter the global setting, enable Template Authentication, and select an appropriate authentication method.
For details, see Template Authentication.

Plugin Management
Plugin Upgrade
You are advised to update all plugins in your project to the latest versions.
Keep only the plugins that are actually used in the project. Uninstall all unused and disabled plugins.
Ensure that at least the following plugins are upgraded to secure versions. (Skip this step if the corresponding plugin is not installed.)
| Plugin Name | High-Risk Version | Upgrade Suggestion |
|---|---|---|
| | Versions earlier than 2025-03-10 | Upgrade the FineReport JAR files to the latest version as described in the "Product Upgrade" section. Upgrade the plugin to the latest version available in the FanRuan market, or at least to V3.3.0 or a later version. For details about plugin upgrades, see Server Plugin Management. |
| | Versions earlier than 2023-06 | Upgrade the plugin to the latest version available in the FanRuan market. For FineReport V11, upgrade the plugin to V4.6.10 or a later version. For FineReport V10, upgrade the plugin to V4.6.6 or a later version. For details about plugin upgrades, see Server Plugin Management. |
| | Versions earlier than V9.4 | Upgrade the plugin to the latest version available in the FanRuan market. For FineReport V11, upgrade the plugin to V9.5 or a later version. For FineReport V10, upgrade the plugin to V9.4 or a later version. For details about plugin upgrades, see Server Plugin Management. |
Plugin Installation
| Plugin Name | Plugin Introduction | Function |
|---|---|---|
| Firewall Plugin | Plugin Objective: This plugin is primarily used to restrict access from specific IP addresses, preventing deserialization via the channel API. Plugin Installation: For plugin installation and configuration steps, see Restricting Projects from Being Accessed by IP Address. | You can choose from the three configuration schemes as needed: Scheme 1: Prevent any user from connecting to the project through remote design (the channel API). Scheme 2: Prevent IP addresses in the blocklist or not in the allowlist from connecting to the project through remote design (the channel API). (This scheme does not require plugin installation.) Scheme 3: Prevent IP addresses in the blocklist or not in the allowlist from accessing the project through any means, including but not limited to project connections via remote design, template viewing after platform login, and template viewing via SSO. |
| Security Inspection Plugin | Plugin Objective: FanRuan offers a Security Inspection plugin that proactively detects potential security issues, offering insights for version upgrades and security configuration optimization to reduce security risks. Plugin Installation: For plugin installation and configuration steps, see Security Inspection. | 1. You are advised to keep the Security Inspection plugin up to date to ensure comprehensive detection of potential security risks. 2. You are advised to enable the Auto Check function for the system to periodically check for unreasonable configurations. 3. Address any anomalies identified promptly. |
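Schemes 2 and 3 of the Firewall plugin both rest on one rule: a client is rejected if its address is on the blocklist or absent from the allowlist. The following script is an added example, not the plugin's code, that models that rule so a proposed list can be reviewed offline before it is typed into the plugin. The plugin's own matching semantics are not documented on this page, so the following are assumptions: entries are single addresses or CIDR networks, the blocklist takes precedence over the allowlist, and an empty allowlist means the allowlist is simply not enforced. The `overly_broad` helper flags allowlist lines that admit far more than an office or VPN range, which is the usual way such a list quietly stops protecting anything.

```python
"""Allowlist/blocklist decision logic (added example, not the Firewall plugin's code)."""
import ipaddress


def parse_entries(entries):
    """Turn address/CIDR strings into network objects; a bad entry raises ValueError."""
    networks = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        # strict=False accepts host bits in a CIDR entry (10.0.0.5/24 -> 10.0.0.0/24);
        # a bare address becomes a /32 or /128 network.
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_allowed(client_ip, allowlist=(), blocklist=()):
    """True when the client passes both lists; an unparsable client address is denied.

    Assumed semantics: blocklist first, then allowlist; an empty allowlist is
    treated as 'no allowlist restriction'.
    """
    try:
        ip = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    # ipaddress never places an IPv4 address inside an IPv6 network or vice versa.
    if any(ip in net for net in parse_entries(blocklist)):
        return False
    allowed = parse_entries(allowlist)
    if allowed and not any(ip in net for net in allowed):
        return False
    return True


def overly_broad(entries, min_prefix_v4=8, min_prefix_v6=32):
    """Entries whose prefix is shorter than the threshold (default: wider than a /8 or /32)."""
    return [
        str(net)
        for net in parse_entries(entries)
        if net.prefixlen < (min_prefix_v4 if net.version == 4 else min_prefix_v6)
    ]


if __name__ == "__main__":
    # Constructed lists using documentation address ranges.
    allow = ["10.1.0.0/16", "203.0.113.0/24", "2001:db8::/32"]
    block = ["10.1.99.0/24"]
    for ip in ("10.1.2.3", "10.1.99.7", "198.51.100.1", "2001:db8::1", "not-an-ip"):
        print(ip, "->", "allow" if is_allowed(ip, allow, block) else "deny")
    print("overly broad:", overly_broad(["0.0.0.0/0", "10.0.0.0/8"]))
```

Because Scheme 2 only covers the channel API while Scheme 3 covers every access path, the same list review applies to both; what changes is which endpoints the decision is enforced on, not how the decision is made.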
Security Settings for the Configuration Database (Optional)
Plugin Installation
You can obtain the FINE_CONF_ENTITY Visualization Configuration plugin at https://community.finereport.com/plugin/?id=107.
For details about how to install the plugin in the designer, see Designer Plugin Management.
For details about how to install the plugin on the server, see Server Plugin Management.
Parameter Configuration
After the plugin is installed, log in to the decision-making platform as the super admin and choose System Management > System Tool (added automatically), as shown in the following figure.
Note: Since modifications to FineDB are critical and have a significant impact, only the super admin can perform these operations. Sub-admins are not allowed.
The following describes two configuration methods:
Select Parameter Configuration: The drop-down list of System Parameter Name (key) displays configurable parameters in FINE_CONF_ENTITY. You can select a parameter from the list and set the parameter value.
Customize Parameter Configuration: You can enter the name of a configurable parameter in FINE_CONF_ENTITY in System Parameter Name (key), modify the automatically displayed parameter value, and click Save to save the change.
The configurable parameters are the same for the two configuration methods. The following table lists configuration parameters recommended for modification and their values in the FINE_CONF_ENTITY table.
| Parameter Name | Parameter Function | Recommended Parameter Value |
|---|---|---|
| SystemConfig.hideVersion | Objective: It determines whether to hide version information in the system information API. true: The system information API does not return version information. | true |
The following parameters cannot be modified through the FINE_CONF_ENTITY Visualization Configuration plugin. You need to modify the configuration manually or contact the database administrator to modify the configuration.
Add the following configurations to the FINE_CONF_ENTITY table if they do not exist.
For details, see FINE_CONF_ENTITY Table Modification Through Data Entry.
| Parameter Name | Parameter Function | Recommended Parameter Value |
|---|---|---|
| PluginFileValidateConfig.fileValidateOpen | Objective: Introduced on 2021-11-24, it provides plugin integrity verification during plugin installation, preventing malicious tampering with the code in the package of plugins installed from local or manually. true: Plugin package integrity verification is enabled. Note: After setting the value to true, you cannot install plugins without official signatures on the platform. | true |
| SystemConfig.driverUpload | Objective: It determines whether users can upload driver JAR files in Driver Management. Uploading is not disabled by default. true: Uploading driver JAR files is supported. | false |
| SecurityConfig.disableJNDI | Objective: It determines whether to disable JNDI data connections. The parameter is supported from FineReport V11.0.31. true: JNDI data connections are disabled. | true |
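The two tables above together name four FINE_CONF_ENTITY parameters and their recommended values, and note that rows which do not exist must be added. The script below is an added example, not FanRuan code: given the configuration table exported as (parameter name, value) pairs, it reports each recommended parameter that is missing or set to a non-recommended value and turns the result into the rows a database administrator would add or update. The export format is an assumption; the table's real column layout is not used, only key/value pairs, and the sample rows are constructed.

```python
"""Audit of the FINE_CONF_ENTITY hardening parameters listed above (added example)."""

# Recommended values from the two tables above.
RECOMMENDED = {
    "SystemConfig.hideVersion": "true",
    "PluginFileValidateConfig.fileValidateOpen": "true",
    "SystemConfig.driverUpload": "false",
    "SecurityConfig.disableJNDI": "true",
}


def audit_fine_conf(rows, recommended=RECOMMENDED):
    """rows: iterable of (name, value). Returns {name: (status, current_value)}.

    status is 'missing' when the row does not exist (the page says such rows
    must be added) or 'mismatch' when it exists with another value.
    """
    current = {}
    for name, value in rows:
        # Compare case-insensitively so "TRUE" and "true" are treated alike.
        current[name.strip()] = None if value is None else str(value).strip().lower()
    findings = {}
    for name, wanted in recommended.items():
        if name not in current:
            findings[name] = ("missing", None)
        elif current[name] != wanted:
            findings[name] = ("mismatch", current[name])
    return findings


def planned_changes(findings, recommended=RECOMMENDED):
    """Split findings into rows to insert and rows to update, each as (name, value)."""
    ordered = sorted(findings.items())
    add = [(n, recommended[n]) for n, (status, _) in ordered if status == "missing"]
    update = [(n, recommended[n]) for n, (status, _) in ordered if status == "mismatch"]
    return {"add": add, "update": update}


# Constructed sample export, not a real FINE_CONF_ENTITY dump.
SAMPLE_ROWS = [
    ("SystemConfig.hideVersion", "false"),
    ("SystemConfig.driverUpload", "TRUE"),
    ("SomeOther.setting", "42"),
]

if __name__ == "__main__":
    findings = audit_fine_conf(SAMPLE_ROWS)
    for name, (status, value) in findings.items():
        suffix = f" (current value {value})" if value is not None else ""
        print(f"{name}: {status}{suffix}")
    print(planned_changes(findings))
```

A missing `SystemConfig.driverUpload` row is reported as a finding on purpose: the table above states that driver upload is not disabled by default, so absence means uploads are allowed. The audit does not know the product version, so for `SecurityConfig.disableJNDI` (supported from FineReport V11.0.31) and for `PluginFileValidateConfig.fileValidateOpen` (blocks unsigned plugin installation once set) the version and plugin notes above still have to be applied by hand.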
Plugin Deletion
After parameter configuration, delete the FINE_CONF_ENTITY Visualization Configuration plugin.
For details about how to uninstall the plugin in the designer, see Designer Plugin Management.
For details about how to uninstall the plugin on the server, see Server Plugin Management.
Key File Update
In the project encryption algorithm, keys are critical in ensuring data security. Some companies require periodic key updates to ensure long-term system security and data confidentiality.
Prerequisite
1. This function is available from FineReport V11.0.28.
2. Updating the key file will trigger a backup, which may take a long time. Ensure the system is not in use.
3. Projects using the default algorithm support key file updates.
4. The FanRuan application must use an external configuration database. Systems using the built-in database do not support key file updates. The database user must have read, write, and execute permissions on that database.
5. If you update a key file on one node in a cluster environment, other nodes will fail to connect to the configuration database, and inter-node communication will fail. Key files cannot be synchronized across nodes automatically.
Therefore, to update key files in a cluster environment, stop all other nodes first, and perform the update on a single node.
After a successful update, manually copy the following files in /webroot/WEB-INF/config on that node and paste them to the same directories on all other nodes: db.properties, encryption.properties, default_alpha, default_beta, and default_gamma. Then start the other nodes to complete the key file update.
Key File Update
Log in to the FanRuan application as the admin, choose System Management > Security Management > Security, and then click One-Click Update in Encryption Management.
Wait patiently until the following prompt appears: "The key file is updated successfully."

Disabling JSP File Access in Tomcat
For projects deployed via the O&M platform, JSP file access is disabled by default, and no additional configuration is required. This section applies only to projects deployed independently on Tomcat.
1. Go to Tomcat installation directory/conf as the admin and open the web.xml file with a text editor.
2. Add the following configuration block to the content and save the file.
```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Disable JSP</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
        <url-pattern>*.jspx</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    </auth-constraint>
</security-constraint>
```
3. After successful configuration, direct access to JSP files via URLs will be blocked.
For example, a 403 Forbidden error will be returned when you access http://example.com/test.jsp.
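The block above works because an `<auth-constraint>` that names no `<role-name>` denies every caller. Two near-misses do not give the same result: an `<auth-constraint>` that lists a role only restricts access to that role, and a `<web-resource-collection>` that names `<http-method>` elements leaves the unlisted methods unconstrained. The script below is an added example, not Tomcat or FanRuan code, that parses a `web.xml` and accepts only the deny-all shape with both `*.jsp` and `*.jspx` covered; it also copes with the default XML namespace a real `conf/web.xml` declares. The sample documents are constructed.

```python
"""Verify that a Tomcat web.xml denies direct JSP access (added example)."""
import xml.etree.ElementTree as ET

REQUIRED_PATTERNS = {"*.jsp", "*.jspx"}


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _children(element, name):
    return [child for child in element if _local(child.tag) == name]


def jsp_access_blocked(web_xml_text):
    """True if some deny-all security-constraint covers every pattern in REQUIRED_PATTERNS."""
    root = ET.fromstring(web_xml_text)
    covered = set()
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        auth = _children(constraint, "auth-constraint")
        # Deny-all needs an auth-constraint that lists no role at all.
        if not auth or any(_children(a, "role-name") for a in auth):
            continue
        for collection in _children(constraint, "web-resource-collection"):
            if _children(collection, "http-method"):
                continue  # only the listed HTTP methods would be blocked
            for pattern in _children(collection, "url-pattern"):
                covered.add((pattern.text or "").strip())
    return REQUIRED_PATTERNS <= covered


def check_web_xml(path):
    """Run the check against a file such as Tomcat installation directory/conf/web.xml."""
    with open(path, encoding="utf-8") as fh:
        return jsp_access_blocked(fh.read())


# Constructed samples; BLOCKED mirrors the block above inside a namespaced web-app.
BLOCKED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable JSP</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.jspx</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Role-restricted rather than deny-all: admins could still reach JSP files.
ROLE_ONLY = BLOCKED.replace(
    "<auth-constraint>\n    </auth-constraint>",
    "<auth-constraint><role-name>admin</role-name></auth-constraint>",
)
# Only *.jsp covered; *.jspx would still be served.
JSP_ONLY = BLOCKED.replace("<url-pattern>*.jspx</url-pattern>", "")
NO_CONSTRAINT = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0"/>'

if __name__ == "__main__":
    for label, doc in (("blocked", BLOCKED), ("role-only", ROLE_ONLY),
                       ("jsp-only", JSP_ONLY), ("none", NO_CONSTRAINT)):
        print(label, "->", jsp_access_blocked(doc))
```

A passing check confirms the configuration file; the 403 response described in step 3 confirms that Tomcat actually loaded it after the restart, and both are worth keeping.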
