Identified some vulnerabilities on 10.2 patch

Article ID: 102348

Products

CA Application Test Service Virtualization CA Continuous Application Insight (PathFinder) CA Service Virtualization (DevTest / LISA / VSE / Application Test)

Issue/Introduction

Hi Team, we observed some vulnerabilities on the 10.2 patch.

Please can you help on this.

List of vulnerabilities: CVE-2017-7525, CVE-2017-7525, CVE-2017-7525, CVE-2017-7525, CVE-2017-7525
Jar details: jackson-databind-2.6.5.jar, jackson-databind-2.6.6.jar, jackson-databind-2.6.7.jar, jackson-databind-2.8.3.jar, jackson-databind-2.8.8.jar

Cause

Outdated jackson-databind jars.

Environment

DevTest 10.3.0 and earlier.

Resolution

Unfortunately, this vulnerability will not be fixed until our next release, DevTest 10.4.

According to development, the jackson-databind jars cannot be easily patched, since updating any of them in the current releases will break other parts of the product.
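
Until the fixed release is installed, it helps to know exactly which jackson-databind copies are on disk, including renamed or bundled ones. The following is an added example, not code from this article or the vendor: it inventories jars under a directory and flags versions affected by CVE-2017-7525. The fixed-version boundaries are taken from the public CVE description rather than from this article, and the directory argument is an assumption.

```python
import re
import sys
import zipfile
from pathlib import Path

# First fixed release per 2.x branch, taken from the public CVE-2017-7525
# description (not from this article); 2.9.0 and later are not listed as affected.
FIXED = {(2, 6): (2, 6, 7, 1), (2, 7): (2, 7, 9, 1), (2, 8): (2, 8, 9)}
# Maven metadata path inside a jackson-databind jar (survives file renames).
POM = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
NAME = re.compile(r"jackson-databind-(\d+(?:\.\d+)*)")

def jar_version(path):
    """Return the jackson-databind version of a jar, or None if it is not one."""
    try:
        with zipfile.ZipFile(path) as jar:
            if POM in jar.namelist():
                for line in jar.read(POM).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name
    match = NAME.search(Path(path).name)
    return match.group(1) if match else None

def is_affected(version):
    """True if the version predates the CVE-2017-7525 fix on its branch."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    branch = parts[:2]
    if branch in FIXED:
        return parts < FIXED[branch]
    return branch < (2, 6)  # everything before 2.6.7.1 is listed as affected

def scan(root):
    """List (file name, version, affected) for each jackson-databind jar under root."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        version = jar_version(jar)
        if version:
            findings.append((jar.name, version, is_affected(version)))
    return findings

if __name__ == "__main__":
    # Directory to scan is an assumption: pass the DevTest install path as argv[1].
    for name, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}\t{version}\t{'AFFECTED' if affected else 'ok'}")
```

Reading the embedded Maven metadata first means a jar that was renamed, or a larger archive that carries jackson-databind's metadata, is still reported with its real version.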