Vulnerabilities found and flagged mainly on jackson-databind
Article ID: 130451
Products
CA Application Performance Management Agent (APM / Wily / Introscope)
INTROSCOPE
Issue/Introduction
Running a code (dependency) scan against the APM 10.7.0 SP3 distribution reports vulnerabilities, most of them against jackson-databind, because the scanner finds copies of the library at versions lower than 2.9.8.
Vulnerabilities Found:
/CA-APM-Wily_10.7.sp3.04012019.tar.gz/apm10.7.sp3/hotfix/10.7.0-HF29/product/enterprisemanager/plugins/jackson-databind_2.7.9.3.jar
Severity: High
/CA-APM-Wily_10.7.sp3.04012019.tar.gz/apm10.7.sp3/hotfix/10.7.0-HF29/APMSqlServer/repo/jackson-databind-2.9.6.jar
Severity: Medium
Environment
CA APM 10.7 SP3
Cause
The flagged jars are located under the "hotfix" folder:
apm10.7.sp3/hotfix/10.7.0-HF29
This folder contains the previous, problematic versions of the jar files, not the ones the patched Enterprise Manager runs. In this scenario, <EM folder>/hotfix/10.7.0-HF29/ is the backup that is created while the patch is applied, so the superseded jackson-databind jars remain on disk and are picked up by the scan even though they have been replaced in the live product directories.
Resolution
Per engineering, and as a best practice, the folders <EM/WV/WS_HOME>/hotfix and <EM_HOME>/backup have to be deleted before the scan is run. These folders hold only the superseded copies kept for rollback; if you still need them, move or archive them to a location outside the installation tree before scanning rather than leaving them in place. After removing them, re-run the scan and confirm that the remaining jackson-databind findings are gone, which shows the lower versions were reported only for the backed-up copies and not for the jars the product loads.
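The following script is an added example for the Cause and Resolution above; it is not CA/Broadcom code. It inventories jackson-databind jars under an APM installation, flags those below the 2.9.8 threshold the scan uses, and then archives and removes the hotfix/ and backup/ folders so the superseded jars are no longer in the scanned tree. It assumes (not stated in the article) that the version is carried in the jar filename, as in jackson-databind-2.9.6.jar or jackson-databind_2.7.9.3.jar, and that the caller supplies the install root and an archive destination outside that root; the sample tree built by make_sample_tree is constructed here to mirror the article's paths.

```shell
#!/bin/sh
# Added example, not CA/Broadcom code: inventory jackson-databind jars under an
# APM installation, flag those below the scanner's 2.9.8 threshold, and archive
# then remove the hotfix/ and backup/ folders that hold the superseded copies.
#
# Assumptions (not from the article): the jar filename carries the version, as in
# jackson-databind-2.9.6.jar or jackson-databind_2.7.9.3.jar; the install root and
# archive destination are passed by the caller; make_sample_tree is a constructed
# stand-in for a real install.

MIN_VERSION="2.9.8"

# version_lt A B: succeed when dotted version A sorts before B numerically.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
             sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$1" ]
}

# jar_version FILE: version string taken from a jackson-databind jar filename.
jar_version() {
    basename "$1" .jar | sed 's/^jackson-databind[-_]//'
}

# find_stale_jars ROOT: print "<path> <version>" for each jackson-databind jar
# under ROOT whose version is below MIN_VERSION, sorted by path.
find_stale_jars() {
    find "$1" -type f \( -name 'jackson-databind-*.jar' -o -name 'jackson-databind_*.jar' \) |
    sort |
    while IFS= read -r jar; do
        v=$(jar_version "$jar")
        if version_lt "$v" "$MIN_VERSION"; then
            printf '%s %s\n' "$jar" "$v"
        fi
    done
}

# archive_and_remove ROOT NAME DEST: tar ROOT/NAME into DEST/NAME.tar, then delete
# ROOT/NAME so the scanner no longer sees the superseded jars. No-op if absent.
archive_and_remove() {
    [ -d "$1/$2" ] || return 0
    tar -cf "$3/$2.tar" -C "$1" "$2"
    rm -rf "$1/$2"
}

# prepare_for_scan ROOT DEST: apply the article's resolution to hotfix/ and backup/.
prepare_for_scan() {
    archive_and_remove "$1" hotfix "$2"
    archive_and_remove "$1" backup "$2"
}

# make_sample_tree: constructed install tree mirroring the paths in the article,
# with empty placeholder jars; prints the temporary root directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/hotfix/10.7.0-HF29/product/enterprisemanager/plugins" \
             "$root/hotfix/10.7.0-HF29/APMSqlServer/repo" \
             "$root/backup" \
             "$root/product/enterprisemanager/plugins"
    : > "$root/hotfix/10.7.0-HF29/product/enterprisemanager/plugins/jackson-databind_2.7.9.3.jar"
    : > "$root/hotfix/10.7.0-HF29/APMSqlServer/repo/jackson-databind-2.9.6.jar"
    : > "$root/product/enterprisemanager/plugins/jackson-databind-2.9.8.jar"
    printf '%s\n' "$root"
}

# Run against a real tree: sh this_script.sh /opt/CA/APM /var/tmp/apm-archive
# (both paths are placeholders; the archive directory must be outside the install root)
if [ $# -eq 2 ]; then
    echo "Stale jackson-databind jars before cleanup:"
    find_stale_jars "$1"
    prepare_for_scan "$1" "$2"
    echo "Stale jackson-databind jars after cleanup:"
    find_stale_jars "$1"
fi
```

Run the inventory first and read the paths: every reported jar should sit under hotfix/ or backup/. If a jar below 2.9.8 is reported under a live directory such as product/enterprisemanager/plugins, the install is not actually at the patched level and deleting the backup folders will not fix the finding.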