Vulnerabilities found and flagged mainly on jackson-databind

Article ID: 130451

Products

CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction

Running a code scan against APM 10.7.0 SP3 reports vulnerabilities and flags mainly jackson-databind, because the bundled version is lower than 2.9.8.

Vulnerabilities Found:

/CA-APM-Wily_10.7.sp3.04012019.tar.gz/apm10.7.sp3/hotfix/10.7.0-HF29/product/enterprisemanager/plugins/jackson-databind_2.7.9.3.jar
Severity: High

/CA-APM-Wily_10.7.sp3.04012019.tar.gz/apm10.7.sp3/hotfix/10.7.0-HF29/APMSqlServer/repo/jackson-databind-2.9.6.jar
Severity: Medium

Cause

The flagged jars are located under the "hotfix" folder:

apm10.7.sp3/hotfix/10.7.0-HF29

This folder contains the previous, problematic jar files.

In this scenario, the <EM folder>/hotfix/10.7.0-HF29/ backup is created while applying the patch.

Environment

CA APM 10.7 SP3 

Resolution

Per engineering, and as a best practice, the folders <EM/WV/WS_HOME>/hotfix and <EM_HOME>/backup have to be deleted before the scan is run.
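As an added check that is not part of this article, the POSIX shell script below walks an install tree, lists every jackson-databind jar whose version is below the 2.9.8 threshold the scanner applies, and marks the ones sitting under a hotfix/ or backup/ directory as stale copies so they can be told apart from jars that are actually loaded. The install path argument and the "stale"/"active" labels are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not CA's own tooling): find jackson-databind jars older than
# the 2.9.8 threshold and mark copies living under hotfix/ or backup/.
MIN_VERSION="2.9.8"

# Extract the version from a jar file name such as
# jackson-databind-2.9.6.jar or jackson-databind_2.7.9.3.jar.
jar_version() {
    basename "$1" .jar | sed -e 's/^jackson-databind[-_]//'
}

# Exit 0 when dotted version $1 is lower than $2; missing fields count as 0,
# and non-digit characters in a field are ignored (e.g. "8-SNAPSHOT" -> 8).
version_lt() {
    i=1
    while :; do
        a=$(echo "$1" | cut -d. -f"$i" | tr -cd '0-9')
        b=$(echo "$2" | cut -d. -f"$i" | tr -cd '0-9')
        [ -z "$a" ] && [ -z "$b" ] && return 1      # all fields equal
        a=${a:-0}; b=${b:-0}
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
}

# "stale" for jars under hotfix/ or backup/ (backup copies left by patching),
# "active" for anything else.
classify_path() {
    case "$1" in
        */hotfix/*|*/backup/*) echo "stale" ;;
        *) echo "active" ;;
    esac
}

# Print one line per jackson-databind jar below MIN_VERSION found under $1:
# <stale|active> <version> <path>
scan_tree() {
    find "$1" -type f \( -name 'jackson-databind-*.jar' -o -name 'jackson-databind_*.jar' \) |
    while IFS= read -r jar; do
        v=$(jar_version "$jar")
        if version_lt "$v" "$MIN_VERSION"; then
            printf '%s %s %s\n' "$(classify_path "$jar")" "$v" "$jar"
        fi
    done | sort
}

# Usage: sh scan_jackson.sh <EM_HOME>
if [ $# -ge 1 ]; then
    scan_tree "$1"
fi
```

Jars reported as "stale" are the ones the article says to remove from <EM/WV/WS_HOME>/hotfix and <EM_HOME>/backup before re-running the scan.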