Several critical and severe CVEs are being reported against CA Wily for the following jars:

Derby: CVE-2015-1832, CVE-2010-2232, CVE-2009-4269
Jackson-mapper-asl: CVE-2017-7525
HttpClient: SONATYPE-2017-0359, SONATYPE-2007-0004, CVE-2012-5783, CVE-2012-6153
Xerces: CVE-2012-0881, CVE-2013-4002, SONATYPE-2017-0348
Guava: CVE-2018-10237
Jetty: CVE-2018-12536
commons-compress: CVE-2018-11771, SONATYPE-2018-0293
jsch: CVE-2016-5725

I would not feel comfortable waiving these CVEs.

We are also getting several critical CVEs for IronPython.jar through the 6db449585c248c8616482e9b7a179c81b355203102a1db58633139080eb96e79 Base Image Layer for JDK 8:

IronPython.jar: CVE-2018-18074, CVE-2018-20060, SONATYPE-2014-0148, SONATYPE-2012-0071
Release: 10.7
Component: APM Agents
Engineering has identified the issue and provided a fix in hotfix APM10.7.0HF43 (APM 10.7.0.235, build-994301).
All of the listed vulnerabilities except the Guava and commons-compress findings have been addressed in the hotfix. The remaining two are marked as false positives for the following reasons:

Guava (CVE-2018-10237) - The reported vulnerability is in Java deserialization of Guava types, but the agent does not use Guava for serialization or deserialization.

commons-compress (CVE-2018-11771, SONATYPE-2018-0293) - The reported issues are triggered by processing a crafted archive. The agent's usage of commons-compress only unzips archives that are shipped as part of the product; it does not unzip archives received from outside sources.

Note that vulnerability scanners match on the shipped jar version, so these two findings will continue to appear in scan reports until the libraries themselves are upgraded. The false-positive rationale applies to the current usage of the libraries only and should be re-evaluated if that usage changes.
Please open a support case to obtain APM10.7.0HF43
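After applying the hotfix, the check a practitioner usually wants is an inventory of which of the libraries named above are still shipped, and at which versions, so the scanner report can be reconciled against the false-positive rationale. The script below is an added example and is not CA/Broadcom code; it reads `Implementation-Title`/`Implementation-Version` from each jar's manifest, falls back to parsing the file name, and flags jars whose name matches a library from the advisory. The sample jars it builds in a temporary directory are constructed for the demonstration, and their versions are made up; they say nothing about what the hotfix actually ships.

```python
"""Inventory third-party jars under an agent install directory and flag the
libraries named in the advisory (Derby, jackson-mapper-asl, HttpClient,
Xerces, Guava, Jetty, commons-compress, jsch).

Added example, not CA/Broadcom code. The jars written by build_sample_install()
are constructed with fictitious versions so the script runs offline.
"""
import os
import re
import tempfile
import zipfile

# Library names from the advisory, matched case-insensitively against the
# manifest Implementation-Title and the jar file name.
ADVISORY_LIBRARIES = (
    "derby", "jackson-mapper-asl", "httpclient", "xerces",
    "guava", "jetty", "commons-compress", "jsch",
)

# Fallback parser for conventional "<artifact>-<version>.jar" file names.
JAR_NAME_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.]*)\.jar$")


def read_manifest(jar_path):
    """Return the main-section attributes of META-INF/MANIFEST.MF as a dict."""
    attrs = {}
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return attrs  # jar without a manifest
    # The main section ends at the first blank line; continuation lines
    # start with a single space and belong to the previous attribute.
    main = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    unfolded = []
    for line in main.split("\n"):
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line:
            unfolded.append(line)
    for line in unfolded:
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def jar_identity(jar_path):
    """Best-effort (name, version): manifest first, file name second."""
    attrs = read_manifest(jar_path)
    name = attrs.get("Implementation-Title") or attrs.get("Bundle-SymbolicName")
    version = attrs.get("Implementation-Version") or attrs.get("Bundle-Version")
    m = JAR_NAME_RE.match(os.path.basename(jar_path))
    if m:
        name = name or m.group("name")
        version = version or m.group("version")
    return name or os.path.basename(jar_path), version or "unknown"


def inventory(root):
    """Walk root and return {relative jar path: (name, version)}."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                path = os.path.join(dirpath, f)
                result[os.path.relpath(path, root)] = jar_identity(path)
    return result


def flag_advisory_jars(inv):
    """Subset of the inventory whose name matches a library from the advisory."""
    flagged = {}
    for rel, (name, version) in inv.items():
        haystack = (name + " " + os.path.basename(rel)).lower()
        hits = [lib for lib in ADVISORY_LIBRARIES if lib in haystack]
        if hits:
            flagged[rel] = (name, version, hits)
    return flagged


def build_sample_install(root):
    """Write a few constructed jars under root (fictitious titles/versions)."""
    samples = {
        "lib/guava-27.1-jre.jar": ("Guava: Google Core Libraries for Java", "27.1-jre"),
        "lib/commons-compress-1.18.jar": ("Apache Commons Compress", "1.18"),
        "lib/jsch-0.1.55.jar": (None, None),  # no title in manifest: parsed from file name
        "core/ext/agent-internal-10.7.0.jar": ("APM agent internal", "10.7.0"),
    }
    for rel, (title, version) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        lines = ["Manifest-Version: 1.0"]
        if title:
            lines += ["Implementation-Title: " + title, "Implementation-Version: " + version]
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n\r\n")


def run_demo():
    """Build the constructed install, inventory it, and return (inventory, flagged)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root)
        inv = inventory(root)
        return inv, flag_advisory_jars(inv)


if __name__ == "__main__":
    _, flagged = run_demo()
    for rel, (name, version, hits) in sorted(flagged.items()):
        print(f"{rel}: {name} {version}  <- review: {', '.join(hits)}")
```

Point `inventory()` at the real agent directory instead of the constructed one to get the list of flagged jars and versions; the versions reported are what the scanner will keep matching on, which is why the Guava and commons-compress findings persist after the hotfix.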