Introscope Java Agent 10.7 CVE Security Vulnerability

Article ID: 141142

Products

CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE
DX Application Performance Management

Issue/Introduction

Cause

Not applicable to Wily Java Agent 

Environment

Release : 10.7.0

Component : APM Agents

Resolution

Per engineering, only the two problems listed below are applicable to the agent. The other jars, components and binaries referenced in the scan report (PDF) were not found in the agent classpath or installation folder.

Of these two, only Guava 19.0 has a published CVE, CVE-2018-10237. Analysis of that vulnerability shows that affected Guava versions allocate unbounded memory based on attacker-supplied input; the issue is triggered when a Java-serialized AtomicDoubleArray or CompoundOrdering object from an untrusted source is deserialized.
This is a false positive for the agent: the agent does not take any values from users or end users other than its properties files, which are managed by the administrator. The classification therefore rests on administrator-managed configuration being the agent's only external input.

The other finding, sonatype-2018-0293 against commons-compress 1.9, has no publicly available details, so the vulnerability could not be analyzed.

Threat Level  Problem Code        Component
6             sonatype-2018-0293  org.apache.commons : commons-compress : 1.9
5             CVE-2018-10237      com.google.guava : guava : 19.0
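As an added example (not code from this article or from the APM product), the following Python script performs the kind of check engineering describes above: it walks an install directory, reads the Maven coordinates that Maven embeds in each jar's META-INF/maven/.../pom.properties, and keeps only the scan-report rows whose exact group : artifact : version is actually present under that directory. The directory layout, the jar contents and the third report row (org.example : not-shipped-lib, problem code EXAMPLE-0001) are constructed sample data; the first two rows are the ones from the table above.

```python
"""Filter a dependency-scan report down to components actually shipped in an install.

Added example, not code from the CA/Broadcom article or the APM agent. It reads
groupId/artifactId/version from the META-INF/maven/**/pom.properties files inside
every jar under a directory and keeps only report rows whose exact coordinates
are present. The install layout, jar contents and the EXAMPLE-0001 row are
constructed sample data.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# 'group : artifact : version', the form used in the scan-report table.
COORD_RE = re.compile(r"^\s*([^:\s]+)\s*:\s*([^:\s]+)\s*:\s*([^:\s]+)\s*$")

# The two rows from the article plus one constructed row whose component is
# deliberately not shipped, to show it being filtered out.
SAMPLE_REPORT = [
    "6 sonatype-2018-0293 org.apache.commons : commons-compress : 1.9",
    "5 CVE-2018-10237 com.google.guava : guava : 19.0",
    "7 EXAMPLE-0001 org.example : not-shipped-lib : 2.3",  # constructed
]


@dataclass(frozen=True)
class Finding:
    threat: int
    problem: str
    group: str
    artifact: str
    version: str


def parse_report(lines):
    """Parse '<threat> <problem-code> <group : artifact : version>' rows."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        threat, problem, coord = line.split(None, 2)
        m = COORD_RE.match(coord)
        if not m:
            raise ValueError(f"unparseable component coordinate: {coord!r}")
        findings.append(Finding(int(threat), problem, *m.groups()))
    return findings


def jar_coordinates(jar_path):
    """Return the set of (group, artifact, version) declared inside one jar.
    A shaded jar may carry several pom.properties; jars built without Maven metadata yield none."""
    coords = set()
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for raw in zf.read(name).decode("utf-8", "replace").splitlines():
                raw = raw.strip()
                if raw and not raw.startswith("#") and "=" in raw:
                    key, _, value = raw.partition("=")
                    props[key.strip()] = value.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                coords.add((props["groupId"], props["artifactId"], props["version"]))
    return coords


def installed_coordinates(root):
    """Map every coordinate found under root to the jar path(s) carrying it."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".jar"):
                path = os.path.join(dirpath, fname)
                for coord in jar_coordinates(path):
                    found.setdefault(coord, []).append(path)
    return found


def applicable_findings(report_lines, root):
    """Keep only report rows whose exact coordinate ships under root, in report order."""
    present = installed_coordinates(root)
    return [f for f in parse_report(report_lines)
            if (f.group, f.artifact, f.version) in present]


def build_sample_install(root=None):
    """Create a constructed agent-like folder holding two Maven-built jars."""
    root = root or tempfile.mkdtemp(prefix="agent-sample-")
    libdir = os.path.join(root, "lib")
    os.makedirs(libdir, exist_ok=True)
    for group, artifact, version in [("org.apache.commons", "commons-compress", "1.9"),
                                     ("com.google.guava", "guava", "19.0")]:
        with zipfile.ZipFile(os.path.join(libdir, f"{artifact}-{version}.jar"), "w") as zf:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"#Generated by Maven\ngroupId={group}\nartifactId={artifact}\nversion={version}\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_install()
    for f in applicable_findings(SAMPLE_REPORT, sample_root):
        print(f.threat, f.problem, f"{f.group} : {f.artifact} : {f.version}")
```

Jars that were repackaged or built without Maven metadata carry no pom.properties and will not be matched, so a known-shipped library that produces no match should be checked manually (file name, MANIFEST.MF) rather than treated as absent. Matching is on the exact version string, mirroring how the scanner reports it.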