Release : 10.7.0
Component : APM Agents
Not applicable to Wily Java Agent
Per Engineering, the two problems below are applicable to the agent, since no referred jars/components/binaries (PDF report) have been found in the agent classpath or folder.
Of these, only Guava 19.0 has a vulnerability with a CVE number, CVE-2018-10237. Analysis of the vulnerability found that Guava allocates unbounded memory based on user input data.
This is a false positive for the agent because the agent doesn't take any values from the user/end-user other than the properties file, which is managed by the administrator.
The other one, commons-compress with sonatype-2018-0293, doesn't have any publicly available details with which to analyze the vulnerability.
Threat Level | Problem Code | Component |
6 | sonatype-2018-0293 | org.apache.commons : commons-compress : 1.9 |
5 | CVE-2018-10237 | com.google.guava : guava : 19.0 |
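
Whether a flagged component is actually present in an agent classpath or folder can be checked with a short script. The following is an added example, not part of the original article or the vendor's tooling: it matches the two coordinates from the table against the Maven metadata embedded in each jar (so renamed or nested jars are still found), and the folder passed on the command line is an assumed agent install path.

```python
import io
import sys
import zipfile
from pathlib import Path

# Coordinates and versions taken from the table above.
FLAGGED = {
    ("org.apache.commons", "commons-compress"): "1.9",
    ("com.google.guava", "guava"): "19.0",
}

def parse_pom_properties(text):
    """Parse the key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def scan_archive(data, label):
    """Return (label, groupId, artifactId, version) tuples for flagged
    components found in one archive, recursing into nested jars."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive; nothing to report
    with zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                key = (p.get("groupId"), p.get("artifactId"))
                if key in FLAGGED and FLAGGED[key] == p.get("version"):
                    hits.append((label, key[0], key[1], FLAGGED[key]))
            elif name.lower().endswith((".jar", ".war")):
                hits += scan_archive(zf.read(name), f"{label}!{name}")
    return hits

def scan_folder(root):
    """Scan every jar under root (assumed agent install folder)."""
    hits = []
    for path in sorted(Path(root).rglob("*.jar")):
        hits += scan_archive(path.read_bytes(), str(path))
    return hits

if __name__ == "__main__":
    for hit in scan_folder(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(" | ".join(hit))
```

Jars whose Maven metadata has been stripped will not match, so an empty result is supporting evidence rather than proof that a component is absent.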