Java Agent and commons-compress and Guava and the vulnerable classes with CVEs

Article Id: 144112

Status: Published

Updated On: 31-01-2020 18:33

Products:

CA Application Performance Management Agent (APM / Wily / Introscope) , CA Application Performance Management (APM / Wily / Introscope) , INTROSCOPE , DX Application Performance Management

Issue/Introduction:

Java Agent and commons-compress and Guava and the vulnerable classes with CVEs.

Cause:

The Guava library that the agent uses, is loaded by our own custom class loader. Thus, it is not accessible by the application.

Environment:

Release : 10.7.0

Component : APM Agents

Resolution:

The Guava library that the APM Java Agent uses, are loaded by our custom class loader and hence won’t be accessible by the application.

If the application uses some utilities from the Guava library, they have to use its own copy/version where the CVE's have been addressed.