ACC Agent vulnerability check against Oracle Critical Patch Update Advisory - April 2017


Article ID: 17143


Updated On:

Products

CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction



The Oracle Critical Patch Update Advisory - April 2017 security advisory, linked below:

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA

details several issues with the JVM. We need to know whether APM Command Center (ACC) could potentially be affected by any of the problems described.

Environment

ACC any platform

Resolution

None of the 8 vulnerabilities reported in that bulletin is relevant to ACC, for the following reasons:

- ACC does not use AWT, and it does not run untrusted code in the JVM sandbox.
- ACC generally does not accept XML content types on its APIs; only JSON is accepted, though it sometimes processes local XML files using JAXP. The likelihood of a denial of service is low.
- ACC does not send emails.
- ACC does not use JAR signing to perform security functions.
- ACC does not fetch user-specified links or feed them to XML parsers (XML is rarely used in ACC).