
ACC Agent vulnerability check against Oracle Critical Patch Update Advisory - April 2017


Article ID: 17143




CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE


The Oracle Critical Patch Update Advisory - April 2017 details several issues with the JVM. We need to know whether APM Command Centre (ACC) could be affected by any of the problems described.


ACC any platform


None of the 8 vulnerabilities reported in that bulletin is relevant to ACC, for the following reasons:

- ACC does not use AWT, and it does not run untrusted code in a JVM sandbox.
- ACC generally does not accept XML content types on its APIs; only JSON is accepted, though it sometimes processes local XML files using JAXP. The likelihood of denial of service is low.
- ACC does not send emails.
- ACC does not use jar signing to perform security functions.
- ACC does not fetch user-specified links, and XML parsing is rarely used in ACC.
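
The same kind of applicability check can be run against your own Java application by looking for references to the affected components in its class files. The script below is an added example, not CA's code or tooling: the mapping from the components named above to package prefixes is an assumption, and `scan_jar` and `build_sample_jar` are hypothetical names.

```python
import io
import zipfile

# Assumed mapping: component named in the article -> JVM internal name prefixes
# as they appear in a class file's constant pool. Adjust for your own review.
COMPONENT_PREFIXES = {
    "AWT": [b"java/awt/"],
    "XML (JAXP)": [b"javax/xml/parsers/", b"org/xml/sax/"],
    "Email (JavaMail)": [b"javax/mail/"],
    "JAR signing": [b"java/util/jar/JarFile", b"java/security/CodeSigner"],
}


def scan_jar(jar_bytes):
    """Return {component: sorted class entries that reference it}.

    Static heuristic only: classes loaded by reflection and jars nested
    inside the archive are not inspected.
    """
    hits = {name: [] for name in COMPONENT_PREFIXES}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            data = jar.read(entry)
            if data[:4] != b"\xca\xfe\xba\xbe":
                continue  # missing class-file magic, skip
            for name, prefixes in COMPONENT_PREFIXES.items():
                if any(prefix in data for prefix in prefixes):
                    hits[name].append(entry)
    return {name: sorted(entries) for name, entries in hits.items()}


def build_sample_jar():
    """Constructed sample jar: fake classes holding only magic + referenced names."""
    magic = b"\xca\xfe\xba\xbe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/ConfigLoader.class",
                     magic + b"javax/xml/parsers/DocumentBuilderFactory")
        jar.writestr("com/example/RestApi.class", magic + b"com/example/Json")
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for component, classes in scan_jar(build_sample_jar()).items():
        print(f"{component}: {', '.join(classes) if classes else 'no references'}")
```

A hit only shows that a component is referenced; whether the referenced code handles untrusted input, as the JAXP item above discusses, still needs a manual review.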