APM 10.7 & 10.8 Security Vulnerabilities that are False Positive
search cancel

APM 10.7 & 10.8 Security Vulnerabilities that are False Positive

book

Article ID: 185748

calendar_today

Updated On:

Products

CA Application Performance Management Agent (APM / Wily / Introscope)

Issue/Introduction

This page lists security vulnerabilities reported by Black Duck/Code Insight/TechStack and other tools against APM 10.7 and 10.8 that are false positive. The  security vulnerabilities are either fixed by patching such as Apache Axis 1.4 or it is not applicable to APM 10.x.

Environment

APM 10.7.x, 10.8.x

 

Resolution

CVE-2012-5784 (MEDIUM) - Apache Web Services Axis 1.4
CVE-2014-3596 (MEDIUM) - Apache Web Services Axis 1.4
CVE-2018-8032 (MEDIUM) - Apache Web Services Axis 1.4
CVE-2019-0227, BDSA-2019-1049 (MEDIUM) - Apache Web Services Axis 1.4
CVE-2017-8046 (HIGH) - Spring Boot 1.4.2
CVE-2016-5007, CVE-2018-1258 (MEDIUM) - spring-framework 3.2.18.RELEASE
BDSA-2024-0622, CVE-2024-23672 (MEDIUM) - Apache Tomcat Vulnerable to Denial-of-Service (DoS) via Incomplete Cleanup in WebSocket Client
CVE-2019-3778 (MEDIUM) - spring-security-oauth2-2.0.16.RELEASE.jar
CVE-2018-10237 (MEDIUM - agent jars) - Guava 
CVE-2020-8908 (BDSA-2020-3736) (LOW - agent jars) - Guava 
BDSA-2022-2734, CVE-2021-43980 (MEDIUM) - Apache Tomcat Vulnerable to Information Disclosure via Concurrency Issue With Shared 'Http11Processor'
CVE-2018-1313 (BDSA-2018-1426) (MEDIUM - agent jars) - Apache Derby
BDSA-2023-2250, CVE-2023-41080 (MEDIUM) - Apache Tomcat Vulnerable to Open Redirects via Insufficient Input Validation in 'FormAuthenticator.java' File
CVE-2018-11771 (MEDIUM - agent jars) - commons-compress
CVE-2020-1938 (CRITICAL) - cpe:2.3:a:apache:tomcat (aka Ghostcat)
CVE-2021-30639 (HIGH) - Tomcat libraries
CVE-2021-30640 (MEDIUM) - Tomcat libraries
CVE-2021-41079 (HIGH) - Tomcat libraries
CVE-2014-0114 (HIGH) (struts ActionForm object) Apache Struts 1.x-1.3.10, 2.x-2.3.16.2
BDSA-2023-0623, CVE-2023-28708 - Apache Tomcat Vulnerable to Information Disclosure via Missing JSessionId Secure Attribute
CVE-2019-10086 (HIGH) - org.apache.commons_beanutils-1.9.3.jar
CVE-2014-1904 (MEDIUM) (Formtag) Spring Framework 3.0.0-3.2.8, 4.0.0-4.0.2
BDSA-2023-2736, CVE-2023-42795 (MEDIUM) - Apache Tomcat Vulnerable to Information Exposure via Internal Object Recycling in 'recycle' Methods
CVE-2014-0054 (MEDIUM) (Jaxb2RootElementHttpMessageConverter) Spring 3.0.0-3.2.7, 4.0.0-4.0.1
CVE-2015-3192 (MEDIUM) (XML bomb) Spring Framework 3.x-3.2.1, 4.x - 4.1.7
CVE-2023-44487 (HIGH) - HTTP/2 Protocol Vulnerable to Denial-of-Service (DoS) via Rapid Request Cancellations
CVE-2018-1270 (CRITICAL) (Stomp message protocol)  Spring Framework 5.0 to 5.0.4, 4.3-4.3.15   CVE-2018-1275 (CRITICAL) (Stomp message protocol) All the Same
CVE-2013-6429 (MEDIUM) (SourceHttpMessageConverter) Spring MVC 3.x-3.2.8, 4.x-4.0.2
BDSA-2023-2726, CVE-2023-45648 (MEDIUM) - Apache Tomcat Vulnerable to HTTP Request Smuggling via Improper Validation of HTTP Trailer Header Field Parsing in 'parseHeader()' Functions
CVE-2018-1272 (MEDIUM) (Multipart Requests) Spring Framework 5.0 - 5.0.4, 4.3-4.3.14
SPR-7779 (LocaleChangeInterceptor) Spring Framework 3.x-3.0.6
CVE-2023-46589 (HIGH) - Apache Tomcat Vulnerable to HTTP Request Smuggling due to Trailer Header Error Handling
CVE-2019-10086 (HIGH) (BeanIntrospector) Apache Commons Beanutils 1.9.2
CVE-2014-0225 (HIGH) Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, XXE attack
CVE-2014-3578 (MEDIUM) Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5
CVE-2017-5638 (CRITICAL) Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
CVE-2017-5638 (HIGH) Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13
CVE-2020-27216 (HIGH) - Jetty Temp Files
CVE-2019-11358 (MEDIUM)  - docker-utility-2.0.25.jar: jquery-3.1.1.min.js
CVE-2020-11022 (MEDIUM)  - docker-utility-2.0.25.jar: jquery-3.1.1.min.js
CVE-2020-11023 (MEDIUM) - docker-utility-2.0.25.jar: jquery-3.1.1.min.js
CVE-2017-12629 (CRITICAL) - Apache Lucene 4.7.2
CVE-2017-9096 (HIGH) - iText 1.3.1, 2.1.3, 2.0.7
CVE-2021-43113 (CRITICAL) - iText command injection via a CompareTool filename
CVE-2017-16853 (HIGH) - OpenSAML before 2.6.1
CVE-2021-41616 (CRITICAL) - Apache Hive
CVE-2017-5645, CVE-2019-17571, CVE-2021-4104, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 (CRITICAL, HIGH, LOW) - custom log4j 1.x in APM agents
CVE-2022-23307, CVE-2020-9488 (CRITICAL) - Apache Log4j 1.2.x
CVE-2022-23302 (HIGH) - Apache Log4j 1.x
CVE-2022-23305 (CRITICAL) - Apache Log4j 1.2.x
CVE-2021-4104 (HIGH) - Apache Log4j 1.2.x
CVE-2019-17571 (CRITICAL) - Apache Log4j 1.2 up to 1.2.17
CVE-2017-5645 (CRITICAL) - Apache Log4j 2.x before 2.8.2
CVE-2021-43557 (HIGH) - Apache Hive
CVE-2021-45232, CVE-2022-24112 (CRITICAL) - Apache Hive
CVE-2022-22965 (CRITICAL) - Spring Framework RCE via Data Binding on JDK 9+
CVE-2022-24197 (MEDIUM) - iText v7.1.17
CVE-2022-21449 (HIGH) - Oracle Java - Improper ECDSA signature verification
BDSA-2024-0623, CVE-2024-24549 (MEDIUM) - Apache Tomcat Vulnerable to Denial-of-Service (DoS) due to Improper Input Validation of HTTP/2 Requests
CVE-2016-1000027 (CRITICAL) - Spring Framework - HTTP invoker
BDSA-2023-1242, CVE-2023-28709 (MEDIUM) - Apache Tomcat Vulnerable to Denial-of-Service (DoS) via Excessive Resource Allocation due to Insufficient Limiting of the Number of Request Parts
CVE-2022-25757, CVE-2022-29266 (HIGH, CRITICAL) - Apache Hive
CVE-2022-34169 (CRITICAL) - Apache Xalan Java XSLT library
BDSA-2023-0357, CVE-2023-24998 (MEDIUM) - Apache Commons FileUpload Vulnerable to Denial-of-Service (DoS) via Excessive Resource Allocation due to Insufficient Limiting of the Number of Request Parts
CVE-2022-42889 (CRITICAL) - Apache Commons Text (<1.10)
CVE-2022-33915 (HIGH) -  Amazon Linux package log4j-cve-2021-44228-hotpatch
CVE-2023-35116 (HIGH) - Jackson-Databind Vulnerable to Denial-of-Service (DoS) via Stack Overflow in 'map' Parameter (Jackson-Databind)
CVE-2019-9628 (HIGH) - XMLTooling Vulnerable to Denial-of-service (DoS) via Mishandled XML Files in 'ParserPool.cpp' File
CVE-2023-39017 (CRITICAL) -  Quartz Scheduler Vulnerable to Remote Code Execution (RCE) via Command Injection with 'SendQueueMessageJob.execute' Method
BDSA-2024-0396 (HIGH) - Apache Tomcat on openSUSE Vulnerable to Privilege Escalation via '%post' Script
CVE-2023-4863 (HIGH) - libwebp Vulnerable to Memory Corruption via Heap-Based Buffer Overflow in WebP Crafted Files
BDSA-2017-4117 (HIGH) - iText RUPS Vulnerable to XML External Entity (XXE) Attacks via Insecure XML Parser Configuration in 'XfaFile.java' File
CVE-2023-40743 (HIGH) - Apache Web Services Axis 1.4 - Apache Axis Vulnerable to Remote Code Execution (RCE) via Malicious Input Protocols in 'getService' Function
CVE-2023-5217 (HIGH) -  libvpx Vulnerable to Memory Corruption via Heap-Based Buffer Overflow in 'vp8' Encoding Functionality
CVE-2023-42794 (HIGH) - Apache Tomcat Vulnerable to Denial-of-Service (DoS) via Improper Session Management in 'FileUpload' Functionality
CVE-2023-51441 (MEDIUM) - Apache Axis Vulnerable to Server Side Request Forgery (SSRF) via Admin Service HTTP API
CVE-2023-45853 (MEDIUM) - MiniZip Vulnerable to Memory Corruption via Heap-Based Buffer Overflow in 'zipOpenNewFileInZip4_64' Function

Additional Information

Powered by Wolken Software