APM 10.7 - Security Vulnerabilities that are False Positive


Article ID: 185748


Updated On:

Products

CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE
DX Application Performance Management

Issue/Introduction

This page lists security vulnerabilities reported by Black Duck, Code Insight, TechStack and other scanning tools against APM 10.7 that have been analysed and classified as false positives. For each finding the Resolution section below gives the vulnerability description, the affected versions, and the analysis behind the classification.

CVE-2012-5784 (MEDIUM) - Apache Web Services Axis 1.4
CVE-2014-3596 (MEDIUM) - Apache Web Services Axis 1.4
CVE-2018-8032 (MEDIUM) - Apache Web Services Axis 1.4
CVE-2019-0227 (MEDIUM) - Apache Web Services Axis 1.4
CVE-2017-8046 (HIGH) - Spring Boot 1.4.2
CVE-2016-5007, CVE-2018-1258 (MEDIUM) - spring-framework 3.2.18.RELEASE
CVE-2019-3778 (MEDIUM) - spring-security-oauth2-2.0.16.RELEASE.jar
CVE-2018-10237 (MEDIUM - agent jars) - Guava
CVE-2018-11771 (MEDIUM - agent jars) - commons-compress
CVE-2020-1938 (CRITICAL) - cpe:2.3:a:apache:tomcat (aka Ghostcat)
CVE-2014-0114 (HIGH) (Struts ActionForm object) Apache Struts 1.x-1.3.10, 2.x-2.3.16.2
CVE-2019-10086 (HIGH) - org.apache.commons_beanutils-1.9.3.jar
CVE-2014-1904 (MEDIUM) (FormTag) Spring Framework 3.0.0 before 3.2.8, 4.0.0 before 4.0.2
CVE-2014-0054 (MEDIUM) (Jaxb2RootElementHttpMessageConverter) Spring Framework 3.0.0-3.2.7, 4.0.0-4.0.1
CVE-2015-3192 (MEDIUM) (XML bomb) Spring Framework 3.x before 3.2.14, 4.x before 4.1.7
CVE-2018-1270 (CRITICAL) (STOMP message protocol) Spring Framework 5.0 to 5.0.4, 4.3 to 4.3.15
CVE-2018-1275 (CRITICAL) (STOMP message protocol) same description and affected versions as CVE-2018-1270
CVE-2013-6429 (MEDIUM) (SourceHttpMessageConverter) Spring MVC 3.x-3.2.8, 4.x-4.0.2
CVE-2018-1272 (MEDIUM) (Multipart requests) Spring Framework 5.0-5.0.4, 4.3-4.3.14
SPR-7779 (LocaleChangeInterceptor) Spring Framework 3.x-3.0.6
CVE-2019-10086 (HIGH) (BeanIntrospector) Apache Commons BeanUtils 1.9.2
CVE-2014-0225 (HIGH) (XXE attack) Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8
CVE-2014-3578 (MEDIUM) (directory traversal) Spring Framework 3.x before 3.2.9, 4.0 before 4.0.5
CVE-2017-5638 (CRITICAL) (Jakarta Multipart parser) Apache Struts 2 2.3.x before 2.3.32, 2.5.x before 2.5.10.1
CVE-2017-9805 (HIGH) (REST plugin XStream deserialization) Apache Struts 2.1.1 through 2.3.x before 2.3.34, 2.5.x before 2.5.13
CVE-2020-27216 (Jetty temp files)

 

Environment

APM 10.7.x

 

Resolution


CVE-2012-5784 (Medium) - Apache Web Services Axis 1.4

Vulnerability Description:
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Impact: apache:axis:1.4 and previous versions

Analysis:
CVE-2012-5784 and CVE-2014-3596 were first reported against Apache Web Services Axis 1.4 in APM 10.3 and are still flagged in 10.7. Both concern the hostname check the Axis client performs on the server certificate when it opens an SSL connection. There is no direct upgrade path for Axis 1.x, and Axis2 is not an option because of its different architecture.

Link to the vulnerability in the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5784


CVE-2014-3596 (Medium) - Apache Web Services Axis 1.4

Vulnerability Description:
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

Impact: apache:axis:1.4 and previous versions

Analysis:
CVE-2012-5784 and CVE-2014-3596 were first reported against Apache Web Services Axis 1.4 in APM 10.3 and are still flagged in 10.7. This CVE is the follow-up to the incomplete fix for CVE-2012-5784 and concerns the same hostname check. There is no direct upgrade path for Axis 1.x, and Axis2 is not an option because of its different architecture.

Link to the vulnerability in the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3596


CVE-2018-8032 (Medium) - Apache Web Services Axis 1.4

Vulnerability Description:
Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.

Impact: apache:axis:1.4 and previous versions

Analysis:
CVE-2018-8032 was reported against Apache Web Services Axis 1.4 in APM 10.7 SP2. There is no direct upgrade path for Axis 1.x, and Axis2 is not an option because of its different architecture.

Link to the vulnerability in the National Vulnerability Database:
https://nvd.nist.gov/vuln/detail/CVE-2018-8032


CVE-2019-0227 (Medium) - Apache Web Services Axis 1.4

Vulnerability Description:
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not vulnerable to this issue.

Link to the vulnerability in the National Vulnerability Database:
https://nvd.nist.gov/vuln/detail/CVE-2019-0227

Analysis:
CVE-2019-0227 as reported against axis.jar is a false positive. The vulnerable code is the StockQuoteService default service that ships with the Axis distribution as a JWS file, and the Axis 1 artifact shipped with APM contains neither any JWS files nor the StockQuoteService default service.


CVE-2017-8046 (High) - Spring Boot 1.4.2

Vulnerability Description:
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

Analysis:
The defect is in Spring Data REST's handling of JSON PATCH requests, so what matters is the Spring Data REST build actually shipped, not the Spring Boot version the scanner keyed on. APM Command Center uses both spring-data-rest-core*.jar and spring-data-rest-webmvc*.jar.

APM Command Center 10.7 GA contains CA-patched builds that already carry the fix: spring-data-rest-core-2.5.12.ca-007c450.jar and spring-data-rest-webmvc-2.5.12.ca-007c450.jar.

Some service packs of APM Command Center 10.7 contain spring-data-rest-core-2.6.17.RELEASE.jar and spring-data-rest-webmvc-2.6.17.RELEASE.jar, which are past the fixed 2.6.9 (Ingalls SR9) and therefore also contain the fix.


CVE-2016-5007, CVE-2018-1258 (Medium) - spring-framework 3.2.18.RELEASE

Vulnerability Description:
CVE-2016-5007: Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized, creating additional differences.

CVE-2018-1258: Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

Analysis:
spring-aspects-3.2.18.RELEASE.jar is flagged for both CVEs, and both are false positives in APM 10.7.
CVE-2018-1258 is present only in Spring Framework 5.0.5.RELEASE. APM does not use Spring Framework 5.0.5.RELEASE, so it is not impacted; the bug does not affect any Spring Framework 4.x version or any other Spring Framework version.


CVE-2019-3778 (Medium) - spring-security-oauth2-2.0.16.RELEASE.jar

Vulnerability Description:
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and use the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: act in the role of an Authorization Server and use a RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), or act in the role of a Client only (e.g. @EnableOAuthClient).

Link to the vulnerability in the National Vulnerability Database:
https://nvd.nist.gov/vuln/detail/CVE-2019-3778

Analysis:
ACC Config Server uses this OAuth2 library only through @EnableResourceServer, that is, in the resource-server role. The open redirect is in the authorization endpoint's DefaultRedirectResolver, which only an authorization server exposes, so according to the description ACC Config Server is not impacted by this vulnerability.


CVE-2018-10237 (Medium - agent jars) - Guava

Vulnerability Description:
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Analysis:
This vulnerability can be fixed by upgrading Guava to 24.1.1, but that breaks compatibility with Java 6 and 7, since 24.1.1 only supports Java 8. In addition, the vulnerability does not apply to Agent code, since the Agent does not use the Guava library for serialization or deserialization, so it can be marked as a false positive in security scans. Note that the condition in the CVE is deserializing attacker-provided data while Guava is on the classpath (the AtomicDoubleArray and CompoundOrdering classes are the gadgets), not calling Guava's own serialization; the false-positive classification therefore rests on the Agent not running Java or GWT deserialization on untrusted input at all.


CVE-2018-11771 (Medium - agent jars) - commons-compress

Vulnerability Description:
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Analysis:
This vulnerability exposes services that unpack ZIP archives received from third parties. The Agent's use of commons-compress only unzips archives that are part of the product; it does not unzip any archive received from outside sources, so the crafted-archive condition cannot be triggered by attacker-controlled input. The vulnerability does not apply to the Agent and can be marked as a false positive.


CVE-2020-1938 (Critical) - cpe:2.3:a:apache:tomcat (aka Ghostcat)

Vulnerability Description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: returning arbitrary files from anywhere in the web application, and processing any file in the web application as a JSP. Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

Analysis:
This is a false positive because Apache Tomcat itself is not shipped with APM 10.7. The only Tomcat-derived dependency is org.mortbay.jasper:apache-jsp, the Jetty project's repackaging of Tomcat's Jasper JSP engine, which is why the scanner matches the cpe:2.3:a:apache:tomcat entry. CVE-2020-1938 is in Tomcat's AJP connector, and apache-jsp contains only the JSP compiler and runtime, not the connector, so there is no AJP listener for an attacker to reach and the finding does not apply.

 

CVE-2014-0114 (HIGH) (Struts ActionForm object) Apache Struts 1.x-1.3.10, 2.x-2.3.16.2
Vulnerability Description: Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

This is a false positive because:

1) The main focus of this CVE is the Struts 1 library and its ActionForm class. A scan of the source code repositories shows that none of the Java classes uses the ActionForm class or any other code from the Struts library.

2) The Struts 1 library is not used by any of the application repositories. It is only referenced inside .pbd files (ProbeBuilder directives naming classes to instrument), which are configuration, not executable code.

3) BeanUtils is called directly from only one class (Command Center related), which invokes the .setProperty method. The CVE's vector is populating a bean from attacker-controlled property names such as class.classLoader.*, so a setProperty call whose property name is fixed in code is not affected.

For more information see the published exploit for this particular CVE.

CVE-2019-10086 (HIGH) - org.apache.commons_beanutils-1.9.3.jar
Vulnerability Description: In Apache Commons BeanUtils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. It was, however, not enabled by default in PropertyUtilsBean (the default was changed in 1.9.4).

This is a false positive because the PropertyUtilsBean class is not used in the APM product. The CVE concerns the default configuration of PropertyUtilsBean, which does not register the suppressing BeanIntrospector; code that never goes through PropertyUtilsBean cannot reach the class property traversal.

CVE-2014-1904 (MEDIUM) (FormTag) Spring Framework 3.0.0 before 3.2.8, 4.0.0 before 4.0.2
Vulnerability Description: Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

This is a false positive because the vulnerability is in the FormTag.java class, which is only used by Spring's form tag library. The APM product does not use the Spring Framework form tags, and this class is not referenced anywhere.

CVE-2014-0054 (MEDIUM) (Jaxb2RootElementHttpMessageConverter) Spring Framework 3.0.0-3.2.7, 4.0.0-4.0.1
Vulnerability Description: Spring MVC's Jaxb2RootElementHttpMessageConverter also processed user-provided XML and neither disabled XML external entities nor provided an option to disable them. Jaxb2RootElementHttpMessageConverter has been modified to provide an option to control the processing of XML external entities, and that processing is now disabled by default.

This is a false positive because the CVE is confined to the Jaxb2RootElementHttpMessageConverter class, which is not used anywhere in the APM code.

CVE-2015-3192 (MEDIUM) (XML bomb) Spring Framework 3.x before 3.2.14, 4.x before 4.1.7
Vulnerability Description: Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

The spring-framework build used by APM 10.7 is 3.2.18.RELEASE, which is past the fixed 3.2.14. Independently of the library version, this attack is blocked by refusing inline DTDs altogether:
* set the http://apache.org/xml/features/disallow-doctype-decl feature to true in the DOM and SAX APIs
* set the javax.xml.stream.supportDTD property (XMLInputFactory.SUPPORT_DTD) to false in the StAX API.
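The following is an added illustration of the DTD-rejection mitigation, not code from this article or from the Spring project. It uses Python's expat binding because it runs without a JDK; the handler that aborts on a DOCTYPE declaration is the equivalent of the disallow-doctype-decl / SUPPORT_DTD=false settings named above. The payload is a constructed, deliberately small entity-expansion bomb (four levels of ten instead of the usual ten levels of ten) so the permissive parse finishes quickly and the amplification can be measured.

```python
"""Rejecting inline DTDs before entity expansion, shown with Python's expat.

Java equivalents of the hardened parser below:
  DOM/SAX  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", True)
  StAX     XMLInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, False)
"""
import xml.parsers.expat

# Constructed sample: 4 entity levels of 10, so &lol3; expands to 1000 copies of "lol".
BOMB = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE lolz [\n'
    ' <!ENTITY lol "lol">\n'
    ' <!ENTITY lol1 "' + "&lol;" * 10 + '">\n'
    ' <!ENTITY lol2 "' + "&lol1;" * 10 + '">\n'
    ' <!ENTITY lol3 "' + "&lol2;" * 10 + '">\n'
    ']>\n'
    '<lolz>&lol3;</lolz>'
)


class DoctypeRejected(ValueError):
    """Raised before any entity defined in the DTD can be expanded."""


def parse_text_length(doc: str, allow_doctype: bool) -> int:
    """Parse doc with expat and return how many characters of text it produced.

    With allow_doctype=False a DOCTYPE declaration aborts the parse. The entity
    definitions inside the DTD are never read, so nothing can be expanded.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    if not allow_doctype:
        def reject(doctype_name, system_id, public_id, has_internal_subset):
            raise DoctypeRejected(f"DOCTYPE {doctype_name!r} is not allowed")
        parser.StartDoctypeDeclHandler = reject
    parser.Parse(doc, True)
    return sum(len(c) for c in chunks)


def amplification(doc: str) -> float:
    """Expanded text size divided by document size for a permissive parse."""
    return parse_text_length(doc, allow_doctype=True) / len(doc)


def rejects_doctype(doc: str) -> bool:
    """True if the hardened parser refuses doc before expanding anything."""
    try:
        parse_text_length(doc, allow_doctype=False)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print("permissive parse produced", parse_text_length(BOMB, True), "characters")
    print("amplification x%.1f" % amplification(BOMB))
    print("hardened parser rejects payload:", rejects_doctype(BOMB))
    print("hardened parser still accepts plain XML, text length:",
          parse_text_length("<a>hi</a>", False))
```

The amplification measured on the small sample is about ten times; each additional entity level multiplies it by ten again, which is why the real payload exhausts memory. Rejecting the DOCTYPE up front is preferable to expansion limits because it also removes the external-entity (XXE) path that CVE-2014-0225 describes.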

CVE-2018-1270 (CRITICAL) (STOMP message protocol) Spring Framework 5.0 to 5.0.4, 4.3 to 4.3.15
CVE-2018-1275 (CRITICAL) (STOMP message protocol) same description and affected versions as CVE-2018-1270
Vulnerability Description: Spring Framework, versions 5.0.x prior to 5.0.5 and versions 4.3.x prior to 4.3.16, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

This is a false positive because STOMP over WebSocket (the spring-messaging simple broker) is not used anywhere in the APM code.

CVE-2013-6429 (MEDIUM) (SourceHttpMessageConverter) Spring MVC 3.x-3.2.8, 4.x-4.0.2
Vulnerability Description: Spring MVC's SourceHttpMessageConverter also processed user-provided XML and neither disabled XML external entities nor provided an option to disable them. SourceHttpMessageConverter has been modified to provide an option to control the processing of XML external entities, and that processing is now disabled by default. It was subsequently discovered that this fix was also incomplete (CVE-2014-0054).

This is a false positive because neither SourceHttpMessageConverter nor StaxUtils is used in the APM code.

CVE-2018-1272 (MEDIUM) (Multipart requests) Spring Framework 5.0-5.0.4, 4.3-4.3.14
Vulnerability Description: Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

This is a false positive because the file the CVE is exploited through, MimeTypeUtils.java, does not exist in release 3.2.18; that class was introduced in Spring Framework 4.0.

SPR-7779 (LocaleChangeInterceptor) Spring Framework 3.x-3.0.6
Vulnerability Description: The implementation of LocaleChangeInterceptor does not escape the locale value taken from the request, which can lead to an XSS issue.

This is a false positive because LocaleChangeInterceptor is not used anywhere in the APM code.

CVE-2019-10086 (HIGH) (BeanIntrospector) Apache Commons BeanUtils 1.9.2
Vulnerability Description: In Apache Commons BeanUtils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. It was, however, not used by default in PropertyUtilsBean.

This is a false positive for the same reason as the org.apache.commons_beanutils-1.9.3.jar entry above: the exposure is through PropertyUtilsBean's default introspection, and neither PropertyUtilsBean nor the BeanIntrospector class is used anywhere in the APM code.

CVE-2014-0225 (HIGH) (XXE attack) Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8
Vulnerability Description: When processing user-provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

This is a false positive. The issue was fixed in version 3.2.9 (the affected range ends at 3.2.8) and the library version in APM is 3.2.18, so the commits that fixed it are already present in the current distribution.

CVE-2014-3578 (MEDIUM) (directory traversal) Spring Framework 3.x before 3.2.9, 4.0 before 4.0.5
Vulnerability Description: Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

This is a false positive. The issue was fixed in version 3.2.9 and the library version in APM is 3.2.18, so the commits that fixed it are already present in the current distribution.

CVE-2017-5638 (CRITICAL) (Jakarta Multipart parser) Apache Struts 2 2.3.x before 2.3.32, 2.5.x before 2.5.10.1
Vulnerability Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

This is a false positive. The CVE is in the Struts 2 class FileUploadInterceptor.java, which uses LocalizedTextUtil.java to build the error message shown when an upload fails; the crafted Content-Type header ends up evaluated as an OGNL expression while that message is rendered. Both classes belong to the Struts 2 framework and do not exist in Struts 1. Neither FileUploadInterceptor.java nor LocalizedTextUtil.java is part of any APM binary. The only Struts-related artifact shipped is the struts-menu 2.3 library, which despite its version number is an independent tag library that can be used from plain JSPs to display client-side menus; it is not Struts 2.3.

CVE-2017-9805 (HIGH) (REST plugin XStream deserialization) Apache Struts 2.1.1 through 2.3.x before 2.3.34, 2.5.x before 2.5.13
Vulnerability Description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

This is a false positive. The affected code, the REST plugin's XStreamHandler, is not part of any APM binary. The only Struts-related artifact shipped is the struts-menu 2.3 library, an independent tag library usable from plain JSPs to display client-side menus; it is neither the Struts 2 framework nor its REST plugin.
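Most of the arguments on this page reduce to two checks that can be run mechanically against the shipped jars: the jar is already at or past the version in which the CVE was fixed (CVE-2014-0225, CVE-2014-3578, CVE-2015-3192), or the class or file the CVE lives in is not inside the jar at all (the JWS files for CVE-2019-0227, FormTag for CVE-2014-1904, the two message converters, MimeTypeUtils for CVE-2018-1272, LocaleChangeInterceptor for SPR-7779, and the Struts 2 classes for the two Struts findings above). The following is an added triage helper written for this page, not code from the article or from any of the projects it names. The jars it builds are constructed stand-ins with made-up entry lists, not APM binaries, and it inspects only the zip layer so it runs offline without a JDK.

```python
"""Triage helper: version-at-or-past-fix and indicator-class-absent checks.

The jars built here are constructed test data, not APM artifacts.
"""
import io
import re
import zipfile
from typing import Iterable, Optional

# Trailing version in a jar file name, e.g. spring-web-3.2.18.RELEASE.jar -> 3.2.18
VERSION_RE = re.compile(r"-(\d+(?:\.\d+)*)(?:[.-]\w+)*\.jar$")


def build_jar(entries: Iterable[str], version: Optional[str] = None) -> bytes:
    """Constructed test data: an in-memory jar with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


def jar_entries(jar: bytes) -> set:
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return set(zf.namelist())


def jar_version(jar: bytes, filename: str) -> Optional[str]:
    """Implementation-Version from the manifest, else the version in the file name."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        if "META-INF/MANIFEST.MF" in zf.namelist():
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                key, _, value = line.partition(":")
                if key.strip().lower() == "implementation-version":
                    return value.strip()
    match = VERSION_RE.search(filename)
    return match.group(1) if match else None


def version_tuple(version: str) -> tuple:
    """Numeric components only: '3.2.18.RELEASE' -> (3, 2, 18).

    Qualifiers are ignored, so a vendor-patched build such as 2.5.12.ca-...
    must be judged from its patch record, not from this comparison.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def triage(jar: bytes, filename: str, fixed_in: Optional[str],
           indicators: Iterable[str]) -> dict:
    """Classify one scanner finding against one jar.

    fixed_in   -- first fixed version from the advisory, or None if unknown
    indicators -- substrings of entry names the CVE depends on
                  (class names, or '.jws' for Axis JWS files)
    """
    indicators = list(indicators)
    version = jar_version(jar, filename)
    present = sorted(e for e in jar_entries(jar) if any(i in e for i in indicators))
    if fixed_in and version and version_tuple(version) >= version_tuple(fixed_in):
        verdict = "false positive: version at or past the fix"
    elif indicators and not present:
        verdict = "false positive candidate: indicator entries absent"
    else:
        verdict = "needs review"
    return {"version": version, "present": present, "verdict": verdict}


if __name__ == "__main__":
    # Spring jar already past the CVE-2014-3578 fix (3.2.9).
    spring = build_jar(["org/springframework/web/servlet/DispatcherServlet.class"],
                       "3.2.18.RELEASE")
    print(triage(spring, "spring-web-3.2.18.RELEASE.jar", "3.2.9",
                 ["SourceHttpMessageConverter"]))
    # struts-menu: none of the Struts 2 classes the two Struts CVEs need.
    menu = build_jar(["net/sf/navigator/menu/MenuTag.class"])
    print(triage(menu, "struts-menu-2.3.jar", None,
                 ["FileUploadInterceptor", "LocalizedTextUtil", "XStreamHandler"]))
    # Axis 1 artifact without sample services: nothing ending in .jws.
    axis = build_jar(["org/apache/axis/client/Call.class"])
    print(triage(axis, "axis.jar", None, [".jws", "StockQuoteService"]))
```

A "needs review" verdict is the default whenever the version is below the fix and an indicator entry is present; it is deliberately not a "vulnerable" verdict, because reachability (whether request input ever reaches the class) still has to be established by reading the code, which is what the analyses on this page do. Run it over a real installation by reading each jar's bytes from disk and passing the file name.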

CVE-2020-27216 (Jetty temp files)
Vulnerability Description: A co-located user can observe the process of creating a temporary sub-directory in the shared temporary directory and race to complete the creation of the temporary sub-directory.

This is a false positive. Both the Enterprise Manager and WebView configure the ./work folder inside the Introscope installation directory as Jetty's temporary directory, rather than the shared system temporary directory (java.io.tmpdir) that the race depends on. This holds as long as the installation directory is not writable by other local users.