What are the vulnerabilities fixed in Cumulative APM 10.7 HF #75?

Article ID: 206013

Products

CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE
DX Application Performance Management

Issue/Introduction

What are the vulnerabilities fixed in Cumulative APM 10.7 HF #75?

Cause

Documentation

Environment

Release : 10.7.0

Component : APM Agents

Resolution

Per the attached readme file, APM Cumulative update 10.7 HF #75 includes the following security fixes (cumulative, so earlier hotfixes are listed as well):

HF # 75:

DE485759 - 32387148-Security vulnerability in jackson-databind (CVE-2020-25649)

HF # 70:

DE478171 - 32231977-Security vulnerabilities in jackson-databind (CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-24616)

HF # 67:

DE466760 - 32042236-Security vulnerability in postgresql driver CVE-2020-13692 (postgresql < 4.2.13)
DE472040 - 32130743-Security vulnerability in jetty-server-9.4.29.v20200521 (CVE-2019-17638)
DE470819 - 32112761-patch for 10.7 to fix CVE-2020-5398 vulnerability

HF # 65:

DE471947 - 32130743-Security vulnerability in Jetty 9.4.29, CVE-2019-17638 (EM, WV)

HF # 64:

DE412867 - 01337425-Security vulnerability CVE-2000-0649 in EM Jetty, added HostHeaderCustomizer

HF # 61:

DE434288 - 20068181-Security vulnerabilities in Jetty (EM/WV, APMSQLServer, jetty 9.4.11-2 upgraded to 9.4.27)
DE434288 - 20068181-Security vulnerabilities in jquery 2.2.4
DE449639 - 31704439-Security vulnerabilities in apache-el 8.5.23
DE449639 - 31704439-Security vulnerabilities in apache-jsp 8.5.23
DE449639 - 31704439-Security vulnerabilities in javax.servlet 2.5, 3.1.0
DE449639 - 31704439-Security vulnerabilities in javax.servlet-api 2.5, 3.1.0
DE449639 - 31704439-Security vulnerabilities in jetty-schemas 3.1
DE449639 - 31704439-Security vulnerabilities in org.hibernate 3.2.1
DE449639 - 31704439-Security vulnerabilities in org.owasp.esapi 2.0.0
DE449639 - 31704439-Security vulnerabilities in org.postgresql 9.2.1003 (PostgreSQL JDBC driver to 42.2.8)
DE449639 - 31704439-Security vulnerabilities in WilyBouncyCastle 1.0, replaced with bcprov-jdk15on.jar, bcpkix-jdk15on.jar and bcpg-jdk15on.jar
DE449639 - 31704439-Security vulnerabilities in Axis 1.4.1
DE452281 - Security vulnerabilities in fasterxml-jackson-databind 2.9.10.1, 2.9.10.3

DE461576 - 31917805-Security vulnerabilities in org.dom4j CVE-2020-10683 (DE461044)

HF # 54:

DE438470 - 20099449-Security Vulnerability: HSTS Missing from HTTPS Server

HF # 49:

DE435755 - 20085640-Security vulnerabilities in fasterxml-jackson-databind 2.9.8 (Apache-2.0)

HF # 41:

DE425090 - 01373171-Security vulnerability in c3p0-0.9.1.jar in APMSQLServer (CVE-2019-5427)

HF # 40:

DE418110 - Security vulnerability in spring-security-oauth2-2.0.16.RELEASE.jar (CVE-2019-3778), Spring Framework upgraded to 4.3.24, security.oauth to 2.0.18 and data-rest Ingalls to SR22

HF # 39:

DE419829 - 01373171-Security vulnerabilities in xstream_1.4.10.jar (CVE-2013-7285)

HF # 35:

DE402232 - 01281857-Security vulnerabilities in commons-httpclient-3.0.1.jar, dom4j-1.5.2.jar, guava.jar and xerces.jar

HF # 29 (SP3):

DE397978 - 01249054,01306493-Security vulnerabilities in spring-websocket-4.3.17.RELEASE.jar in ACC

DE389337 - Security vulnerabilities in cxf-rt-rs-client, cxf-rt-rs-security-jose, cxf-rt-wsdl and cxf-core 3.2.2
DE375385 - Security vulnerabilities in fasterxml-jackson-databind 2.7.9.3 (Apache-2.0)
DE401876 - Security vulnerabilities in fasterxml-jackson-core 2.9.6 (Apache-2.0), DE401878
DE363005 - Security vulnerabilities in apache-jakarta-taglibs 1.1.2
DE402764 - Security vulnerabilities in spring-web-4.3.9.RELEASE.jar (com.ca.apm.em.idp.shibboleth)
DE402736 - Security vulnerabilities in spring-aspects-3.2.16.RELEASE.jar
DE363013 - Security vulnerabilities in apache-jakarta-taglibs 1.1 (tess)
DE376092 - Security vulnerabilities in lucene-core-2.2.0.jar (tess)
DE401800 - Security vulnerabilities in slf4j-api 1.7.9 (MIT)
DE400714 - Security vulnerabilities in Apache ActiveMQ 5.8.0 (Apache 2.0, 5.14.5-bcm-1)

HF # 25:

DE398352 - 01261431-Cyber vulnerability in "Spring Data Commons" in ACC (CVE-2018-1273, RCE), plus spring-security-oauth

HF # 24:

DE385641 - 01194546-Security vulnerabilities in Jetty and EM/WV (jetty 6.1.26/6.1.25 upgraded to 9.4.11)

DE376081 - Security vulnerabilities in Jetty and APMSQLServer (ehcache, jetty-runner)

HF # 21:

DE387984 - 01208236-Security vulnerabilities in ACC Command Center Jetty

HF # 14 (SP2):

DE361530 - 00994619-Open Source BlackDuck Vulnerabilities
DE375369 - Security vulnerabilities in commons-collections 3.2.1 (Apache-2.0)
DE369015 - Security vulnerabilities in org.springframework.webmvc.jar (CVE-2016-5007, CVE-2018-1258)
DE363244 - Security vulnerabilities in JFreeChart 1.0.8 (CVE-2007-6307, CVE-2007-6306)
DE363238 - Security vulnerabilities in Apache Commons HttpClient 3.1 (CVE-2014-3577, CVE-2015-5262)
DE363268 - Security vulnerabilities in Spring used in Shibboleth (2.5.6.SEC03 to 4.3.9)
DE329263 - Security vulnerabilities in hawk, jquery (CVE-2016-2515, CVE-2011-4969, CVE-2016-7103)
DE377959 - Security vulnerabilities in spring-tx-5.0.5.RELEASE.jar in APMSQLServer (CVE-2018-1258, 00986299)

HF # 12:

DE369015 - Security vulnerabilities in EM-org.springframework.webmvc.jar (CVE-2016-5007, CVE-2018-1258) - MEDIUM

HF # 11:

DE374652 - Security vulnerabilities in PostgreSQL-9.6.2: xmlsave.h & xslt.h (CVE-2017-18258, CVE-2017-5130, CVE-2013-2877, CVE-2013-0339, CVE-2014-3660, CVE-2016-1683, CVE-2015-7995, CVE-2016-1684)

HF # 10:

DE357957 - Security vulnerabilities in ACC-activemq-spring-5.14.0.jar (CVE-2017-15709-MEDIUM)
DE365679 - Security vulnerabilities in ACC-spring-security-web-4.1.4.RELEASE.jar & spring-websocket-4.3.11.RELEASE.jar (CVE-2018-1199, CVE-2017-15709-MEDIUM)
DE371965 - Security vulnerabilities in ACC-spring security OAuth v2.0.14 (CVE-2018-1260-HIGH) - RCE

HF # 09:

DE316022 - PostgreSQL security vulnerabilities: CVE-2014-3660, CVE-2013-2877, CVE-2013-0339, CVE-2016-1684, CVE-2015-7995, CVE-2016-1683
DE366386 - CVE-2018-1199 - spring-tx-5.0.2.RELEASE.jar reported against APMSqlServer using Black Duck

HF # 08 (SP1):

DE300305 - 00772370-Common Vulnerabilities and Exposures (CVE) security threat

DE359803 - Security vulnerabilities in PostgreSQL-9.6.2/pgAdmin 4 - xmllib.py, pct_warnings.py, _compat.py, testapp.py

DE364035 - APMSQLServer: logging broken after vulnerability fixes

HF # 04:

DE354396 - Open Source BlackDuck Vulnerabilities in ACC (jackson-databind)

Attachments

readme_1609874841615.txt