APM 10.7 - vulnerability reported with XStream 1.4.16 affecting EM with CVSS score 8.8


Article ID: 217492


Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

New vulnerability with CVSS score 8.8:

Description

XStream in its default configuration, or with a security framework set up without a sufficient blacklist / whitelist, is vulnerable to arbitrary code execution. The class names carried in the input stream decide which objects XStream instantiates, so any dangerous type that is not explicitly blocked can be created by whoever controls the input. The dangerous type in this case is the JDK-internal class com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl.

An attacker who can supply crafted input to XStream can use it to load and execute arbitrary code hosted on a remote host.
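The following Java example is added here to illustrate the root cause described above and the mitigation that does not depend on a blacklist; it is not code from this article, from XStream or from APM. The Greeting class and both XML strings are constructed for the illustration; the XStream calls (addPermission, allowTypes, ForbiddenClassException) are the library's own security framework API, available since 1.4.10.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example, not code from the KB article, from XStream or from APM.
// Shows that the input stream names the classes XStream instantiates, and
// how an explicit allowlist stops that regardless of the bundled version.
public class XStreamAllowlistDemo {

    // Hypothetical application type; the only thing this code expects to read.
    public static class Greeting {
        public String text;
    }

    // Constructed input: well-formed, but its root element names a type the
    // application never asked for. Here it is a harmless AtomicInteger; in the
    // advisory it is a JDK class that triggers remote class loading.
    static final String UNEXPECTED_TYPE_XML =
        "<java.util.concurrent.atomic.AtomicInteger>"
      + "<value>42</value>"
      + "</java.util.concurrent.atomic.AtomicInteger>";

    // Constructed input of the shape the application actually expects.
    static final String EXPECTED_XML = "<greeting><text>hello</text></greeting>";

    // XStream 1.4.16 as shipped: nothing beyond the built-in blacklist, so any
    // type not on that list is instantiated on request.
    static XStream unrestricted() {
        XStream xstream = new XStream();
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    // Same parser restricted to an explicit allowlist. NoTypePermission.NONE
    // clears every existing permission, so from here on only what is
    // explicitly allowed can be deserialized, whatever the XStream version.
    static XStream restricted() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Greeting.class });
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    public static void main(String[] args) {
        // Default configuration: the attacker-chosen type is created. Swap
        // AtomicInteger for a gadget class and this is the advisory's RCE path.
        Object o = unrestricted().fromXML(UNEXPECTED_TYPE_XML);
        System.out.println("default config instantiated: " + o.getClass().getName());

        XStream safe = restricted();
        Greeting g = (Greeting) safe.fromXML(EXPECTED_XML);
        System.out.println("allowlisted config read: " + g.text);

        // Allowlisted configuration: the root type is checked before any
        // converter runs, so the rejection surfaces as ForbiddenClassException.
        // A forbidden type nested inside an allowed one surfaces as the cause
        // of a ConversionException instead.
        try {
            safe.fromXML(UNEXPECTED_TYPE_XML);
            System.out.println("BUG: unexpected type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("allowlisted config rejected: " + e.getMessage());
        }
    }
}
```

Compile against xstream 1.4.16 or 1.4.17 and run the class: the first call prints java.util.concurrent.atomic.AtomicInteger, showing that the parser created whatever the XML named; the restricted instance reads the Greeting and rejects the AtomicInteger. An allowlist of this kind is what XStream's own security advisories recommend and is not invalidated by the next gadget class, unlike a blacklist update.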

From BDSA record:

How to fix it

Solution - Fix Available

Fixed in 1.4.17 by this commit.

 

Environment

Release : 10.7.0

Component : Introscope

Cause

Defect # DE505488

Resolution

To be fixed in 10.7 SP4

 

Details of the vulnerability:

 

FOSSNAME   VERSION   CVEID            BASE_SCORE
XStream    1.4.16    BDSA-2021-1626   8.8

 

The fix is to upgrade the XStream library bundled with the EM to version 1.4.17. Note that 1.4.17 only extends XStream's default blacklist; XStream's own recommendation is to configure its security framework with a whitelist of the types the application actually expects, which also protects against dangerous types not yet on the blacklist.

Recommended upgrade: https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream/1.4.17