Multiple Vulnerabilities found with AWI files xstream.jar

Article ID: 223436

Updated On:

Products

CA Automic One Automation

Issue/Introduction

The following vulnerabilities were found in the xstream.jar files used by AWI:

CVE-2016-3674 - https://nvd.nist.gov/vuln/detail/CVE-2016-3674 - automic.ert.jar:lib/xstream.jar, org.eclipse.osgi/xx/x/.cp/lib/xstream.jar - vulnerability prior to 1.4.9
CVE-2017-7957 - https://nvd.nist.gov/vuln/detail/CVE-2017-7957 - automic.ert.jar:lib/xstream.jar, org.eclipse.osgi/xx/x/.cp/lib/xstream.jar - vulnerability prior to 1.4.9
CVE-2020-26217 - https://nvd.nist.gov/vuln/detail/CVE-2020-26217 - automic.ert.jar:lib/xstream.jar, org.eclipse.osgi/xx/x/.cp/lib/xstream.jar - vulnerability prior to 1.4.14
CVE-2020-26258 - https://nvd.nist.gov/vuln/detail/CVE-2020-26258 - automic.ert.jar:lib/xstream.jar, org.eclipse.osgi/xx/x/.cp/lib/xstream.jar - vulnerability prior to 1.4.15
CVE-2020-26259 - https://nvd.nist.gov/vuln/detail/CVE-2020-26259 - automic.ert.jar:lib/xstream.jar, org.eclipse.osgi/xx/x/.cp/lib/xstream.jar - vulnerability prior to 1.4.15
CVE-2021-21341 - https://nvd.nist.gov/vuln/detail/CVE-2021-21341 - automic.ert.jar:lib/xstream.jar, org.eclipse.osgi/xx/x/.cp/lib/xstream.jar - vulnerability prior to 1.4.16
CVE-2021-21343 - https://nvd.nist.gov/vuln/detail/CVE-2021-21343 - automic.ert.jar:lib/xstream.jar, org.eclipse.osgi/xx/x/.cp/lib/xstream.jar - vulnerability prior to 1.4.16
CVE-2021-21348 - https://nvd.nist.gov/vuln/detail/CVE-2021-21348 - automic.ert.jar:lib/xstream.jar, org.eclipse.osgi/xx/x/.cp/lib/xstream.jar - vulnerability prior to 1.4.16
CVE-2021-21349 - https://nvd.nist.gov/vuln/detail/CVE-2021-21349 - automic.ert.jar:lib/xstream.jar, org.eclipse.osgi/xx/x/.cp/lib/xstream.jar - vulnerability prior to 1.4.16
CVE-2021-29505 - https://nvd.nist.gov/vuln/detail/CVE-2021-29505 - automic.ert.jar:lib/xstream.jar, org.eclipse.osgi/xx/x/.cp/lib/xstream.jar - vulnerability prior to 1.4.17

Cause

Medium- and high-risk/impact vulnerabilities in a third-party .jar file (xstream.jar).

Environment

Release : 12.3

Component : AUTOMATION ENGINE

Resolution

This will be resolved in a future release of 12.3 and in version 21 by shipping an upgraded version of xstream.jar.