A Black Duck scan of build 10.7.0.358 reports vulnerabilities in the EM plugin com.tomsawyer_9.0.0.jar.
They are listed below. For this plugin, they all refer to the bundled Xerces2-J 2.9.1 and Batik 1.7 libraries:
Component | Version | Vulnerability ID | Path |
Apache Xerces2 J | 2.9.1 | CVE-2009-2625 (BDSA-2009-0005) | plugins/com.tomsawyer_9.0.0.jar!/lib/(server|client)/thirdparty/xercesImpl.jar |
Apache Xerces2 J | 2.9.1 | CVE-2013-4002 (BDSA-2016-1289) | plugins/com.tomsawyer_9.0.0.jar!/lib/(server|client)/thirdparty/xercesImpl.jar |
Apache Xerces2 J | 2.9.1 | CVE-2012-0881 (BDSA-2012-0077) | plugins/com.tomsawyer_9.0.0.jar!/lib/(server|client)/thirdparty/xercesImpl.jar |
Batik XML utility library | 1.7 | CVE-2015-0250 | plugins/com.tomsawyer_9.0.0.jar!/lib/client/thirdparty/batik-all.jar |
Batik XML utility library | 1.7 | CVE-2017-5662 (BDSA-2012-0002) | plugins/com.tomsawyer_9.0.0.jar!/lib/client/thirdparty/batik-all.jar |
Batik XML utility library | 1.7 | CVE-2018-8013 (BDSA-2018-1559) | plugins/com.tomsawyer_9.0.0.jar!/lib/client/thirdparty/batik-all.jar |
Batik XML utility library | 1.7 | CVE-2019-17566 (BDSA-2020-1423) | plugins/com.tomsawyer_9.0.0.jar!/lib/client/thirdparty/batik-all.jar |
Batik XML utility library | 1.7 | CVE-2020-11987 (BDSA-2021-0450) | plugins/com.tomsawyer_9.0.0.jar!/lib/client/thirdparty/batik-all.jar |
Batik XML utility library | 1.7.ubuntu | CVE-2015-0250 | plugins/com.tomsawyer_9.0.0.jar!/lib/client/thirdparty/batik-all.jar |
Release : 10.7.0
Component : Introscope
The affected files mostly belong to features that have already been deprecated, namely the APM triage map features, which are no longer available in the Workstation or WebView.
This will be addressed in 10.7 SP4.
The APM Status Console is a related feature. It has been possible to keep the functionality of the Status Console in the Workstation while still addressing the vulnerability.