ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

APM 10.7 - EM vulnerability: jackson-databind CVE-2020-36518

book

Article ID: 237470

calendar_today

Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope) DX Application Performance Management

Issue/Introduction

Blackduck scans have indicated a new vulnerability.

Scanned: 10.7.0.361

https://nvd.nist.gov/vuln/detail/CVE-2020-36518

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

(Even though the CVE entry dates back to 2020 the CVE seems to have been updated recently).

CVSS score: 7.5

Occurrences:

  • jackson-databind_2.12.5.jar
  • com.ca.apm.saml_10.7.0.jar!jackson-databind-2.12.5.jar
  • install/database-scripts/lib/com.wily.apm.dbtools_10.7.0.jar --> not really relevant for SAP since DB-less

 

Cause

This issue is related to defect DE531305

Environment

Release : 10.7.0

Component : Introscope

Resolution

To be fixed in APM 10.8

Additional Information

https://knowledge.broadcom.com/external/article/105898/apm-107-hotfixes.html