Customer reported Vulnerability CVE-2017-12626 with APM 10.7 SP3
Nessus Plugin: 106717 Apache POI < 3.17 Multiple DoS Vulnerabilities
CVE: CVE-2017-12626
Plugin Output:
Path: /opt/wily/Introscope10.7/EM/product/enterprisemanager/configuration/org.eclipse.osgi/bundles/260/1/.cp/WebContent/WEB-INF/lib/displaytag-export-poi-1.2.jar
According to the tech doc https://knowledge.broadcom.com/external/article?articleId=105898,
HOTFIX #82 resolves this vulnerability.
Per the above document, the customer installed HOTFIX #82.
After this, the finding at that path is resolved, but the scan now reports the same vulnerability for a file with the same name at a different location.
Nessus Plugin 106717 - Apache POI < 3.17 Multiple DoS Vulnerabilities
CVE-2017-12626
/opt/wily/Introscope10.7/EM/com.wily.apm.tess/WebContent/WEB-INF/lib/displaytag-export-poi-1.2.jar
When we check the files, we see that a newer displaytag-export-poi-1.2.jar is present under:
./product/enterprisemanager/configuration/org.eclipse.osgi/bundles/41/1/.cp/WebContent/WEB-INF/lib:
The security scan did not flag this file.
The older displaytag-export-poi-1.2.jar is present under:
./com.wily.apm.tess/WebContent/WEB-INF/lib:
The security scan did flag this file.
If any copy that the scan reports as Apache POI earlier than 3.17 needs to stay in place, the customer needs documentation showing that it is not vulnerable to CVE-2017-12626.
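The root cause above is a library that exists in more than one location under the Enterprise Manager, with the hotfix replacing one copy and leaving another. The following is an added example, not part of the KB article or of the APM product: a small POSIX shell script that lists every copy of a jar under an install root with its SHA-256, so that copies the hotfix replaced (different bytes) can be told apart from copies it left untouched, and so that a follow-up scan result can be checked against the actual files rather than the file name. The directory tree and the placeholder "jar" contents created by build_demo_tree are constructed for this demo and stand in for the two locations named above; run find_jar_copies against /opt/wily on a real system.

```shell
#!/bin/sh
# Added example (not from the KB article): enumerate every copy of a jar under
# an install root with its SHA-256, so copies that a hotfix replaced can be
# distinguished from copies it left behind. build_demo_tree creates a
# constructed stand-in for the article's two paths; the files it writes are
# placeholder text, not real archives.

# hash_file FILE -> SHA-256 hex digest (coreutils, with a BSD fallback)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# find_jar_copies ROOT PATTERN -> one "digest  path" line per matching file,
# sorted by path so repeated runs are comparable
find_jar_copies() {
    find "$1" -type f -name "$2" | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done
}

# count_distinct ROOT PATTERN -> number of different file contents among the
# copies; 1 means every copy is byte-identical, more means old and new builds
# of the same jar coexist and a scanner may still flag the old one
count_distinct() {
    find_jar_copies "$1" "$2" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# build_demo_tree DIR: constructed layout mirroring the OSGi bundle cache copy
# and the com.wily.apm.tess copy, with different contents in each
build_demo_tree() {
    em="$1/Introscope10.7/EM"
    new="$em/product/enterprisemanager/configuration/org.eclipse.osgi/bundles/41/1/.cp/WebContent/WEB-INF/lib"
    old="$em/com.wily.apm.tess/WebContent/WEB-INF/lib"
    mkdir -p "$new" "$old"
    printf 'hotfix build\n' > "$new/displaytag-export-poi-1.2.jar"
    printf 'original build\n' > "$old/displaytag-export-poi-1.2.jar"
}

# Demo run on the constructed tree. Against a real install, the equivalent is:
#   find_jar_copies /opt/wily 'displaytag-export-poi-*.jar'
demo_root=$(mktemp -d)
build_demo_tree "$demo_root"
find_jar_copies "$demo_root" 'displaytag-export-poi-*.jar'
echo "distinct contents: $(count_distinct "$demo_root" 'displaytag-export-poi-*.jar')"
rm -rf "$demo_root"
```

Because the jar's file name carries the displaytag version (1.2) rather than the Apache POI version the scanner is reporting on, the name alone cannot show which copy was updated; comparing digests across locations, and against the jar delivered with the hotfix, does.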
Release : 10.7.0
Component : Introscope
Apply the latest Hotfix #84.
In APM 10.7, we support the manual upgrade procedure for PostgreSQL from 9.6.2 to 13.4, but a PostgreSQL upgrade is not required for the hotfix installation. You can install this latest hotfix without the PostgreSQL upgrade.
Hotfix #84 resolves the vulnerability.
Contact support to obtain Hotfix #84.