Black Duck scans of the EM have revealed vulnerabilities in the open-source component "commons-bcel 5.0".
Scanned EM version: 10.8.0.27
File locations of the detected component:
CVE-2022-42920 (BDSA-2022-3150) severity 9.8 High
Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
Release: 10.8
Analysis from APM Development, defect #DE550502
"One of the detected uses of Commons BCEL is in Xalan-J where it is embedded in the JAR. We should replace Xalan-J with Saxon-HE and completely remove Xalan-J from the product.
Recommended fix: prepare the OSGi bundle for Saxon-HE 11.4"
To be fixed in next 10.8 release.
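The scan finding above rests on BCEL classes being bundled inside another JAR (Xalan-J), which is why a plain dependency list can miss it. The following added example (not part of the defect record or the product) walks a directory of JARs, counts entries under org/apache/bcel/, reads the bundled version from a Maven pom.properties entry if one was kept (an assumption; many bundled builds drop it), and compares it to the 6.6.0 fix version named in the CVE text. The sample JARs it scans are constructed in a temporary directory and are not real artifacts.

```python
import zipfile
from pathlib import Path
import tempfile

BCEL_PACKAGE_PREFIX = "org/apache/bcel/"
BCEL_POM_PROPERTIES = "META-INF/maven/org.apache.bcel/bcel/pom.properties"  # assumed; only present if the bundling build kept it
FIXED_VERSION = (6, 6, 0)  # CVE-2022-42920 is fixed in Apache Commons BCEL 6.6.0

def parse_version(text):
    """'5.0' -> (5, 0); stops at the first non-numeric piece such as '0-SNAPSHOT' (conservative)."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def inspect_jar(path):
    """Count BCEL classes inside one jar and, if a version is recorded, compare it to the fix."""
    result = {"path": str(path), "bcel_classes": 0, "version": None, "vulnerable": None}
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        result["bcel_classes"] = sum(n.startswith(BCEL_PACKAGE_PREFIX) and n.endswith(".class") for n in names)
        if BCEL_POM_PROPERTIES in names:
            for line in jar.read(BCEL_POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    result["version"] = value.strip()
    if result["bcel_classes"] and result["version"]:
        result["vulnerable"] = parse_version(result["version"]) < FIXED_VERSION
    return result

def scan_tree(root):
    """Inspect every .jar under root and keep only those that embed BCEL classes."""
    return [r for r in (inspect_jar(p) for p in Path(root).rglob("*.jar")) if r["bcel_classes"]]

def build_sample_jar(path, bcel_version=None):
    """Constructed stand-in jar (not a real artifact): optionally bundles BCEL classes plus a pom.properties."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/xalan/Version.class", b"\xca\xfe\xba\xbe")
        if bcel_version:
            jar.writestr("org/apache/bcel/classfile/ConstantPool.class", b"\xca\xfe\xba\xbe")
            jar.writestr(BCEL_POM_PROPERTIES, f"groupId=org.apache.bcel\nartifactId=bcel\nversion={bcel_version}\n")

def demo():
    """Scan three constructed jars: embedded BCEL 5.0 (vulnerable), 6.6.0 (fixed), and one with no BCEL."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in (("xalan.jar", "5.0"), ("bcel-6.6.0.jar", "6.6.0"), ("saxon-he.jar", None)):
            build_sample_jar(Path(tmp) / name, ver)
        return {Path(r["path"]).name: r["vulnerable"] for r in scan_tree(tmp)}
```

A JAR that embeds BCEL classes but carries no version metadata is reported with vulnerable=None, so it still needs manual confirmation rather than being silently treated as clean.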