APM 10.8 EM Blackduck finding: commons-bcel 5.0 CVE-2022-42920

Article ID: 254700

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Blackduck scans of the EM have revealed vulnerabilities in the open source component "commons-bcel 5.0".

Scanned EM version: 10.8.0.27

File locations of the detected component:

plugins/org.apahe.xlanj_2.7.2.9.jar/xlan-2.7.2jar/org/apache/bcel/verifier

Reported vulnerabilities:

CVE-2022-42920 (BDSA-2022-3150), severity 9.8 High
https://sap.blackducksoftware.com/api/vulnerabilities/CVE-2022-42920/overview

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.

Environment

Release : 10.8

Cause

Analysis from APM Development, defect #DE550502

"One of the detected uses of Commons BCEL is in Xalan-J where it is embedded in the JAR. We should replace Xalan-J with Saxon-HE and completely remove Xalan-J from the product.

Recommended fix: prepare the OSGi bundle for Saxon-HE 11.4"
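Because the BCEL classes here live inside a jar that is itself embedded in a plugin jar, a flat file listing can miss them. The script below is an added example (not part of this article or the APM product) that walks a directory of jars, recurses into nested jars and reports every org/apache/bcel class it finds; the plugin and inner jar names it builds for its self-test are constructed, not the product's own.

```python
import io
import os
import tempfile
import zipfile

BCEL_PREFIX = "org/apache/bcel/"  # package of the vulnerable component


def _scan_zip(zf, path, hits):
    """Collect BCEL classes in one archive; recurse into jars nested in it."""
    for info in zf.infolist():
        name = info.filename
        if name.startswith(BCEL_PREFIX) and name.endswith(".class"):
            hits.append(f"{path}!/{name}")
        elif name.endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(info))) as inner:
                    _scan_zip(inner, f"{path}!/{name}", hits)
            except zipfile.BadZipFile:
                pass  # entry named .jar but not a valid archive; skip

def find_bcel_classes(root):
    """Return 'outer.jar!/inner.jar!/class' paths of BCEL classes under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".jar"):
                full = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(full) as zf:
                        _scan_zip(zf, os.path.relpath(full, root), hits)
                except zipfile.BadZipFile:
                    pass  # truncated or corrupt jar; report nothing for it
    return hits

def build_sample_plugin(directory):
    """Constructed sample (not the product's jar): plugin jar embedding a jar with a BCEL class."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("org/apache/bcel/verifier/Verifier.class", b"\xca\xfe\xba\xbe")
        z.writestr("org/apache/xalan/Version.class", b"\xca\xfe\xba\xbe")
    outer = os.path.join(directory, "sample-plugin.jar")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("embedded-xalan.jar", inner.getvalue())
    return outer

def demo():
    # Build the constructed sample in a temp dir and return the hits found.
    with tempfile.TemporaryDirectory() as d:
        build_sample_plugin(d)
        return find_bcel_classes(d)
```

Run `find_bcel_classes("<EM_HOME>/plugins")` against an installation to confirm whether the embedded copy is still present after an upgrade.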

Resolution

To be fixed in next 10.8 release.

Additional Information

APM 10.7 Security Vulnerabilities that are False Positive

https://knowledge.broadcom.com/external/article/185748/apm-107-security-vulnerabilities-that-a.html