Blackduck scans of the EM have revealed vulnerabilities in the open source component "commons-bcel 5.0"
 
Scanned EM version: 10.8.0.27
 
File locations of the detected component:

plugins/org.apahe.xlanj_2.7.2.9.jar/xlan-2.7.2jar/org/apache/bcel/verifier

 
Reported vulnerabilities:
CVE-2022-42920 (BDSA-2022-3150)  severity 9.8 High
https://sap.blackducksoftware.com/api/vulnerabilities/CVE-2022-42920/overview

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.

Release : 10.8

Analysis from APM Development, defect #DE550502

"One of the detected uses of Commons BCEL is in Xalan-J where it is embedded in the JAR. We should replace Xalan-J with Saxon-HE and completely remove Xalan-J from the product.

Recommended fix: prepare the OSGi bundle for Saxon-HE 11.4"

To be fixed in next 10.8 release.

https://knowledge.broadcom.com/external/article/185748/apm-107-security-vulnerabilities-that-a.html