
APM 10.8 EM Blackduck finding: commons-bcel 5.0 CVE-2022-42920


Article ID: 254700


Updated On:


CA Application Performance Management (APM / Wily / Introscope)


Blackduck scans of the EM have revealed vulnerabilities in the open source component "commons-bcel 5.0".
Scanned EM version:
File locations of the detected component:


Reported vulnerabilities:
CVE-2022-42920 (BDSA-2022-3150)  severity 9.8 High

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.



Release: 10.8


Analysis from APM Development, defect #DE550502

"One of the detected uses of Commons BCEL is in Xalan-J where it is embedded in the JAR. We should replace Xalan-J with Saxon-HE and completely remove Xalan-J from the product.

Recommended fix: prepare the OSGi bundle for Saxon-HE 11.4"


To be fixed in the next 10.8 release.
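Because Blackduck flags BCEL classes even when they are merged into another jar (the Xalan-J case above), a quick way to confirm which archives in an installation actually carry them is to walk every jar, nested ones included, and look for the org/apache/bcel package. The script below is an added example, not Broadcom's tooling; its sample archive layout, file names and the 5.0 version string are constructed, and it reports BCEL classes that ship without a pom.properties as affected because their version cannot be read.

```python
import io
import re
import zipfile
from typing import Iterator, Optional, Tuple

BCEL_PREFIX = "org/apache/bcel/"   # package of Apache Commons BCEL
BCEL_POM = "META-INF/maven/org.apache.bcel/bcel/pom.properties"
FIXED = (6, 6, 0)                  # advisory: "Update to Apache Commons BCEL 6.6.0"

def parse_version(props: str) -> Optional[Tuple[int, ...]]:
    """Turn 'version=5.0' from a Maven pom.properties into a comparable tuple."""
    m = re.search(r"^version=(\d+(?:\.\d+)*)", props, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def scan_jar(data: bytes, label: str = "<root>") -> Iterator[dict]:
    """Yield one finding per archive, nested ones included, that carries BCEL classes."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return                     # entry is not an archive, skip it
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        bcel = [n for n in names if n.startswith(BCEL_PREFIX) and n.endswith(".class")]
        if bcel:
            # Classes merged into another jar (the Xalan-J case) have no pom.properties: version unknown, report as affected
            ver = parse_version(zf.read(BCEL_POM).decode("utf-8", "replace")) if BCEL_POM in names else None
            yield {"archive": label, "classes": len(bcel), "version": ver,
                   "affected": ver is None or ver < FIXED}
        for n in names:
            if n.endswith((".jar", ".war", ".ear", ".zip")):
                yield from scan_jar(zf.read(n), f"{label}!/{n}")

def build_sample() -> bytes:
    """Constructed sample (not a real EM file): an outer archive bundling a Xalan-like jar
    with merged BCEL classes and a standalone bcel jar whose pom.properties says 5.0."""
    def jar(entries: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, body in entries.items():
                zf.writestr(name, body)
        return buf.getvalue()
    stub = b"\xca\xfe\xba\xbe"     # class-file magic only; content is irrelevant here
    xalan = jar({"org/apache/xalan/Version.class": stub, "org/apache/bcel/Constants.class": stub,
                 "org/apache/bcel/classfile/JavaClass.class": stub})
    bcel = jar({"org/apache/bcel/Constants.class": stub,
                BCEL_POM: "groupId=org.apache.bcel\nartifactId=bcel\nversion=5.0\n"})
    return jar({"lib/xalan.jar": xalan, "lib/bcel.jar": bcel, "README.txt": "constructed"})

if __name__ == "__main__":
    for finding in scan_jar(build_sample()):
        print(finding)
```

Point `scan_jar` at the bytes of a real EM archive to list every nested jar that still bundles BCEL; an archive whose version reads 6.6.0 or later is reported as not affected.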

Additional Information

APM 10.7 Security Vulnerabilities that are False Positive