Vulnerability detected with Symantec PAM A2A client version 4.12.3

Article ID: 257590


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Vulnerability detected with A2A client version 4.12.3. Please see attached for Nexus IQ scan results for more details, but it is due to commons-net.jar.

Please look into this ASAP, we need to proceed as the vulnerability is holding up projects/new builds.

 

Environment

Release : 4.x

Cause

The client's vulnerability scanner flagged this jar file for CVE-2021-37533.

Resolution

After reviewing the A2A code base, development determined that commons-net.jar is not required for any base A2A functionality, and the jar file will be removed from future releases of the A2A agent (starting with PAM 4.1.2). No patch is required for any previous release, since the jar file can simply be deleted without restarting any services.

Linux/Unix

      [root@jXXXX ]# find <Your A2A install folder> -name 'commons-net*.jar'
      /opt/catech/cspmclient_v.4.12.3/lib/commons-net-3.3.jar

      [root@jXXXX ]# rm /opt/catech/cspmclient_v.4.12.3/lib/commons-net-3.3.jar
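
The Linux/Unix steps above as a repeatable script that also confirms no copy is left for the scanner to flag. This is an added example, not part of the original article or the product; the function names and the `--dry-run` option are assumptions of this example.

```shell
#!/bin/sh
# Added example: remove commons-net*.jar from an A2A client install tree
# and verify the result. Function names and --dry-run are hypothetical.

# list_commons_net DIR: print every commons-net jar under DIR, one per line.
# The pattern is quoted so the shell cannot expand it in the current directory.
list_commons_net() {
    find "$1" -type f -name 'commons-net*.jar' 2>/dev/null
}

# remove_commons_net DIR [--dry-run]
# Exit status: 0 = no commons-net jar remains (or dry run completed),
#              1 = at least one jar could not be removed,
#              2 = DIR is not a directory.
remove_commons_net() {
    dir=$1
    mode=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    list_commons_net "$dir" | while IFS= read -r jar; do
        if [ "$mode" = "--dry-run" ]; then
            echo "would remove: $jar"
        else
            rm -f -- "$jar" && echo "removed: $jar"
        fi
    done

    if [ "$mode" = "--dry-run" ]; then
        return 0
    fi

    # Re-scan: success only if nothing matching is left anywhere in the tree.
    [ -z "$(list_commons_net "$dir")" ]
}

# Usage, with the install path shown in the article:
#   sh remove_commons_net.sh /opt/catech/cspmclient_v.4.12.3 --dry-run
#   sh remove_commons_net.sh /opt/catech/cspmclient_v.4.12.3
[ "$#" -eq 0 ] || remove_commons_net "$@"
```

Run it with `--dry-run` first to see which files match; a second run after removal exits 0 with no output, so it is safe to repeat across hosts.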

Windows

    Delete the jar file using the Windows file manager (default location: C:\cspm\cloakware\cspmclient\lib)