TDM Portal Security Vulnerabilities for Tomcat and OrientDB

Article ID: 258307

Products

CA Test Data Manager (Data Finder / Grid Tools)

Issue/Introduction

Security Vulnerabilities reported by Blackduck:

  • CVE-2019-0227 (BDSA-2019-1049): A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution, which was last released in 2006. Security and bug-fix commits continue in the project's Axis 1.x Subversion repository, and legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; its latest version, 1.7.9, is not vulnerable to this issue.
    • Component Name: Axis (Java) version 1.4
    • Base Score: 7.5 (NVD)
    • Security Risk: High

  • BDSA-2022-3447: SnakeYAML is vulnerable to remote code execution (RCE) when used in an application to parse untrusted user-supplied YAML files. A remote attacker could craft a malicious YAML file that when deserialized allows arbitrary command execution on the target system.
    • Component Name: SnakeYAML version 1.31 **
    • Base Score: 8.7 (BDSA)
    • Security Risk: High

  • BDSA-2022-3278: Jettison is vulnerable to denial-of-service (DoS) due to an unspecified parsing issue which can lead to an out-of-memory error. An attacker could exploit this vulnerability by supplying an application with maliciously crafted XML or JSON.
    • Component Name: Jettison (JSON Stax Implementation) version 1.5.1 **
    • Base Score: 7.1 (BDSA)
    • Security Risk: High

** 3rd Party Components

Environment

TDM Portal 4.10.148.0 and older

Cause

Vulnerability

Resolution

Broadcom has provided a TDM Portal patch that addresses these vulnerabilities. The patch is available at the "Test Data Manager (TDM) Support Patches" page on the Broadcom Support Portal.
Besides the security fixes, the TDM Portal for Docker patch also contains an enhancement for Kubernetes to use Broadcom helm charts.

Please upgrade your TDM Portal, or TDM Portal for Docker, to TDMWeb-4.10.159.0 or greater.

This patch upgrades the following TDM Portal Components:

  • Upgrades Tomcat 9.0.68 to Tomcat 9.0.71
  • Upgrades Yajsw (Yet Another Java Service Wrapper) to 13.08
  • Upgrades the following components used by OrientDB:
    • Jettison 1.5.1 to Jettison 1.5.3
    • hazelcast 5.0.1 to hazelcast 5.0.4

Note: Since this patch upgrades the Tomcat web engine and the OrientDB database components, it is highly recommended that you back up your GTREP repository database, your TDM installation directory, and your OrientDB database files (the %ProgramData%\CA Test Data Manager Portal directory) before applying it.
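As an added example (not part of this article or of Broadcom's patch), the following Python script scans a TDM Portal installation directory for library jars and flags any still below the patched Jettison and hazelcast versions listed above, or still at the SnakeYAML and Axis versions reported as vulnerable. It assumes jars follow the usual <artifact>-<version>.jar naming; the directory to scan is site-specific and passed on the command line.

```python
"""Post-patch check for the component versions named in this article."""
import os
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Minimum fixed versions are the ones the patch installs (see the upgrade list above).
MIN_FIXED = {"jettison": (1, 5, 3), "hazelcast": (5, 0, 4)}
# Versions the article reports as vulnerable without stating a fixed version.
KNOWN_VULNERABLE = {"snakeyaml": (1, 31), "axis": (1, 4)}

# Assumes the Maven naming convention <artifact>-<version>[-qualifier].jar
JAR_RE = re.compile(r"^(?P<name>[a-z][a-z0-9_.-]*?)-(?P<ver>\d+(?:\.\d+)*)[^/\\]*\.jar$", re.I)


def parse_jar(path: str) -> Optional[Tuple[str, Version]]:
    """Return (artifact, version tuple) for a jar path, or None if unrecognised."""
    m = JAR_RE.match(re.split(r"[\\/]", path)[-1])  # basename, Windows or POSIX
    if not m:
        return None
    return m.group("name").lower(), tuple(int(p) for p in m.group("ver").split("."))


def assess(jar_paths) -> List[Tuple[str, str]]:
    """Flag jars still below the patched version or at a version reported vulnerable."""
    findings = []
    for path in jar_paths:
        parsed = parse_jar(path)
        if parsed is None:
            continue
        name, ver = parsed
        if name in MIN_FIXED and ver < MIN_FIXED[name]:
            wanted = ".".join(map(str, MIN_FIXED[name]))
            findings.append((path, f"below patched version {wanted}"))
        elif name in KNOWN_VULNERABLE and ver == KNOWN_VULNERABLE[name]:
            findings.append((path, "version reported vulnerable by Black Duck"))
    return findings


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk an installation directory (path is site-specific) and assess every jar."""
    jars = [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.lower().endswith(".jar")]
    return assess(jars)


# Constructed sample: what an unpatched TDM Portal lib directory might contain.
SAMPLE_JARS = ["lib/jettison-1.5.1.jar", "lib/hazelcast-5.0.1.jar", "lib/snakeyaml-1.31.jar",
               "lib/hazelcast-kubernetes-2.2.3.jar", "lib/catalina.jar"]

if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else assess(SAMPLE_JARS)
    for path, why in results:
        print(f"{path}: {why}")
    print("no findings" if not results else f"{len(results)} finding(s)")
```

Run it against the TDM installation directory after the patch; any output line means a listed component was not upgraded. Tomcat itself is not covered, since its version is not carried in a jar file name.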

Additional Information

For more information on upgrading TDM, or applying patches, see: