EM 10.8 vulnerabilities: Rhino and JSON (BDSA-2018-5289 and CVE-2022-45688)

Article ID: 265267


Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Blackduck scans of the Enterprise Manager (EM) have revealed two vulnerabilities with a HIGH CVSS score.

Scanned EM version: 10.8.1.6

Reported vulnerabilities:

BDSA-2018-5289, severity 7.5 HIGH

 
File locations of the detected component:
 
plugins/com.wily.introscope.appmap.em_10.8.0.jar!/WebContent/WEB-INF/lib/rhino.jar
plugins/com.wily.introscope.em_10.8.0.jar!/lib/rhino.jar
 
Mozilla Rhino is vulnerable to XML external entity (XXE) injection because of insecure XML parsing in the toXml function of its E4X XML support: external entities declared in a crafted document are resolved. Applications that pass untrusted input to this function are exposed to information disclosure (local files read by the external entities and returned in the result), to outbound requests made on the server's behalf, and to minor integrity and availability impacts. EM components that never feed attacker-controlled XML into Rhino scripts are not reachable through this path, but the bundled library is still flagged by the scan until it is upgraded.

Fixed in Rhino version 1.7.12, which disables external entity resolution in the XML parser.

The latest stable Rhino releases are published on the project's GitHub releases page.

 

CVE-2022-45688, severity 7.5 HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-45688

File location of the detected component:

plugins/com.wily.introscope.appmap.em_10.8.0.jar!/WebContent/WEB-INF/lib/json.jar

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data. The NVD description names hutool-json, but the same unbounded recursive XML.toJSONObject parser exists in org.json (JSON-java), which is the library json.jar bundles; JSON-java release 20230227 added the nesting-depth limit that closes this issue. Any EM endpoint that converts caller-supplied XML to JSON with this class can be driven into a StackOverflowError by a document nested a few thousand levels deep, which takes down the JVM thread handling the request.
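The two findings above are both jars nested inside the EM plugin jars, so a normal classpath or Maven scan does not see them. The following script is an added example (not part of the original article or of the product) that reads the version of each nested jar from its manifest and compares it with the fix release: 1.7.12 for Rhino (from the text above) and 20230227 for JSON-java (the release that added the nesting-depth limit). It assumes the bundled jars carry an Implementation-Version or Bundle-Version manifest attribute; the sample install it builds in a temporary directory is constructed for the demonstration and is not a real EM layout.

```python
"""Check whether an APM Enterprise Manager install still ships the vulnerable
nested rhino.jar / json.jar reported above.  Added example, not product code."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Nested-jar locations from the scan (relative to the EM install directory),
# mapped to the library name and the first release that carries the fix.
FINDINGS = {
    "plugins/com.wily.introscope.appmap.em_10.8.0.jar!/WebContent/WEB-INF/lib/rhino.jar": ("rhino", "1.7.12"),
    "plugins/com.wily.introscope.em_10.8.0.jar!/lib/rhino.jar": ("rhino", "1.7.12"),
    "plugins/com.wily.introscope.appmap.em_10.8.0.jar!/WebContent/WEB-INF/lib/json.jar": ("json", "20230227"),
}


def parse_manifest(text):
    """Parse META-INF/MANIFEST.MF into a dict; continuation lines start with one space."""
    attrs = {}
    key = None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs


def nested_jar_version(install_dir, finding):
    """Version of a jar nested inside another jar, None if absent, 'unknown' if unversioned.
    Assumption: the jar's manifest carries Implementation-Version or Bundle-Version."""
    outer, inner = finding.split("!/", 1)
    outer_path = Path(install_dir) / outer
    if not outer_path.is_file():
        return None
    with zipfile.ZipFile(outer_path) as outer_zip:
        if inner not in outer_zip.namelist():
            return None
        with zipfile.ZipFile(io.BytesIO(outer_zip.read(inner))) as inner_zip:
            try:
                manifest = parse_manifest(inner_zip.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            except KeyError:
                return "unknown"
    return manifest.get("Implementation-Version") or manifest.get("Bundle-Version") or "unknown"


def version_key(version):
    """Numeric tuple so that '1.7.7' < '1.7.12' and '20180813' < '20230227'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def check_install(install_dir):
    """Map each finding to (version, status); status is missing/unknown/vulnerable/fixed."""
    report = {}
    for finding, (_name, fixed_in) in FINDINGS.items():
        version = nested_jar_version(install_dir, finding)
        if version is None:
            status = "missing"
        elif version == "unknown":
            status = "unknown"
        elif version_key(version) < version_key(fixed_in):
            status = "vulnerable"
        else:
            status = "fixed"
        report[finding] = (version, status)
    return report


def build_sample_install(root, versions):
    """Constructed EM layout (not a real install): writes each outer plugin jar with
    the nested jar inside, stamping the manifest with the versions given."""
    for finding, (name, _fixed) in FINDINGS.items():
        outer, inner = finding.split("!/", 1)
        inner_buf = io.BytesIO()
        with zipfile.ZipFile(inner_buf, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {versions[name]}\n")
        outer_path = Path(root) / outer
        outer_path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(outer_path, "a" if outer_path.exists() else "w") as z:
            z.writestr(inner, inner_buf.getvalue())


def scan_sample(versions):
    """Build a constructed install with the given library versions and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp, versions)
        return check_install(tmp)


if __name__ == "__main__":
    # Point check_install at a real EM directory instead, e.g. check_install("/opt/CA/APM/Introscope")
    for finding, (version, status) in scan_sample({"rhino": "1.7.7", "json": "20180813"}).items():
        print(f"{status:10} {version:10} {finding}")
```

Run it against the EM install directory after applying 10.8 SP1 as well as before: a status of "unknown" means the jar is present but its manifest has no version attribute, so the check has to fall back to comparing the jar's SHA-256 with the vendor's published artifact rather than declaring the finding closed.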

 

Environment

Release : 10.8

Resolution

Fixed in 10.8 SP1

Additional Information

https://knowledge.broadcom.com/external/article/185748/apm-107-security-vulnerabilities-that-a.html