Vulnerability CVE-2023-40167 and the Data Aggregator

Article ID: 366676

Products

Network Observability CA Performance Management

Issue/Introduction

Scan results against the NetOps Data Aggregator returned the following vulnerability. When will it be resolved?

CVE: CVE-2023-40167

Current Version: 9.4.50.v20221201

Fixed Version: 12.0.1, 11.0.16, 10.0.16, 9.4.52

Server: Data Aggregator

Location: /[Partition=78dac6f3]/IMDataAggregator/maven_repository/org/eclipse/jetty/jetty-http/9.4.50.v20221201/jetty-http-9.4.50.v20221201.jar

Environment

All supported DX NetOps Performance Management Data Aggregator releases 23.3.9 and older.

Resolution

The flagged jetty-http library is embedded in the apache-karaf Jetty implementation we use, so upgrading it depends on apache-karaf updates.

The Data Aggregator is moving to apache-karaf version 4.4.5 in the pending NetOps 23.3.10 release. That release brings Jetty version 9.4.53.v20231009, which remediates this vulnerability.

Upgrade to 23.3.10 or newer releases to resolve this.
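
To confirm the result after upgrading, the following added example (not Broadcom's code) walks a directory tree, finds every `jetty-http` jar, and compares its version with the fixed version of the same release line from the scan result above. The Data Aggregator install directory is passed as an argument because this article does not state it, and the function names are hypothetical.

```python
import os
import re
import sys

# Fixed versions per release line, as listed in the scan result above.
FIXED = {9: (9, 4, 52), 10: (10, 0, 16), 11: (11, 0, 16), 12: (12, 0, 1)}

# Matches e.g. jetty-http-9.4.50.v20221201.jar (the qualifier is optional).
JAR_RE = re.compile(r"^jetty-http-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.-]+)?\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch) from a jetty-http jar name, or None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version):
    """Compare a version with the fixed version of its own release line."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown"  # release line not covered by the scan result
    return "fixed" if version >= fixed else "vulnerable"


def scan(root):
    """Walk root and report every jetty-http jar as (path, version, status)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = parse_version(name)
            if version is not None:
                path = os.path.join(dirpath, name)
                findings.append((path, version, classify(version)))
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: first argument is the Data Aggregator install directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan(root)
    for path, version, status in results:
        print(f"{status:10} {'.'.join(map(str, version))}  {path}")
    # Non-zero exit if any copy is still below its fixed version.
    sys.exit(1 if any(s == "vulnerable" for _, _, s in results) else 0)
```

An old jar left on disk beside the new one is reported as well, which is the usual reason a scanner keeps flagging a host after an upgrade.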