Vulnerability CVE-2023-26048 and the Data Aggregator

Article ID: 366727

Updated On:

Products

DX NetOps CA Performance Management - Usage and Administration

Issue/Introduction

According to the KB article referenced below, this CVE is supposed to be resolved in the 23.3.9 release of the DX NetOps Data Aggregator and Data Repository systems.

Knowledge Article: Performance Management Data Aggregator CVE-2024-26308 and CVE-2024-25710 impact

After 23.3.9 has been installed, a new scan still flags the following CVEs as vulnerabilities on the systems.

  • CVE: CVE-2024-25710, CVE-2024-26308
  • Current Version: 1.21
  • Fixed Version: 1.26.0
  • Affected Servers:
    • Data Aggregator Location: $IMDataAggregator_HOME/Uninstall/uninstaller.jar -> META-INF/maven/org.apache.commons/commons-compress
    • Data Repository Location: $IMDataRepository_vertica10/Uninstall/uninstaller.jar -> META-INF/maven/org.apache.commons/commons-compress
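
To confirm on a host what the scanner is matching, the following added example (not part of the original article or of any Broadcom tooling) lists the commons-compress versions recorded in a jar's Maven metadata, including nested jars, and flags those below 1.26.0. It assumes the jar carries the standard Maven pom.properties file under the path the scanner reported; the function names are illustrative.

```python
import io
import re
import sys
import zipfile

# Path the scanner reported, plus the standard Maven metadata file name (assumption).
POM_PROPS = "META-INF/maven/org.apache.commons/commons-compress/pom.properties"
FIXED = (1, 26, 0)  # fixed version listed in this article

def parse_version(text):
    """Turn '1.21' or '1.26.0' into a comparable tuple, padded to three parts."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def embedded_versions(jar, label="jar"):
    """Return [(location, version)] for commons-compress metadata in a jar,
    descending into nested .jar/.zip entries."""
    found = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version\s*[=:]\s*(\S+)", props, re.M)
                if m:
                    found.append((label, m.group(1)))
            elif name.lower().endswith((".jar", ".zip")):
                try:
                    found += embedded_versions(io.BytesIO(zf.read(name)), f"{label}!{name}")
                except zipfile.BadZipFile:
                    pass  # entry is not a real archive; skip it
    return found

def flagged(jar, label="jar"):
    """Locations whose recorded version is below the fixed version."""
    return [(loc, v) for loc, v in embedded_versions(jar, label) if parse_version(v) < FIXED]

def sample_jar(version):
    """Constructed sample: an in-memory jar carrying only the Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.commons\nartifactId=commons-compress\nversion={version}\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the uninstaller.jar paths listed above
        for loc, ver in flagged(path, label=path):
            print(f"commons-compress {ver} at {loc} (< 1.26.0)")
```

A jar that bundles the library's classes without Maven metadata would not be reported by this check.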

Environment

All supported releases of DX NetOps Performance Management

Resolution

The changes to the DX NetOps software itself did remediate this. The new references are inside the InstallAnywhere (IA) installer tools used to install and uninstall the Data Aggregator and Data Repository systems.

Remediating this requires a new version of IA that fixes the problems. That version is not yet available from IA. When it is, the tool will be updated to that release. The change is tracked by the engineering team under defect ID DE601443.

To remediate the issue, delete the offending Uninstaller files or move them to a safe location for future use. Without them, uninstalling and cleanup become more difficult. If manual steps are required, engage Support with a new case for additional information.