APM introscope critical vulnerabilities

Article ID: 413084

Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

APM introscope critical vulnerabilities

<plugin_output>
  Path              : /opt/introscope/
  Installed version : 8.0.112.15 / build 8.0.112
  Fixed version     : Upgrade to version 8.0.411 or greater

  Path              : /opt/ibm-ucd/jdk1.8.0_191/
  Installed version : 8.0.191.12 / build 8.0.191
  Fixed version     : Upgrade to version 8.0.411 or greater
</plugin_output>

Resolution

We suggest that you take the following steps to address the above vulnerabilities.

1- Path              : /opt/introscope/

This path looks like it belongs to APM, and the finding indicates that APM is using JDK or JRE 8.0.112.15 / build 8.0.112.

We reviewed the APM EM logs, and it looks like the EM is using the following JRE:
Using Java VM version "OpenJDK 64-Bit Server VM 11.0.18" from Eclipse Adoptium
Using Introscope installation at: /opt/introscope/Introscope10.8.0.27/.

It looks like you may have older APM 10.7 backups. In this case, we suggest that you move all of those backups to another location and run the scan again to see where the JRE 8.0.112.15 / build 8.0.112 vulnerability is coming from. Most likely, once the older release backups have been moved, this vulnerability will no longer be reported.


2- Path              : /opt/ibm-ucd/jdk1.8.0_191/

This path does not belong to APM. It looks like it belongs to another application that is using JDK version 1.8.
In this case, check with the application owner. The solution appears to be to upgrade the JDK to version 8.0.411 or greater. Make sure to consult the application owner before making any changes.
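
To find which directory under a reported path actually holds the old runtime before moving backups and rescanning, the following script lists every Java home under a directory and flags Java 8 updates below the scan's fixed version. It is an added example, not part of the original article or of APM; the function names are hypothetical, and it assumes each runtime ships a `release` file with a `JAVA_VERSION` line.

```shell
#!/bin/sh
# Added example: list Java runtimes under a directory and flag Java 8
# updates below the scanner's fixed version (8.0.411, i.e. 1.8.0_411).
# Assumption: each runtime has a "release" file with a JAVA_VERSION line.

MIN_UPDATE=411   # taken from the scan's "Fixed version" line

# Print JAVA_VERSION for a Java home, or "unknown" if it cannot be read.
java_version_of() {
    rel=$1/release
    [ -f "$rel" ] || rel=${1%/jre}/release   # JDK 8 layout: jre/ inside the JDK home
    v=$(sed -n 's/^JAVA_VERSION="\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$rel" 2>/dev/null | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

# BELOW_FIX   : Java 8 with update number lower than MIN_UPDATE
# NOT_FLAGGED : any other parsed version (not covered by this finding)
# UNKNOWN     : version could not be determined, inspect manually
classify_version() {
    case "$1" in
        1.8.0) echo BELOW_FIX ;;
        1.8.0_*)
            upd=${1#1.8.0_}
            upd=${upd%%[!0-9]*}              # drop suffixes such as "-b15"
            if [ -z "$upd" ]; then echo UNKNOWN
            elif [ "$upd" -lt "$MIN_UPDATE" ]; then echo BELOW_FIX
            else echo NOT_FLAGGED
            fi ;;
        unknown) echo UNKNOWN ;;
        *) echo NOT_FLAGGED ;;
    esac
}

# Treat every directory containing bin/java as a Java home and print
# "STATUS<TAB>VERSION<TAB>HOME" for each one found under ROOT.
scan_java_homes() {
    find "$1" -type f -name java -path '*/bin/java' 2>/dev/null |
    while IFS= read -r bin; do
        home=${bin%/bin/java}
        ver=$(java_version_of "$home")
        printf '%s\t%s\t%s\n' "$(classify_version "$ver")" "$ver" "$home"
    done
}

# Usage: sh scan_java.sh /opt/introscope
if [ "$#" -gt 0 ]; then scan_java_homes "$1"; fi
```

Lines marked `BELOW_FIX` show the directories to move or hand to the application owner; `UNKNOWN` entries have no readable `release` file and need a manual check.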