List of Vulnerabilities detected in the APM 10.8.0.214 release
Article ID: 419328


Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Reported vulnerabilities

***************************

CVE-2021-46877
CVE-2022-42003
CVE-2022-42004
CVE-2024-38819
CVE-2024-38816

AssetName     Name             CVSS Severity   LocationPath
<Hostname>    CVE-2021-46877   High            /[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/plugins/net.sf.ehcache_2.10.9.2.jar -> rest-management-private-classpath/META-INF/xx/com.fasterxml.jackson.core/jackson-databind
<Hostname>    CVE-2021-46877   High            /[Partition=yyyy]/ccms/apmintroscope/product/workstation/plugins/net.sf.ehcache_2.10.9.2.jar -> rest-management-private-classpath/META-INF/xx/com.fasterxml.jackson.core/jackson-databind
<Hostname>    CVE-2022-42003   High            /[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/plugins/net.sf.ehcache_2.10.9.2.jar -> rest-management-private-classpath/META-INF/xx/com.fasterxml.jackson.core/jackson-databind
<Hostname>    CVE-2022-42003   High            /[Partition=yyyy]/ccms/apmintroscope/product/workstation/plugins/net.sf.ehcache_2.10.9.2.jar -> rest-management-private-classpath/META-INF/xx/com.fasterxml.jackson.core/jackson-databind
<Hostname>    CVE-2022-42004   High            /[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/plugins/net.sf.ehcache_2.10.9.2.jar -> rest-management-private-classpath/META-INF/xx/com.fasterxml.jackson.core/jackson-databind
<Hostname>    CVE-2022-42004   High            /[Partition=yyyy]/ccms/apmintroscope/product/workstation/plugins/net.sf.ehcache_2.10.9.2.jar -> rest-management-private-classpath/META-INF/xx/com.fasterxml.jackson.core/jackson-databind

CVE-2024-38819

/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/configuration/org.eclipse.osgi/106/0/.cp/WebContent/WEB-INF/lib/spring-web.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/configuration/org.eclipse.osgi/106/0/.cp/WebContent/WEB-INF/lib/spring-webmvc.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/configuration/org.eclipse.osgi/19/0/.cp/WebContent/WEB-INF/lib/spring-web.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/configuration/org.eclipse.osgi/28/0/.cp/libs/spring-web.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/configuration/org.eclipse.osgi/82/0/.cp/WebContent/WEB-INF/lib/spring-web.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/configuration/org.eclipse.osgi/82/0/.cp/WebContent/WEB-INF/lib/spring-webmvc.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/plugins/com.ca.apm.em.idp.shibboleth_10.8.0.jar -> WebContent/WEB-INF/lib/spring-web.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/plugins/com.ca.apm.oi_10.8.0.jar -> libs/spring-web.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/plugins/com.wily.apm.webservices2_10.8.0.jar -> WebContent/WEB-INF/lib/spring-web.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/plugins/com.wily.apm.webservices2_10.8.0.jar -> WebContent/WEB-INF/lib/spring-webmvc.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/plugins/com.wily.introscope.appmap.em_10.8.0.jar -> WebContent/WEB-INF/lib/spring-web.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/plugins/com.wily.introscope.appmap.em_10.8.0.jar -> WebContent/WEB-INF/lib/spring-webmvc.jar
/[Partition=yyyy]/ccms/apmintroscope_old/product/enterprisemanager/configuration/org.eclipse.osgi/17/0/.cp/WebContent/WEB-INF/lib/spring-web.jar

CVE-2024-38816

/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/plugins/com.wily.apm.webservices2_10.8.0.jar -> WebContent/WEB-INF/lib/spring-webmvc.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/configuration/org.eclipse.osgi/106/0/.cp/WebContent/WEB-INF/lib/spring-webmvc.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/plugins/com.wily.introscope.appmap.em_10.8.0.jar -> WebContent/WEB-INF/lib/spring-webmvc.jar
/[Partition=yyyy]/ccms/apmintroscope/product/enterprisemanager/configuration/org.eclipse.osgi/82/0/.cp/WebContent/WEB-INF/lib/spring-webmvc.jar

Environment

APM

Resolution

BDSA-2021-4830, CVE-2021-46877: false positive.

BDSA-2022-2765, CVE-2022-42003: false positive.

BDSA-2022-2768, CVE-2022-42004: false positive.

BDSA-2024-7391, CVE-2024-38819: APM does not ship the Tomcat server and does not use the RouterFunctions and FileSystemResource APIs, so the product is not affected.

BDSA-2024-6258, CVE-2024-38816: As with the previous CVE, APM is not vulnerable because its source code does not use the RouterFunctions and FileSystemResource APIs. Tomcat is not shipped with the product, and the bundled Jetty server has its own mechanism for rejecting such malicious requests, so the product is not affected.
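The two Spring findings above are dismissed on the grounds that the product's own code never references the RouterFunctions or FileSystemResource APIs. The script below is an added example, not Broadcom's code or part of this article, showing one way a defender can check that claim against a deployed plugin jar rather than taking it on trust. It assumes that a JVM class file names every type it references in its constant pool in the internal slash-separated form (so a byte search for those names is a usable heuristic), it follows the `outer.jar -> inner.jar` nesting the scanner output reports, and it skips classes under `org/springframework/` because Spring's own classes naturally mention these types. The sample jar it scans by default is constructed in memory for illustration; the "class" bodies are only a magic number plus the strings of interest, not real bytecode.

```python
"""Heuristic check for references to Spring's RouterFunctions /
FileSystemResource inside a product jar, including jars nested in it."""
import io
import sys
import zipfile

# Assumed marker strings: the internal JVM names of the types named in the
# resolution. A class that uses them carries these exact bytes in its
# constant pool, so a substring search over each .class entry is enough to
# flag the reference (reflective or obfuscated use would not be caught).
MARKERS = (
    b"org/springframework/web/servlet/function/RouterFunctions",
    b"org/springframework/web/reactive/function/server/RouterFunctions",
    b"org/springframework/core/io/FileSystemResource",
)

# Classes under this package belong to Spring itself and mention their own
# types; only product code outside it is of interest.
LIBRARY_OWN_PREFIX = "org/springframework/"


def scan_jar_bytes(data: bytes, prefix: str = "") -> list:
    """Return (entry_path, marker) pairs for every non-Spring class file in
    the archive whose bytes contain one of MARKERS. Nested .jar entries are
    opened recursively and reported as 'outer -> inner' paths, matching the
    LocationPath format used by the scanner output above."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(".jar"):
                hits.extend(scan_jar_bytes(zf.read(info), f"{prefix}{name} -> "))
            elif name.endswith(".class") and not name.startswith(LIBRARY_OWN_PREFIX):
                blob = zf.read(info)
                for marker in MARKERS:
                    if marker in blob:
                        hits.append((prefix + name, marker.decode()))
    return hits


def scan_jar_file(path: str) -> list:
    """Scan a jar on disk; reported paths are prefixed with the file name."""
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read(), prefix=f"{path} -> ")


def build_sample_jar() -> bytes:
    """Constructed fixture (not a real APM artifact): a fake plugin jar with
    one class referencing RouterFunctions, one clean class, and a nested
    spring-web.jar holding Spring's own RouterFunctions class plus a product
    class referencing FileSystemResource."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic number only; not real bytecode
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as iz:
        iz.writestr("org/springframework/web/servlet/function/RouterFunctions.class",
                    magic + MARKERS[0])
        iz.writestr("com/example/nested/Uses.class", magic + MARKERS[2])
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as oz:
        oz.writestr("com/example/plugin/Routes.class", magic + MARKERS[0])
        oz.writestr("com/example/plugin/Clean.class", magic + b"java/lang/Object")
        oz.writestr("WebContent/WEB-INF/lib/spring-web.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    # Usage: python check_spring_refs.py plugins/com.wily.apm.webservices2_10.8.0.jar ...
    # With no arguments the constructed sample jar is scanned instead.
    targets = sys.argv[1:]
    if targets:
        for jar in targets:
            for entry, marker in scan_jar_file(jar):
                print(f"{entry}: references {marker}")
    else:
        for entry, marker in scan_jar_bytes(build_sample_jar(), "plugin.jar -> "):
            print(f"{entry}: references {marker}")
```

An empty result for the product's own plugin jars supports the vendor's statement; a hit only shows that the type is referenced somewhere and still needs a look at how it is used, since the finding depends on a specific way of serving static resources, not on the mere presence of the class.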