A scanning tool reported the following vulnerabilities in APM Java agent 24.9.
Scan tool: Qualys (cloud version: https://qualysguard.qg2.apps.qualys.eu)
| CVE IDs | Score | Description |
|---|---|---|
| CVE-2023-2976 | 7.1 | Java (Maven) Security Update for com.google.guava:guava (GHSA-7g45-4rm6-3mm3) |
| CVE-2021-35515 | 7.5 | Java (Maven) Security Update for org.apache.commons:commons-compress (GHSA-7hfm-57qf-j43q) |
| CVE-2021-35516 | 7.5 | Java (Maven) Security Update for org.apache.commons:commons-compress (GHSA-crv7-7245-f45f) |
| CVE-2021-35517 | 7.5 | Java (Maven) Security Update for org.apache.commons:commons-compress (GHSA-xqfj-vm6h-2x34) |
| CVE-2021-36090 | 7.5 | Java (Maven) Security Update for org.apache.commons:commons-compress (GHSA-mc84-pj99-q6hh) |
| CVE-2024-12798 | 8.6 | Java (Maven) Security Update for ch.qos.logback:logback-core (GHSA-pr98-23f8-jwxv) |
| CVE-2025-24970 | 7.5 | Java (Maven) Security Update for io.netty:netty-handler (GHSA-4g8c-wm8x-jfhw) |
| CVE-2025-58057 | 7.5 | Java (Maven) Security Update for io.netty:netty-codec (GHSA-3p8m-j85q-pgmj) |
| CVE-2025-58056 | 7.5 | Java (Mave |
The development team has provided the following input on these vulnerabilities in the Java agent.
No reference to guava or commons-compress was found in the 24.9 agent packages: these two libraries are not distributed in the agent packages at all.
As for the remaining CVEs:
CVE-2024-12798 - logback-core - not addressed yet, because the fixed logback-core requires dropping Java 7 support from the agent. It will be addressed in the 26.x release, where Java 7 support will be dropped.
CVE-2025-24970 - netty-handler - addressed in 25.3
CVE-2025-58057 - netty-codec - addressed in 25.9
CVE-2025-58056 - netty - addressed in 25.9
These are listed as false positives on the APM side.
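The guava and commons-compress findings above rest on one verifiable claim: the flagged artifacts are not packaged in the agent. The following added example (not part of this article or of the APM agent code) checks that claim directly by reading the Maven `pom.properties` files inside an agent jar, including jars nested inside it, and mapping each scanner finding to the bundled version or to "not present". The jar contents and version strings in `demo()` are constructed sample data, not the real 24.9 agent.

```python
import io
import zipfile

# Findings from the scan table above, keyed by CVE -> (groupId, artifactId).
FINDINGS = {
    "CVE-2023-2976": ("com.google.guava", "guava"),
    "CVE-2021-36090": ("org.apache.commons", "commons-compress"),
    "CVE-2024-12798": ("ch.qos.logback", "logback-core"),
    "CVE-2025-24970": ("io.netty", "netty-handler"),
}

def bundled_artifacts(jar_bytes, found=None):
    """Collect {(groupId, artifactId): version} from every META-INF/maven/
    pom.properties in the jar, recursing into nested .jar entries."""
    found = {} if found is None else found
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.lstrip().startswith("#"):
                        key, value = line.split("=", 1)
                        props[key.strip()] = value.strip()
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    found[(props["groupId"], props["artifactId"])] = props["version"]
            elif name.endswith(".jar"):
                bundled_artifacts(zf.read(name), found)  # embedded/shaded jar
    return found

def triage(jar_bytes, findings=FINDINGS):
    """Map each CVE to the bundled version, or None if the artifact is absent."""
    present = bundled_artifacts(jar_bytes)
    return {cve: present.get(coords) for cve, coords in findings.items()}

def _jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    # Constructed sample agent: logback-core shipped directly, netty-handler nested under lib/, no guava or commons-compress.
    pom = lambda g, a, v: f"groupId={g}\nartifactId={a}\nversion={v}\n"
    nested = _jar({"META-INF/maven/io.netty/netty-handler/pom.properties":
                   pom("io.netty", "netty-handler", "2.0-sample")})
    agent = _jar({"META-INF/maven/ch.qos.logback/logback-core/pom.properties":
                  pom("ch.qos.logback", "logback-core", "1.0-sample"),
                  "lib/netty-handler.jar": nested})
    return triage(agent)
```

A `None` result for a CVE means the scanner matched something other than a packaged artifact (for example a version string or class name), which is the evidence to attach when marking the finding a false positive; a version string means the finding is real and should be compared against the fixed release noted above.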
DX O2 2x Security Vulnerabilities that are False Positive
CVE-2021-35515
CVE-2021-35516
CVE-2021-35517
CVE-2021-36090