Netty Black Duck Scan issue for CA APM 10.7


Article ID: 74806


Updated On:

Products

APP PERF MANAGEMENT
CA Application Performance Management Agent (APM / Wily / Introscope)
CUSTOMER EXPERIENCE MANAGER
INTROSCOPE

Issue/Introduction



We are planning an upgrade to the CA APM 10.7 GA release. We recently downloaded and ran Black Duck scans and found two vulnerabilities:

BD Component Name              BD Component Version   BD KB Id                 BD Release Id   Vulnerability    Severity   CVSS   Published Date
Netty - io.netty:netty-parent  4.0.26.Final           thenettyproject1639058   4690027         CVE-2015-2156    Medium     4.3    10/18/2017
Netty - io.netty:netty-parent  4.0.26.Final           thenettyproject1639058

How can I eliminate this?

Environment

APM 10.7

Resolution

As a quick workaround for CVE-2016-4970 and CVE-2015-2156, manually replace netty-all-4.0.26.Final.jar with netty-all-4.0.37.Final.jar. Both issues are in Netty itself: CVE-2015-2156 is the cookie-parser flaw that lets the HttpOnly flag be bypassed (fixed in 4.0.28.Final), and CVE-2016-4970 is the infinite loop in the OpenSSL-backed SslHandler (fixed in 4.0.37.Final). 4.0.37.Final is therefore the earliest 4.0.x release that closes both, and it stays in the same 4.0 line as the shipped jar.

On my system, I found this file in C:\Program Files\CA APM\Introscope10.7.0.35\APMSqlServer\repo 

The jar can be downloaded directly from http://central.maven.org/maven2/io/netty/netty-all/4.0.37.Final/netty-all-4.0.37.Final.jar (the same path is served over HTTPS from repo1.maven.org, the current Maven Central host). Before swapping the file: stop the service that loads the jar, keep a copy of the original for rollback, check the downloaded jar's SHA-1 against the .sha1 sidecar that Maven Central publishes beside every artifact, and search the whole install tree for other copies of netty-all-4.0.26.Final.jar, since the Black Duck scan flags every copy it finds, not only the one under APMSqlServer\repo.
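The replacement procedure above, written out as a bash script for a Linux host. This is an added example, not CA's own tooling: the article's path is a Windows one, so the install root is passed in as an argument, and the repo1.maven.org URL is assumed to serve the same artifact as the central.maven.org link in the article.

```shell
#!/usr/bin/env bash
# Swap the vulnerable netty-all jar for 4.0.37.Final with a checksum check and a backup.
# Added example, not CA's procedure. The install root and a Linux host are assumptions.
set -euo pipefail

OLD_JAR="netty-all-4.0.26.Final.jar"
NEW_JAR="netty-all-4.0.37.Final.jar"
# Assumed equivalent of the article's central.maven.org link, served over HTTPS.
NEW_JAR_URL="https://repo1.maven.org/maven2/io/netty/netty-all/4.0.37.Final/${NEW_JAR}"

# Print every copy of the old jar under the install root, one path per line.
# The article mentions only APMSqlServer/repo, but the scanner flags any copy.
find_old_jars() {
    find "$1" -type f -name "$OLD_JAR" 2>/dev/null
}

# Download the jar and Maven Central's .sha1 sidecar into a work directory.
fetch_new_jar() {
    local dest="$1"
    curl -fsSL -o "${dest}/${NEW_JAR}" "$NEW_JAR_URL"
    curl -fsSL -o "${dest}/${NEW_JAR}.sha1" "${NEW_JAR_URL}.sha1"
}

# Compare a file's SHA-1 with its sidecar checksum; returns non-zero on mismatch.
verify_sha1() {
    local jar="$1" expected actual
    expected=$(tr -d '[:space:]' < "${jar}.sha1" | cut -c1-40)
    actual=$(sha1sum "$jar" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Move one old jar aside (kept as .bak for rollback) and copy the verified
# new jar into the same directory. Refuses to touch anything on a bad checksum.
replace_jar() {
    local old="$1" new="$2" dir
    verify_sha1 "$new" || return 1
    dir=$(dirname "$old")
    mv "$old" "${old}.bak"
    cp "$new" "${dir}/${NEW_JAR}"
}

# Orchestrate the whole swap. Stop the APM service before running this.
patch_install() {
    local root="$1" work="$2" old
    fetch_new_jar "$work"
    find_old_jars "$root" | while read -r old; do
        replace_jar "$old" "${work}/${NEW_JAR}"
    done
}

# Usage (assumed paths): patch_install /opt/CA/APM /tmp/netty-work
```

Rollback is a matter of moving each .bak file back and deleting the 4.0.37 jar; re-run the scanner afterwards to confirm no 4.0.26 copy remains on disk.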