Netty Black Duck Scan issue for CA APM 10.7
Article ID: 74806
Updated On:
Products
APP PERF MANAGEMENT
CA Application Performance Management Agent (APM / Wily / Introscope)
CUSTOMER EXPERIENCE MANAGER
INTROSCOPE
Issue/Introduction
Planning an upgrade to CA APM 10.7 GA release. Recently we downloaded and ran Black Duck scans. We found two vulnerabilities
BD Component Name BD Component Version BD KB Id BD Release Id Vulnerability Severity CVSS Published Date
Netty - io.netty:netty-parent 4.0.26.Final thenettyproject1639058 4690027 CVE-2015-2156 Medium 4.3 10/18/2017
Netty - io.netty:netty-parent 4.0.26.Final thenettyproject1639058
How can I eliminate this?
Environment
APM 10.7
Resolution
As a quick workaround for CVE-2016-4970, CVE-2015-2156, all that has to be done is replace netty-all-4.0.26.Final.jar has to be manually replaced with netty-all-4.0.37.Final.jar.
On my system, I found this file in C:\Program Files\CA APM\Introscope10.7.0.35\APMSqlServer\repo
To directly download the jar file, directly click on http://central.maven.org/maven2/io/netty/netty-all/4.0.37.Final/netty-all-4.0.37.Final.jar
On my system, I found this file in C:\Program Files\CA APM\Introscope10.7.0.35\APMSqlServer\repo
To directly download the jar file, directly click on http://central.maven.org/maven2/io/netty/netty-all/4.0.37.Final/netty-all-4.0.37.Final.jar
Feedback
Powered by
