CA Process Automation jackson-databind remote code execution CVE-2018-7489
Article ID: 93101
Products
CA Process Automation Base
Issue/Introduction
CVE-2018-7489 describes a remote code execution vulnerability in the jackson-databind jar delivered with versions of CA Process Automation. The jar ships with the 4.3.x releases of CA Process Automation; it has also been found in 4.2 SP02 HF10, but it is not used at that release level.
A scan found a vulnerability with the jackson-databind-2.6.3.jar on the CA Process Automation server. How can this be mitigated? Our security team is advising that we upgrade the jar file.
Environment
Release: ITPASA99000-4.3-Process Automation-Add On License for-CA Server Automation
Resolution
In 4.3 and later, this jar is used by the CA Process Automation S4O REST Services. If the version of CA Process Automation in use is any level of 4.2 (anything before 4.3), the jar can be deleted or renamed, as it is not used at that release level. The jar is located in PAM/activemq/lib/optional.
For the 4.3 releases, this is being addressed in a patch; for any versions not yet GA, the jar will be updated prior to release.
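As an added example (not part of the CA article), a POSIX shell helper that applies the decision above: it parses the installed release string, and renames the jackson-databind jar under activemq/lib/optional only when the release is pre-4.3, while on 4.3 and later it leaves the jar in place and reports that the vendor patch is required. The PAM root argument, the `.disabled` suffix and the release-string format are assumptions.

```shell
#!/bin/sh
# Added example, not from the CA article. Assumes PAM_ROOT is the install
# directory containing activemq/lib/optional and RELEASE looks like "4.2 SP02 HF10".
set -eu

# pam_major_minor "4.2 SP02 HF10" -> "4.2"; prints nothing if unparseable
pam_major_minor() {
    printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# jar_decision RELEASE -> KEEP (4.3+, jar used by S4O REST Services),
# RENAME (pre-4.3, jar unused per the article) or UNKNOWN (release unparseable)
jar_decision() {
    mm=$(pam_major_minor "$1")
    [ -n "$mm" ] || { echo UNKNOWN; return; }
    major=${mm%.*}; minor=${mm#*.}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 3 ]; }; then
        echo KEEP
    else
        echo RENAME
    fi
}

# mitigate PAM_ROOT RELEASE -> acts on each jackson-databind jar found.
# Returns 0 when nothing is left to do, 2 when a jar must stay pending the
# 4.3 patch, 3 when the release string could not be parsed (no action taken).
mitigate() {
    root="$1"; release="$2"; rc=0
    decision=$(jar_decision "$release")
    for j in "$root"/activemq/lib/optional/jackson-databind-*.jar; do
        [ -f "$j" ] || continue            # glob did not match: nothing installed
        ver=${j##*/jackson-databind-}; ver=${ver%.jar}
        case "$decision" in
            RENAME) mv "$j" "$j.disabled"  # .disabled no longer matches *.jar, so rerun is a no-op
                    echo "RENAME $j -> $j.disabled (jackson-databind $ver unused on $release)" ;;
            KEEP)   echo "KEEP   $j (jackson-databind $ver used by S4O REST on $release; apply the 4.3 patch)"
                    rc=2 ;;
            *)      echo "SKIP   $j (cannot parse release '$release')" >&2
                    rc=3 ;;
        esac
    done
    return $rc
}

# Usage: sh mitigate.sh /opt/CA/PAM "4.2 SP02 HF10"
if [ "$#" -eq 2 ]; then mitigate "$1" "$2"; fi
```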