A Black Duck open source scan shows vulnerabilities with APM.

Document ID:  TEC1031323
Last Modified Date:  08/02/2017

Products

  • CA Application Performance Management

Releases

  • CA Application Performance Management:Release:10.5.1

Components

  • INTROSCOPE:APMISP
  • INTROSCOPE:INTSCP
Symptoms:

A Black Duck security scan found the following vulnerabilities with APM 10.5.1.

1)
CVE-2017-5644 : Apache POI, 3.14 : Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
https://nvd.nist.gov/vuln/detail/CVE-2017-5644

2)
CVE-2016-3674 : XStream Core - com.thoughtworks.xstream:xstream, 1.4.8 : Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
https://nvd.nist.gov/vuln/detail/CVE-2016-3674

3)
CVE-2012-5784 and CVE-2014-3596 : Apache Web Services Axis 1.4 : The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
https://nvd.nist.gov/vuln/detail/CVE-2012-5784
https://nvd.nist.gov/vuln/detail/CVE-2014-3596

Environment:
APM 10.5.1.
Resolution:

1) CVE-2017-5644 :
APM 10.5.1 ships Apache POI 3.14, which falls in the affected range (releases prior to 3.15), so this finding is valid. CVE-2017-5644 will be addressed in APM 10.6. Note that the exposure described by the CVE is a denial of service (CPU consumption) when POI parses a crafted OOXML file, not code execution or data disclosure.

2) CVE-2016-3674 :
APM 10.5.1 ships XStream 1.4.9. CVE-2016-3674 affects XStream 1.4.8 and earlier, so APM 10.5.1 is not affected. The scan reported the component as 1.4.8; confirm the version actually installed by inspecting the jar itself (its META-INF/maven/.../pom.properties or the manifest's Implementation-Version) rather than relying on the scanner's component match.

3) CVE-2012-5784 and CVE-2014-3596 :
APM 10.5.1 ships Apache Axis 1.4.1. Both CVEs apply to Axis 1.4 and earlier, so APM 10.5.1 is not affected.
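The three resolutions above come down to one check: read the version of each bundled jar from the jar itself and compare it with the first fixed release named in the CVE. The script below is an added example, not CA's or Black Duck's code, that does that for a directory of jars. It assumes a Maven-style layout inside the jars (pom.properties, falling back to the manifest and then the file name); the fixed-in thresholds are taken from the CVE text for POI and XStream, and for Axis from this document's statement that 1.4.1 is not affected. The sample jars it scans are constructed in a temporary directory for the demonstration.

```python
"""Triage Black Duck findings by reading bundled jar versions and comparing them
with the first fixed release for each CVE listed above."""
import re
import tempfile
import zipfile
from pathlib import Path

# artifactId prefix -> (CVE, first fixed version). Thresholds for poi and xstream come
# from the CVE descriptions; the axis threshold follows this document's statement that
# Axis 1.4.1 is outside the affected range (assumption taken from the page, not NVD).
FIXED_IN = {
    "poi": ("CVE-2017-5644", "3.15"),
    "xstream": ("CVE-2016-3674", "1.4.9"),
    "axis": ("CVE-2014-3596", "1.4.1"),
}


def parse_version(v):
    """'3.14' -> (3, 14); '1.4.9-SNAPSHOT' -> (1, 4, 9). Qualifiers are dropped, so a
    pre-release build of a fixed version is reported as fixed; review such hits by hand."""
    m = re.match(r"[\d.]+", v.strip())
    if not m:
        return ()  # unparseable: compares lower than any real version, i.e. flagged
    return tuple(int(p) for p in m.group(0).split(".") if p)


def jar_identity(jar_path):
    """Return (artifactId, version) for a jar: pom.properties first, then the manifest's
    Implementation-/Bundle-Version, then the conventional name-version.jar file name."""
    artifact, version = None, None
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
        for entry in names:
            if entry.startswith("META-INF/maven/") and entry.endswith("pom.properties"):
                lines = zf.read(entry).decode(errors="replace").splitlines()
                props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
                artifact, version = props.get("artifactId"), props.get("version")
                break
        if version is None and "META-INF/MANIFEST.MF" in names:
            mf = zf.read("META-INF/MANIFEST.MF").decode(errors="replace")
            m = re.search(r"^(?:Implementation|Bundle)-Version:\s*(\S+)", mf, re.M)
            if m:
                version = m.group(1)
    if artifact is None or version is None:
        m = re.match(r"(?P<a>.+?)-(?P<v>\d[\w.\-]*)\.jar$", Path(jar_path).name)
        if m:
            artifact = artifact or m.group("a")
            version = version or m.group("v")
    return artifact, version


def assess(artifact, version):
    """Map one jar to (cve, 'AFFECTED' | 'FIXED'), or None if the component is not tracked.
    'poi-ooxml' counts as poi; 'axis-jaxrpc' counts as axis."""
    if not artifact:
        return None
    a = artifact.lower()
    key = next((k for k in FIXED_IN if a == k or a.startswith(k + "-")), None)
    if key is None:
        return None
    cve, fixed = FIXED_IN[key]
    verdict = "AFFECTED" if parse_version(version) < parse_version(fixed) else "FIXED"
    return cve, verdict


def scan_tree(root):
    """Walk an installation directory; return {relative jar path: (artifact, version, cve, verdict)}."""
    root = Path(root)
    findings = {}
    for jar in root.rglob("*.jar"):
        artifact, version = jar_identity(jar)
        result = assess(artifact, version) if version else None
        if result:
            findings[str(jar.relative_to(root))] = (artifact, version) + result
    return findings


def make_fake_jar(path, artifact, version, with_pom=True):
    """Constructed sample jar for the demo (not a real distribution artifact)."""
    with zipfile.ZipFile(path, "w") as zf:
        if with_pom:
            zf.writestr(f"META-INF/maven/org.example/{artifact}/pom.properties",
                        f"#generated\nversion={version}\nartifactId={artifact}\n")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/example/Dummy.class", b"\xca\xfe\xba\xbe")


def demo():
    """Build a constructed lib directory mirroring the versions in this document and scan it."""
    root = Path(tempfile.mkdtemp())
    make_fake_jar(root / "poi-3.14.jar", "poi", "3.14")
    make_fake_jar(root / "xstream-1.4.9.jar", "xstream", "1.4.9")
    make_fake_jar(root / "axis-1.4.1.jar", "axis", "1.4.1")
    make_fake_jar(root / "log4j-1.2.17.jar", "log4j", "1.2.17")  # not tracked here
    make_fake_jar(root / "poi-ooxml-3.15.jar", "poi-ooxml", "3.15", with_pom=False)  # file-name fallback
    return scan_tree(root)


if __name__ == "__main__":
    for jar, (artifact, version, cve, verdict) in sorted(demo().items()):
        print(f"{jar:24} {artifact}-{version:10} {cve:14} {verdict}")
```

Point `scan_tree` at the APM installation's library directories instead of `demo()`; a jar whose version can only be recovered from its file name is worth opening by hand, since that is exactly the kind of match a scanner can get wrong.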
