CA Process Automation jackson-databind remote code execution CVE-2018-7489

Document ID : KB000093101
Last Modified Date : 26/04/2018
Introduction:
CVE-2018-7489 describes a remote code execution vulnerability in the jackson-databind jar delivered with versions of CA Process Automation.
This jar is delivered with the 4.3.x releases of CA Process Automation. It has also been found in 4.2 SP02 HF10, but it is not used at that release level.
Question:
A scan found a vulnerability in the jackson-databind-2.6.3.jar on the CA Process Automation server. How can this be mitigated? Our security team is advising that we upgrade the jar file.
Answer:
In versions 4.3 and later, this jar file is used by the CA Process Automation S4O REST Services.
If the version of CA Process Automation being used is any level of 4.2 (anything before 4.3), the jar file can be deleted or renamed, as it is not used at that release level.
The location of the jar is PAM/activemq/lib/optional.

For the 4.3 releases, this is being addressed with a patch for the 4.3 level releases; for any versions currently not GA, the jar will be updated prior to release.
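As an added example (not CA's tooling and not code from this KB), the following POSIX shell script inventories jackson-databind jars under a CA Process Automation install root and classifies each one against CVE-2018-7489, so the scanner finding can be confirmed and the jar located before it is deleted or renamed on a 4.2 system. The fix versions it compares against (2.7.9.3, 2.8.11.1, 2.9.5) come from the CVE description and are an assumption beyond the KB, which names no fixed version; the directory tree it runs on is constructed inline to mirror the PAM/activemq/lib/optional path.

```shell
# Added example, not from the KB or CA: inventory jackson-databind jars under a
# CA Process Automation install root and classify each against CVE-2018-7489.
# Fix versions (2.7.9.3, 2.8.11.1, 2.9.5) come from the CVE description, not the KB.

# version_lt A B: exit 0 when dotted version A sorts before B.
# Missing trailing components count as 0, so 2.9 sorts before 2.9.5.
version_lt() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    a=${a#*.};   b=${b#*.}
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
  done
  return 1
}

# jackson_status VERSION: print "affected" or "fixed" for CVE-2018-7489.
# Lines older than 2.7 (such as the KB's 2.6.3) got no fix of their own,
# so they are measured against 2.9.5.
jackson_status() {
  case "$1" in
    2.7.*) fixed=2.7.9.3 ;;
    2.8.*) fixed=2.8.11.1 ;;
    *)     fixed=2.9.5 ;;
  esac
  if version_lt "$1" "$fixed"; then echo affected; else echo fixed; fi
}

# find_jackson_jars ROOT: one line per jar, "<path> <version> <affected|fixed>".
# The version is taken from the file name, which is how the jar ships in PAM.
find_jackson_jars() {
  find "$1" -type f -name 'jackson-databind-*.jar' | sort | while IFS= read -r jar; do
    ver=$(basename "$jar" .jar); ver=${ver#jackson-databind-}
    printf '%s %s %s\n' "$jar" "$ver" "$(jackson_status "$ver")"
  done
}

# make_fixture: constructed install tree mirroring the KB's PAM/activemq/lib/optional
# path, holding the jar named in the question plus a fixed one; prints the root.
make_fixture() {
  root=$(mktemp -d); mkdir -p "$root/PAM/activemq/lib/optional"
  : > "$root/PAM/activemq/lib/optional/jackson-databind-2.6.3.jar"
  : > "$root/PAM/activemq/lib/optional/jackson-databind-2.9.5.jar"
  printf '%s\n' "$root"
}

demo_root=$(make_fixture)
find_jackson_jars "$demo_root"   # lists 2.6.3 as affected, 2.9.5 as fixed
```

Run it against the real installation directory instead of the fixture to see every jackson-databind jar on the server; on 4.3 and later the jar is in use, so the listing is for confirming the finding, not for removing the file.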