What Black Duck security vulnerabilities are fixed in APM 10.7 HF 7 and APM 10.7 SP 1?

Document ID : KB000095839
Last Modified Date : 10/06/2018
Question:
We are looking at migrating to the CA APM 10.7 GA release. Recently we downloaded and ran Black Duck scans. We have 2 high and 1 medium vulnerability.

| BD Component Name | BD Component Version | BD KB Id | BD Release Id | Vulnerability | Severity | CVSS | Published Date |
|---|---|---|---|---|---|---|---|
| Netty - io.netty:netty-parent | 4.0.26.Final | thenettyproject1639058 | 4690027 | CVE-2015-2156 | Medium | 4.3 | 10/18/2017 |
| Netty - io.netty:netty-parent | 4.0.26.Final | thenettyproject1639058 | 4690027 | CVE-2016-4970 | High | 7.8 | 4/13/2017 |
| Spring Framework | 3.2.12.RELEASE | springframework1869467 | 4466262 | CVE-2015-5211 | High | 9.3 | 5/25/2017 |

Environment:
APM 10.7 
Answer:
APM 10.7 HF 7 and SP 1 include the following fixes:

1. All fixes in one-off 10.7.0 HF02:

DE352441: 00986299 - Black Duck Scan issue for CA APM 10.7 - (APMSQLServer) netty-all 4.0.37.Final & spring-aop 3.2.18.RELEASE
DE354641: CVE-2017-7525 (WebView) - jackson-databind reported against APM 10.7 using Black Duck - jackson-annotations-2.7.9.jar, jackson-databind-2.7.9.jar & jackson-core-2.7.9.jar (com.ca.apm.saml_10.7.0.jar added into the HF script)
DE266666: Black Duck medium and high security vulnerabilities (APMSqlServer) CVE-2014-3577, CVE-2013-4152, CVE-2013-6429, CVE-2013-7315, CVE-2014-0054, CVE-2014-3578, CVE-2014-3625, CVE-2014-1904, CVE-2015-5211 and CVE-2015-3192 - (APMSQLServer) spring-core 3.2.16.RELEASE, spring-beans 3.2.16.RELEASE, spring-context 3.2.16.RELEASE, spring-expression 5.0.2.RELEASE, spring-tx 5.0.2.RELEASE, httpasyncclient 4.0.2
DE351113: remove spring-data-rest-core-2.2.1.RELEASE.jar and spring-data-rest-webmvc-2.2.4.RELEASE.jar
DE354864: CVE-2017-7525 (ACC) - jackson-databind reported against APM 10.7 using Black Duck Scan (00986299) - HIGH

2. Jackson-databind fix in 10.7.0 HF04 (ACC):

DE354396: 00994619 - Open Source Black Duck Vulnerabilities - APM 10.7.0.45 - jackson-annotations-2.7.9.jar, jackson-databind-2.7.9.jar & jackson-core-2.7.9.jar

3. New vulnerability fixes from the Black Duck scan against 10.7.0 HF02:

DE300305: 00772370 - Common Vulnerabilities and Exposures (CVE) security threat - NETTY 4.0.37.Final will be upgraded to the latest available version, 4.0.56.Final
DE359094: CVE-2016-5007 (APMSqlServer) - spring-core-3.2.18.RELEASE.jar and spring-aop-3.2.18.RELEASE.jar reported against APM 10.7 using Black Duck
DE359087: CVE-2016-9878, CVE-2016-5007 (APMSqlServer) - spring-core-3.2.16.RELEASE.jar reported against APM 10.7 using Black Duck
DE316022: PostgreSQL security vulnerabilities reported: CVE-2014-3660, CVE-2013-2877, CVE-2013-0339, CVE-2016-1684, CVE-2015-7995, CVE-2016-1683 - apm10.7.tar/apm10.7/PostgreSQL-9.6.2/
DE359803: Security vulnerabilities in PostgreSQL-9.6.2/pgAdmin 4 - xmllib.py, pct_warnings.py, _compat.py, testapp.py (CVE-2013-7459 is HIGH; the other 5 vulnerabilities are MEDIUM)

4. One critical RCE fix: CVE-2018-1273, RCE in Spring Data Commons

Besides the above, there is one more security vulnerability in ACC that is NOT fixed in APM SP 1: defect DE357957, Security vulnerabilities in ACC - activemq-spring-5.14.0.jar (CVE-2017-15709, MEDIUM). It will be addressed in a separate HF at a later date.