AM Java Agents Security Advisory #201903

August 2, 2019

A Security vulnerability has been discovered in a library used by AM Java Agents 5.x.

This advisory provides guidance on how to ensure your deployments can be secured. A fix for the vulnerability is available in the latest release. 

The highest rating for this component is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to AM Java Agent 5.6.1.1.

Customers can obtain the AM Java Agents fixed version from Backstage.

Issue #201903-01:Polymorphic typing issue could lead to local file access

Description:

The security vulnerabilities in the jackson-databind 2.x library, as outlined in CVE-2019-12814 and CVE-2019-12384, may be flagged during a dependency check of the Java Agent. If this happens, they should be regarded as False Positives. These security vulnerabilities in the jackson-databind 2.x library allow a remote user in specific circumstances to access arbitrary local files and execute remote code. However this does not affect the Java Agent because default typing and logback are not used, thus mitigating the attack.

Workaround:

N/A

Resolution:

The Jackson-Databind library dependency has been updated to version 2.9.9.1 Update/upgrade to a fixed version, which includes this updated library.

References:

https://nvd.nist.gov/vuln/detail/CVE-2019-12814

https://nvd.nist.gov/vuln/detail/CVE-2019-12384

Change Log

The following table tracks changes to the security advisory: