Security Advisory

AM Java Agents Security Advisory #201903

Last updated Aug 16, 2019

A security vulnerability has been discovered in a library used by the AM Java Agent component. This issue is present in the Java Agent 5.x release.


August 2, 2019

A security vulnerability has been discovered in a library used by AM Java Agents 5.x.

This advisory provides guidance on how to ensure your deployments are secured. A fix for the vulnerability is available in the latest release.

The highest rating for this component is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to AM Java Agent 5.6.1.1.

Customers can obtain the AM Java Agents fixed version from BackStage.

Issue #201903-01: Polymorphic typing issue could lead to local file access

Product: AM Java Agent
Affected versions: 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0, 5.6.1.0
Fixed versions: 5.6.1.1
Component: Java Agent
Severity: Medium

Description:

The security vulnerabilities in the jackson-databind 2.x library, as outlined in CVE-2019-12814 and CVE-2019-12384, may be flagged during a dependency check of the Java Agent. If this happens, they should be regarded as false positives. These vulnerabilities in jackson-databind 2.x allow a remote user, in specific circumstances, to access arbitrary local files and execute remote code. However, this does not affect the Java Agent, because neither default typing nor logback is used, which mitigates the attack.
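
The mitigating condition above is that Jackson's default typing is off. The following is an added example, not code from the ForgeRock Java Agent, showing how the same polymorphic type hint is treated by a mapper with Jackson's default settings versus one where default typing has been enabled; it assumes jackson-databind 2.9.x on the classpath, and the payload and the class name in it are constructed placeholders.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Map;

// Added example (not ForgeRock Java Agent code): why "default typing not used" matters
// for CVE-2019-12814 / CVE-2019-12384. Assumes jackson-databind 2.9.x on the classpath.
public class DefaultTypingCheck {

    // Constructed input: the array-wrapped "[class name, value]" form that Jackson's
    // default typing reads as a type id. java.util.HashMap is a harmless placeholder.
    static final String TYPE_HINT_PAYLOAD = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    // Safe configuration: Jackson's defaults. No default typing, so a class name in the
    // input is plain data and is never used to choose the class to instantiate.
    static ObjectMapper safeMapper() {
        return new ObjectMapper();
    }

    // Weak configuration: default typing on. Jackson now instantiates whatever class the
    // input names, subject only to the deny-list added in 2.9.9.1 and later.
    static ObjectMapper defaultTypingMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return mapper;
    }

    // Behavioural check a deployer can run against their own mapper: returns true if the
    // mapper honoured the embedded type id (the untyped input became the named class)
    // and false if it treated the input as an ordinary two-element list.
    static boolean honoursTypeId(ObjectMapper mapper) throws Exception {
        Object result = mapper.readValue(TYPE_HINT_PAYLOAD, Object.class);
        return result instanceof Map;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default settings honour type id: " + honoursTypeId(safeMapper()));
        System.out.println("default typing honours type id:  " + honoursTypeId(defaultTypingMapper()));
    }
}
```

A mapper that reports true for honoursTypeId is the configuration the advisory says the Java Agent avoids; it should be reviewed even after upgrading the library.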

Workaround:

N/A

Resolution:

The jackson-databind library dependency has been updated to version 2.9.9.1. Update/upgrade to a fixed version, which includes this updated library.

References:

https://nvd.nist.gov/vuln/detail/CVE-2019-12814

https://nvd.nist.gov/vuln/detail/CVE-2019-12384

Change Log

The following table tracks changes to the security advisory:

Date - Description
August 16, 2019 - Corrected categories associated with article from AM to Agents.
August 2, 2019 - Initial release


Copyright and Trademarks

Copyright © 2019 ForgeRock, all rights reserved.
