AM Java Agents Security Advisory #201903
A Security vulnerability has been discovered in a library used by the AM Java Agent component. This issue is present in the Java Agent 5.x release.
August 2, 2019
A Security vulnerability has been discovered in a library used by AM Java Agents 5.x.
This advisory provides guidance on how to ensure your deployments can be secured. A fix for the vulnerability is available in the latest release.
The highest rating for this component is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
The recommendation is to upgrade to AM Java Agent 5.6.1.1.
Customers can obtain the AM Java Agents fixed version from BackStage.
Issue #201903-01:Polymorphic typing issue could lead to local file access
| Product | AM Java Agent |
|---|---|
| Affected versions | 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0, 5.6.1.0 |
| Fixed versions | 5.6.1.1 |
| Component | Java Agent |
| Severity | Medium |
Description:
The security vulnerabilities in the jackson-databind 2.x library, as outlined in CVE-2019-12814 and CVE-2019-12384, may be flagged during a dependency check of the Java Agent. If this happens, they should be regarded as False Positives. These security vulnerabilities in the jackson-databind 2.x library allow a remote user in specific circumstances to access arbitrary local files and execute remote code. However this does not affect the Java Agent because default typing and logback are not used, thus mitigating the attack.
Workaround:
N/A
Resolution:
The Jackson-Databind library dependency has been updated to version 2.9.9.1 Update/upgrade to a fixed version, which includes this updated library.
References:
Change Log
The following table tracks changes to the security advisory:
| Date | Description |
|---|---|
| February 24, 2021 | Added ForgeRock Identity Platform taxon to improve categorization |
| August 16, 2019 | Corrected categories associated with article from AM to Agents. |
| August 2, 2019 | Initial release |