APM 10.8 EM Blackduck finding: commons-bcel 5.0 CVE-2022-42920

Blackduck scans of the EM have revealed vulnerabilities in the open source component “commons-bcel 5.0”

Scanned EM version: 10.8.0.27

File locations of the detected component:

plugins/org.apache.xalanj_2.7.2.9.jar/xalan-2.7.2.jar/org/apache/bcel/verifier

Reported vulnerabilities: CVE-2022-42920 (BDSA-2022-3150) severity 9.8 High https://sap.blackducksoftware.com/api/vulnerabilities/CVE-2022-42920/overview

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
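The finding above is a nested one: the BCEL classes sit inside a Xalan jar that is itself packed into an OSGi plugin jar, which is why a flat directory listing of the product misses it. The following script is an added example, not part of the Blackduck article or of the APM product code. It walks a jar, recurses into embedded jars, reports every copy of `org/apache/bcel/` it finds, and compares any Maven-declared version against 6.6.0 (the fixed release named in the advisory). A repackaged copy such as the one inside Xalan-J usually carries no `pom.properties`, so the script reports such copies as `unknown` rather than silently treating them as fixed. The fixture jar it builds is constructed in memory for the example; the file names and `scan_jar_bytes`/`is_fixed` helpers are this example's own.

```python
"""Added example (not part of the Blackduck article or the APM product code):
walk a plugin jar, recurse into nested jars, and report any embedded Apache
Commons BCEL classes together with the version declared in Maven metadata,
so the finding can be reproduced and re-checked after remediation."""
import io
import re
import sys
import zipfile

BCEL_PREFIX = "org/apache/bcel/"
BCEL_POM_PREFIX = "META-INF/maven/org.apache.bcel/"
FIXED_VERSION = (6, 6, 0)  # first BCEL release fixing CVE-2022-42920, per the advisory text
MAX_DEPTH = 4              # do not recurse into nested archives beyond this depth


def parse_version(text):
    """Turn '5.0' or '6.6.0' into a comparable 3-tuple, padding with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_fixed(version_text):
    """True when the declared BCEL version is 6.6.0 or later."""
    return parse_version(version_text) >= FIXED_VERSION


def scan_jar_bytes(data, path, depth=0):
    """Return one finding per (nested) jar that contains BCEL classes.

    Each finding has: path (outer!/inner notation), class_count, version
    (string from pom.properties, or None when the copy is repackaged without
    Maven metadata) and status: 'vulnerable', 'fixed' or 'unknown'.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        bcel_classes = [n for n in names
                        if n.startswith(BCEL_PREFIX) and n.endswith(".class")]
        version = None
        for name in names:
            if name.startswith(BCEL_POM_PREFIX) and name.endswith("pom.properties"):
                props = zf.read(name).decode("utf-8", "replace")
                match = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if match:
                    version = match.group(1).strip()
        if bcel_classes:
            if version is None:
                status = "unknown"       # no metadata: needs manual review
            elif is_fixed(version):
                status = "fixed"
            else:
                status = "vulnerable"
            findings.append({"path": path, "class_count": len(bcel_classes),
                             "version": version, "status": status})
        if depth < MAX_DEPTH:
            for name in names:
                if name.endswith((".jar", ".zip")):
                    findings.extend(
                        scan_jar_bytes(zf.read(name), f"{path}!/{name}", depth + 1))
    return findings


def build_sample_plugin():
    """Constructed fixture: a plugin jar embedding a Xalan-style jar that carries
    BCEL 5.0 with Maven metadata, plus a second nested jar holding BCEL classes
    without metadata. Class bodies are only the class-file magic, not real classes."""
    magic = b"\xca\xfe\xba\xbe"
    xalan = io.BytesIO()
    with zipfile.ZipFile(xalan, "w") as z:
        z.writestr("org/apache/bcel/verifier/Verifier.class", magic)
        z.writestr("org/apache/bcel/classfile/JavaClass.class", magic)
        z.writestr("META-INF/maven/org.apache.bcel/bcel/pom.properties",
                   "version=5.0\ngroupId=org.apache.bcel\nartifactId=bcel\n")
    unlabeled = io.BytesIO()
    with zipfile.ZipFile(unlabeled, "w") as z:
        z.writestr("org/apache/bcel/generic/InstructionList.class", magic)
    plugin = io.BytesIO()
    with zipfile.ZipFile(plugin, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("xalan-2.7.2.jar", xalan.getvalue())
        z.writestr("lib/unlabeled.jar", unlabeled.getvalue())
    return plugin.getvalue()


if __name__ == "__main__":
    # Usage: python bcel_scan.py plugins/org.apache.xalanj_2.7.2.9.jar
    # Without an argument the constructed fixture is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            results = scan_jar_bytes(fh.read(), sys.argv[1])
    else:
        results = scan_jar_bytes(build_sample_plugin(), "sample-plugin.jar")
    for f in results:
        print(f"{f['status']:10} {f['path']}  classes={f['class_count']} version={f['version']}")
```

Run it against each jar under `plugins/` before and after the Xalan-J replacement: the remediation is complete only when no nested path reports `vulnerable` or `unknown`. Treating a missing version as `unknown` rather than `fixed` matters because Xalan-J repackages BCEL without its own Maven metadata, which is exactly the case that a version-only check would miss.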

Analysis from APM Development, defect #DE550502

“One of the detected uses of Commons BCEL is in Xalan-J where it is embedded in the JAR. We should replace Xalan-J with Saxon-HE and completely remove Xalan-J from the product.

Recommended fix: prepare the OSGi bundle for Saxon-HE 11.4”