topic Re: Python Agent 4.5.5 contains vulnerability in Splunk AppDynamics

Python Agent 4.5.5 contains vulnerability

Doug_Odegaard — Tue, 15 Oct 2019 15:13:07 GMT

Our team has found a vulnerability in the Python agent 4.5.5 version during a scan and are unable to deploy. Has anyone else found this issue? Here is a request from our DevOps team.

Installing the python appdynamics agent 4.5.5.0 pulls in the com.fasterxml.jackson.core_jackson-databind version 2.9.9.1 as a dependency, which includes some critical vulnerabilities (CVSS 9.8) https://nvd.nist.gov/vuln/detail/CVE-2019-14379, https://nvd.nist.gov/vuln/detail/CVE-2019-16335, and https://nvd.nist.gov/vuln/detail/CVE-2019-14540.

Could we ask that the next python appdynamics agent update (4.5.6?) use at least com.fasterxml.jackson.core_jackson-databind 2.9.10, which resolves these vulnerabilities.

In our environment we did a “pip install appdynamics”, and a pip list afterwards shows the following versions of the packages installed:

appdynamics 4.5.5.0

appdynamics-bindeps-linux-x64 9.0

appdynamics-proxysupport-linux-x64 1.8.0.51.1

Re: Python Agent 4.5.5 contains vulnerability

iamryan — Fri, 18 Oct 2019 17:47:10 GMT

Hi @Doug.Odegaard

I recommend reporting this to support. Let me know if you have any trouble with this.

Re: Python Agent 4.5.5 contains vulnerability

Doug_Odegaard — Tue, 22 Oct 2019 18:41:12 GMT

Just to let anyone else know the status I am working heavily with support and other channels to get this addressed. In the meantime one can do a pip install but remove the jackson file in question as a workaround but goal is a clean pip install hopefully soon.

Re: Python Agent 4.5.5 contains vulnerability

Colin_Fallwell — Tue, 22 Oct 2019 19:04:31 GMT

Hey Doug,

I am the Product Manager for th DL languages. I appreciate you bringing this up to the community. We are working to track this with our engineering leads to close the vulnerability in the short-term. We are also working at a better long term strategy.