Splunk AppDynamics
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Python Agent 4.5.5 contains vulnerability

Doug_Odegaard
Explorer
‎10-15-2019 08:13 AM

Our team has found a vulnerability in the Python agent 4.5.5 version during a scan and are unable to deploy.  Has anyone else found this issue?  Here is a request from our DevOps team.

Installing the python appdynamics agent 4.5.5.0 pulls in the com.fasterxml.jackson.core_jackson-databind version 2.9.9.1 as a dependency, which includes some critical vulnerabilities (CVSS 9.8) https://nvd.nist.gov/vuln/detail/CVE-2019-14379, https://nvd.nist.gov/vuln/detail/CVE-2019-16335, and https://nvd.nist.gov/vuln/detail/CVE-2019-14540.

Could we ask that the next python appdynamics agent update (4.5.6?) use at least com.fasterxml.jackson.core_jackson-databind 2.9.10, which resolves these vulnerabilities.

In our environment we did a “pip install appdynamics”, and a pip list afterwards shows the following versions of the packages installed:

appdynamics                        4.5.5.0   

appdynamics-bindeps-linux-x64      9.0      

appdynamics-proxysupport-linux-x64 1.8.0.51.1

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Doug_Odegaard
Explorer
‎10-22-2019 11:41 AM

Just to let anyone else know the status I am working heavily with support and other channels to get this addressed.  In the meantime one can do a pip install but remove the jackson file in question as a workaround but goal is a clean pip install hopefully soon.

View solution in original post

Reply
Solved! Jump to solution

iamryan
Community Manager
Community Manager
‎10-18-2019 10:47 AM

Hi @Doug.Odegaard 

I recommend reporting this to support. Let me know if you have any trouble with this.

Reply
Solved! Jump to solution
Solution

Doug_Odegaard
Explorer
‎10-22-2019 11:41 AM

Just to let anyone else know the status I am working heavily with support and other channels to get this addressed.  In the meantime one can do a pip install but remove the jackson file in question as a workaround but goal is a clean pip install hopefully soon.

Reply
Solved! Jump to solution

Colin_Fallwell
Engager
‎10-22-2019 12:04 PM

Hey Doug,

I am the Product Manager for th DL languages.  I appreciate you bringing this up to the community.  We are working to track this with our engineering leads to close the vulnerability in the short-term.  We are also working at a better long term strategy.  

0 Karma
Reply
Get Updates on the Splunk Community!

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...
Top