
BASE-1551: Pinpoint Agent 1.x Vulnerabilities

Overview

Pinpoint is an APM (Application Performance Management) tool for large-scale distributed systems written in Java.

eptos uses Pinpoint for application performance monitoring.

Pinpoint Java Agent 1.x uses third-party libraries with known vulnerabilities. The Pinpoint project has announced that these will be fixed in Pinpoint 2.x only.

Summary

Pinpoint Agent 1.x Vulnerabilities

Advisory Release Date

01.09.2022

updated 16.11.2023

Products

eptos Base Module (All Components)

eptos Business Party Manager

eptos Dictionary Transformation Manager

eptos Document Manager

eptos Terminology Manager

eptos Unit and Quantity Manager

eptos Template Manager

eptos Publication Manager

eptos Item Manager

eptos Dictionary Manager

eptos Email Collector

eptos Search Engine

Affected Releases

eptos 6.1.*

eptos Search Engine 2.1

Fixed Releases

eptos 6.1 On Demand

eptos 6.2 (Unreleased)

eptos Search Engine 2.2

CVE ID

CVE-2018-10237
CVE-2018-11798
CVE-2018-1320
CVE-2019-0205
CVE-2019-0210
CVE-2019-16869
CVE-2019-17571
CVE-2019-20444
CVE-2019-20445
CVE-2020-13949
CVE-2020-8908
CVE-2020-9493
CVE-2021-21290
CVE-2021-21295
CVE-2021-21409
CVE-2021-37136
CVE-2021-37137
CVE-2022-23302
CVE-2022-23305
CVE-2022-23307
CVE-2022-24823
GHSA-2qrg-x229-3v8q
GHSA-5mg8-w23w-74h3
GHSA-65fg-84f6-3jq3
GHSA-f7vh-qwp3-x37m
GHSA-fp5r-v3w9-4333
GHSA-g2fg-mr77-6vrm
GHSA-mvr2-9pj6-7w5j
GHSA-rj7p-rfgp-852x
GHSA-vx85-mj8c-4qm6
GHSA-w9p3-5cr8-m3jj
GHSA-wjxj-f8rg-99wx

Issue ID

BASE-1551

Further information

BASE-1468

BASE-1469

Summary of Vulnerability

Pinpoint Java Agent 1.x uses third-party libraries with known vulnerabilities.

There are no indications that any of the listed CVEs can actually be exploited via the Pinpoint Agent. As a precautionary measure, we nevertheless recommend:

  1. Deactivation of the Pinpoint Agents (See Chapter "Mitigation")

  2. Plan an upgrade to a newer Software Version with Pinpoint Agent 2.x installed

Software Fixes

  • The upgraded agent is included by default in the upcoming eptos 6.2 and Search Engine 2.2

  • In earlier versions:

    • An update of eptos components from Pinpoint Agent 1.x to 2.x can be prepared on demand for existing customers. Please contact your Solution Manager or Support for an upgrade.

What you need to do

  1. Deactivation of the Pinpoint Agents (See Chapter "Mitigation")

  2. Plan an upgrade to a newer Software Version with Pinpoint Agent 2.x installed

    1. This requires upgrading the Pinpoint Server (Collector) to 2.x as well, because 2.x agents are not backwards compatible with a Pinpoint 1.x Server

    2. See https://pinpoint-apm.github.io/pinpoint/2.2.2/main.html for details.

    3. Note: Pinpoint Server is not provided or maintained by Paradine, but might be maintained by your IT Department.

Mitigation

As a precautionary measure, we recommend deactivating the Pinpoint Agents.

If eptos is installed:

  1. Via Helm: Set the values.yaml variable eptos.pinpoint.enabled to false and restart the components

  2. Via YAML: For all eptos Manager components, set the environment variable PP_OPTS to an empty value ('') to disable the Pinpoint Agent, then restart the components
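To confirm that the deactivation (or the later 2.x upgrade) actually took effect, it helps to inspect the running JVMs rather than only the deployment configuration: a Java agent is only loaded when `-javaagent:` appears on the JVM command line. The following POSIX shell check is an added example and is not part of this advisory or of the Pinpoint project. It assumes the Pinpoint distribution's jar naming, `pinpoint-bootstrap-<version>.jar`, and takes JVM command lines on stdin, for example from `kubectl exec <pod> -- ps -eo args=` or a plain `ps -eo args=` on a host; the sample command lines in the block are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or from Pinpoint): find JVMs that still
# load a Pinpoint 1.x agent. Input: one JVM command line per line on stdin.
# Assumption: the agent jar is named pinpoint-bootstrap-<version>.jar and is
# loaded with -javaagent:<path>/pinpoint-bootstrap-<version>.jar.

# Regex for a Pinpoint 1.x agent: major version 1, any minor/patch.
PP1X_AGENT_RE='-javaagent:[^[:space:]]*pinpoint-bootstrap-1\.[0-9]+(\.[0-9]+)*\.jar'

# Print every command line that loads a Pinpoint 1.x agent.
pinpoint1x_jvms() {
    grep -E -- "$PP1X_AGENT_RE"
}

# Print the number of JVMs that load a Pinpoint 1.x agent.
# 0 means no 1.x agent is active, i.e. the mitigation or upgrade took effect.
count_pinpoint1x_jvms() {
    # grep -c prints 0 and exits non-zero when nothing matches; keep the 0.
    grep -cE -- "$PP1X_AGENT_RE" || true
}

# Constructed sample: one JVM still on a 1.x agent, one already on 2.x,
# and one with the agent removed (the state after setting PP_OPTS to '').
SAMPLE_JVMS='java -javaagent:/pinpoint-agent/pinpoint-bootstrap-1.8.5.jar -Dpinpoint.agentId=tm01 -Dpinpoint.applicationName=eptos-terminology-manager -jar terminology-manager.jar
java -javaagent:/pinpoint-agent/pinpoint-bootstrap-2.2.2.jar -Dpinpoint.agentId=dm01 -Dpinpoint.applicationName=eptos-document-manager -jar document-manager.jar
java -Xmx2g -jar item-manager.jar'

# Usage against the constructed sample; on a real system pipe in
# `kubectl exec <pod> -- ps -eo args=` or `ps -eo args=` instead.
printf '%s\n' "$SAMPLE_JVMS" | pinpoint1x_jvms
```

Run the check against every eptos pod (or host) after the restart; any line it prints is a JVM whose agent was not disabled, typically because the container was not restarted or a different manifest still sets PP_OPTS.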

Support

  • If you have questions or concerns regarding this advisory, contact support (at) paradine.at and add BASE-1551 to your issue description.
