Overview
Pinpoint is an APM (Application Performance Management) tool for large-scale distributed systems written in Java.
eptos uses Pinpoint for application performance monitoring.
Pinpoint Java Agent 1.x uses third-party libraries with known vulnerabilities; the Pinpoint project has announced that these will be fixed in Pinpoint 2.x only.
| Summary | Pinpoint Agent 1.x Vulnerabilities |
|---|---|
| Advisory Release Date | 01.09.2022, updated 16.11.2023 |
| Products | eptos Base Module (All Components), eptos Business Party Manager, eptos Dictionary Transformation Manager, eptos Document Manager, eptos Terminology Manager, eptos Unit and Quantity Manager, eptos Template Manager, eptos Publication Manager, eptos Item Manager, eptos Dictionary Manager, eptos Email Collector, eptos Search Engine |
| Affected Releases | eptos 6.1.*, eptos Search Engine 2.1 |
| Fixed Releases | eptos 6.1 On Demand, eptos 6.2 (Unreleased), eptos Search Engine 2.2 |
| CVE ID | CVE-2018-10237, GHSA-f7vh-qwp3-x37m |
| Issue ID | BASE-1551 |
| Further information | BASE-1468, BASE-1469 |
Summary of Vulnerability
Pinpoint Java Agent 1.x uses third-party libraries with known vulnerabilities. CVE-2018-10237, for example, is a denial-of-service issue in the Google Guava library: deserializing attacker-supplied data can trigger unbounded memory allocation (fixed in Guava 24.1.1).
There are no indications that any of the CVEs can actually be exploited via the Pinpoint Agent. As a precautionary measure we nevertheless recommend:
- Deactivating the Pinpoint Agents (see chapter "Mitigation")
- Planning an upgrade to a newer software version with Pinpoint Agent 2.x installed
Software Fixes
- The agent upgrade is included by default in the upcoming eptos 6.2 and Search Engine 2.2.
- For earlier versions, an update of the eptos components from Pinpoint Agent 1.x to 2.x can be prepared on demand for existing customers. Please contact your Solution Manager or Support for an upgrade.
What you need to do
- Deactivate the Pinpoint Agents (see chapter "Mitigation")
- Plan an upgrade to a newer software version with Pinpoint Agent 2.x installed
  - This requires an upgrade of the Pinpoint Server (Collector) to a 2.x version, as 2.x agents are not backwards compatible with the Pinpoint 1.x server.
  - See https://pinpoint-apm.github.io/pinpoint/2.2.2/main.html for details.
  - Note: the Pinpoint Server is not provided or maintained by Paradine, but it might be maintained by your IT department.
Mitigation
As a precautionary measure we recommend deactivating the Pinpoint Agents.
If eptos is installed:
- Via Helm: set the values.yaml variable eptos.pinpoint.enabled to false and restart the components.
- Via YAML: for all eptos Manager components, set the environment variable PP_OPTS to the empty value '' to disable the Pinpoint Agent.
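The following shell helper is an added example for verifying that the mitigation took effect; it is not part of eptos, this advisory, or the Pinpoint project. It assumes that eptos passes PP_OPTS into the JVM options, so a disabled agent shows up as the absence of a -javaagent option pointing at pinpoint-bootstrap in the running process's command line. The sample command lines, the agent path and version, and the pod label used in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example (not eptos or Pinpoint code): verify that the Pinpoint agent is
# really gone after applying the mitigation.
#
# Assumption: eptos puts PP_OPTS into the JVM options, so when PP_OPTS is ''
# (or eptos.pinpoint.enabled is false) the JVM command line no longer carries
# a -javaagent option that refers to pinpoint-bootstrap.

# Return 0 when CMDLINE ($1) contains a -javaagent option whose path contains
# "pinpoint-bootstrap", 1 otherwise.
pinpoint_agent_attached() {
    printf '%s\n' "$1" | grep -Eq -- '-javaagent:[^[:space:]]*pinpoint-bootstrap'
}

# Print ACTIVE or DISABLED for CMDLINE ($1).
pinpoint_status() {
    if pinpoint_agent_attached "$1"; then
        echo ACTIVE
    else
        echo DISABLED
    fi
}

# Read pod names from stdin, print one "<pod> <status>" line per pod and
# return 1 if any pod still runs the agent. Reads the command line of PID 1 in
# the container (assumption: the eptos JVM is the container's main process).
# Requires kubectl in PATH; not exercised by the offline demo below.
check_pods() {
    rc=0
    while read -r pod; do
        [ -n "$pod" ] || continue
        cmdline=$(kubectl exec "$pod" -- sh -c "tr '\0' ' ' </proc/1/cmdline")
        status=$(pinpoint_status "$cmdline")
        printf '%s %s\n' "$pod" "$status"
        [ "$status" = DISABLED ] || rc=1
    done
    return $rc
}

# Constructed sample command lines (not captured from a real eptos deployment):
# before the mitigation PP_OPTS expanded to the -javaagent and -Dpinpoint.*
# flags; after it, PP_OPTS is empty and the flags are gone.
BEFORE='java -Xmx2g -javaagent:/opt/pinpoint-agent/pinpoint-bootstrap-1.8.5.jar -Dpinpoint.agentId=eptos-dm-1 -Dpinpoint.applicationName=eptos -jar /app/eptos-document-manager.jar'
AFTER='java -Xmx2g -jar /app/eptos-document-manager.jar'

for c in "$BEFORE" "$AFTER"; do
    printf 'pinpoint agent: %s\n' "$(pinpoint_status "$c")"
done
```

Run stand-alone, the script prints ACTIVE for the constructed BEFORE line and DISABLED for AFTER. For a live check, pipe the pod names of the eptos components into check_pods, e.g. `kubectl get pods -l app=eptos -o name | check_pods` (the label selector is hypothetical), and treat any ACTIVE line as a component that was not restarted or did not pick up the new PP_OPTS value. For a Helm installation, `helm get values <release> -o yaml` should additionally show eptos.pinpoint.enabled set to false.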
Support
- If you have questions or concerns regarding this advisory, contact support (at) paradine.at and add BASE-1551 to your issue description.