Summary

AppDynamics is announcing a patch for a security vulnerability in a third-party component used in the Controller.  The vulnerability could allow remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.

Affected Software 

ProductComponentVersionExploitabilitySeverity
All AppDynamics ProductsAppDynamics Controller

3.9 versions below 3.9.8.7

4.0 versions below 4.0.8.2

4.1 versions below 4.1.2.2

LowHigh

Key/Legend for Ratings and Vulnerabilities

Exploitability RatingDescription
KnownAppDynamics is aware of a known exploit. Customers should treat known exploits with the highest priority.
HighAppDynamics believes there is a high probability that a vulnerability is exploitable by an attacker.
MediumAppDynamics believes there is a moderate probability that a vulnerability is exploitable by an attacker.
LowAppDynamics believes there is a low probability that a vulnerability is exploitable by an attacker.
Severity RatingDescription
HighExploit allows an attacker to compromise confidentiality, integrity, accountability, or availability of user data, or of the integrity or availability of processing resources without any mitigations like notifications, audits, and/or authentication.
MediumExploit allows an attacker to compromise confidentiality, integrity, accountability, or availability of user data, or of the integrity or availability of processing resources with reasonable mitigations like notifications, and/or authentication mechanisms.
Low

Exploit allows an attacker to compromise confidentiality, integrity, accountability, or availability of user data, or of the integrity or availability of processing resources, however, significant mitigations like notifications, and/or authentication mechanisms are in place to reduce severity of the impact.

FAQ

Q: What do I need to do to protect against this vulnerability?

 A: Upgrade your Controller to a Patched Version listed below.

 Q: Do I need to upgrade my agents?

 A: No.

Vulnerability Information


CVE-2015-3269 (http://www.securityfocus.com/archive/1/536266)

Apache Flex BlazeDS Insecure Xml Entity Expansion

Mitigating Factors and Workarounds

Upgrade to a patched version. 

Patched Versions

Acknowledgements

Matthias Kaiser of Code White 

Disclaimer

The information provided in this security advisory is provided "as is" without warranty of any kind. AppDynamics disclaims all warranties with respect thereto, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall AppDynamics or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if AppDynamics or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply to you.

Revision History

1.0 - 8/21/2015  Initial Revision.

1.1 - 8/24/2015 Updated the CVE

  • No labels