Release Automation

 Nolio Agent Java Security Issue

posted 02-03-2021 03:10 AM
Hi All,

I recently got an alert from my security team that I am using a vulnerability-prone Java on one of my servers. When I checked, it was pointing to the Java inside the Nolio agent, and the version of Java used is 1.8.0_162. Is it possible to upgrade the Java inside the Nolio agent, or is there any other alternative so that we can point it to our server Java instead of the agent's embedded Java?

Nolio Agent Version: 6.6.9640

I guess a similar discussion took place in the thread below, but there is still no solution. @Gregg Stewart, will you be able to help, please?

https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?GroupId=1759&MessageKey=2cd0373f-79ab-46d1-a2f6-796aac6603f7&CommunityKey=81532ad3-5cf2-46cd-ab04-c851a8852960&tab=digestviewer

Thanks
Broadcom Employee Best Answer
Hi Parthiban,

We are currently investigating solutions for Nolio version 6.6. One option you have is to upgrade to Nolio version 6.7, which uses adoptopenjdk v1.8.0_232. However, please be mindful of the platform compatibility matrix supported by version 6.7. Depending on whether you have old platforms that are not supported by version 6.7, it may mean that you still have some 6.6 until you can upgrade those systems (since those OSes are likely not supported by the vendor anymore) and get a 6.7 agent on them.

If you can upgrade everything to 6.7, all is good. If you cannot and need to remain on version 6.6 then I would suggest opening a support issue for timely updates as we know more. Otherwise I will try to revisit this posting to answer the question once we conclude our investigation. 

Please note: 
Agents installed without an embedded JRE can have their JRE updated. Instructions for that are available here:
https://knowledge.broadcom.com/external/article?articleId=4500

However, the KB article doesn't apply to agents that are using an embedded JRE, which is what all Windows Nolio agents use and probably most Linux Nolio agents. For this we'll need to finish our investigation.
 
Kind regards,
Gregg
Broadcom Employee

Hi Parthiban,

We're currently in the process of preparing instructions about how to upgrade the JRE manually because, as per the new license from Oracle, we can no longer bundle newer versions in our releases.

I'll post the instructions here ASAP.

Best regards,

Ali
