DX Unified Infrastructure Management

  • 1.  Update for java_jre 2.0 CVE-2019-2816

    Posted Oct 09, 2019 09:24 AM
    When running server scans our scanner is showing the installed version of JRE is vulnerable

    Vulnerable software installed: Oracle JRE 1.8.0.212 (/opt/nimsoft/jre/jre8u212b04/lib/rt.jar)
    Version java_jre 2.0 installed from our archive.

    Is there an update to jre8u222 which should be the correct fix for this.


    ------------------------------
    Robert Truesdale
    ------------------------------


  • 2.  RE: Update for java_jre 2.0 CVE-2019-2816

    Broadcom Employee
    Posted Oct 09, 2019 09:51 AM
    UIM is no longer using the Oracle java.
    We have moved over to OpenJDK Java Runtime Environment 1.8.0_212-b04.
    You will need to update to UIM 9.20 to get this version of Java and be able to deploy this to robots to resolve this issue.

    http://support.nimsoft.com/unsecure/archive.aspx?id=214

    https://docops.ca.com/ca-unified-infrastructure-management/9-0-2/en/release-notes/ca-unified-infrastructure-management-9-2-0#CAUnifiedInfrastructureManagement9.2.0-ReplacingOracleJDKwithOpenJDK



    ------------------------------
    Gene Howard
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: Update for java_jre 2.0 CVE-2019-2816

    Posted Oct 11, 2019 10:59 AM
    Hello Gene,


    Thanks for the reply. But here is the thing. The 1.8.0_212-b04 version of the JRE has a vulnerability. And we need to have the latest version of the JRE or wait for the update, as it fails our audit. Can you investigate the CVE I've included in the title of this message. I'm fully aware of how to install the java_jre within our hubs.

    Thanks



  • 4.  RE: Update for java_jre 2.0 CVE-2019-2816
    Best Answer

    Broadcom Employee
    Posted Oct 11, 2019 11:07 AM
    I think the confusion is because the CVE specifies the vulnerability is in Oracle Java.

    Your scan result also says:

    Vulnerable software installed: Oracle JRE 1.8.0.212

    However, if you have installed the newest 2.0 java_jre package, you do not have Oracle JRE installed anymore - we are now using OpenJDK.

    Is it possible this is therefore a false positive?


  • 5.  RE: Update for java_jre 2.0 CVE-2019-2816

    Posted Oct 15, 2019 01:20 PM
    It does look like CVE-2019-2816 applies to OpenJDK 8u212-b04. It is fixed in OpenJDK 8u222 (1.8.0_222-b10).

    https://adoptopenjdk.net/release_notes.html
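    Replies 4 and 5 together raise two questions a hub owner has to answer before closing the scan finding: is the runtime under /opt/nimsoft/jre actually Oracle's or OpenJDK's, and is its build at or above 8u222-b10? The scanner keyed on rt.jar, and both vendors ship a 1.8.0_212-b04, so the version number alone cannot settle the first question. The script below is an added example, not code from the thread or from Broadcom; it parses the text `java -version` prints (which goes to stderr), takes the vendor from the Runtime Environment line rather than the version number, and compares the (update, build) pair against 8u222-b10 as named in reply 5. The java path is an assumption built from the rt.jar location in the original scan result, and the three sample outputs are constructed, not captured from a hub.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# OpenJDK build that reply 5 names as carrying the fix for CVE-2019-2816:
# 8u222-b10, i.e. 1.8.0_222-b10, compared here as (update, build).
FIXED_8U = (222, 10)

# Assumed hub path, derived from the rt.jar location quoted in the scan result.
DEFAULT_JAVA = "/opt/nimsoft/jre/jre8u212b04/bin/java"


class JreInfo(NamedTuple):
    vendor: str   # "OpenJDK", "Oracle" or "unknown"
    update: int   # the N in 1.8.0_N
    build: int    # the B in -bB


def parse_java_version(output: str) -> Optional[JreInfo]:
    """Parse the text `java -version` prints for a Java 8 runtime.

    The vendor comes from the Runtime Environment line, not from the version
    number: Oracle and OpenJDK 8u212-b04 share the same number, which is why a
    scanner keying on rt.jar reports both as "Oracle JRE".
    """
    m = re.search(r"Runtime Environment.*\(build 1\.8\.0_(\d+)-b(\d+)\)", output)
    if not m:
        return None  # not a Java 8 runtime, or output in an unexpected shape
    if "OpenJDK Runtime Environment" in output:
        vendor = "OpenJDK"
    elif "Java(TM) SE Runtime Environment" in output:
        vendor = "Oracle"
    else:
        vendor = "unknown"
    return JreInfo(vendor, int(m.group(1)), int(m.group(2)))


def assess(output: str) -> str:
    """Classify one `java -version` output against the fixed build."""
    info = parse_java_version(output)
    if info is None:
        return "unknown: could not parse a Java 8 runtime from the output"
    patched = (info.update, info.build) >= FIXED_8U
    state = ("at or above 8u222-b10" if patched
             else "below 8u222-b10, CVE-2019-2816 applies")
    return f"{info.vendor} 1.8.0_{info.update}-b{info.build:02d}: {state}"


def java_version_output(java_path: str = DEFAULT_JAVA) -> str:
    """Run the hub's bundled java binary; `-version` writes to stderr."""
    proc = subprocess.run([java_path, "-version"], capture_output=True, text=True)
    return proc.stderr + proc.stdout


# Constructed sample outputs (not captured from a real hub), in the shape
# `java -version` prints for OpenJDK and Oracle builds.
SAMPLE_OPENJDK_212 = """openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM (build 25.212-b04, mixed mode)
"""
SAMPLE_ORACLE_212 = """java version "1.8.0_212"
Java(TM) SE Runtime Environment (build 1.8.0_212-b04)
Java HotSpot(TM) 64-Bit Server VM (build 25.212-b04, mixed mode)
"""
SAMPLE_OPENJDK_222 = """openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b10)
OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OPENJDK_212, SAMPLE_ORACLE_212, SAMPLE_OPENJDK_222):
        print(assess(sample))
    # On a hub, check the bundled runtime instead of the samples:
    # print(assess(java_version_output()))
```

Running it against the bundled binary gives an answer the scanner's rt.jar match cannot: the vendor string tells you whether the Oracle-specific wording of the advisory is the only reason for the finding, and the build comparison tells you whether the runtime is still below the fix level regardless of vendor. Keep the fixed build as data so the same check can be re-pointed when a newer java_jre package ships.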


  • 6.  RE: Update for java_jre 2.0 CVE-2019-2816

    Posted Oct 15, 2019 01:27 PM
    Hello,

    Can we just replace jre8u212b04 with 8u222b10 and still receive support from Broadcom if things go wrong?  I'm just wondering if there is going to be a newer java_jre update > 2.0


  • 7.  RE: Update for java_jre 2.0 CVE-2019-2816

    Broadcom Employee
    Posted Oct 15, 2019 01:32 PM
    It's possible that would work, but it would have to be considered unsupported since we have not yet QA'd 8u222b10 with the product.  I do not know for sure whether there will be a newer update, but I assume so.

    I would recommend that anyone who is concerned with this vulnerability should open a support case; the more customers we have reporting that this is an issue for them, the better, as this will help increase the visibility/priority of the issue and allow us to push for an update.