Hi, I recently asked a question on the IM Pre-Release Group regarding the version of MySQL in the upcoming IM 3.0 release. This was a result of an InfoSec audit highlighting some vulnerabilities with the version of MySQL in IM 2.X. You can see the question and answer here … https://communities.ca.com/thread/241768482
Something I found that is a concern is that there is a 2 year gap between the version of MySQL in the latest version of IM and the previous 3 releases of IM. The version of MySQL has not changed in versions 2.6 - 2.8, they all ship with MySQL 5.6.20, which was released in July 2014.
My question is whether CA could review how often they upgrade MySQL (and other 3rd party products) to prevent these products falling so far behind and becoming susceptible to failing audits. My view is that it should be possible, and not too difficult, to provide an updated version every time there is a major release of IM.
Can someone from CA please comment on any plans they might have to address this issue in a more timely fashion?
Hi John - Thanks for the question!
Two parts to this answer:
1. CAPC has been updated to version 5.7.14 as of CAPC 3.0 (release by end of the calendar year)
2. In regards to the more general concern around vulnerability remediation, CA receives regular updates on security vulnerabilities and does defect analysis for all 3rd party components. We evaluate the severity of the issue and determine the impact to CAPM (or other products). Often what is exposed will be a part of the third party tool that we are not using. In the case of MySQL, there are various storage engines, table formats etc… In CAPM we are using the most basic and established aspects of the tool that just don’t change very often. As such we determined there wasn’t a need for more frequent updates prior to our 3.0 updates, but as we move into new market segments we may pursue them more regularly.
I hope this answers your question and your concerns!
I understand your concerns. I am personally not aware of any specific plans but I think this is really more of a question for product management. Do you know who your account rep is? If you can pass on your concerns to your account rep and ask them to push this through the product management team, they may be able to get you an answer on this.
Thanks for your response.
I did find out the version to be installed with 3.0 in answer to my original question, but thanks for the confirmation.
The issue with your answer #2 is that approach will not stop Infosec audits highlighting the product as a vulnerability, even if you are not using parts of the MySQL engine. The audit at our client highlighted MySQL as a vulnerability based on the version. And as the version was over 2 years old then it becomes hard to argue.
My view is that CA should consider upgrading MySQL (and other 3rd party products) more frequently to reduce the chances of this happening. I would think updating MySQL whenever there is a new upgrade to PM, or every 6 months, should be sufficient. And if, as you say, the parts of MySQL used by PM don't change much, then I would hope that would not be a major job.
Hopefully the move into new market segments will cause this to happen.
I was expecting that Product Management would be monitoring the community and could respond on here...
Dan_Holmes jason_normandin stoma11 dieti01
If Product Management are monitoring could one of you please respond?
You are spot on with your concern regarding audits. I am currently sitting on a case that was assigned to me in March of 2015 regarding the MySQL version on the Performance Center server. I am chomping at the bit for 3.0 to go GA so I can roll it in to the lab and then production and finally close out the case. It hasn't been easy justifying that finding for this long.
Hey John - I will get you an answer today on our plans with mysql in CA Performance Management. Items that are failing security audits are getting top priority and as you said our goal is to make sure our 3rd party components are up to date.