
PAM Socket Filter Agent (SFA) dependency on 2005/2008 VC++


Article ID: 133058


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

We are in the midst of upgrading the PAM socket filter agent (SFA) from 2.8 to later versions. Our auditors have flagged the 2.8 SFA as having a vulnerability by using 2005/2008 VC++ as a dependency. Does it really use those libraries? Do the newer PAM 3.X SFA releases have the same dependency?

Environment

Release: Any supported PAM release as of June 2019.

Component: PRIVILEGED ACCESS MANAGEMENT

Resolution

The Windows SFA continues to support Windows 2008 R2 and is still built with Visual Studio 2008, so it uses and depends on the Visual C++ 2008 runtime libraries. This applies to all releases supported as of June 2019, including the new PAM 3.3 release. Windows 2008 R2 is nearing its End of Life, and future PAM SFA releases may no longer have this dependency, but at this time we do not have an ETA.