Java vulnerability in install_config_jre Web Agent and other component
search cancel

Java vulnerability in install_config_jre Web Agent and other component


Article ID: 141969


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER



How to solve security issues of the embedded JRE used for the Web Agent Installer and other Siteminder component installers such as CA Access Gateway (SPS), Web Agent Option Pack, Policy Server, and AdminUI.
Considering that :

  1.   Other than upgrading the Siteminder component to the latest version, is there any alternative solution to fix this?    
  2.   Why does the Siteminder component need to have this JRE separately?
  3.   Can it use System Default libraries instead of dedicated ones? If yes, are there any steps to follow?
  4.   Can only the rt.jar file be replaced from the respective JDK 1.7 and 1.8 latest builds? Will there be any impact in doing so?
  5.   As the Siteminder component upgrades and java vulnerability fixes may not coincide with each other and installation ends up in such situations in the future as well, what is the best way to avoid this in the future?




At the first glance, as the JRE is used only to run the installer and uninstaller, and as the JRE is not running as a Service, there should be no running vulnerabilities on the system.

The Web Agent itself doesn't use Java (it's written and compiled in C++).

The JVM you see from the installer is given by a third party vendor, and as such Broadcom has very little control on the Java version delievered with.

The only way to avoid the scanning of the file system reporting that the installer JVM is vulnerable is:

  - Tarball the following repositories, and archive them:


This won't harm the work of the Siteminder component.

When planning to uninstall the Web Agent, replace this version of Java, and perform the uninstall. If an upgrade is performed instead, there will not be any issues, since the new Agent install will use its own version of JAVA to perform the upgrade.