Java vulnerability in Siteminder install_config_jre Web Agent and other component


Article ID: 141969




Products:

  - CA Single Sign On Secure Proxy Server (SiteMinder)
  - CA Single Sign On Agents (SiteMinder)
  - CA Single Sign On Federation (SiteMinder)
  - CA Single Sign On SOA Security Manager (SiteMinder)
  - SITEMINDER



How to solve the security issue of the embedded JRE used by the Web Agent
installer and by the other SiteMinder component installers, such as CA
Access Gateway (SPS), Web Agent Option Pack, Policy Server and AdminUI.
The following questions arise:


  1. Other than upgrading the SiteMinder component to the latest version,
     is there any alternative solution to fix this?
  2. Why does the SiteMinder component need to ship this JRE separately?
  3. Can it use the system default Java libraries instead of the dedicated
     one? If yes, which steps need to be followed?
  4. Can only the rt.jar file be replaced with the one from the latest
     respective JDK 1.7 and 1.8 builds? Will there be any impact in doing
     so?
  5. As SiteMinder component upgrades and Java vulnerability fixes may not
     coincide, and installations may end up in this situation again in
     future, what is the best way to avoid it?




At first glance, as the JRE is used only to run the installer and
uninstaller, and as it is not running as a service, the vulnerability is
not exposed by any running process on the system.

The JVM you see in the installer is provided by a third-party vendor, and
as such Broadcom has very little control over the Java version delivered
with it.

The only way to stop file-system scans from reporting that the installer
JVM is vulnerable is:

  - Tarball the following directories and archive them:


This does not affect the operation of the SiteMinder component.

You should have your own process to keep track of these archived
directories, as you will need them again whenever you run the installer,
the configuration wizard or the uninstaller, or upgrade the SiteMinder
component.
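As an added example, not part of the Broadcom article, the archive-and-restore workflow described above as two POSIX shell functions: the JRE directory is tarred with a recorded checksum and removed, and restored only when the installer or uninstaller has to run. The directory name install_config_jre comes from the title; the archive location and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Archive the embedded installer JRE so file-system scanners stop
# flagging it, and restore it (checksum-verified) before an install,
# configuration or uninstall run. Paths are assumptions for illustration.
set -eu

# archive_jre <jre_dir> <archive_dir>
# Tars the JRE directory, records its SHA-256 beside the tarball and
# removes the live copy. Prints the tarball path.
archive_jre() {
    jre_dir=$1
    archive_dir=$2
    name=$(basename "$jre_dir")
    mkdir -p "$archive_dir"
    tar -czf "$archive_dir/$name.tgz" -C "$(dirname "$jre_dir")" "$name"
    ( cd "$archive_dir" && sha256sum "$name.tgz" > "$name.tgz.sha256" )
    rm -rf "$jre_dir"
    echo "$archive_dir/$name.tgz"
}

# restore_jre <archive_dir> <name> <parent_dir>
# Verifies the checksum recorded at archive time (fails if the tarball
# was altered), then extracts the JRE back under <parent_dir>.
# Prints the restored directory path.
restore_jre() {
    archive_dir=$1
    name=$2
    parent_dir=$3
    ( cd "$archive_dir" && sha256sum -c "$name.tgz.sha256" >/dev/null )
    tar -xzf "$archive_dir/$name.tgz" -C "$parent_dir"
    echo "$parent_dir/$name"
}
```

Run archive_jre once per installer directory after installation, and restore_jre from the same archive location before the next installer, configuration or uninstaller run.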