Java vulnerability in SiteMinder install_config_jre Web Agent and other components


Article ID: 141969


Updated On:

Products

  - CA Single Sign On Secure Proxy Server (SiteMinder)
  - CA Single Sign On Agents (SiteMinder)
  - CA Single Sign On Federation (SiteMinder)
  - CA Single Sign On SOA Security Manager (SiteMinder)
  - SITEMINDER

Issue/Introduction

How to resolve security findings against the embedded JRE used by the
Web Agent installer and by other SiteMinder component installers such
as CA Access Gateway (SPS), Web Agent Option Pack, Policy Server and
AdminUI.

Considering that:

  1. Other than upgrading the SiteMinder component to the latest
     version, is there any alternative solution to fix this?

  2. Why does the SiteMinder component need to have this JRE separately?

  3. Can it use the system default Java libraries instead of the
     dedicated one? If yes, are there any steps to follow?

  4. Can only the rt.jar file be replaced from the respective JDK 1.7
     and 1.8 latest builds? Will there be any impact in doing so?

  5. As SiteMinder component upgrades and Java vulnerability fixes may
     not coincide with each other, and installations may end up in such
     situations in future as well, what is the best way to avoid this
     in future?


Resolution


At first glance, because the JRE is used only to run the installer and
uninstaller and is not running as a service, there should be no running
(exploitable) instance of the vulnerable JRE on the system; the finding
comes from scanning the files on disk.

The JVM you see in the installer is supplied by a third-party vendor, so
Broadcom has very little control over the Java version delivered with it.

The only way to stop file-system scans from reporting the installer JVM
as vulnerable is:

  - Tarball the following directories and archive them:

        ca-wa-uninstall/
        install_config_jre/

This won't affect the operation of the SiteMinder component.

You should have your own process to keep track of these archives, as
you will need their contents again whenever you run the
installer/configuration/uninstaller or upgrade the SiteMinder component.
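As an added example (not part of the article or of the product), a POSIX shell helper that packs the two directories into a tarball, verifies the archive lists them and only then removes them, together with the restore step needed before any future install, configure, uninstall or upgrade run. The agent home directory and the tarball location are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the KB article. Archive the installer-only JRE
# directories so file-system scanners no longer see the bundled JRE, and
# restore them again before running the installer/configurator/uninstaller.

# archive_installer_jre HOME TARBALL DIR... : pack DIR... (relative to HOME)
# into TARBALL (.tar.gz), verify the archive, then delete the directories.
# Returns non-zero and leaves the tree untouched if anything fails.
archive_installer_jre() {
    home="$1"; tarball="$2"; shift 2
    # Keep only the directories that actually exist under the agent home
    present=""
    for d in "$@"; do
        [ -d "$home/$d" ] && present="$present $d"
    done
    [ -n "$present" ] || { echo "nothing to archive under $home" >&2; return 1; }
    # shellcheck disable=SC2086  # word splitting of $present is intended
    ( cd "$home" && tar czf "$tarball" $present ) || return 1
    # Confirm every directory is in the archive before deleting anything
    for d in $present; do
        tar tzf "$tarball" | grep -q "^$d/" || { echo "verify failed: $d" >&2; return 1; }
    done
    for d in $present; do rm -rf "$home/$d"; done
}

# restore_installer_jre HOME TARBALL : put the archived directories back
# under HOME so the installer/uninstaller can run again.
restore_installer_jre() {
    home="$1"; tarball="$2"
    [ -f "$tarball" ] || { echo "missing archive $tarball" >&2; return 1; }
    ( cd "$home" && tar xzf "$tarball" )
}

# Usage with placeholder paths (adjust to your installation):
# archive_installer_jre /opt/CA/webagent /secure/backup/wa-jre.tar.gz \
#     ca-wa-uninstall install_config_jre
# restore_installer_jre /opt/CA/webagent /secure/backup/wa-jre.tar.gz
```

Keep the tarball somewhere the scanner policy accepts and record its location in the change-tracking process the article asks for, since the next upgrade cannot run until it is restored.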