Security Vulnerability with JRE version in SiteMinder WebAgents

Article ID: 141969

Products

- CA Single Sign On Secure Proxy Server (SiteMinder)
- AXIOMATICS POLICY SERVER
- CA Single Sign On Agents (SiteMinder)
- CA Single Sign On Federation (SiteMinder)
- CA Single Sign On SOA Security Manager (SiteMinder)
- SITEMINDER

Issue/Introduction

We'd like to know how to resolve the security issue with the embedded
JRE used by the Web Agent installer.

We want to know:

  1. Other than upgrading the Web Agent to the latest version, do you
     have any alternative solution to fix this?
  2. Why does the Web Agent need to ship this JRE separately?
  3. Can it use the system default libraries instead of a dedicated
     one? If yes, can you guide us with the steps?
  4. Can we just replace this rt.jar file with the one from the latest
     JDK 1.7 and 1.8 builds? Will there be any impact in doing so?
  5. Web Agent upgrades and Java vulnerability fixes may not coincide
     with each other, so we will end up in such situations in the
     future as well. What is the best way to avoid this?


Resolution


The embedded JRE is used only to run the installer, the configuration
program and the uninstaller. It does not run as a service and the Web
Agent itself does not use it at runtime, so the vulnerable Java code is
not exposed while the agent is serving requests: what the scanner is
reporting is a stale JRE on disk, not a running attack surface.

The JVM you see in the installer is supplied by a third-party vendor,
so CA has no control over the Java version delivered with it.

Short of upgrading the Web Agent, the only way to stop a file-system
scan from reporting the installer JVM as vulnerable is to remove it
from the scanned file system:

- Tar the following directories and archive the tarball:

   ca-wa-uninstall/
   install_config_jre/

Removing these directories does not affect the operation of the Web
Agent. Note that a scanner which opens archives will still see the JRE
inside the tarball; in that case store the archive on a host or path
that the scan policy excludes.

Keep your own record of where the archive is, and restore these
directories before you run the installer, the configuration program or
the uninstaller, or upgrade the Web Agent, because those operations
need them.
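The park-and-restore procedure above, written out as a POSIX shell script. This is an added example, not CA/Broadcom code: it assumes the Web Agent is installed under a hypothetical root (/opt/CA/webagent, overridable with WA_ROOT) with the two directories directly beneath it, records a SHA-256 digest of the tarball so that a tampered or swapped archive is refused before the uninstaller is run from it, and extracts with permission bits preserved so the restored installer and uninstaller remain executable.

```shell
#!/bin/sh
# Added example, not CA/Broadcom code: park the Web Agent installer JRE
# directories named in the article in a tarball so that file-system
# scanners no longer find the embedded Java binaries, and bring them
# back (after an integrity check) before the installer, configuration
# program or uninstaller is needed again.
#
# Assumptions, not taken from the article: the Web Agent lives under
# $WA_ROOT (default /opt/CA/webagent, a hypothetical path) and the two
# directories sit directly beneath it.
set -eu

WA_ROOT="${WA_ROOT:-/opt/CA/webagent}"
PARKED_DIRS="ca-wa-uninstall install_config_jre"

# SHA-256 of a file; sha256sum on Linux, shasum elsewhere.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# park_jre ROOT ARCHIVE: tar the directories under ROOT into ARCHIVE,
# record the archive digest beside it, then delete the originals so the
# Java files are no longer on the scanned file system.
park_jre() {
    root="$1"; archive="$2"
    for d in $PARKED_DIRS; do
        [ -d "$root/$d" ] || { echo "missing $root/$d" >&2; return 1; }
    done
    tar -C "$root" -czf "$archive" $PARKED_DIRS
    digest "$archive" > "$archive.sha256"
    # Only the owner (the account that runs the installer) needs the archive.
    chmod 0600 "$archive" "$archive.sha256"
    for d in $PARKED_DIRS; do
        rm -rf "$root/$d"
    done
}

# restore_jre ROOT ARCHIVE: refuse an archive whose digest no longer
# matches the recorded one (a swapped tarball could otherwise plant a
# different "uninstaller"), then unpack with permission bits preserved.
restore_jre() {
    root="$1"; archive="$2"
    expected="$(cat "$archive.sha256")"
    actual="$(digest "$archive")"
    if [ "$expected" != "$actual" ]; then
        echo "digest mismatch for $archive, refusing to unpack" >&2
        return 1
    fi
    tar -C "$root" -xpzf "$archive"
}

# jre_parked ROOT: succeed only if none of the directories is on disk.
jre_parked() {
    for d in $PARKED_DIRS; do
        if [ -d "$1/$d" ]; then return 1; fi
    done
    return 0
}

# CLI: ./park-wa-jre.sh park|restore [archive]
case "${1:-}" in
    park)    park_jre "$WA_ROOT" "${2:-$WA_ROOT/installer-jre.tgz}" ;;
    restore) restore_jre "$WA_ROOT" "${2:-$WA_ROOT/installer-jre.tgz}" ;;
esac
```

Run `park` after a successful install or upgrade and `restore` immediately before the next install, configuration, uninstall or upgrade; the digest file is the record the article asks you to keep, so store it with the archive and not on the scanned host if the scanner inspects archive contents.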