Security Vulnerability with JRE version in SiteMinder WebAgents


Article ID: 141969


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER



We'd like to know how to address the security of the embedded JRE used
for the Web Agent Installer.
We want to know:
  1. Other than upgrading the Web Agent to the latest version, do you
     have any alternative solution to fix this?
  2. Why does the Web Agent need to have this JRE separately?
  3. Can it use the system default libraries instead of a dedicated one?
     If yes, can you guide us through the steps?
  4. Can we just replace this rt.jar file with the one from the
     respective JDK 1.7 and 1.8 latest builds? Will there be any impact
     in doing so?
  5. The Web Agent upgrades and Java vulnerability fixes may not coincide
     with each other, and we end up in such situations in the future as
     well. What is the best way to avoid this in the future?




At first glance, as the JRE is used only to run the installer and
uninstaller, and as the JRE is not running as a service, there should
be no vulnerabilities on the system.

The JVM you see in the installer is supplied by a third-party vendor,
and as such we have no control over the Java version delivered with it.

The only way to stop file-system scans from reporting the installer
JVM as vulnerable is:

- Tarball the following directories, and archive
  them:


This won't affect the operation of the Web Agent.

You should have your own process to keep track of these directories in
case you need to run the installer, configuration or uninstaller, or
upgrade the Web Agent.
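
One way to script the archive-and-restore process described above, as an added example that is not CA/Broadcom code. The directory is passed as an argument because the page does not list the paths; the function names, the store layout and the use of GNU `sha256sum` are assumptions.

```shell
#!/bin/sh
# Added example: archive an installer JRE directory out of the live file
# system and restore it before running the installer/uninstaller.
# No product paths are hard-coded; the caller supplies them.

# archive_dir DIR STORE
# Tar DIR into STORE, verify the archive, record its checksum, remove DIR.
archive_dir() {
    dir=${1%/}; store=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    mkdir -p "$store" || return 1
    name=$(printf '%s' "$dir" | tr '/' '_')      # flat, unique archive name
    parent=$(dirname "$dir"); base=$(basename "$dir")
    tar -czf "$store/$name.tar.gz" -C "$parent" "$base" || return 1
    # Never delete the original unless the archive reads back cleanly.
    tar -tzf "$store/$name.tar.gz" >/dev/null || return 1
    ( cd "$store" && sha256sum "$name.tar.gz" > "$name.sha256" ) || return 1
    printf '%s\n' "$parent" > "$store/$name.origin"  # where to unpack later
    rm -rf -- "$dir"
}

# restore_dir DIR STORE
# Check the recorded checksum, then unpack DIR back to its original parent.
restore_dir() {
    dir=${1%/}; store=$2
    name=$(printf '%s' "$dir" | tr '/' '_')
    ( cd "$store" && sha256sum -c "$name.sha256" >/dev/null 2>&1 ) || {
        echo "checksum mismatch or missing archive: $name.tar.gz" >&2
        return 1
    }
    parent=$(cat "$store/$name.origin") || return 1
    tar -xpzf "$store/$name.tar.gz" -C "$parent"
}

# Usage (placeholder paths, replace with the directories for your install):
#   archive_dir /path/to/installer_jre /var/archive/webagent
#   restore_dir /path/to/installer_jre /var/archive/webagent
```

Run `restore_dir` before any install, configuration, uninstall or upgrade, and `archive_dir` again afterwards.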