
EEM Embedded Java


Article ID: 190462


Products

CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE
DX Application Performance Management

Issue/Introduction

Below I have inserted some text I received for findings on the EEM server. I have provided it below for your review. It looks like it is suggesting we need to upgrade the Java version. Can you please provide instructions for the best way to accomplish this?

 

 

 


Oracle Java SE Multiple Vulnerabilities (October 2018 CPU) (Unix)

The remote Unix host contains a programming platform that is affected by multiple vulnerabilities.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 11 Update 1, 8 Update 191, 7 Update 201, or 6 Update 211. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified vulnerability in the Java SE Embedded component of Oracle Java SE in the Deployment (libpng) subcomponent could allow an unauthenticated, remote attacker with network access via HTTP to compromise Java SE. (CVE-2018-13785)

  - An unspecified vulnerability in the Java SE Embedded component of Oracle Java SE in the Hotspot subcomponent that could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE (CVE-2018-3169)

  - An unspecified vulnerability in the Java SE component of Oracle Java SE in the JavaFX subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE. (CVE-2018-3209)

  - An unspecified vulnerability in the Java SE, Java SE Embedded, and JRockit component of Oracle Java SE in the JNDI subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, and JRockit. (CVE-2018-3149)

  - An unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE in the JSSE subcomponent could allow an unauthenticated, remote attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, or JRockit. (CVE-2018-3180)

  - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Networking subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE or Java SE Embedded. (CVE-2018-3139)

  - An unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE in the Scripting subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, or JRockit. (CVE-2018-3183)

  - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Security subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. (CVE-2018-3136)

  - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Serviceability subcomponent could allow a low privileged attacker with logon to the infrastructure where Java SE, Java SE Embedded executes to compromise Java SE, Java SE Embedded. (CVE-2018-3211)

  - An unspecified vulnerability in the Java SE component of Oracle Java SE in the Sound subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE. (CVE-2018-3157)

  - An unspecified vulnerability in the Java SE component of Oracle Java SE in the Utility subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE. (CVE-2018-3150)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Upgrade to Oracle JDK / JRE 11 Update 1, 8 Update 191 / 7 Update 201 / 6 Update 211 or later. If necessary, remove any affected versions.

Note that an Extended Support contract with Oracle is needed to obtain JDK / JRE 6 Update 95 or later.

The following vulnerable instance of Java is installed on the
remote host :

  Path              : /opt/CA/SharedComponents/EmbeddedEntitlementsManager/
  Installed version : 1.6.0_37
  Fixed version     : 1.6.0_211 / 1.7.0_201 / 1.8.0_191 / 1.11.0_1

Environment

Release : 10.1

Component : APM Agents

Resolution

In searching EEM's docs, this section is the closest I could find to putting the upgraded Java directory into EEM's config.

JRE18 Folder is Not Available

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/ca-embedded-entitlements-manager/12-6/release-notes/known-issues.html
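
To confirm the scanner finding on the host and to re-check after an upgrade, the following added example (not part of the original article and not Broadcom or Nessus tooling) reads the self-reported version of each java binary under the reported path and compares it with the fixed versions listed in the finding. The function names are illustrative assumptions, and like the scanner the check trusts the version string the binary reports.

```shell
#!/bin/sh
# Added example. Fixed update per Java family, from the scanner output above.
fixed_update_for() {
    case "$1" in
        6) echo 211 ;; 7) echo 201 ;; 8) echo 191 ;; 11) echo 1 ;;
        *) return 1 ;;   # family not covered by this finding
    esac
}

# Turn "1.6.0_37" or "11.0.1" into "<family> <update>".
parse_java_version() {
    v=$1
    case "$v" in
        1.[0-9]*)   # legacy scheme 1.<family>.0_<update>
            rest=${v#1.}; family=${rest%%.*}
            case "$v" in *_*) update=${v##*_} ;; *) update=0 ;; esac ;;
        [0-9]*)     # Java 9+ scheme <family>.<minor>.<security>
            family=${v%%.*}
            update=$(echo "$v" | cut -s -d. -f3) ;;
        *) return 1 ;;
    esac
    update=${update%%[!0-9]*}   # drop suffixes such as -b15
    echo "$family ${update:-0}"
}

# Print vulnerable, fixed or unknown for one version string.
java_status() {
    parsed=$(parse_java_version "$1") || { echo unknown; return 0; }
    fixed=$(fixed_update_for "${parsed% *}") || { echo unknown; return 0; }
    if [ "${parsed#* }" -lt "$fixed" ]; then echo vulnerable; else echo fixed; fi
}

# Ask a java binary for its self-reported version (printed on stderr).
java_version_of() {
    "$1" -version 2>&1 | sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Report every executable named java under a directory.
scan_root() {
    find "$1" -type f -name java -perm -u+x 2>/dev/null | while read -r bin; do
        ver=$(java_version_of "$bin")
        echo "$bin ${ver:-?} $(java_status "$ver")"
    done
}

# Default root is the path from the finding; pass another directory as $1.
scan_root "${1:-/opt/CA/SharedComponents/EmbeddedEntitlementsManager/}"
```

A result of "unknown" means the binary reported a Java family the finding does not list, so it has to be assessed against a different advisory.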