JDKJRESDK_Patch_Security_Vulnerability

Article ID: 198702

Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

A security scan reported a Java JRE 6 vulnerability on the CA Release Automation (CARA) server. The Java 1.6 binaries are left over from earlier CARA 6.4 installations and are no longer used; CARA itself is configured at the server level to run on Java 1.8. The scan flagged the following locations:

  • Path               : /opt/deploy/CA/ReleaseAutomationServer/upgradeAgent/-1975/-3006/JRE_SUNOS/SPARC_JRE6/
  • Path               : /opt/deploy/CA/ReleaseAutomationServer/upgradeBackup/upgradeAgent/-1975/-3006/JRE_SUNOS/SPARC_JRE6/
  • Symbolic Link : /NolioAgentInstallDire/jre/NolioAgent -> /usr/java6/jre/bin/java

Cause

The paths listed below were identified by the security scan as JRE 6 artifacts residing on the system. We consider this a partial false alarm: the first two paths are stored installer artifacts that no application on the system executes, and the third is a link to the operating system's own JRE rather than a JRE shipped by the product. Whether to exclude these paths from the scan is a decision for your own security policy. Details of each path and the possible next action follow.

  • Path               : /opt/deploy/CA/ReleaseAutomationServer/upgradeAgent/-1975/-3006/JRE_SUNOS/SPARC_JRE6/

Detail: The above path points to the agent artifact that Release Automation uses to upgrade agents.

 

  • Path               : /opt/deploy/CA/ReleaseAutomationServer/upgradeBackup/upgradeAgent/-1975/-3006/JRE_SUNOS/SPARC_JRE6/

Detail: The above path points to a restoration point that was created when this system was upgraded in the past.

 

  • Symbolic Link : /NolioAgentInstallDire/jre/NolioAgent -> /usr/java6/jre/bin/java

Detail: The above path is a symbolic link to a JRE already present on the system. It shows that the agent installed on this OS was not shipped with its own JRE and relies on the system JRE.

Environment

Release : 6.4

Component : CA RELEASE AUTOMATION RELEASE OPERATIONS CENTER

Resolution

The possible next actions to eradicate the listed findings are given below for each path.

  • Path               : /opt/deploy/CA/ReleaseAutomationServer/upgradeAgent/-1975/-3006/JRE_SUNOS/SPARC_JRE6/

Next Action:

    • When you upgrade the Release Automation NAC server from 6.4 to a higher version, the above artifact is replaced by the JRE bundle shipped with that version.
    • If the upgrade is delayed, you can remove the artifacts, i.e. the -1975 directory. However, doing so blocks the agent upgrade feature from the NAC.

 

  • Path               : /opt/deploy/CA/ReleaseAutomationServer/upgradeBackup/upgradeAgent/-1975/-3006/JRE_SUNOS/SPARC_JRE6/

Next Action:

    • After the upgrade, once you have run sanity checks on the upgraded system and no longer need the restoration point, you can remove the upgradeAgent directory under upgradeBackup (not the live upgradeAgent directory used for agent upgrades). This must be done manually, because the product cannot determine whether the restoration point will be needed in the future.

 

  • Symbolic Link : /NolioAgentInstallDire/jre/NolioAgent -> /usr/java6/jre/bin/java

Next Action:

    • Because the agent is not shipped with a JRE, keeping the system JRE at a supported, patched version is outside the scope of Release Automation and must be carried out by the system administrators.
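
The Cause section above calls the first two findings a partial false alarm because nothing runs from them, and the Resolution leaves the deletion decision to you. The script below is an added example, not part of this article or of the Release Automation product: it classifies each flagged path as missing, dangling, idle or in_use by comparing it against the executables of the processes currently running (read from Linux /proc), so the "not actually used" claim can be confirmed on the host before anything is removed. The three paths at the end are the ones from this article; the function names (canon, running_exes, classify_path, audit) are the example's own.

```shell
#!/bin/sh
# Added example: classify paths flagged by a JRE scan before deciding whether
# to remove them. Linux /proc is used to see which executables are running;
# the three paths at the end are the ones from the article and are only
# illustrative (on another host substitute the scanner's own findings).

# Canonical form of a path: GNU/busybox `readlink -f` where available,
# otherwise resolve just the directory part with `pwd -P`.
canon() {
    readlink -f -- "$1" 2>/dev/null && return 0
    ( cd "$(dirname -- "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename -- "$1")" )
}

# Real path of every running executable, one per line. Entries belonging to
# other users are skipped silently unless run as root; without Linux-style
# /proc nothing is listed and every path will classify as idle.
running_exes() {
    for d in /proc/[0-9]*; do
        readlink "$d/exe" 2>/dev/null || true
    done
}

# classify_path PATH  ->  missing | dangling | in_use | idle
#   missing   nothing at that path
#   dangling  symlink whose target no longer exists
#   in_use    some running process was started from PATH (or from below it,
#             when PATH is a directory), following symlinks
#   idle      present on disk, but no running process uses it
classify_path() {
    p=$1
    if [ -L "$p" ]; then
        # [ -e ] follows the link, so a dangling link reads as "not existing"
        [ -e "$p" ] || { echo dangling; return 0; }
    elif [ ! -e "$p" ]; then
        echo missing; return 0
    fi
    needle=$(canon "$p")
    # Match the exact path or anything underneath it. awk does not treat the
    # path as a regex and, unlike grepping `ps` output for the path, cannot
    # match the checking process itself (its exe is awk, not the JRE).
    if running_exes | awk -v n="$needle" '
        index($0, n) == 1 && (length($0) == length(n) || substr($0, length(n) + 1, 1) == "/") { hit = 1; exit }
        END { exit !hit }'
    then
        echo in_use
    else
        echo idle
    fi
}

# audit PATH...  ->  one "status<TAB>path" line per argument
audit() {
    for p in "$@"; do
        printf '%s\t%s\n' "$(classify_path "$p")" "$p"
    done
}

# The findings from the article, as reported by the scanner.
audit \
  /opt/deploy/CA/ReleaseAutomationServer/upgradeAgent/-1975/-3006/JRE_SUNOS/SPARC_JRE6/ \
  /opt/deploy/CA/ReleaseAutomationServer/upgradeBackup/upgradeAgent/-1975/-3006/JRE_SUNOS/SPARC_JRE6/ \
  /NolioAgentInstallDire/jre/NolioAgent
```

Run it as root so that /proc/<pid>/exe is readable for every process, not only your own. On Solaris or AIX hosts, where the SPARC_JRE6 and /usr/java6 paths in this article would typically live, /proc is laid out differently; there, list processes with `ps -eo pid,args` and remember to exclude the shell doing the checking from the match. An idle result only says that nothing is running from the path right now: a scheduled job or a service restart could still start it, so check cron entries and service definitions before deleting. For the symlink finding, the in_use check follows the link to the system JRE, which is exactly the binary the Resolution says the system administrators must keep patched.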