Java Vulnerability Oracle Java SE CPU - October 2019 for DX NetOps Performance Management

Article ID: 214786

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

This vulnerability was found on Data Collector and Data Aggregator and PC.

Please advise on the remediation step.

Description: The vendor has released updates (Java SE JDK and JRE 13.0.1, 11.0.5, Java 8 Update 231 or later, Java SE JDK and JRE 7 Update 241) to resolve these issues.
Customers are advised to refer to vendor advisory Oracle Java SE CPU - October 2019 and Oracle Doc ID 2589853.1 to obtain more details.
Updates for Java 7 are no longer available to the public. Oracle offers updates to Java 7 only for customers who have purchased Java support or have Oracle products that require Java 7.
Patch: Following are links for downloading patches to fix the vulnerabilities:
Oracle Doc ID 2589853.1

This was found by the TVM Security Scanning tool.

It was found to impact Data Aggregator (DA), Data Collector (DC) and Performance Center (PC) Portal systems in a DX NetOps Performance Management r20.2.7 environment.

Associated CVE list is as follows:

CVE-2019-11068, CVE-2019-2894, CVE-2019-2933, CVE-2019-2945, CVE-2019-2949, CVE-2019-2958, CVE-2019-2962, CVE-2019-2964, CVE-2019-2973, CVE-2019-2975, CVE-2019-2977, CVE-2019-2978, CVE-2019-2981, CVE-2019-2983, CVE-2019-2987, CVE-2019-2988, CVE-2019-2989, CVE-2019-2992, CVE-2019-2996, CVE-2019-2999

Environment

All supported DX NetOps Performance Management releases

Resolution

The r20.2.7 release uses 1.8.0_222 (adoptopenjdk).

The latest PM release, r20.2.10 at the time this was written, uses 1.8.0_282 (adoptopenjdk).

All of these CVEs impact Oracle Java releases.

Upgrading to the latest release, which uses 1.8.0_282 (adoptopenjdk), would resolve this if the vulnerabilities extend to open-source Java, which they do not appear to do.
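
To confirm which Java build a DA, DC or PC host actually runs and how it compares with the minimum levels quoted in the scanner description (13.0.1, 11.0.5, 8u231, 7u241), a version check such as the following can be used. This is an added example, not part of the original article or the product; the function names are hypothetical, and it compares version numbers only, without regard to the Java vendor.

```shell
#!/bin/sh
# Print the version string reported by a java binary (default: java on PATH).
installed_java_version() {
    "${1:-java}" -version 2>&1 |
        sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Split a version string into $feature and $update.
#   legacy "1.8.0_222" -> feature=8,  update=222
#   modern "11.0.5"    -> feature=11, update=minor*1000+security
normalise_java_version() {
    v=${1%%[-+]*}                       # drop -b11, +10, -ea suffixes
    case $v in
        1.*)
            rest=${v#1.}; feature=${rest%%.*}
            case $v in *_*) update=${v##*_} ;; *) update=0 ;; esac
            ;;
        *)
            old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
            feature=$1; update=$(( ${2:-0} * 1000 + ${3:-0} ))
            ;;
    esac
}

# Minimum fixed level per Java family, as listed in the scanner description.
min_update_for_feature() {
    case $1 in
        7)  echo 241 ;;   # Java SE 7 Update 241
        8)  echo 231 ;;   # Java 8 Update 231
        11) echo 5 ;;     # 11.0.5
        13) echo 1 ;;     # 13.0.1
        *)  return 1 ;;   # family not named in the description
    esac
}

# Echo "fixed", "below" or "unlisted" for a given version string.
check_oct2019() {
    normalise_java_version "$1"
    min=$(min_update_for_feature "$feature") || { echo unlisted; return 0; }
    if [ "$update" -ge "$min" ]; then echo fixed; else echo below; fi
}

# The two bundled versions named in the Resolution section.
for v in 1.8.0_222 1.8.0_282; do
    printf '%s: %s\n' "$v" "$(check_oct2019 "$v")"
done
```

On a host, run `check_oct2019 "$(installed_java_version /path/to/java)"`, pointing it at the java binary the product uses rather than the system default.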