Security Vulnerability identified in JRE of VS Catalog 10.x

Article ID: 220157


Products

Service Virtualization

Issue/Introduction

I have three different Oracle security patches that need to be applied to VS Catalog JRE. The JRE in DevTest and IAM installs seems to be okay but our vulnerability software keeps alerting on the JRE in VS Catalog. Need to know what to do to patch the version in VS Catalog:

Threat

Java Runtime Environment (JRE) is a platform that supports the execution of programs that are developed using the Java programming language. The JRE platform also supports Java Applets, which can be loaded from Web pages.

JRE and JDK are exposed to multiple vulnerabilities that affect various components. Oracle's Java Critical Patch Update for October 2017 contains 22 new security fixes for Java SE products and sub-products.

Affected Versions:
Oracle Java JDK and JRE, versions prior to 6u171, 7u161, 8u151 and 9.0.1.

QID Detection Logic (Authenticated):
This QID checks for the file or product version of jvm.dll or wsdetect.dll.

Remediation notes

The vendor released updates (Java SE JDK and JRE 8 Update 151 or later, Java SE JDK and JRE 7 Update 161, Java SE JDK and JRE 6 Update 171) to resolve these issues.

Refer to vendor advisory Oracle Java SE CPU October 2017 and Oracle Doc ID 2305932.1 to obtain more details.

Updates for Java 5, Java 6 and Java 7 are no longer available to the public. Oracle offers updates to Java 5, Java 6 and Java 7 only for customers who have purchased Java support or have Oracle products that require Java 5, Java 6 and Java 7.

Environment

Release : 10.x

Component : CA Service Virtualization

Cause

We built the VS Catalog code with OpenJDK 8, but we missed also switching the shipped JRE bundle to OpenJDK, because VS Catalog has very little dependency on the JRE.

There will be no impact on the functionality whatsoever with the shipped Oracle JRE.

Resolution

Please open a ticket with support. We will provide the JRE bundle for Windows and Linux. Reference DE490067 when opening a ticket.
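One way to check a JRE bundle's version against the fixed releases listed in the scan report, for example after swapping in the replacement bundle (an added example, not Broadcom's or the scanner's code). It assumes the JRE directory contains the standard `release` file with a `JAVA_VERSION` line; the sample contents are constructed, and the scanner itself reads the file version of jvm.dll rather than this file.

```python
import re

# Fixed releases named in the scan report: 6u171, 7u161, 8u151 and 9.0.1.
FIXED = {6: (0, 171), 7: (0, 161), 8: (0, 151), 9: (0, 1)}

# Constructed sample of a JRE "release" file (not taken from a real install).
SAMPLE_RELEASE = 'JAVA_VERSION="1.8.0_144"\nOS_NAME="Windows"\nOS_ARCH="amd64"\n'


def version_from_release(release_text):
    """Return the JAVA_VERSION value from release-file text, or None."""
    for line in release_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "JAVA_VERSION":
            return value.strip().strip('"')
    return None


def parse_java_version(text):
    """Return (major, (minor, update)) for "1.8.0_144" or "9.0.1+11" forms."""
    text = text.strip().strip('"')
    legacy = re.match(r"1\.(\d+)\.(\d+)(?:_(\d+))?", text)
    if legacy:
        major, minor, update = legacy.groups()
        return int(major), (int(minor), int(update or 0))
    modern = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if modern:
        major, minor, patch = modern.groups()
        return int(major), (int(minor or 0), int(patch or 0))
    raise ValueError("unrecognised Java version: %r" % text)


def is_affected(version_text):
    """True if the version is prior to the fixed release for its family."""
    major, rest = parse_java_version(version_text)
    if major < 6:
        return True   # prior to 6u171, the oldest fixed release listed
    if major not in FIXED:
        return False  # newer family than the ones the report lists
    return rest < FIXED[major]


if __name__ == "__main__":
    found = version_from_release(SAMPLE_RELEASE)
    print(found, "affected" if is_affected(found) else "at or above fixed release")
```

Running it against the `release` file of each JRE directory on the host shows which bundle the scanner is flagging and confirms the result after the bundle is replaced.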