Vulnerabilities discovered in JDK version for the AdminUI

Article ID: 235267

Products

SITEMINDER CA Single Sign-On

Issue/Introduction

Vulnerabilities have been found in the Java version that runs the SiteMinder Administrative UI (AdminUI).

How can the Java version of the AdminUI be updated to fix those vulnerabilities?

Environment

AdminUI 12.8 SP7 and higher

Cause

The AdminUI bundles the following versions of the Java JRE:
 
12.8.7:      AdoptOpenJDK 1.8.0_322-b06
12.8.8:      AdoptOpenJDK 1.8.0_322-b06
12.8.8.1:    AdoptOpenJDK 1.8.0_362-b09
12.9:        AdoptOpenJDK 1.8.0_362-b09
  
The AdminUI uses InstallAnywhere for installation. 
 
InstallAnywhere uses Oracle Java JRE 1.8.0_51-b16. 
 
Analyzing the file system of an AdminUI installation reveals 3 instances of 'JAVA.exe' in different paths:
 
=============================
 
Version of JAVA used by InstallAnywhere.
 
<Install_Dir>\SiteMinder\adminui\install_config_info\install_config_jre\bin\JAVA.exe
 
Oracle Java JRE 1.8.0_51-b16. 
 
---------------------------
 
Version of JAVA used by the AdminUI
 
<Install_Dir>\SiteMinder\adminui\runtime\bin\JAVA.exe
<Install_Dir>\SiteMinder\adminui\runtime\jre\bin\JAVA.exe
 
AdoptOpenJDK 1.8.0_xxx-bxx
 
=============================
 
Note that the installer uses Oracle Java JRE, while the AdminUI is bundled with AdoptOpenJDK JRE.
 
If a vulnerability has been published for a version equal to or higher than what is installed, there might be a need to upgrade the installed version of Java.
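To see which build each of these three paths actually runs, before and after an upgrade, the check below can be used. It is an added example, not Broadcom code; it assumes a Linux host where the binaries are named `java`, and the function names, the `ADMINUI_HOME` and `MIN_UPDATE` variables and the update-number threshold are hypothetical, chosen by the operator.

```sh
#!/bin/sh
# Added example, not vendor code. Assumes a Linux host where the three
# binaries are named "java" and $1 is <Install_Dir>/SiteMinder/adminui.

# The three JRE locations the article lists, relative to the adminui directory.
JRE_PATHS="install_config_info/install_config_jre/bin/java
runtime/bin/java
runtime/jre/bin/java"

# Read `java -version` text on stdin, print "<family> <build>",
# e.g. "oracle 1.8.0_51-b16". Java 8 from Oracle prints `java version`,
# OpenJDK builds print `openjdk version`.
java_build() {
    awk '
        NR == 1 { family = ($1 == "openjdk") ? "openjdk" : "oracle" }
        /Runtime Environment/ && match($0, /build [^)]*/) {
            build = substr($0, RSTART + 6, RLENGTH - 6)
        }
        END { if (build == "") exit 1; print family, build }
    '
}

# Print one status line per binary. Returns 1 if any binary is missing,
# unparseable, or below update number $2 (operator-chosen threshold).
audit_adminui_jres() {
    home=$1 min_update=$2 rc=0
    for rel in $JRE_PATHS; do
        bin="$home/$rel"
        if [ ! -x "$bin" ]; then
            echo "MISSING  $rel"; rc=1; continue
        fi
        # java -version writes to stderr, so merge it into the pipe.
        info=$("$bin" -version 2>&1 | java_build) || info=""
        update=${info##*_}; update=${update%%-*}   # 1.8.0_322-b06 -> 322
        case $update in
            ''|*[!0-9]*) echo "UNKNOWN  $rel"; rc=1 ;;
            *) if [ "$update" -lt "$min_update" ]; then
                   echo "OUTDATED $rel $info"; rc=1
               else
                   echo "OK       $rel $info"
               fi ;;
        esac
    done
    return $rc
}

# Runs only when a target is supplied via ADMINUI_HOME (and optionally MIN_UPDATE).
if [ -n "${ADMINUI_HOME:-}" ]; then
    audit_adminui_jres "$ADMINUI_HOME" "${MIN_UPDATE:-0}"
fi
```

A non-zero exit status means at least one of the three paths is missing, unreadable or still below the chosen update number, which makes a partially applied upgrade visible.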

Resolution

NOTE:

Upgrading the embedded AdminUI Java version falls outside Broadcom's support scope.
Upgrading the Java JDK is done at one's own risk.
There is no guarantee that the same steps will work in the future, as the third-party JDK changes from release to release.
Only the JDK version bundled with the out-of-the-box AdminUI version is tested internally at Broadcom;
Implement a detailed upgrade plan, along with adequate testing and a rollback plan;
It is advisable to implement and test in a lower environment rather than testing in Production;
AdminUI R12.8.x does not work with Oracle Java 11 or AdoptOpenJDK 11.

To upgrade Java on the Administrative UI (AdminUI):

  1. Download Oracle Java SE Runtime Environment (JRE) 1.8.x (8uxxx) from Oracle (Download the 'Compressed Archive' version);

    Downloads: Oracle Java (1)

    Example:
    Windows:     jre-8uxxx-windows-x64.tar.gz
    Linux:       jre-8uxxx-linux-x64.tar.gz

    NOTE:

    Must be Oracle Java SE Runtime Environment (JRE) 1.8.x (8uxxx) from Oracle;

  2. Download AdoptOpenJDK JRE 1.8.x (jdk8uxxx-bxx) from Adoptium (Download the JRE Binary).

    Downloads: AdoptOpenJDK (2)

    Example:
    Windows:     OpenJDK8U-jre_x64_windows_hotspot_8uxxxbxx.zip
    Linux:       OpenJDK8U-jre_x64_linux_hotspot_8uxxxbxx.tar.gz

    NOTE: Must be AdoptOpenJDK JRE 1.8.x (jdk8uxxx-bxx) from Adoptium;

  3. Copy both the Oracle Java and AdoptOpenJDK packages to the AdminUI Host;
  4. Decompress both the Oracle Java and AdoptOpenJDK packages to their own directories;
  5. Back-up the following directories:
    <Install_Dir>\SiteMinder\adminui\install_config_info\install_config_jre\bin\
    <Install_Dir>\SiteMinder\adminui\install_config_info\install_config_jre\lib\
    <Install_Dir>\SiteMinder\adminui\runtime\bin\
    <Install_Dir>\SiteMinder\adminui\runtime\lib\
    <Install_Dir>\SiteMinder\adminui\runtime\jre\bin\
    <Install_Dir>\SiteMinder\adminui\runtime\jre\lib\

    Example on Linux host:
    # cp -r /<Install_Dir>/SiteMinder/adminui/install_config_info/install_config_jre/bin /<Install_Dir>/SiteMinder/adminui/install_config_info/install_config_jre/bin-BAK

Update the Java for InstallAnywhere (JBOSS Wildfly):

  1. Stop the AdminUI server;
  2. Copy the binary files from the new Oracle JRE binaries to the AdminUI installer:
    Source:      <install_Dir>/jre-8uxxx-linux-x64/jre1.8.0_xxx/bin/*
    Destination: <Install_Dir>/SiteMinder/adminui/install_config_info/install_config_jre/bin/
  3. Copy the library files from the new Oracle JRE binaries to the AdminUI installer:
    Source:      <install_Dir>/jre-8uxxx-linux-x64/jre1.8.0_xxx/lib/*
    Destination: <Install_Dir>/SiteMinder/adminui/install_config_info/install_config_jre/lib/

    NOTE:

    DO NOT replace the /bin and /lib directories.

    Copy the FILES from the source directories to the target directories.

    Example:
    # cp -rf <install_Dir>/jre-8uxxx-linux-x64/jre1.8.0_xxx/bin/* <Install_Dir>/SiteMinder/adminui/install_config_info/install_config_jre/bin/
  4. Start the AdminUI server;
  5. Delete the backed-up directories:
    <Install_Dir>\SiteMinder\adminui\install_config_info\install_config_jre\bin-BAK
    <Install_Dir>\SiteMinder\adminui\install_config_info\install_config_jre\lib-BAK

Update the Java for the AdminUI:

OPTION #1  Replace the Binaries:

  1. Stop the AdminUI server;
  2. Move the directory folder from the new AdoptOpenJDK binaries to the AdminUI:
    Source:       <install_Dir>/OpenJDK8U-jre_x64_linux_hotspot_8uxxxbxx-jre/bin/* 
    Destinations: <Install_Dir>/SiteMinder/adminui/runtime/bin/
                  <Install_Dir>/SiteMinder/adminui/runtime/jre/bin/
  3. Move the directory folder from the new AdoptOpenJDK binaries to the AdminUI:
    Source:       <install_Dir>/OpenJDK8U-jre_x64_linux_hotspot_8uxxxbxx-jre/lib/*
    Destinations: <Install_Dir>/SiteMinder/adminui/runtime/lib/
                  <Install_Dir>/SiteMinder/adminui/runtime/jre/lib/

    Example:
    # mv -f <install_Dir>/OpenJDK8U-jre_x64_linux_hotspot_8uxxxbxx-jre/bin/* <Install_Dir>/SiteMinder/adminui/runtime/bin/
  4. Start the AdminUI;
  5. Test functionality to verify the upgrade was successful;
  6. Delete the backed-up directories:
    <Install_Dir>\SiteMinder\adminui\runtime\bin-BAK
    <Install_Dir>\SiteMinder\adminui\runtime\lib-BAK
    <Install_Dir>\SiteMinder\adminui\runtime\jre\bin-BAK
    <Install_Dir>\SiteMinder\adminui\runtime\jre\lib-BAK

OPTION #2  Redirect to Update Binaries:

  1. Stop the AdminUI;
  2. Install an upgraded version of the AdoptOpenJDK 1.8.x;
  3. Edit the 'standalone.sh' script to point the 'JAVA_HOME' environment variable to the new AdoptOpenJDK instance:
    <Install_Dir>/SiteMinder/adminui/bin/standalone.sh
    JAVA_HOME="<install_Dir>/OpenJDK8U-jre_x64_linux_hotspot_8uxxxbxx-jre"
  4. Start the AdminUI;
  5. Test functionality to verify upgrade was successful;
  6. Delete the backed-up directories:
    <Install_Dir>\SiteMinder\adminui\runtime\bin-BAK
    <Install_Dir>\SiteMinder\adminui\runtime\lib-BAK
    <Install_Dir>\SiteMinder\adminui\runtime\jre\bin-BAK
    <Install_Dir>\SiteMinder\adminui\runtime\jre\lib-BAK

Additional Information

  1. Java SE 8 Archive Downloads (JDK 8u211 and later)

  2. Download Temurin® JDK