
Vulnerability Findings with Oracle Java in uninstall directory


Article ID: 242676


Products

CA Identity Manager

Issue/Introduction

Vulnerability scans report the Oracle Java binaries in the uninstaller directories:

  • D:\IDM\CA\Identity Manager\Connector Xpress\_uninst\_jvm\bin\java.exe
  • D:\IDM\CA\Identity Manager\Provisioning Manager\_uninst\_jvm\bin\java.exe
  • D:\IDM\CA\Identity Manager\Provisioning Directory\_uninst\_jvm\bin\java.exe
  • D:\IDM\CA\Identity Manager\Provisioning Server\_uninst\_jvm\bin\java.exe

 

Environment

Release : 14.3

Component : Identity Manager

Resolution

The files in the uninstall directories, \_uninst\_jvm\, are needed and called only when you attempt to uninstall, so they can be archived until you need to uninstall.
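
One way to archive those directories and keep a record for later restoration, as an added PowerShell example (not code from the vendor). The component paths are the ones listed in this article; `$ArchiveRoot`, the zip naming and the `-RemoveOriginal` switch are assumptions of this example.

```powershell
# Added example: archive the bundled uninstaller JVMs and write a manifest.
param(
    [string]$InstallRoot = 'D:\IDM\CA\Identity Manager',
    [string]$ArchiveRoot = 'D:\IDM\archive\uninst_jvm',  # assumed destination
    [switch]$RemoveOriginal   # off by default: archive only, delete nothing
)
$ErrorActionPreference = 'Stop'

$components = 'Connector Xpress', 'Provisioning Manager',
              'Provisioning Directory', 'Provisioning Server'

New-Item -ItemType Directory -Path $ArchiveRoot -Force | Out-Null

$manifest = foreach ($c in $components) {
    $jvm = Join-Path $InstallRoot "$c\_uninst\_jvm"
    if (-not (Test-Path -LiteralPath $jvm)) {
        Write-Warning "Not found, skipping: $jvm"
        continue
    }
    $java = Join-Path $jvm 'bin\java.exe'
    $zip  = Join-Path $ArchiveRoot (($c -replace ' ', '_') + '_uninst_jvm.zip')

    # Archive the whole _jvm directory so it can be restored unchanged.
    # Without -Force this fails if the zip already exists, which protects
    # an earlier archive from being overwritten.
    Compress-Archive -LiteralPath $jvm -DestinationPath $zip

    # Record what was archived so findings can be closed with evidence.
    [pscustomobject]@{
        Component     = $c
        OriginalPath  = $jvm
        Archive       = $zip
        JavaVersion   = if (Test-Path -LiteralPath $java) {
                            (Get-Item -LiteralPath $java).VersionInfo.FileVersion
                        }
        ArchiveSHA256 = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash
    }

    # Delete the original only on request and only if the zip has content.
    if ($RemoveOriginal -and (Get-Item -LiteralPath $zip).Length -gt 0) {
        Remove-Item -LiteralPath $jvm -Recurse -Force
    }
}

$manifest | Export-Csv -Path (Join-Path $ArchiveRoot 'manifest.csv') -NoTypeInformation
$manifest | Format-Table Component, JavaVersion, Archive -AutoSize
```

Before uninstalling, restore each archive with `Expand-Archive` into the component's `_uninst` directory so the `_jvm` folder is back at its original path. Run it first without `-RemoveOriginal` and confirm the manifest lists every component you expect.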

As for the \Connector Xpress\jvm\ and \Connector Server\jvm\ directories, we do not have any newer versions of those files at this time.
I do see that in the latest release, 14.4, these directories no longer contain a JVM, and I believe it simply uses the JAVA_HOME variable to locate the Java install.

In 14.3 these might be replaceable by a newer version of Java 8 without any issues. I did a very quick test and backed up the existing java.exe, javaw.exe, and javaws.exe, and replaced them with the files from the 1.8.0_91 JDK I originally installed IDM against.
The connector server restarted and does basic work.


You will want to test thoroughly in a lower environment to ensure there are no connectivity issues with any of your endpoints before making this change in a production environment.

Additional Information

These are not runtime Java files.