CA UIM Java Security Concerns

Article ID: 36467

Updated On:

Products

DX Infrastructure Management NIMSOFT PROBES

Issue/Introduction

Introduction: 

On 6 November, security researchers at Foxglove Security published multiple exploits showing how Java can be made to run arbitrary code supplied to it.

Question: 

Can you say with 100% assurance that CA UIM, including all licensed probes, is secure from this?

Answer: 

This vulnerability was investigated by CA UIM engineering. CA engineering has spent a considerable amount of time understanding the vulnerability, downloaded the tools described in the Foxglove Security blog post, and followed the instructions on how to detect vulnerability issues. CA engineering also reviewed UIM code paths to identify suspicious areas and involved UIM product architects and senior engineers in identifying potential risk areas. At this time, CA engineering is highly confident that UIM is not exposed to this vulnerability from any non-trusted sources, but it is not possible to be 100% certain. CA will continue to monitor any new developments in this area, but believes at this time that UIM is not at risk from this specific vulnerability. CA will continue to update the common library in our components over time to newer, more secure versions.

Additional Information:

 

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability  

Environment

Release: CNMSPP99000-8.31-Unified Infrastructure Mgmt-Server Pack-- On Prem
Component: