search cancel

Easytrieve Java 1.6 package needs update due to vulnerability

book

Article ID: 42171

calendar_today

Updated On:

Products

PanAudit Plus Easytrieve Report Generator PAN/SQL

Issue/Introduction

We failed an internal audit because a version of Java is out of date that is in a path of Easytrieve. 
We don’t want to change anything in the Easytrieve path without consulting first.
We do not have a TAR file.
The following vulnerable instance of Java is installed on the remote host :
We are running the Linux x86 version of Easytrieve with redhat 6.7
Path : /opt/CA/ezt/
Installed version : 1.6.0_26
Fixed version : 1.5.0_85 / 1.6.0_95 / 1.7.0_79 / 1.8.0_45
drwxr-xr-x.  4 root    root        4096 Sep 10  2015 jre

Environment

Release:
Component: EZTRLP

Resolution

The Linux PC (x86) version of Easytrieve, is the only platform that was packaged and delivered with the Install Anywhere product. For all other UNIX/Linux variants, a TAR file is deleivered. For the Linux PC platform, it is all packaged into the ezt_install file. 

Also, it is InstallAnywhere that has the requirement of needing the Java run-time. Support did some testing on a x86 Linux machine, and deleted the JRE (jre directory) under the install directory and, because a JRE was also part of the base operating system, there was no issue with doing an uninstall of Easytrieve. 

Easytrieve only ships the JRE as a part of the "base" install and it isn't packaged with any subsequent patch files for that platform. Potentially providing a new patch with an updated JRE may be possible but most systems already have their own installed and maintained. 
From an Easytrieve standpoint, it does not matter what is done with that JRE(upgrade it or delete it). Neither will affect the Easytrieve programs.

Additional Information

Support has more recently done further testing of Easytrieve uninstall and patch install using environment variable LAX_DEBUG=true.
Per comments in the above Resolution, neither procedure requires the Easytrieve jre directory and the user's PATH (uninstall) and additional Linux system directories (patch install) will be searched to find the java VM e.g.

Uninstall:
+++
WARNING! No valid lax.nl.current.vm available.
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/opt/CA/ezt/bin
Searching for VMs in PATH:
Looking in:............................. /usr/local/sbin
Looking in:............................. /usr/local/bin
Looking in:............................. /usr/sbin
Looking in:............................. /usr/bin
  Found VM:............................. /usr/bin/java
   Version:............................. 1.8.0_242
Looking in:............................. /root/bin
Looking in:............................. /opt/CA/ezt/bin
* Using VM:............................. /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java
+++

Patch install (RO98605: ezt_patch-11.6.2017.612):
+++
WARNING! No valid lax.nl.current.vm available.
/usr/xpg4/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/opt/CA/ezt/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
Searching for VMs in PATH:
Looking in:............................. /usr/xpg4/bin
Looking in:............................. /usr/local/sbin
Looking in:............................. /usr/local/bin
Looking in:............................. /usr/sbin
Looking in:............................. /usr/bin
  Found VM:............................. /usr/bin/java
   Version:............................. 1.8.0_242
Looking in:............................. /root/bin
Looking in:............................. /opt/CA/ezt/bin
Looking in:............................. /bin
  Found VM:............................. /bin/java
   Version:............................. 1.8.0_242
Looking in:............................. /usr/bin
  Found VM:............................. /usr/bin/java
   Version:............................. 1.8.0_242
Looking in:............................. /sbin
Looking in:............................. /usr/sbin
Looking in:............................. /usr/local/bin
checking: "1.8.0_242" against "1.5+": passed
* Using VM:............................. /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java
+++

Therefore as long as java is installed on the Linux system and is accessible from the user's PATH that java version will be found and used during uninstall or patch install