[Linux-PowerEdge] [Security Alert] Latest Dell's srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable

Fragon_Zhou at dell.com
Sat Mar 14 03:07:49 CDT 2020


Dell Customer Communication - Confidential

Hi Zbigniew

Are you using the GUI function of OMSA, or only the command line? If the latter, I'd suggest removing the GUI-related packages (including Java/Tomcat etc.). This avoids the Java vulnerabilities.

Thanks,  

-----Original Message-----
From: linux-poweredge-bounces-Lists <linux-poweredge-bounces at lists.us.dell.com> On Behalf Of mr.zbiggy
Sent: Friday, March 13, 2020 5:19 PM
To: linux-poweredge-Lists
Subject: [Linux-PowerEdge] [Security Alert] Latest Dell's srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable



Dear Dell,

Nessus Security Scanner found your package:
srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable. Please update.

Java JRE 1.11.0_4 from Dell's package:
 srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm
has several vulnerabilities. Please update to the fixed Java JRE 1.11.0_6, or stop distributing a Java JRE and start using the Java from the operating system, which is maintained more promptly.

Package           : srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm
Path              : /opt/dell/srvadmin/lib64/openmanage/
Installed version : 1.11.0_4
Fixed version     : 1.11.0_6

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 11 Update 6. It is, therefore, affected by multiple vulnerabilities related to the following components:
- 2D
- Libraries
- Kerberos
- Networking
- JavaFX
- Hotspot
- Scripting
- Javadoc
- Deployment
- Concurrency
- JAXP
- Serialization
- Security
Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
- Oracle Java SE and Java SE Embedded are prone to a severe division by zero, over 'Multiple' protocol. This issue affects the 'SQLite' component. (CVE-2019-16168)
- Oracle Java SE and Java SE Embedded are prone to a format string vulnerability, leading to a read of uninitialized stack data over 'Multiple' protocol. This issue affects the 'libxst' component. (CVE-2019-13117, CVE-2019-13118)
- Oracle Java SE and Java SE Embedded are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over 'Kerberos' protocol. This issue affects the 'Security' component. (CVE-2020-2601, CVE-2020-2590)
- Oracle Java SE/Java SE Embedded are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'Serialization' component. (CVE-2020-2604, CVE-2020-2583)
- Oracle Java SE/Java SE Embedded are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'Networking' component. (CVE-2020-2593, CVE-2020-2659)
- Oracle Java SE is prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'Libraries' component. (CVE-2020-2654)
- Oracle Java SE is prone to multiple security vulnerabilities. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'JavaFX' component. (CVE-2020-2585)
- Oracle Java SE is prone to multiple security vulnerabilities. An unauthenticated remote attacker can exploit this over 'HTTPS' protocols. This issue affects the 'JSSE' component. (CVE-2020-2655)


greetings,
Zbigniew

_______________________________________________
Linux-PowerEdge mailing list
Linux-PowerEdge at dell.com
https://lists.us.dell.com/mailman/listinfo/linux-poweredge
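A way to confirm the finding on a host, as an added example that is not from the thread or from Dell: it normalises Nessus-style versions such as 1.11.0_4, compares them field by field against the fixed release, and can read the banner of the bundled JRE. The jre/bin/java subdirectory under the path from the finding is an assumption.

```bash
#!/bin/sh
# Added example, not from the list thread: is the OMSA-bundled JRE older
# than the fixed release in the Nessus finding?
FIXED="1.11.0_6"   # Nessus notation; same release as "11.0.6" in java -version

# Turn "1.11.0_4" (Nessus) or "11.0.4" (java -version) into dotted "11.0.4".
norm_version() {
    v="$1"
    v="${v#1.}"              # drop the legacy "1." prefix if present
    echo "$v" | tr '_' '.'
}

# Return 0 when version $1 is older than $2, comparing numeric fields.
is_older() {
    a=$(norm_version "$1"); b=$(norm_version "$2"); i=1
    while :; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all fields equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Pull the version string out of the first line of `java -version`.
jre_version_from_banner() {
    echo "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# VULNERABLE if installed ($1) is older than fixed ($2), else OK.
assess() {
    if is_older "$1" "$2"; then echo VULNERABLE; else echo OK; fi
}

# Live check. Path below the finding's /opt/dell/srvadmin/lib64/openmanage/
# is an assumption; pass the real java binary as $1 if it differs.
check_bundled_jre() {
    java_bin="${1:-/opt/dell/srvadmin/lib64/openmanage/jre/bin/java}"
    [ -x "$java_bin" ] || { echo "no JRE at $java_bin"; return 2; }
    banner=$("$java_bin" -version 2>&1 | head -n 1)
    installed=$(jre_version_from_banner "$banner")
    echo "installed=$installed fixed=$FIXED status=$(assess "$installed" "$FIXED")"
}
```

Run `check_bundled_jre` on an OMSA host; the same comparison applies to the OS JRE if you follow the advice in the reply and drop the bundled one.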