[Linux-PowerEdge] [Security Alert] Latest Dell's

Ben Argyle Ben.Argyle at uis.cam.ac.uk
Sun Mar 15 10:55:53 CDT 2020


[EXTERNAL EMAIL] 

I'd suggest linking to a system-managed JRE symlink of that version of Java, rather than a specific version(ed) directory which will be removed the next time you get an update for that RPM.

Ben
--
Servers and Storage Team, UIS, University of Cambridge


________________________________________
From: Linux-PowerEdge <linux-poweredge-bounces at dell.com> on behalf of Patrick Boutilier <boutilpj at ednet.ns.ca>
Sent: 14 March 2020 23:01
To: linux-poweredge at dell.com
Subject: Re: [Linux-PowerEdge] [Security Alert] Latest Dell's


[EXTERNAL EMAIL]

This seems to work as a workaround. Restart dsm_om_connsvc service
afterwards.


mv /opt/dell/srvadmin/lib64/openmanage/jre /opt/dell/srvadmin/lib64/openmanage/jre.OLD

ln -s /usr/lib/jvm/java-11-openjdk-11.0.6.10-1.el7_7.x86_64 /opt/dell/srvadmin/lib64/openmanage/jre




On 3/14/20 4:34 PM, Peter Brunnengraeber wrote:
>
> [EXTERNAL EMAIL]
>
> Dear Dell OMSA team,
>    I need to agree with Zbigniew's post...  OMSA should really use the system JRE.  We require the GUI for our non-technical end users to do their system checklists, but we've had to strip OMSA because the security team keeps flagging our systems.
>
> -With kind regards,
>   Peter Brunnengräber
>
>
> ----- Original Message -----
> From: linux-poweredge-request at dell.com
> To: linux-poweredge at dell.com
> Sent: Saturday, March 14, 2020 1:00:01 PM
> Subject: Linux-PowerEdge Digest, Vol 184, Issue 6
>
> ------------------------------
>
> Message: 3
> Date: Sat, 14 Mar 2020 08:07:49 +0000
> From: <Fragon_Zhou at dell.com>
> To: <mr.zbiggy at upcpoczta.pl>, <linux-poweredge at lists.us.dell.com>
> Subject: Re: [Linux-PowerEdge] [Security Alert] Latest Dell's srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable
> Message-ID: <48db0050425e435bbabca45fd3ef9903 at KULX13MDC105.APAC.DELL.COM>
> Content-Type: text/plain; charset="us-ascii"
>
> Dell Customer Communication - Confidential
>
> Hi Zbigniew
>
> Are you using the GUI function of OMSA, or only the command line? If the latter, I'd suggest removing the GUI-related packages (including Java/Tomcat etc.). This avoids the Java vulnerabilities.
>
> Thanks,
>
> -----Original Message-----
> From: linux-poweredge-bounces-Lists <linux-poweredge-bounces at lists.us.dell.com> On Behalf Of mr.zbiggy
> Sent: Friday, March 13, 2020 5:19 PM
> To: linux-poweredge-Lists
> Subject: [Linux-PowerEdge] [Security Alert] Latest Dell's srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable
>
>
> [EXTERNAL EMAIL]
>
> Dear Dell,
>
> Nessus Security Scanner found your package:
> srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable. Please update.
>
> Java JRE 1.11.0_4 from Dell's package:
>   srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm
> has several vulnerabilities. Please update to fixed Java JRE 1.11.0_6 or stop distributing Java JRE and start using Java from Operating System which is faster maintained.
>
> Package           : srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm
> Path              : /opt/dell/srvadmin/lib64/openmanage/
> Installed version : 1.11.0_4
> Fixed version     : 1.11.0_6
>
> The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 11 Update 6. It is, therefore, affected by multiple vulnerabilities related to the following components:
> - 2D
> - Libraries
> - Kerberos
> - Networking
> - JavaFX
> - Hotspot
> - Scripting
> - Javadoc
> - Deployment
> - Concurrency
> - JAXP
> - Serialization
> - Security
> Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
> - Oracle Java SE and Java SE Embedded are prone to a severe division by zero, over 'Multiple' protocol. This issue affects the 'SQLite' component. (CVE-2019-16168)
> - Oracle Java SE and Java SE Embedded are prone to a format string vulnerability, leading to a read of uninitialized stack data over 'Multiple' protocol. This issue affects the 'libxst' component. (CVE-2019-13117, CVE-2019-13118)
> - Oracle Java SE and Java SE Embedded are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over 'Kerberos' protocol. This issue affects the 'Security' component. (CVE-2020-2601, CVE-2020-2590)
> - Oracle Java SE/Java SE Embedded are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'Serialization' component. (CVE-2020-2604, CVE-2020-2583)
> - Oracle Java SE/Java SE Embedded are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'Networking' component. (CVE-2020-2593, CVE-2020-2659)
> - Oracle Java SE is prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'Libraries' component. (CVE-2020-2654)
> - Oracle Java SE is prone to multiple security vulnerabilities. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'JavaFX' component. (CVE-2020-2585)
> - Oracle Java SE is prone to multiple security vulnerabilities. An unauthenticated remote attacker can exploit this over 'HTTPS' protocols. This issue affects the 'JSSE' component. (CVE-2020-2655)
>
> iava: 2019-A-0385
> cve: CVE-2019-11068
> cve: CVE-2019-2894
> cve: CVE-2019-2933
> cve: CVE-2019-2945
> cve: CVE-2019-2949
> cve: CVE-2019-2958
> cve: CVE-2019-2962
> cve: CVE-2019-2964
> cve: CVE-2019-2973
> cve: CVE-2019-2975
> cve: CVE-2019-2977
> cve: CVE-2019-2978
> cve: CVE-2019-2981
> cve: CVE-2019-2983
> cve: CVE-2019-2987
> cve: CVE-2019-2988
> cve: CVE-2019-2989
> cve: CVE-2019-2992
> cve: CVE-2019-2996
> cve: CVE-2019-2999
> bid: 109323
> iava: 2020-A-0023
> cve: CVE-2019-13117
> cve: CVE-2019-13118
> cve: CVE-2019-16168
> cve: CVE-2020-2583
> cve: CVE-2020-2585
> cve: CVE-2020-2590
> cve: CVE-2020-2593
> cve: CVE-2020-2601
> cve: CVE-2020-2604
> cve: CVE-2020-2654
> cve: CVE-2020-2655
> cve: CVE-2020-2659
>
> greetings,
> Zbigniew
>
> _______________________________________________
> Linux-PowerEdge mailing list
> Linux-PowerEdge at dell.com
> https://lists.us.dell.com/mailman/listinfo/linux-poweredge
>
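As an added example that is not part of any message in this thread: a small POSIX shell helper that carries out Patrick's workaround the way Ben recommends, pointing OMSA's bundled JRE directory at a system-managed JRE symlink rather than at a versioned directory that the next RPM update removes. It assumes (not stated in the thread) that on EL7 `/usr/lib/jvm/jre-11-openjdk` is an alternatives-managed link that always resolves to the currently installed OpenJDK 11 JRE; both paths are taken as arguments so the script can be tried against scratch directories before being run as root on a real box.

```shell
#!/bin/sh
# Added example, not from the thread. Replaces OMSA's bundled JRE directory
# with a symlink to a system-managed JRE, so the OS vendor's java-11-openjdk
# updates apply to OMSA as well and the link survives RPM upgrades.
#
# Assumption (not in the thread): on EL7, /usr/lib/jvm/jre-11-openjdk is an
# alternatives-managed symlink to the installed OpenJDK 11 JRE, unlike the
# versioned java-11-openjdk-11.0.6.10-1.el7_7.x86_64 directory used in the
# thread's workaround. The OMSA path from the thread is
# /opt/dell/srvadmin/lib64/openmanage/jre.

# is_versioned_path PATH: succeed if PATH looks like a versioned JVM directory
# (contains "digit.digit", e.g. 11.0.6.10), which an RPM update will remove.
is_versioned_path() {
    case "$1" in
        *[0-9].[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# relink_jre OMSA_JRE SYSTEM_JRE: move the bundled JRE aside once (to
# OMSA_JRE.OLD, as in Patrick's workaround) and symlink OMSA_JRE -> SYSTEM_JRE.
# Refuses to act when SYSTEM_JRE has no executable bin/java, warns when the
# target looks versioned, and re-points an existing symlink instead of failing,
# so it is safe to rerun after each check.
relink_jre() {
    omsa_jre=$1
    sys_jre=$2
    if [ ! -x "$sys_jre/bin/java" ]; then
        echo "relink_jre: no executable $sys_jre/bin/java; install the OpenJDK 11 JRE first" >&2
        return 1
    fi
    if is_versioned_path "$sys_jre"; then
        echo "relink_jre: warning: $sys_jre looks versioned; prefer an alternatives-managed link" >&2
    fi
    if [ -L "$omsa_jre" ]; then
        # Already a symlink (e.g. from an earlier run): just replace it.
        rm -f "$omsa_jre" || return 1
    elif [ -d "$omsa_jre" ]; then
        if [ -e "$omsa_jre.OLD" ]; then
            echo "relink_jre: $omsa_jre.OLD already exists; refusing to overwrite the backup" >&2
            return 1
        fi
        mv "$omsa_jre" "$omsa_jre.OLD" || return 1
    fi
    ln -s "$sys_jre" "$omsa_jre" || return 1
}

# jre_version JRE_DIR: print the first line of "java -version" for verification
# (java prints its version banner on stderr, hence the redirect).
jre_version() {
    "$1/bin/java" -version 2>&1 | head -n 1
}

# When invoked directly with the two paths, do the relink and show which JRE
# OMSA will now start. Restarting dsm_om_connsvc afterwards, as Patrick notes,
# is left to the operator.
if [ "$#" -eq 2 ]; then
    relink_jre "$1" "$2" && jre_version "$1"
fi
```

Run it as root with the two paths, for example `sh relink_jre.sh /opt/dell/srvadmin/lib64/openmanage/jre /usr/lib/jvm/jre-11-openjdk`, then restart dsm_om_connsvc. The version line it prints should match the OS package, and from then on the OS package manager is the one place to patch when a scanner flags the JRE under `/opt/dell/srvadmin`, since that path now resolves to whatever the system's alternatives link points at.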