[Linux-PowerEdge] srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable
Josh_Moore at Dell.com
Mon Mar 16 12:47:41 CDT 2020
In case you are not aware of the options presented by OMSA, it is possible to specify the system JRE rather than the bundled JRE, which would allow the use of an updated JRE release.
Under Webserver Preferences you will find:
The Java Runtime Environment — Allows you to select one of the following options:
• Bundled JRE — Enables use of the JRE provided along with the System Administrator.
• System JRE — Enables use of the JRE installed on the system. Select the required version from the drop-down list.
Generally speaking, the bundled JRE is only updated alongside full OMSA releases which is one reason this option is provided.
Sr. Principal Engineer, Compute & Solutions Support Team, HPC SME
Dell EMC | Infrastructure Solutions Support
Josh.Moore at Dell.com
From: linux-poweredge-bounces-Lists <linux-poweredge-bounces at lists.us.dell.com> On Behalf Of White, Spike
Sent: Monday, March 16, 2020 12:15 PM
Subject: Re: [Linux-PowerEdge] srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable
I am an OMSA consumer -- same as you.
Because we do not routinely update the OMSA versions on our older server builds, our cybersecurity team identifies a lot of java vulnerabilities as well. To avoid this maintenance nightmare, our team now has a policy of doing the OMSA install minus the GUI (which also means minus java and minus tomcat). We have now also retrofitted our old OMSA builds -- removed the GUI, java and tomcat.
Occasionally, the cybersecurity team has picked up tomcat vulnerabilities in the older OMSA installs, but they pick up java vulnerabilities far more frequently.
To install OMSA w/o the CLI isn't quite as easy as installing the full OMSA. To install the full OMSA, you merely do a:
yum install srvadmin-all
At least for OMSA 9.4, a colleague has gone through the list of RPMs and determined this was the min set to install OMSA functions, but without java/GUI:
yum install dell-system-update srvadmin-base srvadmin-storageservices srvadmin-idrac srvadmin-server-snmp srvadmin-server-cli
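The two approaches in this thread (keeping the bundled JRE current, or removing the GUI/java/tomcat stack altogether) both leave the question of how to verify a host afterwards, given that Nessus only reads the self-reported version. The following POSIX shell script is an added example, not code from the thread, from Dell or from OMSA: it lists any srvadmin packages whose names mention a JRE or tomcat, locates a java binary under the path the Nessus report quotes, and compares its version against the fixed version using a numeric field-by-field comparison that understands both the legacy "1.11.0_4" form Nessus prints and the "11.0.4" form `java -version` prints. The package-name pattern, the java binary location and the `java -version` output format are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, Dell or OMSA): audit an OMSA host's bundled JRE.
# Assumptions: rpm is available; the bundled JRE lives under OMSA_JRE_DIR (the path
# quoted in the Nessus report); package names mentioning jre/tomcat are the GUI stack.

OMSA_JRE_DIR="/opt/dell/srvadmin/lib64/openmanage"   # path from the Nessus report
FIXED_VERSION="1.11.0_6"                              # fixed version from the Nessus report

# Normalise "1.11.0_4", "\"11.0.4\"" or "11.0.4" to the dot-separated form "11.0.4".
# Nessus prints the legacy 1.x form; `java -version` prints the modern form.
normalize_java_version() {
    printf '%s\n' "$1" | sed -e 's/"//g' -e 's/^1\.//' -e 's/_/./'
}

# Exit status 0 (true) when the installed version is strictly older than the fixed
# version. Fields are compared numerically, so 11.0.10 is newer than 11.0.6 and a
# missing trailing field counts as 0 (11 == 11.0.0).
jre_needs_update() {
    awk -v inst="$(normalize_java_version "$1")" -v fix="$(normalize_java_version "$2")" 'BEGIN {
        n = split(inst, a, "."); m = split(fix, b, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            x = (i <= n) ? a[i] + 0 : 0;
            y = (i <= m) ? b[i] + 0 : 0;
            if (x < y) exit 0;
            if (x > y) exit 1;
        }
        exit 1;   # identical
    }'
}

# Report which srvadmin packages still carry a JRE/tomcat, and whether the bundled
# java binary (if any) is older than the fixed version. Returns 2 when an update
# (or a switch to the system JRE) is needed.
audit_omsa_jre() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa 'srvadmin-*' | grep -Ei 'jre|tomcat' \
            || echo "no srvadmin packages mentioning jre/tomcat are installed"
    fi
    java_bin=$(find "$OMSA_JRE_DIR" -type f -name java 2>/dev/null | head -n 1)
    if [ -z "$java_bin" ]; then
        echo "no bundled JRE found under $OMSA_JRE_DIR"
        return 0
    fi
    # `java -version` writes to stderr; its first line is like: java version "11.0.4" ...
    inst=$("$java_bin" -version 2>&1 | sed -n '1s/.*"\([^"]*\)".*/\1/p')
    if jre_needs_update "$inst" "$FIXED_VERSION"; then
        echo "bundled JRE $inst is older than $FIXED_VERSION: update OMSA or select the system JRE"
        return 2
    fi
    echo "bundled JRE $inst is at or above $FIXED_VERSION"
}

audit_omsa_jre
```

Run it on a host after retrofitting the GUI-less install: an empty package list and "no bundled JRE found" confirms the java/tomcat stack is really gone, while the return code of 2 makes it usable from a cron job or config-management check.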
Date: Fri, 13 Mar 2020 10:18:31 +0100
From: "mr.zbiggy" <mr.zbiggy at upcpoczta.pl>
To: linux-poweredge at dell.com
Subject: [Linux-PowerEdge] [Security Alert] Latest Dell's
Message-ID: <ef5ce32c-97c2-80a9-642f-e2e5fe6098ba at upcpoczta.pl>
Content-Type: text/plain; charset="utf-8"
Nessus Security Scanner found your package:
srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable. Please update.
Java JRE 1.11.0_4 from Dell's package:
has several vulnerabilities. Please update to fixed Java JRE 1.11.0_6 or stop distributing Java JRE and start using Java from Operating System which is faster maintained.
Package : srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm
Path : /opt/dell/srvadmin/lib64/openmanage/
Installed version : 1.11.0_4
Fixed version : 1.11.0_6
The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 11 Update 6. It is, therefore, affected by multiple vulnerabilities related to the following components:
Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
- Oracle Java SE and Java SE Embedded are prone to a severe division by zero, over 'Multiple' protocol. This issue affects the 'SQLite'
- Oracle Java SE and Java SE Embedded are prone to format string vulnerability, leading to a read uninitialized stack data over 'Multiple' protocol. This issue affects the 'libxst' component.
- Oracle Java SE and Java SE Embedded are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over 'Kerberos' protocol. This issue affects the 'Security' component.
- Oracle Java SE/Java SE Embedded are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'Serialization' component. (CVE-2020-2604, CVE-2020-2583)
- Oracle Java SE/Java SE Embedded are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'Networking' component.
- Oracle Java SE are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'Libraries' component. (CVE-2020-2654)
- Oracle Java SE are prone to a multiple security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'JavaFX' component. (CVE-2020-2585)
- Oracle Java SE are prone to a multiple security vulnerability. An unauthenticated remote attacker can exploit this over 'HTTPS' protocols. This issue affects the 'JSSE' component. (CVE-2020-2655)