I'd suggest linking to a system-managed JRE symlink of that version of Java, rather than a specific version(ed) directory, which will be removed the next time you get an update for that RPM.

Ben
--
Servers and Storage Team, UIS, University of Cambridge

________________________________________
From: Linux-PowerEdge <[email protected]> on behalf of Patrick Boutilier <[email protected]>
Sent: 14 March 2020 23:01
To: [email protected]
Subject: Re: [Linux-PowerEdge] [Security Alert] Latest Dell's

This seems to work as a workaround. Restart the dsm_om_connsvc service afterwards.

mv /opt/dell/srvadmin/lib64/openmanage/jre /opt/dell/srvadmin/lib64/openmanage/jre.OLD
ln -s /usr/lib/jvm/java-11-openjdk-11.0.6.10-1.el7_7.x86_64 /opt/dell/srvadmin/lib64/openmanage/jre

On 3/14/20 4:34 PM, Peter Brunnengraeber wrote:
> Dear Dell OMSA team,
> I need to agree with Zbigniew's post... OMSA should really use the system
> JRE. We require the GUI for our non-technical end users to do their system
> checklists, but we've had to strip OMSA because our security team keeps
> flagging our systems.
>
> -With kind regards,
> Peter Brunnengräber
>
> ----- Original Message -----
> From: [email protected]
> To: [email protected]
> Sent: Saturday, March 14, 2020 1:00:01 PM
> Subject: Linux-PowerEdge Digest, Vol 184, Issue 6
>
> ------------------------------
>
> Message: 3
> Date: Sat, 14 Mar 2020 08:07:49 +0000
> From: <[email protected]>
> To: <[email protected]>, <[email protected]>
> Subject: Re: [Linux-PowerEdge] [Security Alert] Latest Dell's srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable
>
> Hi Zbigniew
>
> Are you using the GUI function of OMSA? Or only the command line? If the latter, I'd
> suggest removing the GUI-related packages (including Java/Tomcat etc). This avoids
> Java vulnerabilities.
>
> Thanks,
>
> -----Original Message-----
> From: linux-poweredge-bounces-Lists <[email protected]> On Behalf Of mr.zbiggy
> Sent: Friday, March 13, 2020 5:19 PM
> To: linux-poweredge-Lists
> Subject: [Linux-PowerEdge] [Security Alert] Latest Dell's srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable
>
> Dear Dell,
>
> Nessus Security Scanner found your package
> srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable. Please update.
>
> Java JRE 1.11.0_4 from Dell's package
> srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm
> has several vulnerabilities. Please update to the fixed Java JRE 1.11.0_6, or stop
> distributing a Java JRE and start using the Java from the operating system, which is
> maintained faster.
>
> Package           : srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm
> Path              : /opt/dell/srvadmin/lib64/openmanage/
> Installed version : 1.11.0_4
> Fixed version     : 1.11.0_6
>
> The version of Oracle (formerly Sun) Java SE or Java for Business installed
> on the remote host is prior to 11 Update 6. It is, therefore, affected by
> multiple vulnerabilities related to the following components:
> - 2D
> - Libraries
> - Kerberos
> - Networking
> - JavaFX
> - Hotspot
> - Scripting
> - Javadoc
> - Deployment
> - Concurrency
> - JAXP
> - Serialization
> - Security
>
> Nessus has not tested for these issues but has instead relied only on the
> application's self-reported version number.
>
> - Oracle Java SE and Java SE Embedded are prone to a severe division by zero
>   over 'Multiple' protocol. This issue affects the 'SQLite' component.
>   (CVE-2019-16168)
> - Oracle Java SE and Java SE Embedded are prone to a format string
>   vulnerability, leading to a read of uninitialized stack data over 'Multiple'
>   protocol. This issue affects the 'libxslt' component.
>   (CVE-2019-13117, CVE-2019-13118)
> - Oracle Java SE and Java SE Embedded are prone to a remote security
>   vulnerability. An unauthenticated remote attacker can exploit this over
>   'Kerberos' protocol. This issue affects the 'Security' component.
>   (CVE-2020-2601, CVE-2020-2590)
> - Oracle Java SE/Java SE Embedded are prone to a remote security
>   vulnerability. An unauthenticated remote attacker can exploit this
>   over multiple protocols. This issue affects the 'Serialization' component.
>   (CVE-2020-2604, CVE-2020-2583)
> - Oracle Java SE/Java SE Embedded are prone to a remote security
>   vulnerability. An unauthenticated remote attacker can exploit this over
>   multiple protocols. This issue affects the 'Networking' component.
>   (CVE-2020-2593, CVE-2020-2659)
> - Oracle Java SE is prone to a remote security vulnerability. An
>   unauthenticated remote attacker can exploit this over multiple protocols.
>   This issue affects the 'Libraries' component. (CVE-2020-2654)
> - Oracle Java SE is prone to multiple security vulnerabilities. An
>   unauthenticated remote attacker can exploit this over multiple protocols.
>   This issue affects the 'JavaFX' component. (CVE-2020-2585)
> - Oracle Java SE is prone to multiple security vulnerabilities. An
>   unauthenticated remote attacker can exploit this over the 'HTTPS' protocol.
>   This issue affects the 'JSSE' component. (CVE-2020-2655)
>
> iava: 2019-A-0385
> cve: CVE-2019-11068
> cve: CVE-2019-2894
> cve: CVE-2019-2933
> cve: CVE-2019-2945
> cve: CVE-2019-2949
> cve: CVE-2019-2958
> cve: CVE-2019-2962
> cve: CVE-2019-2964
> cve: CVE-2019-2973
> cve: CVE-2019-2975
> cve: CVE-2019-2977
> cve: CVE-2019-2978
> cve: CVE-2019-2981
> cve: CVE-2019-2983
> cve: CVE-2019-2987
> cve: CVE-2019-2988
> cve: CVE-2019-2989
> cve: CVE-2019-2992
> cve: CVE-2019-2996
> cve: CVE-2019-2999
> bid: 109323
> iava: 2020-A-0023
> cve: CVE-2019-13117
> cve: CVE-2019-13118
> cve: CVE-2019-16168
> cve: CVE-2020-2583
> cve: CVE-2020-2585
> cve: CVE-2020-2590
> cve: CVE-2020-2593
> cve: CVE-2020-2601
> cve: CVE-2020-2604
> cve: CVE-2020-2654
> cve: CVE-2020-2655
> cve: CVE-2020-2659
>
> greetings,
> Zbigniew
>
> _______________________________________________
> Linux-PowerEdge mailing list
> [email protected]
> https://lists.us.dell.com/mailman/listinfo/linux-poweredge
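A scripted form of the workaround discussed in this thread (Patrick's mv/ln pair, with Ben's point about pointing at a system-managed symlink rather than a versioned directory), added here as an example and not code from the thread. The bundled JRE path is the one from the Nessus report; the system symlink /usr/lib/jvm/jre-11, the bin/java layout inside the bundled directory and the dsm_om_connsvc restart via systemctl are assumptions you can override.

```sh
#!/bin/sh
# Added example, not code from the thread: check whether the JRE bundled
# with OMSA is older than the release Nessus flagged as fixed and, if so,
# repoint it at a system-managed JRE symlink rather than a versioned
# directory that the next RPM update would remove.
# Assumptions: the system JRE lives at /usr/lib/jvm/jre-11 (alternatives-
# managed symlink) and the bundled JRE has a bin/java; override via env vars.
OMSA_JRE="${OMSA_JRE:-/opt/dell/srvadmin/lib64/openmanage/jre}"
SYSTEM_JRE="${SYSTEM_JRE:-/usr/lib/jvm/jre-11}"
FIXED_VERSION="${FIXED_VERSION:-11.0.6}"   # 'java -version' form of 1.11.0_6

# Pull "11.0.4" out of 'java -version' output (quoted string on line 1).
jre_version() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9.]*\)[^"]*".*/\1/p' | head -n 1
}

# True (0) when dotted version $1 is strictly older than $2.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# Move the bundled JRE aside and symlink the system JRE in its place.
# Refuses if the system JRE is missing; no-op if already swapped.
repoint_jre() {
    bundled="$1"; system="$2"
    [ -d "$system" ] || { echo "system JRE $system not found" >&2; return 1; }
    if [ -L "$bundled" ]; then echo "$bundled is already a symlink" >&2; return 0; fi
    mv "$bundled" "$bundled.OLD" && ln -s "$system" "$bundled"
}

main() {
    out="$("$OMSA_JRE/bin/java" -version 2>&1)" || exit 1
    v="$(jre_version "$out")"
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "bundled JRE $v < $FIXED_VERSION: repointing to $SYSTEM_JRE"
        repoint_jre "$OMSA_JRE" "$SYSTEM_JRE" && systemctl restart dsm_om_connsvc
    else
        echo "bundled JRE $v is at or above $FIXED_VERSION"
    fi
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` as root; a later `srvadmin-jre` update cannot silently reintroduce the old copy because the RPM's directory is now jre.OLD and the live path follows whatever the distro's java-11-openjdk package installs.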
