Does anyone know why certain components of ITSM come bundled with an ancient version of the Sun JRE?

Atrium Core comes bundled with this JVM:

[user@server bin]$ pwd
/path/to/AtriumCore/server/BMCAtriumCoreInstallJVM/bin
[user@server bin]$ ./java -version
java version "1.5.0_09"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)
Java HotSpot(TM) Server VM (build 1.5.0_09-b03, mixed mode)

The following security issues are not addressed in the bundled JVM:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_22: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885.

There are many more issues that exist with the bundled JVM that are not listed above.

See here for a more comprehensive list, which unfortunately only goes back to 2007, so updates to the bundled JVM between its release date and 2007 are not outlined on the following pages:

http://blogs.oracle.com/sunsecurity/tags/java
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html#AppendixJAVA

Of particular concern are the following:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557

I don't understand why the JVM is bundled with the product. Flashboards, email engine, and the main ARServer Java plugin server do not have a bundled JVM, but these particular components do.

This applies to the plugin server used to load the following plugins:

DSM.FILTER (dsm.jar)
BMC.ARDBC.ATRIUM.API (atrium-ar-kit.jar)
AIS.FILTERAPI (ais.jar)
RMDY.ITSM.RLE (rle.jar)

And also to another plugin server used to load the following plugins:

BMC.FILTERAPI.NORM.ENGINE (neplugin75.jar)

Applicable Environment Information:
- ARServer 7.5 Patch 3
- CMDB 7.5.00 Patch 005
- Platform: Solaris 10

Questions I have for anyone willing to answer:
- Is the JVM bundled with later versions of the CMDB the same version or has it been updated?
- Is it possible to use a different JVM for these 2 plugin servers without impacting the stability of the plugins, or is there some inherent dependency on that specific JVM?

I can easily re-point the plugin server to a later release of Java in these files:

/path/to/AtriumCore/server/cmdb/server/bin/normeng.sh
/path/to/AtriumCore/server/cmdb/server/bin/atriumplugin.sh

Axton Grams
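
One way to inventory bundled JVMs like the one shown in the post and flag any that are older than a chosen baseline update. This is an added example, not part of the original post or BMC's tooling; the function names and the 1.5.0_22 baseline (the newest 1.5.0 update the post mentions) are assumptions.

```sh
#!/bin/sh
# Added example: find JVMs bundled under an install tree and flag old ones.
# BASELINE is an assumption (newest 1.5.0 update named in the post).
BASELINE="${BASELINE:-1.5.0_22}"

# Read `java -version` banner text on stdin, print the quoted version,
# e.g. 'java version "1.5.0_09"' -> 1.5.0_09
parse_java_version() {
    sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed (exit 0) when version $1 is older than version $2.
# Fields are compared numerically, so update "09" is 9, not octal.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, /[._-]/); split(b, y, /[._-]/)
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print "STATUS<TAB>VERSION<TAB>PATH" for every bin/java found under $1.
scan_jvms() {
    find "$1" -type f -path '*/bin/java' 2>/dev/null |
    while read -r java; do
        [ -x "$java" ] || continue
        # The version banner is written to stderr, hence 2>&1
        ver=$("$java" -version 2>&1 | parse_java_version)
        [ -n "$ver" ] || continue
        if version_lt "$ver" "$BASELINE"; then status=OUTDATED; else status=ok; fi
        printf '%s\t%s\t%s\n' "$status" "$ver" "$java"
    done
}

# Usage: sh scan_jvms.sh /path/to/AtriumCore
if [ "$#" -gt 0 ]; then scan_jvms "$1"; fi
```

Running it against the whole install root also picks up any JVM referenced only from wrapper scripts such as normeng.sh and atriumplugin.sh, provided the binary lives under that tree.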