The bundled JVM/JRE is supplied for use by the installer because the installer needs it. Once the installation is complete, the bundled JVM/JRE is used by some customers as a convenience, but it is not a requirement. It is not meant to restrict any customer to using that version during run time or convey that the provided version is the only one supported. Customers are welcome to use any supported version of Java that they see fit and/or patch/upgrade the supplied one.
-David J. Easter
Manager of Product Management, Remedy Platform
BMC Software, Inc.

The opinions, statements, and/or suggested courses of action expressed in this E-mail do not necessarily reflect those of BMC Software, Inc. My voluntary participation in this forum is not intended to convey a role as a spokesperson, liaison or public relations representative for BMC Software, Inc.

From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Jason Miller
Sent: Thursday, December 15, 2011 9:47 AM
To: [email protected]
Subject: Re: CMDB - Bundled JVM

It is a little more current (very little) on my 7.6.04 SP2 Windows server.

\PathToInstall\BMC Software\AtriumCore\BMCAtriumCoreInstallJVM\bin>java -version
java version "1.5.0_11"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode)

Jason

On Thu, Dec 15, 2011 at 9:32 AM, Axton <[email protected]> wrote:

Does anyone know why certain components of ITSM come bundled with an ancient version of the Sun JRE?

Atrium Core comes bundled with this JVM:

[user@server bin]$ pwd
/path/to/AtriumCore/server/BMCAtriumCoreInstallJVM/bin
[user@server bin]$ ./java -version
java version "1.5.0_09"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)
Java HotSpot(TM) Server VM (build 1.5.0_09-b03, mixed mode)

The following security issues are not addressed in the bundled JVM:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_22: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885.

There are many more issues that exist with the bundled JVM that are not listed above. See here for a more comprehensive list, which unfortunately only goes back to 2007, so updates to the bundled JVM between its release date and 2007 are not outlined on the following pages:

http://blogs.oracle.com/sunsecurity/tags/java
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html#AppendixJAVA

Of particular concern are the following:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557

I don't understand why the JVM is bundled with the product. Flashboards, email engine, and the main ARServer Java plugin server do not have a bundled JVM, but these particular components do.

This applies to the plugin server used to load the following plugins:

  DSM.FILTER (dsm.jar)
  BMC.ARDBC.ATRIUM.API (atrium-ar-kit.jar)
  AIS.FILTERAPI (ais.jar)
  RMDY.ITSM.RLE (rle.jar)

And also to another plugin server used to load the following plugins:

  BMC.FILTERAPI.NORM.ENGINE (neplugin75.jar)

Applicable Environment Information:
- ARServer 7.5 Patch 3
- CMDB 7.5.00 Patch 005
- Platform: Solaris 10

Questions I have for anyone willing to answer:
- Is the JVM bundled with later versions of the CMDB the same version or has it been updated?
- Is it possible to use a different JVM for these 2 plugin servers without impacting the stability of the plugins or is there some inherent dependency on that specific JVM?

I can easily re-point the plugin server to a later release of Java in these files:

/path/to/AtriumCore/server/cmdb/server/bin/normeng.sh
/path/to/AtriumCore/server/cmdb/server/bin/atriumplugin.sh

Axton Grams

_attend WWRUG12 www.wwrug.com ARSlist: "Where the Answers Are"_
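
The version check from the original question, as an added example that is not part of the thread: it parses a `java -version` banner and lists which of the 1.5.0 fix releases named above (1.5.0_18, 1.5.0_20, 1.5.0_22) the JVM predates. The function names are hypothetical, the banner is copied from the thread, and anything outside the 1.5.0 line is reported as unknown.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.
# Fix releases of JRE 1.5.0 that the thread lists CVE batches for.
FIX_UPDATES="18 20 22"

# Banner copied from the original question (Solaris, Atrium Core 7.5).
BANNER_SOLARIS='java version "1.5.0_09"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)
Java HotSpot(TM) Server VM (build 1.5.0_09-b03, mixed mode)'

# Pull the quoted version string out of `java -version` output.
jvm_version() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Update number after the underscore, leading zeros stripped (09 -> 9).
jvm_update() {
    v=$(jvm_version "$1")
    case "$v" in
        *_*) u=${v#*_}; u=${u%%[!0-9]*} ;;
        *)   u=0 ;;
    esac
    u=$(printf '%s' "$u" | sed 's/^0*//')
    printf '%s\n' "${u:-0}"
}

# Fix releases from FIX_UPDATES that the given banner predates.
missing_fixes() {
    v=$(jvm_version "$1")
    case "$v" in
        1.5.0*) ;;
        *) echo "unknown"; return 0 ;;  # the list only covers the 1.5.0 line
    esac
    cur=$(jvm_update "$1")
    out=""
    for f in $FIX_UPDATES; do
        if [ "$cur" -lt "$f" ]; then out="$out 1.5.0_$f"; fi
    done
    printf '%s\n' "${out# }"
}

# Report every binary named java under an install root (needs the JVMs present).
audit_root() {
    find "$1" -type f -name java 2>/dev/null | while read -r j; do
        b=$("$j" -version 2>&1)
        printf '%s: %s missing: %s\n' "$j" "$(jvm_version "$b")" "$(missing_fixes "$b")"
    done
}

missing_fixes "$BANNER_SOLARIS"   # demo on the banner from the thread
```

Running `audit_root` against the install root after re-pointing the plugin server scripts shows whether any bundled copy is still present on disk.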

