[EXTERNAL EMAIL]

Dear Dell OMSA team,

I need to agree with Zbigniew's post... OMSA should really use the system JRE. We require the GUI for our non-technical end users to do their system checklists, but we've had to strip OMSA because our security team keeps flagging our systems.
-With kind regards,
Peter Brunnengräber

----- Original Message -----
From: [email protected]
To: [email protected]
Sent: Saturday, March 14, 2020 1:00:01 PM
Subject: Linux-PowerEdge Digest, Vol 184, Issue 6

------------------------------

Message: 3
Date: Sat, 14 Mar 2020 08:07:49 +0000
From: <[email protected]>
To: <[email protected]>, <[email protected]>
Subject: Re: [Linux-PowerEdge] [Security Alert] Latest Dell's srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

Dell Customer Communication - Confidential

Hi Zbigniew,

Are you using the GUI function of OMSA, or only the command line? If the latter, I'd suggest removing the GUI-related packages (including Java/Tomcat etc.). This avoids the Java vulnerabilities.

Thanks,

-----Original Message-----
From: linux-poweredge-bounces-Lists <[email protected]> On Behalf Of mr.zbiggy
Sent: Friday, March 13, 2020 5:19 PM
To: linux-poweredge-Lists
Subject: [Linux-PowerEdge] [Security Alert] Latest Dell's srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable

[EXTERNAL EMAIL]

Dear Dell,

Nessus Security Scanner found your package srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable. Please update.

Java JRE 1.11.0_4 from Dell's package srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm has several vulnerabilities. Please update to the fixed Java JRE 1.11.0_6, or stop distributing a Java JRE and start using the Java from the operating system, which is maintained faster.

Package : srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm
Path : /opt/dell/srvadmin/lib64/openmanage/
Installed version : 1.11.0_4
Fixed version : 1.11.0_6

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 11 Update 6. It is, therefore, affected by multiple vulnerabilities related to the following components:
- 2D
- Libraries
- Kerberos
- Networking
- JavaFX
- Hotspot
- Scripting
- Javadoc
- Deployment
- Concurrency
- JAXP
- Serialization
- Security

Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

- Oracle Java SE and Java SE Embedded are prone to a severe division by zero, over 'Multiple' protocol. This issue affects the 'SQLite' component. (CVE-2019-16168)
- Oracle Java SE and Java SE Embedded are prone to a format string vulnerability, leading to a read of uninitialized stack data over 'Multiple' protocol. This issue affects the 'libxst' component. (CVE-2019-13117, CVE-2019-13118)
- Oracle Java SE and Java SE Embedded are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over 'Kerberos' protocol. This issue affects the 'Security' component. (CVE-2020-2601, CVE-2020-2590)
- Oracle Java SE/Java SE Embedded are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'Serialization' component. (CVE-2020-2604, CVE-2020-2583)
- Oracle Java SE/Java SE Embedded are prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'Networking' component. (CVE-2020-2593, CVE-2020-2659)
- Oracle Java SE is prone to a remote security vulnerability. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'Libraries' component. (CVE-2020-2654)
- Oracle Java SE is prone to multiple security vulnerabilities. An unauthenticated remote attacker can exploit this over multiple protocols. This issue affects the 'JavaFX' component. (CVE-2020-2585)
- Oracle Java SE is prone to multiple security vulnerabilities. An unauthenticated remote attacker can exploit this over 'HTTPS' protocols. This issue affects the 'JSSE' component. (CVE-2020-2655)

iava: 2019-A-0385
cve: CVE-2019-11068, CVE-2019-2894, CVE-2019-2933, CVE-2019-2945, CVE-2019-2949, CVE-2019-2958, CVE-2019-2962, CVE-2019-2964, CVE-2019-2973, CVE-2019-2975, CVE-2019-2977, CVE-2019-2978, CVE-2019-2981, CVE-2019-2983, CVE-2019-2987, CVE-2019-2988, CVE-2019-2989, CVE-2019-2992, CVE-2019-2996, CVE-2019-2999
bid: 109323

iava: 2020-A-0023
cve: CVE-2019-13117, CVE-2019-13118, CVE-2019-16168, CVE-2020-2583, CVE-2020-2585, CVE-2020-2590, CVE-2020-2593, CVE-2020-2601, CVE-2020-2604, CVE-2020-2654, CVE-2020-2655, CVE-2020-2659

greetings,
Zbigniew

_______________________________________________
Linux-PowerEdge mailing list
[email protected]
https://lists.us.dell.com/mailman/listinfo/linux-poweredge

------------------------------

End of Linux-PowerEdge Digest, Vol 184, Issue 6
***********************************************
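The thread's point is that a vendor-bundled JRE ages silently while the distribution JRE is patched; an added example (not from the list or from Dell) of an inventory check that reads the `release` file a Java 9+ runtime ships with, normalises both the Nessus-style `1.11.0_4` and the modern `11.0.4` version forms, and compares the bundled runtime against the fixed version named in the alert. The JRE subdirectory under `/opt/dell/srvadmin/lib64/openmanage/` and the sample `release` contents are assumptions; like Nessus, this trusts the self-reported version, so it is a patch-inventory check, not proof of exploitability.

```python
import re
from pathlib import Path

# Assumed location of the bundled runtime (the thread gives only the
# parent directory); any Java 9+ runtime carries a 'release' file here.
BUNDLED_JRE_DIR = Path("/opt/dell/srvadmin/lib64/openmanage/jre")

_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)_(\d+)$")                    # 1.11.0_4 (Nessus style)
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\+\d+)?$")  # 11 / 11.0.4 / 11.0.4+10


def parse_java_version(text):
    """Normalise a Java version string to a comparable (feature, interim, update) tuple."""
    text = text.strip().strip('"')
    m = _LEGACY.match(text)
    if m:
        return tuple(int(g) for g in m.groups())
    m = _MODERN.match(text)
    if m:
        # Missing interim/update parts count as 0; the +build suffix is ignored.
        return tuple(int(g or 0) for g in m.groups())
    raise ValueError(f"unrecognised Java version: {text!r}")


def release_file_version(release_text):
    """Extract JAVA_VERSION from the contents of a runtime's 'release' file."""
    for line in release_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "JAVA_VERSION":
            return parse_java_version(value)
    raise ValueError("no JAVA_VERSION line in release file")


def is_vulnerable(installed, fixed):
    """True when the installed version is older than the fixed version from the advisory."""
    return parse_java_version(installed) < parse_java_version(fixed)


def check_bundled_jre(jre_dir=BUNDLED_JRE_DIR, fixed="1.11.0_6"):
    """None if no bundled runtime is present (e.g. GUI packages stripped), else vulnerable?"""
    release = jre_dir / "release"
    if not release.is_file():
        return None
    return release_file_version(release.read_text()) < parse_java_version(fixed)


# Constructed sample mimicking the 'release' file of the runtime in the alert.
SAMPLE_RELEASE = 'IMPLEMENTOR="Oracle Corporation"\nJAVA_VERSION="11.0.4"\nOS_NAME="Linux"\n'

if __name__ == "__main__":
    print("bundled JRE vulnerable:", check_bundled_jre())
```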
