
On-Premise Poller Java JRE version - Possible security vulnerability

Hi

 

Are there any plans to update the JRE version used by Site24x7 Pollers?

Our security team has flagged possible vulnerabilities with older JRE versions.

The last update mentioned on your roadmap was August 2021:

  • On-Premise Poller Java JRE version upgraded to 11.0.11

 

 

www.site24x7.com/community/site24x7-on-premise-poller-version-updates-and-release-notes#18151000001728599


Hello all,

We have released On-Premise Poller 5.0.0. Check out what's in this release.

The month of release: August 2021

Version: 5.0.0

Enhancement:

  • On-Premise Poller Java JRE version upgraded to 11.0.11

Issue fix (Network monitoring)

  • Fixed the security vulnerabilities.

Re: On-Premise Poller Java JRE version - Possible security vulnerability

I would like to vote this concern up.

Relates to Oracle/Java vulnerability CVE-2022-21449

Details: securityonline.info/cve-2022-21449-oracle-java-se-authentication-bypass-vulnerability/

Site24x7 Pollers appear to be based on 1.11.0_11

 

Fixed version: 1.7.0_341 / 1.8.0_331 / 1.11.0_15 / 1.17.0_3 / 1.18.0_1

Will this be fixed on newer poller versions?

A comment would be appreciated.

Re: Re: On-Premise Poller Java JRE version - Possible security vulnerability

Hi,
The vulnerability (CVE-2022-21449) is specific to the JVM and is due to a flaw in signature checking for ECDSA. Java applications are vulnerable only if they use any variation of the ECDSA algorithm with Java’s getInstance() signature API.
Site24x7 applications don't use the ECDSA algorithm for verification or authentication and are not affected by this vulnerability.

Thanks,

Vinoth,

Site24x7 Security Team
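
The two conditions raised in this thread, a JRE below the listed fixed build and ECDSA used through Signature.getInstance(), can be checked together when triaging a bundled runtime. The following is an added example, not code from the posters or from Site24x7: the function names and sample source are constructed, and the fixed-build table is copied from the reply above as the poster listed it.

```python
import re

# Fixed builds per release line, copied from the thread (the poster's
# "1.<major>.0_<update>" notation reduced to major -> update number).
FIXED = {7: 341, 8: 331, 11: 15, 17: 3, 18: 1}

LEGACY = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?")          # 1.8.0_331, 1.11.0_11
MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")   # 11.0.11, 17.0.3, 18
# Signature.getInstance("...ECDSA...") with a literal algorithm name.
ECDSA_CALL = re.compile(
    r'Signature\s*\.\s*getInstance\s*\(\s*"([^"]*ECDSA[^"]*)"', re.I)

def parse_java_version(text):
    """Return (major, minor, update) from a version string or `java -version` output."""
    quoted = re.search(r'version "([^"]+)"', text)
    version = quoted.group(1) if quoted else text.strip()
    m = LEGACY.match(version)
    if m:
        return int(m.group(1)), 0, int(m.group(2) or 0)
    m = MODERN.match(version)
    if not m:
        raise ValueError(f"unrecognized Java version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def runtime_status(text):
    """'fixed', 'below-fixed', or 'unlisted' (release line not named in the thread)."""
    major, minor, update = parse_java_version(text)
    if major not in FIXED:
        return "unlisted"
    return "fixed" if (minor, update) >= (0, FIXED[major]) else "below-fixed"

def ecdsa_signature_calls(java_source):
    """ECDSA algorithm names passed as string literals to Signature.getInstance."""
    return ECDSA_CALL.findall(java_source)

def triage(version_text, java_source):
    """Flag for review when the runtime is not at a listed fixed build and ECDSA is in use."""
    status = runtime_status(version_text)
    algorithms = ecdsa_signature_calls(java_source)
    return {"runtime": status, "ecdsa_algorithms": algorithms,
            "needs_review": status != "fixed" and bool(algorithms)}

# Constructed sample input, not taken from any Site24x7 code.
SAMPLE_SOURCE = ('Signature v = Signature.getInstance("SHA256withECDSA");\n'
                 'Signature r = Signature.getInstance("SHA256withRSA");\n')

if __name__ == "__main__":
    for v in ("11.0.11", "1.11.0_11", 'openjdk version "17.0.3" 2022-04-19'):
        print(v, "->", triage(v, SAMPLE_SOURCE))
```

A literal-string scan misses algorithm names built at run time and calls made inside third-party libraries, so an empty result is not proof that ECDSA verification is unused.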
