Java Vulnerability for BigFix

Within my organization, I received a communication regarding a Java vulnerability for BigFix. For starters, is anyone aware of such an issue? If so, how would this vulnerability impact endpoints if the server was exploited?

There was one back in April for BigFix Remote Control… Perhaps you would care to share some details?

The issue centers around Oracle Java SE Multiple Vulnerabilities being discovered on the BigFix Server. The discovered CVE-2019 vulnerabilities are -2602, -2684, -2697 and CVE-2019-2698. This is associated with our BigFix Inventory server running IBM Java 8.0.5.25. The server was recently updated to version 9.2.16 and I believe Java is embedded in the application. Thank you.

The Inventory server probably runs on Liberty, which has an embedded IBM SDK, which in turn is based on the Oracle JRE. This might be the component which is affected by the CVE. If you are running the application on a stand-alone Liberty or WAS, you can upgrade it manually; otherwise you need to contact customer support for further investigation.
