Java Vulnerability for BigFix

BregBF 2019-10-09 19:24:50 UTC #1

Within my organization, I received a communication regarding a Java Vulnerability for BigFix. For starters is anyone aware of such an issue. If so, how would this vulnerability impact endpoints if the server was exploited.

Pete_F 2019-10-09 19:53:23 UTC #2

There was one back in April for Bigfix Remote Control… Perhaps you would care to share some details ?

BregBF 2019-10-09 20:32:15 UTC #3

The issue centers around Oracle Java SE Multiple Vulnerabilities being discovered on the BigFix Server. The discovered CVE-2019 vulnerabilities are -2602, -2684, -2697 and cve-2019-2698. This is associated with our BigFix Inventory server running IBM Java 8.0.5.25. The server was recently updated to version 9.2.16 and I believe Java is embedded in the application. Thank you

f.pezzotti 2019-10-10 11:40:19 UTC #4

The Inventory server probably runs on Liberty which has an embedded IBM SDK which in turn is based on the Oracle JRE. This might be the component which is affected by the CVE. If you are running the application on a stand-alone Liberty or WAS you can upgrade it manually otherwise you need to contact the customer support for further investigation.