OMSA: Mitigating Java vulnerabilities in OpenManage Server Administrator by upgrading Java Runtime

Summary: The web UI of Dell OpenManage Server Administrator bundles a Java 11 Runtime Environment that may have security vulnerabilities identified in it as it ages. Server Administrator has a preference option to load a newer alternative Java Runtime package that is installed separately. Alternatively, the outdated Java Runtime Environment libraries bundled with Server Administrator 10.3.0 and newer can be manually replaced. ...


Symptoms

A third-party security scanner application may detect the presence of Dell OpenManage Server Administrator's bundled Java 11 Runtime Environment libraries and identify many security vulnerabilities. Many scanners typically list all the known vulnerabilities documented by OpenJDK 11 projects.

Cause

Java is an application programming environment, and most Java security vulnerabilities typically do not apply to Server Administrator because they affect a particular library or function that Server Administrator does not use.

OMSA can load an alternative Java Runtime Environment, version 11, installed within the operating system, which can be newer than the Java version bundled within OMSA. The Resolution steps below describe how to do this.

Some third-party security scanners still report false-positive warnings because they perform simple file-based scans within the operating system and detect the outdated bundled Java 11 even though the newer alternative Java runtime is loaded instead. The older bundled Java 11 can be swapped out using the Resolution steps below.

Resolution

Server Administrator 10.3 and newer versions were tested only with, and officially support only, the free Eclipse Temurin (formerly Adoptium) OpenJDK 11 project. Windows and Linux versions of the Temurin Java 11, Standard Edition install package can be downloaded from:

https://adoptium.net/temurin/releases/?version=11

Note: Server Administrator only supports Java 11 versions. Do not download or use Java 17 or newer OpenJDK projects as their Application Programming Interface contains newer, deprecated, and changed Java functions that could affect the Server Administrator graphical interface function.

Configuring Server Administrator to Load an Alternative Temurin Java 11 Environment

  1. From the Adoptium website, download the Windows or Linux version of the smaller "JRE" package with architecture "x64".
  2. Follow the instructions to install the alternative Java runtime package into the operating system, either on each host or using third-party deployment tools.
  3. Launch the Server Administrator web graphical interface from a browser.
  4. Go to Preferences (upper right of the page), then General Settings (in the left margin).
  5. Scroll down to the Java Runtime Environment section and enable System JRE/JDK.
  6. If Server Administrator recognizes an existing alternative Java runtime installed, it lists the version in the pulldown menu.
  7. Click the Apply button. A restart of the Server Administrator web service must occur.

Alternatively, this preference setting can be changed programmatically with the Server Administrator command line. This is also useful if a mistake was made and the web interface is no longer accessible. To list the current alternative Java versions detected:

omreport preferences webserver attribute=getjrelist

To change the setting:

omconfig preferences webserver attribute=setjre jreversion=<version>

Restart "DSM SA Connection Service" in Windows or "dsm_om_connsvc.service" in Linux.

To change the preferred Java runtime back to the bundled version within OMSA, if a mistake was made and the web interface is no longer accessible:

omconfig preferences webserver attribute=setjre jreversion=<version>

Replacing the Java runtime bundled within Server Administrator

Note: This method requires manual deployment and is only recommended to address false-positive reports from a file-based security scanner. The version of the replacement Java runtime is also not reflected in the Software page in the Server Administrator web interface.

Note: Server Administrator only supports Java 11 versions. Do not download or use Java 17 or newer OpenJDK projects as their Application Programming Interface contains newer, deprecated, and changed Java functions that could affect the Server Administrator graphical interface function.

  1. From the Adoptium website, download the Windows or Linux version of the smaller "JRE" package with architecture "x64". Make sure to choose the .zip or .tar.gz format, respectively.
  2. Extract the entire file contents and rename the resulting folder to "jre".
  3. Stop "DSM SA Connection Service" in Windows or "dsm_om_connsvc.service" in Linux.
  4. Rename the existing folder C:\Program Files\Dell\SysMgmt\jre\ (Windows) or /opt/dell/srvadmin/lib64/openmanage/jre/ (Linux) to keep it as a backup.
  5. Put the newer downloaded Temurin Java 11 runtime package, whose folder was renamed to "jre" in step 2, in its place.
  6. Start the Server Administrator web service.
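
The Linux form of the replacement steps above as a guarded script (an added example, not Dell's own tooling). It reads the "release" file that OpenJDK builds, Temurin included, ship at the top of the runtime folder and refuses anything other than Java 11; the function names, the "--run" switch and the backup suffix are assumptions of this example.

```sh
#!/bin/sh
# Added example: guarded swap of the JRE bundled with OMSA on Linux.
# The path and service name are the ones given in the article; the function
# names, "--run" switch and ".bak-<timestamp>" suffix are assumptions.

OMSA_JRE=/opt/dell/srvadmin/lib64/openmanage/jre
OMSA_SVC=dsm_om_connsvc.service

# Print the major Java version recorded in <jre_dir>/release (e.g. "11").
jre_major() {
    sed -n 's/^JAVA_VERSION="\([0-9][0-9]*\).*/\1/p' "$1/release" 2>/dev/null
}

# swap_jre <new_jre_dir> <bundled_jre_dir>
# Refuses anything that is not Java 11 and keeps the old runtime as a backup.
# On success, prints the path of the backup folder.
swap_jre() {
    new=$1; target=$2
    major=$(jre_major "$new")
    if [ "$major" != "11" ]; then
        echo "refusing: $new is Java '${major:-unknown}', OMSA supports only 11" >&2
        return 1
    fi
    if [ ! -x "$new/bin/java" ]; then
        echo "refusing: $new/bin/java is missing or not executable" >&2
        return 1
    fi
    backup="$target.bak-$(date +%Y%m%d%H%M%S)"
    mv "$target" "$backup" || return 1
    if ! mv "$new" "$target"; then
        mv "$backup" "$target"      # roll back so OMSA still has a runtime
        return 1
    fi
    echo "$backup"
}

# Touch the real service only when called as: sh swap_jre.sh --run <new_jre_dir>
if [ "${1:-}" = "--run" ]; then
    systemctl stop "$OMSA_SVC" || exit 1
    swap_jre "$2" "$OMSA_JRE"; rc=$?
    systemctl start "$OMSA_SVC"     # start again even if the swap was refused
    exit "$rc"
fi
```

The backup folder stays beside the replaced one, so a file-based scanner will keep flagging it until it is moved elsewhere or deleted.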

Affected Products

OpenManage Server Administrator, Dell OpenManage Server Administrator Version 10.3.0.0, Dell OpenManage Server Administrator Version 11.0.0.0, Dell OpenManage Server Administrator Version 11.0.1.0

Article Properties
Article Number: 000223382
Article Type: Solution
Last Modified: 01 May 2025
Version: 2