Data Protection Advisor (DPA): Security scans indicate that Data Protection Advisor uses Java 1.8u271, which has known vulnerabilities
Summary: Security scans indicate that Data Protection Advisor uses Java 1.8u271, which has known vulnerabilities.
This article is not tied to a specific product.
Not all product versions are identified in this article.
Symptoms
A security scanner (example: Nessus) indicates that Data Protection Advisor (DPA) uses Java version 1.8u271 (DPA 19.4 b36 and later), which has known vulnerabilities. The scan references the vulnerability below for Java 1.8u271.
Further details on this vulnerability are found on the NIST’s National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2020-14803.
Oracle Java SE Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle Java SE. This vulnerability is remotely exploitable without authentication, that is, may be exploited over a network without requiring user credentials.
CVE#: CVE-2020-14803
Product: Java SE, Java SE Embedded
Component: Libraries
Protocol: Multiple
Remote Exploit without Auth.?: Yes
CVSS Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
Supported Versions Affected: Java SE: 7u281, 8u271; Java SE Embedded: 8u271
Notes: This vulnerability applies to Java deployments that load and run untrusted code (such as, code that comes from the Internet) and rely on the Java sandbox for security.
Cause
While the version of Java used by DPA is 1.8 u271 (as of DPA 19.4 b36), the DPA Java JVM is not affected by this vulnerability. See the following:
This vulnerability is applicable to Java Web Start applications and not to DPA. The CVE description from the NIST National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2020-14803 reads as follows:
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (such as, code that comes from the Internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code.
This is also confirmed in the security alert description issued by Oracle at https://www.oracle.com/security-alerts/cpujan2021.html.
DPA's Java JVM does not load or allow the running of untrusted code. More specific details on DPA's JVM implementation with regard to the CVE description follow.
Java Sandbox - DPA uses the Dell BSAFE crypto library, which runs in the same JVM as the DPA application server. DPA does not maintain a separate, secluded space called a sandbox in which it enforces 'code security'; the Java sandbox only comes into play when potentially untrusted code could run in a JVM.
Untrusted Code - This typically comes into consideration when Java applets are downloaded and run inside a Java program. Because the source is not known, the downloaded piece is then treated as untrusted code. In DPA's model, installation and deployment happen on-site, which rules out any such applet code being downloaded and run in the DPA server's JVM.
DPA Engineering has performed third-party library scans, source code analysis, and web application security testing around this vulnerability report. These scans and tests performed against DPA have shown that such attacks are not possible.
Resolution
While the vulnerability exists in Java 1.8u271, the DPA Java JVM is not affected by this vulnerability.
Resolved in Data Protection Advisor 19.5 and later. DPA 19.5 and later ships with Java 1.8u281 or later.
Contact Dell Technical Support for further details or information.
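As an added example (not part of the Dell article), a small Python triage helper that parses the Java 8 version string a host's `java -version` reports, compares the update number against the 1.8u281 fix named in the resolution, and records whether the CVE's untrusted-code precondition applies. The sample output and the `loads_untrusted_code` flag are constructed assumptions, not data from a real DPA host.

```python
import re

# Constructed sample of `java -version` output for the Java build named in the
# article; an assumed stand-in for a DPA 19.4 b36 host's bundled JRE, not a real capture.
SAMPLE_JAVA_VERSION_OUTPUT = '''java version "1.8.0_271"
Java(TM) SE Runtime Environment (build 1.8.0_271-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.271-b09, mixed mode)
'''

# From the article's resolution: DPA 19.5 and later ships Java 1.8u281 or later.
FIXED_UPDATE = 281
CVE_ID = "CVE-2020-14803"

# Java 8 versions look like "1.8.0_271" or "1.8.0_271-b09": the number after the
# underscore is the update Oracle's matrix calls "8u271". A generic dotted-version
# comparison mis-orders these, so the update is extracted explicitly.
_JAVA8_RE = re.compile(r"^1\.8\.0_(\d+)(?:-b(\d+))?$")


def parse_java8_version(version):
    """Return (update, build) for a Java 8 version string; build is None if absent."""
    m = _JAVA8_RE.match(version.strip())
    if not m:
        raise ValueError("not a Java 8 version string: %r" % version)
    return int(m.group(1)), (int(m.group(2)) if m.group(2) else None)


def version_from_java_output(output):
    """Pull the quoted version out of the first line printed by `java -version`."""
    m = re.search(r'(?:java|openjdk) version "([^"]+)"', output)
    if not m:
        raise ValueError("no version line found in java -version output")
    return m.group(1)


def assess_finding(output, loads_untrusted_code=False):
    """Triage a scanner hit for CVE-2020-14803 against the JRE a host runs.
    Per the Oracle note quoted in the article, a server JVM that loads only
    trusted code is not exposed even when its update is below the fix."""
    update, build = parse_java8_version(version_from_java_output(output))
    return {
        "cve": CVE_ID,
        "update": update,
        "build": build,
        "at_or_above_fix": update >= FIXED_UPDATE,
        "cve_applies": loads_untrusted_code and update < FIXED_UPDATE,
    }
```

Run `assess_finding` over the real `java -version` output of the DPA server (it prints to stderr) to separate "version string below the fix" from "CVE actually applicable" when answering a scanner report.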
Products
Data Protection Advisor
Article Properties
Article Number: 000187683
Article Type: Solution
Last Modified: 01 Jun 2021
Version: 1