Data Protection Advisor (DPA): Security scans indicate that Data Protection Advisor uses Java 1.8u271 which has known vulnerabilities
Summary: Security scans indicate that Data Protection Advisor uses Java 1.8u271 which has vulnerabilities.
This article applies to
This article does not apply to
This article is not tied to any specific product.
This article does not identify all product versions.
Symptoms
A security scanner (for example, Nessus) indicates that Data Protection Advisor (DPA) uses Java version 1.8u271 (DPA 19.4 b36 and later), which has known vulnerabilities. The scan references the following vulnerability for Java 1.8u271.
Further details on this vulnerability are found on the NIST’s National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2020-14803.
Oracle Java SE Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle Java SE. This vulnerability is remotely exploitable without authentication, that is, it may be exploited over a network without requiring user credentials.
CVE#: CVE-2020-14803
Product: Java SE, Java SE Embedded
Component: Libraries
Protocol: Multiple
Remote Exploit without Authentication: Yes
CVSS Base Score: 5.3 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: Low; Integrity: None; Availability: None)
Supported Versions Affected: Java SE: 7u281, 8u271; Java SE Embedded: 8u271
Notes: This vulnerability applies to Java deployments that load and run untrusted code (such as code that comes from the Internet) and rely on the Java sandbox for security.
Cause
While the version of Java used by DPA is 1.8u271 (as of DPA 19.4 b36), the DPA Java JVM is not affected by this vulnerability, for the following reasons:
This vulnerability applies to Java Web Start applications, not to DPA. The CVE description from the NIST National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2020-14803 reads as follows:
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (such as, code that comes from the Internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code.
This is also confirmed in the security alert description issued by Oracle at https://www.oracle.com/security-alerts/cpujan2021.html.
DPA's Java JVM does not load or allow the running of untrusted code. More specific details on DPA's JVM implementation with regard to the CVE description follow.
Java Sandbox - DPA uses the Dell BSafe crypto library, which runs in the same JVM as the DPA application server. There is no separate space called a sandbox in which DPA maintains 'code security'; a sandbox only comes into play when potentially untrusted code could run on a JVM.
Untrusted Code - This typically comes into consideration when Java applets are downloaded and run inside a Java program. Because the source is not known, the downloaded code is treated as untrusted. In DPA's model, installation and deployment happen on-site, which rules out any such applet code being downloaded and run in the DPA server's JVM.
DPA Engineering has performed third-party library scans, source code analysis, and web application security testing around this vulnerability report. These scans and tests performed against DPA have shown that such attacks are not possible.
Resolution
While the vulnerability exists in Java 1.8u271, the DPA Java JVM is not affected by it.
Resolved in Data Protection Advisor 19.5 and later. DPA 19.5 and later ships with Java 1.8u281 or later.
Contact Dell Technical Support for further details or information.
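As an added check for verifying the remediation above (example code written for this article, not Dell's or DPA's own tooling), the Python below normalises the two notations used on this page for the same Java 8 update level (Oracle's "8u271" and the JVM's "1.8.0_271"), extracts the version from `java -version` style output, and classifies a scanner hit on CVE-2020-14803 using the article's two criteria: update level relative to the 1.8u281 fix, and whether the JVM runs untrusted code. The sample console output is constructed, and the function names are this example's own.

```python
import re
from typing import Tuple

# From the article's Resolution section: DPA 19.5 ships Java 1.8u281 or later.
FIXED_IN = "1.8u281"

# Constructed sample of `java -version` output for the JVM the scanner flagged.
SAMPLE_JAVA_VERSION_OUTPUT = """java version "1.8.0_271"
Java(TM) SE Runtime Environment (build 1.8.0_271-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.271-b09, mixed mode)"""

# Oracle advisory notation ("8u271", "1.8u271", "7u281") and the java.version
# property format ("1.8.0_271", optionally with a "-bNN" build suffix).
_ORACLE = re.compile(r"^(?:1\.)?(\d+)u(\d+)$")
_JVM = re.compile(r"^1\.(\d+)\.0_(\d+)(?:-b\d+)?$")


def parse_java_version(text: str) -> Tuple[int, int]:
    """Return (major, update) for a Java 5-8 style version in either notation."""
    s = text.strip()
    m = _ORACLE.match(s) or _JVM.match(s)
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def version_from_java_output(output: str) -> str:
    """Pull the quoted version out of the first line of `java -version` output."""
    m = re.search(r'version "([^"]+)"', output)
    if not m:
        raise ValueError("no version string found in java -version output")
    return m.group(1)


def is_at_or_above(reported: str, fixed: str = FIXED_IN) -> bool:
    """True when the reported JVM is at or above the fixed update level.
    Oracle fixes each major line (7uNNN, 8uNNN) separately, so comparing
    across lines raises rather than guessing."""
    r_major, r_upd = parse_java_version(reported)
    f_major, f_upd = parse_java_version(fixed)
    if r_major != f_major:
        raise ValueError(f"major lines differ: {reported} vs {fixed}")
    return r_upd >= f_upd


def triage_scan_finding(reported: str, runs_untrusted_code: bool) -> str:
    """Classify a CVE-2020-14803 scanner hit along the article's two axes."""
    if is_at_or_above(reported):
        return "patched: update level at or above " + FIXED_IN
    if not runs_untrusted_code:
        return "vulnerable version, not applicable: JVM runs only trusted code"
    return "vulnerable version, applicable: JVM sandboxes untrusted code"
```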
Product
Data Protection Advisor
Article Properties
Article Number: 000187683
Article Type: Solution
Last Modified: 01 Jun 2021
Version: 1