Hi
Are there any plans to update the JRE version used by Site24x7 Pollers?
Our security team has flagged possible vulnerabilities with older JRE versions.
Last update mentioned on your roadmap was August 2021:
- On-Premise Poller Java JRE version upgraded to 11.0.11
www.site24x7.com/community/site24x7-on-premise-poller-version-updates-and-release-notes#18151000001728599
Hello all,
We have released On-Premise Poller 5.0.0. Check out what's in this release.
The month of release: August 2021
Version: 5.0.0
Enhancement:
- On-Premise Poller Java JRE version upgraded to 11.0.11
Issue fix (Network monitoring)
- Fixed the security vulnerabilities.
I would like to vote this concern up.
Relates to Oracle/Java vulnerability
CVE-2022-21449
Details
securityonline.info/cve-2022-21449-oracle-java-se-authentication-bypass-vulnerability/
Site24x7 Pollers appear to be based on 1.11.0_11
Fixed version: 1.7.0_341 / 1.8.0_331 / 1.11.0_15 / 1.17.0_3 / 1.18.0_1
Will this be fixed on newer poller versions?
A comment would be appreciated.
Hi,
The vulnerability (CVE-2022-21449) is specific to the JVM and is because of a flaw in signature checking for ECDSA. Java applications are vulnerable only if they use any variation of the ECDSA algorithm with Java’s getInstance() signature API.
Site24x7 applications don't use the ECDSA algorithm for verification or authentication and are not affected by this vulnerability.
Thanks,
Vinoth,
Site24x7 Security Team
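
One way to check the condition described in the reply above on your own deployment, as an added example (not Site24x7 code): scan an application's JAR files, including nested library JARs, for ECDSA signature algorithm names of the kind passed to getInstance(). The archive and class names are constructed sample data, and the scan finds only literal algorithm names, so a hit means "review this class" and an empty result is not proof of absence.

```python
import io
import re
import sys
import zipfile

# JCA signature names such as SHA256withECDSA, NONEwithECDSA, SHA256withECDSAinP1363Format.
ECDSA_NAME = re.compile(rb"[A-Za-z0-9-]{0,16}withECDSA[A-Za-z0-9]*", re.IGNORECASE)
ARCHIVES = (".jar", ".war", ".zip")


def scan_archive(data, origin):
    """Return sorted (member path, algorithm name) pairs found in an archive's bytes."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            body = zf.read(info)  # decompressed member bytes
            path = f"{origin}!/{info.filename}"
            if info.filename.lower().endswith(ARCHIVES):
                try:
                    hits.update(scan_archive(body, path))  # nested library JAR
                except zipfile.BadZipFile:
                    pass  # not a real archive; skip it
                continue
            for match in ECDSA_NAME.finditer(body):
                hits.add((path, match.group().decode("ascii")))
    return sorted(hits)


def build_sample_jar():
    """Constructed input: fake class files, one of which names an ECDSA algorithm."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("com/example/Verify.class", b"\xca\xfe\xba\xbe\x01\x00\x0fSHA256withECDSA\x01")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("app/Tls.class", b"\xca\xfe\xba\xbe\x01\x00\x0dSHA256withRSA\x01")
        zf.writestr("lib/dep.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name in sys.argv[1:]:
            with open(name, "rb") as fh:
                for path, algo in scan_archive(fh.read(), name):
                    print(f"{path}: {algo}")
    else:
        for path, algo in scan_archive(build_sample_jar(), "sample.jar"):
            print(f"{path}: {algo}")
```

Run it with one or more archive paths as arguments to scan real files; with no arguments it scans the constructed sample.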
Hi,
In addition to Vinoth's reply, I would like to add that our development team is also working on upgrading the On-Premise Poller JRE version to 15.0.6. You can expect this upgrade to be live before the end of next month, i.e., June 2022.
Regards,
Krishna.