Summary

The JRE version (1.7.0_79) bundled with the Machine Agent download for Solaris 32-bit has a security vulnerability. The Oracle advisory covering this vulnerability is the Oracle Critical Patch Update Advisory - January 2016. Oracle recommends updating the JRE to 1.7.0_95.

Oracle has stopped public updates for this version of Java SE (Java 7), and requires customers to download the patched version using a registered Oracle Support account.

AppDynamics cannot redistribute the patch due to Oracle licensing restrictions (see Java 7 SE - End of Public Updates). AppDynamics will no longer ship bundled downloads of the Machine Agent for Solaris 32-bit that include the JRE.

Customers are requested to use the Machine Agent download without the JRE, and to download the patched version of the JRE from the Oracle Support site.

Affected Software 

Product         Component                             Version   Exploitability   Severity
Machine Agent   AppDynamics Standalone Machine Agent  4.1.x     Known            High
                                                      4.2.x

Key/Legend for Ratings and Vulnerabilities

Exploitability Rating

Exploitability   Description
Known            AppDynamics is aware of a known exploit. Customers should treat known exploits with the highest priority.
High             AppDynamics believes there is a high probability that a vulnerability is exploitable by an attacker.
Medium           AppDynamics believes there is a moderate probability that a vulnerability is exploitable by an attacker.
Low              AppDynamics believes there is a low probability that a vulnerability is exploitable by an attacker.

Severity Rating

Severity   Description
High       Exploit allows an attacker to compromise confidentiality, integrity, accountability, or availability of user data, or the integrity or availability of processing resources, without any mitigations such as notifications, audits, and/or authentication.
Medium     Exploit allows an attacker to compromise confidentiality, integrity, accountability, or availability of user data, or the integrity or availability of processing resources, with reasonable mitigations such as notifications and/or authentication mechanisms.
Low        Exploit allows an attacker to compromise confidentiality, integrity, accountability, or availability of user data, or the integrity or availability of processing resources; however, significant mitigations such as notifications and/or authentication mechanisms are in place to reduce the severity of the impact.

Vulnerability Information

See the Oracle Critical Patch Update Advisory - January 2016 for details.

Mitigating Factors and Workarounds

Stop using the bundled ZIP version of the Machine Agent for Solaris 32-bit. Download the latest patched JRE (1.7.0_95) from the Oracle Support site, and use the unbundled ZIP version of the Machine Agent with that JRE. After the change, confirm with `java -version` that the JRE the agent actually starts with reports 1.7.0_95 or later; a stale bundled `jre/` directory left on disk is easy to pick up by mistake.
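The following is an added example, not code from AppDynamics or from the original advisory: a small POSIX shell check that parses the first line of `java -version` output and reports whether a Java 7 JRE is at or above the 1.7.0_95 update level named in the Oracle January 2016 CPU. The path `$MACHINE_AGENT_HOME/jre/bin/java` is an assumption about where a bundled JRE would sit; adjust it to wherever the agent's JRE is found on your host. The sample version strings in the comments are constructed.

```sh
#!/bin/sh
# Added example (not AppDynamics code): verify that the JRE used by the
# Machine Agent is Java 7 update 95 or later, per the Oracle January 2016 CPU.
# Assumes (hypothetically) the bundled JRE lives at $MACHINE_AGENT_HOME/jre.

PATCHED_UPDATE=95

# Pull the quoted version out of a `java -version` first line.
# Constructed input: 'java version "1.7.0_79"'  ->  1.7.0_79
# Works for both "java version" and "openjdk version" prefixes.
jre_version_string() {
    printf '%s\n' "$1" | sed -n 's/^.*version "\([^"]*\)".*$/\1/p' | head -n 1
}

# Update level of a Java 7 version string: 1.7.0_79 -> 79
# Prints nothing for non-Java-7 or unparseable strings (e.g. 1.8.0_72).
jre_update_level() {
    case "$1" in
        1.7.0_*) printf '%s\n' "${1#1.7.0_}" | sed 's/[^0-9].*$//' ;;
        *)       printf '\n' ;;
    esac
}

# Exit 0 if the given Java 7 version string is at or above 1.7.0_95.
# Numeric comparison so 1.7.0_101 is correctly treated as newer than 1.7.0_95.
jre_is_patched() {
    upd=$(jre_update_level "$1")
    [ -n "$upd" ] && [ "$upd" -ge "$PATCHED_UPDATE" ]
}

# Run a java binary, classify it, print a verdict. Exit 0 only when patched.
check_java_binary() {
    out=$("$1" -version 2>&1 | head -n 1)
    ver=$(jre_version_string "$out")
    if jre_is_patched "$ver"; then
        echo "OK: $1 reports $ver (>= 1.7.0_$PATCHED_UPDATE)"
        return 0
    fi
    case "$ver" in
        1.7.0_*) echo "VULNERABLE: $1 reports $ver; update to 1.7.0_$PATCHED_UPDATE or later" ;;
        "")      echo "UNKNOWN: could not parse version from '$out'" ;;
        *)       echo "NOT JAVA 7: $1 reports $ver; this advisory does not cover it" ;;
    esac
    return 1
}

# Usage: only runs when MACHINE_AGENT_HOME is set, so the functions above can
# also be sourced from another script.
if [ -n "${MACHINE_AGENT_HOME:-}" ]; then
    check_java_binary "$MACHINE_AGENT_HOME/jre/bin/java"
fi
```

Run it with `MACHINE_AGENT_HOME=/path/to/machineagent sh check_jre.sh`, and run it a second time against whatever `java` is first on the agent user's `PATH`, since the unbundled agent will not use the `jre/` directory that this check inspects by default.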

Disclaimer

The information provided in this security advisory is provided "as is" without warranty of any kind. AppDynamics disclaims all warranties with respect thereto, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall AppDynamics or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if AppDynamics or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply to you.

Revision History

1.0 - 2/17/2016  Initial Revision