Summary
The JRE version (1.7.0_79) bundled with the Machine Agent download for Solaris 32-bit has a security vulnerability. The Oracle advisory related to this vulnerability can be found in the Oracle Critical Patch Update Advisory - January 2016. Oracle recommends updating the JRE to 1.7.0_95.
Oracle has stopped public updates for this version of JRE/SE, and requires customers to download the patched version from a registered Oracle Support Account.
AppDynamics cannot redistribute the patch due to Oracle licensing restrictions (see Java 7 SE - End of Public Updates). AppDynamics will no longer ship bundled downloads of the Machine Agent for Solaris 32-bit that include the JRE.
Customers are requested to use the Machine Agent download without the JRE, and download the patched version of the JRE from the Oracle Support Site.
Affected Software
| Product | Component | Version | Exploitability | Severity |
|---|
| Machine Agent | AppDynamics Standalone Machine Agent | | Known | High |
Key/Legend for Ratings and Vulnerabilities
Exploitability Rating
| Exploitability | Description |
|---|
| Known | AppDynamics is aware of a known exploit. Customers should treat known exploits with the highest priority. |
| High | AppDynamics believes there is a high probability that a vulnerability is exploitable by an attacker. |
| Medium | AppDynamics believes there is a moderate probability that a vulnerability is exploitable by an attacker. |
| Low | AppDynamics believes there is a low probability that a vulnerability is exploitable by an attacker. |
Severity Rating
| Severity | Description |
|---|
| High | Exploit allows an attacker to compromise confidentiality, integrity, accountability, or availability of user data, or of the integrity or availability of processing resources without any mitigations like notifications, audits, and/or authentication. |
| Medium | Exploit allows an attacker to compromise confidentiality, integrity, accountability, or availability of user data, or of the integrity or availability of processing resources with reasonable mitigations like notifications, and/or authentication mechanisms. |
| Low | Exploit allows an attacker to compromise confidentiality, integrity, accountability, or availability of user data, or of the integrity or availability of processing resources, however, significant mitigations like notifications, and/or authentication mechanisms are in place to reduce severity of the impact. |
See the Oracle Critical Patch Update Advisory - January 2016 for details.
Mitigating Factors and Workarounds
Stop using the bundled ZIP version of the Machine Agent for Solaris 32 bit. Download the latest patched JRE (1.0.7_95) from the Oracle Support site, and use the unbundled ZIP version of the Machine Agent.
Disclaimer
The information provided in this security advisory is provided “as is” without warranty of any kind. AppDynamics disclaims all representations or warranties, either express, implied, statutory, or otherwise with respect thereto, including the warranties of merchantability and fitness for a particular purpose. In no event shall AppDynamics, its affiliates, or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if the other party has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply to you.
Revision History
1.0 - 2/17/2016 Initial Revision