
IME includes old JRE and MySQL versions with known vulnerabilities?

MARTIN GEIL
Level 1

Cisco IME experts,

     I just installed IME, and noticed that it includes an old 2009-vintage MySQL version that has known security vulnerabilities.  It also uses a private JRE version that is fairly old (1.6u7, IIRC).  I would like to use IME, but I have to meet fairly stringent security requirements, and these vulnerable versions of bundled products are going to raise red flags.  Can I delete the private JRE directory and modify the .ini files to point to the 1.6u23 JRE installed on the system?  Can the MySQL version be upgraded to >= v5.1.52, or can you explain why it is not a threat to system security?  Granted, the system running IME is within a protected network, but we are trying to implement defense-in-depth principles, and attacks can sometimes come from insiders with a flash drive or CD.  Thanks for your answers in advance!

Martin

1 Accepted Solution

Accepted Solutions

Ronald Anthony
Level 1

IME 7.1.1 is going to include JRE 1.6u23.  We do not support any modification of IME like replacing the JRE as you have suggested.

We have entered a bug to make sure we are updating the database on a schedule, so updates like these can be made periodically.  The bug is CSCtn26880.  

We think that the current version of MySQL is not a threat to system security for several reasons:

- The server is configured to accept only local connections.

- There is no default admin login.

- The admin password is unique to each installation and is not available to the user.

However, security can be enhanced by installing on a Win 7 box since only admin users will have access to the IME files. This will be available when Windows 7 is supported in IME 7.1(1).

IME 7.1.1 is due out this month--maybe even this week.

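The accepted answer rests on two checks a security reviewer can verify on the host rather than take on trust: that the bundled component versions meet a minimum (the thread's own floors, MySQL 5.1.52 and JRE 1.6u23), and that MySQL really accepts only local connections. The following script is an added example, not Cisco's or IME's code. It works on constructed stand-ins for the three artifacts you would collect from the IME machine (`java -version` output from the private JRE, the MySQL `my.ini`, and `netstat -an` output); the paths and the sample MySQL version are placeholders, since the thread does not name them.

```python
"""Defender-side audit of bundled JRE/MySQL: version floors and local-only binding.

Added example (not IME's own tooling). Inputs are constructed samples standing in
for what you would collect from the IME host.
"""
import re
from typing import Dict, List, Tuple

# Minimum acceptable versions quoted in the thread: MySQL >= 5.1.52, JRE 1.6u23.
MIN_VERSIONS: Dict[str, Tuple[int, ...]] = {"mysql": (5, 1, 52), "jre": (1, 6, 0, 23)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.1.52' or '1.6.0_07' into a tuple of ints so versions compare correctly."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def is_outdated(component: str, version: str) -> bool:
    """True if the found version is below the floor for that component."""
    found, floor = parse_version(version), MIN_VERSIONS[component]
    width = max(len(found), len(floor))
    # Pad with zeros so a short string like '5.1' compares against (5, 1, 52).
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) < pad(floor)


def java_version_from_output(output: str) -> str:
    """Extract the version string from `java -version` output."""
    match = re.search(r'java version "([^"]+)"', output)
    if not match:
        raise ValueError("no 'java version' line found")
    return match.group(1)


def mysql_is_local_only(ini_text: str) -> bool:
    """True if my.ini pins the server to loopback or disables TCP (skip-networking).

    MySQL 5.1 listens on all interfaces when bind-address is absent, so a missing
    key counts as exposed.
    """
    settings: Dict[str, str] = {}
    skip_networking = False
    for raw in ini_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        key = key.strip().replace("_", "-")
        if key == "skip-networking":
            skip_networking = True
        elif value:
            settings[key] = value.strip().strip('"')
    return skip_networking or settings.get("bind-address") in LOOPBACK


def listeners_on_port(netstat_output: str, port: int = 3306) -> List[str]:
    """Return local addresses with a LISTENING TCP socket on `port` (netstat -an format)."""
    pattern = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)
    found = []
    for line in netstat_output.splitlines():
        match = pattern.match(line)
        if match and int(match.group(2)) == port:
            found.append(match.group(1))
    return found


def audit(java_output: str, mysql_version: str, ini_text: str, netstat_output: str) -> List[str]:
    """Collect findings; an empty list means every check passed."""
    findings = []
    jre = java_version_from_output(java_output)
    if is_outdated("jre", jre):
        findings.append(f"JRE {jre} is below floor 1.6u23")
    if is_outdated("mysql", mysql_version):
        findings.append(f"MySQL {mysql_version} is below floor 5.1.52")
    if not mysql_is_local_only(ini_text):
        findings.append("my.ini does not restrict MySQL to loopback")
    exposed = [a for a in listeners_on_port(netstat_output) if a not in LOOPBACK]
    if exposed:
        findings.append(f"MySQL listening on non-loopback address(es): {exposed}")
    return findings


# Constructed samples (placeholders, not values taken from a real IME install).
SAMPLE_JAVA_OUTPUT = 'java version "1.6.0_07"\nJava(TM) SE Runtime Environment (build 1.6.0_07-b06)\n'
SAMPLE_MYSQL_VERSION = "5.1.30"  # constructed stand-in for a 2009-vintage release
SAMPLE_MY_INI = "[mysqld]\nport=3306\nbind-address=127.0.0.1\n"
SAMPLE_NETSTAT = (
    "Active Connections\n\n"
    "  Proto  Local Address          Foreign Address        State\n"
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
    "  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_JAVA_OUTPUT, SAMPLE_MYSQL_VERSION, SAMPLE_MY_INI, SAMPLE_NETSTAT):
        print("FINDING:", finding)
```

On a real host you would feed `audit()` the captured output of `<IME private JRE>\bin\java -version`, the `my.ini` under the IME install directory (both paths are unknown here) and `netstat -an`; the two version findings are what the thread expects before 7.1.1, while the two binding checks confirm the "local connections only" claim independently of the vendor's statement.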

3 Replies

fadlouni
Level 1

Hi Martin.

Usually we don't support modifying the underlying subsystems, as they are not tested together and problems might happen.

If you are already running the latest IME (7.0.3), please open a TAC Service Request (you can do it from this thread). This way we can discuss with development about fixing this in IME, either by upgrading the JRE/MySQL or at least patching them to fix any known vulnerabilities there.

Regards,

Fadi.

Thanks for your response.  I created a TAC Service Request 616824527.

