IME includes old JRE and MySQL versions with known vulnerabilities?

MARTIN GEIL
Level 1

Cisco IME experts,

     I just installed IME, and noticed that it includes an old 2009-vintage MySQL version that has known security vulnerabilities.  It also uses a private JRE version that is fairly old (1.6u7, IIRC).  I would like to use IME, but I have to meet fairly stringent security requirements, and these vulnerable versions of bundled products are going to raise red flags.  Can I delete the private JRE directory and modify the .ini files to point to the 1.6u23 JRE installed on the system?  Can the MySQL version be upgraded to >= v5.1.52, or can you explain why it is not a threat to system security?  Granted, the system running IME is within a protected network, but we are trying to implement defense-in-depth principles, and attacks can sometimes come from insiders with a flash drive or CD.  Thanks for your answers in advance!

Martin

Accepted Solution

Ronald Anthony
Level 1

IME 7.1.1 is going to include JRE 1.6u23.  We do not support any modification of IME like replacing the JRE as you have suggested.

We have entered a bug to make sure we are updating the database on a schedule, so updates like these can be made periodically.  The bug is CSCtn26880.  

We think that the current version of MySQL is not a threat to system security for several reasons:

- The server is configured to accept only local connections.

- There is no default admin login.

- The admin password is unique to each installation and is not available to the user.

However, security can be enhanced by installing on a Win 7 box since only admin users will have access to the IME files. This will be available when Windows 7 is supported in IME 7.1(1).

IME 7.1.1 is due out this month--maybe even this week.
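The reply above rests on three checkable claims: the bundled MySQL only accepts local connections, and the component versions lag behind what the thread names as current (MySQL 5.1.52, JRE 1.6u23). The following script is an added example for auditing an install against exactly those points; it is not Cisco's code, the `my.ini` fragment is constructed, and the version thresholds are simply the ones quoted in this thread.

```python
import re
from configparser import ConfigParser

# Minimum versions taken from the thread; adjust to your own baseline.
MIN_MYSQL = (5, 1, 52)
MIN_JRE = (1, 6, 0, 23)

# Constructed my.ini fragment for illustration, not copied from an IME install.
SAMPLE_MY_INI = """[mysqld]
port=3306
bind-address=127.0.0.1
datadir=C:/ime/data
"""

def parse_mysql_version(text):
    """'5.1.37-community' -> (5, 1, 37); only the leading numeric part counts."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised MySQL version: %r" % text)
    return tuple(int(x) for x in m.groups())

def parse_jre_version(text):
    """Accept '1.6.0_23' (java -version style) or the shorthand '1.6u23' -> (1, 6, 0, 23)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[_u](\d+))?$", text)
    if not m:
        raise ValueError("unrecognised JRE version: %r" % text)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0), int(update or 0))

def mysql_local_only(ini_text):
    """True if [mysqld] disables TCP entirely or binds only to a loopback address."""
    cfg = ConfigParser(allow_no_value=True, strict=False)
    cfg.read_string(ini_text)
    if not cfg.has_section("mysqld"):
        return False
    sect = cfg["mysqld"]
    if "skip-networking" in sect:  # no TCP listener at all
        return True
    return sect.get("bind-address", "").strip().lower() in ("127.0.0.1", "::1", "localhost")

def audit(mysql_version, jre_version, ini_text):
    """Return a list of findings; an empty list means the install passes this baseline."""
    findings = []
    if parse_mysql_version(mysql_version) < MIN_MYSQL:
        findings.append("bundled MySQL %s is below %s" % (mysql_version, ".".join(map(str, MIN_MYSQL))))
    if parse_jre_version(jre_version) < MIN_JRE:
        findings.append("bundled JRE %s is below 1.6u23" % jre_version)
    if not mysql_local_only(ini_text):
        findings.append("MySQL is not restricted to loopback connections")
    return findings

if __name__ == "__main__":
    for f in audit("5.1.37", "1.6u7", SAMPLE_MY_INI):
        print("FINDING:", f)
```

Feed it the version strings from the bundled binaries and the contents of the install's own `my.ini`; a non-empty result is what to raise with TAC or track in the bug mentioned above.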


3 Replies

fadlouni
Level 1

Hi Martin.

Usually we don't support modifying the underlying subsystems, as they are not tested together and problems might happen.

If you are already running on the latest IME (7.0.3), please open a TAC Service request (you can do it from this thread). This way we can discuss with development about fixing this in IME to either upgrade the JRE/MySQL or at least patch them to fix any known vulnerabilities there.

Regards,

Fadi.

Thanks for your response.  I created a TAC Service Request 616824527.

