IME includes old JRE and MySQL versions with known vulnerabilities?

Answered Question
Feb 8th, 2011

Cisco IME experts,

I just installed IME, and noticed that it includes an old 2009-vintage MySQL version that has known security vulnerabilities. It also uses a private JRE version that is fairly old (1.6u7, IIRC). I would like to use IME, but I have to meet fairly stringent security requirements, and these vulnerable versions of bundled products are going to raise red flags. Can I delete the private JRE directory and modify the .ini files to point to the 1.6u23 JRE installed on the system? Can the MySQL version be upgraded to >= v5.1.52, or can you explain why it is not a threat to system security? Granted, the system running IME is within a protected network, but we are trying to implement defense-in-depth principles, and attacks can sometimes come from insiders with a flash drive or CD. Thanks for your answers in advance!

Martin

fadlouni Fri, 02/11/2011 - 06:57

Hi Martin.

Usually we don't support modifying the underlying subsystems, as they are not tested together and problems might happen.

If you are already running on the latest IME (7.0.3), please open a TAC Service request (you can do it from this thread). This way we can discuss with development about fixing this in IME to either upgrade the JRE/MySQL or at least patch them to fix any known vulnerabilities there.

Regards,

Fadi.

mgeil Fri, 02/11/2011 - 12:53

Thanks for your response.  I created a TAC Service Request 616824527.

Correct Answer
Ronald Anthony Tue, 02/15/2011 - 11:31

IME 7.1.1 is going to include JRE 1.6u23. We do not support any modification of IME like replacing the JRE as you have suggested.

We have entered a bug to make sure we are updating the database on a schedule, so updates like these can be made periodically. The bug is CSCtn26880.

We think that the current version of MySQL is not a threat to system security for several reasons:

- The server is configured to accept only local connections.

- There is no default admin login.

- The admin password is unique to each installation and is not available to the user.

However, security can be enhanced by installing on a Win 7 box since only admin users will have access to the IME files. This will be available when Windows 7 is supported in IME 7.1(1).

IME 7.1.1 is due out this month--maybe even this week.
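The answer above rests on two things a hardening review can actually verify on the box: that the bundled MySQL only accepts local connections, and that the bundled JRE and MySQL meet a version floor (the third claim, a per-installation admin password with no default login, is not checkable from configuration files and is left out). The following script is an added example, not Cisco's or IME's code. It reads a `my.ini`, a `netstat -ano` listing and the two version banners; all of that input is constructed here, the thread does not name the bundled MySQL version, and the 1.6u23 and 5.1.52 floors are the numbers from this thread used as an assumed policy.

```python
"""Verify the local-only listener and version-floor claims for a bundled
MySQL/JRE install (added example; inputs below are constructed)."""
import re

# Version floors taken from this thread and treated as an assumed policy.
MIN_JRE = (1, 6, 0, 23)     # JRE 1.6u23
MIN_MYSQL = (5, 1, 52)      # MySQL 5.1.52
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_java_version(text):
    """Accept '1.6u7', '1.6.0_07' or a full 'java version "1.6.0_23"' banner."""
    m = re.search(r'(\d+)\.(\d+)(?:\.(\d+))?(?:[_u](\d+))?', text)
    if not m:
        raise ValueError("no Java version found in %r" % text)
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def parse_mysql_version(text):
    """Accept '5.1.52' or a 'mysqld  Ver 5.1.41-community ...' banner."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        raise ValueError("no MySQL version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def mysql_listens_locally(my_ini):
    """True only if [mysqld] sets skip-networking or binds to a loopback
    address. A missing bind-address means the server listens on all interfaces."""
    section, bind, skip_networking = None, None, False
    for raw in my_ini.splitlines():
        line = raw.split('#', 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        if line.startswith('['):
            section = line.strip('[]').lower()
            continue
        if section != 'mysqld':
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        key = key.lower().replace('_', '-')     # my.ini accepts both spellings
        if key == 'skip-networking':
            skip_networking = True
        elif key == 'bind-address':
            bind = value.strip('"\'')
    return skip_networking or bind in LOOPBACK


def mysql_listeners(netstat_output, port=3306):
    """Local addresses on which `port` is in LISTENING state (netstat -ano format)."""
    addrs = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != 'TCP' or parts[3] != 'LISTENING':
            continue
        host, _, p = parts[1].rpartition(':')   # handles [::]:3306 as well
        if p == str(port):
            addrs.append(host.strip('[]'))
    return addrs


def assess(java_banner, mysql_banner, my_ini, netstat_output):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    jv = parse_java_version(java_banner)
    if jv < MIN_JRE:
        findings.append("JRE %d.%d.%d_%02d below minimum %d.%d.%d_%02d" % (jv + MIN_JRE))
    mv = parse_mysql_version(mysql_banner)
    if mv < MIN_MYSQL:
        findings.append("MySQL %s below minimum %s" % (".".join(map(str, mv)),
                                                       ".".join(map(str, MIN_MYSQL))))
    if not mysql_listens_locally(my_ini):
        findings.append("my.ini does not restrict MySQL to local connections")
    exposed = [a for a in mysql_listeners(netstat_output) if a not in LOOPBACK]
    if exposed:
        findings.append("MySQL listening on non-loopback address(es): " + ", ".join(exposed))
    return findings


# Constructed sample input: an old JRE and MySQL, but a correctly local-only listener.
SAMPLE_JAVA = 'java version "1.6.0_07"'
SAMPLE_MYSQL = 'mysqld  Ver 5.1.41-community for Win32 on ia32'
SAMPLE_MY_INI = "[client]\nport=3306\n\n[mysqld]\nport=3306\nbind-address=127.0.0.1\n"
SAMPLE_NETSTAT = (
    "  Proto  Local Address          Foreign Address        State           PID\n"
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812\n"
    "  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       2204\n"
    "  TCP    [::]:135               [::]:0                 LISTENING       812\n"
)

if __name__ == "__main__":
    for finding in assess(SAMPLE_JAVA, SAMPLE_MYSQL, SAMPLE_MY_INI, SAMPLE_NETSTAT):
        print("FINDING:", finding)
```

On the sample input the script reports the two version findings and nothing about the listener, which is the situation the thread describes: the network exposure claim holds, so the remaining risk is confined to local users, which is also why the answer points at a Windows 7 install where only administrators can reach the IME files. The `my.ini` check and the `netstat` check are deliberately separate, since a configuration file can say one thing while the running process, started with different options, does another.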

Posted February 8, 2011 at 11:50 PM