Nessus scan against NAM 4.2.4 reports "96629 - Oracle Java SE Multiple Vulnerabilities (January 2017 CPU) (Unix) (SWEET32)"

  • 7020150
  • 01-Jun-2017
  • 01-Jun-2017

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager Admin Console
NetIQ Access Manager Appliance
NetIQ Access Manager Identity Server
NetIQ Access Manager Access Gateway

Situation

A Nessus scan run against NAM 4.2.4 reports that a vulnerable Java version has been detected. The output shows that it is installed as part of eDirectory.

The Nessus plug-in detecting it is 99589, and it reports "Oracle Java SE Multiple Vulnerabilities (April 2017 CPU) (Unix)" with the following details:

Synopsis

The remote Unix host contains a programming platform that is affected by multiple vulnerabilities.

Description

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 121, 7 Update 131, or 6 Update 141. It is, therefore, affected by multiple vulnerabilities:

- A vulnerability exists in the Libraries subcomponent, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default.
A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session. (CVE-2016-2183)

- An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-5546)

[...] (the full list includes all CVEs fixed in JDK 8 build 121.)

Solution

Upgrade to Oracle JDK / JRE 8 Update 121 / 7 Update 131 / 6 Update 141 or later. If necessary, remove any affected versions.

Note that an Extended Support contract with Oracle is needed to obtain JDK / JRE 6 Update 95 or later.

Risk Factor

High

CVSS v3.0 Base Score

9.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVSS Base Score

9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

6.9 (CVSS2#E:U/RL:OF/RC:C)

Resolution

NAM ships with an embedded JDK that is already at a version containing all of these fixes, as shown below:

nam42sba:~ # rpm -qa|grep jdk
novell-jdk-1.8.0_131-1

This Nessus warning can be ignored.
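To make this verification repeatable on other NAM hosts, the following shell script (an added example, not part of the original article) parses the novell-jdk RPM name as printed by "rpm -qa" and compares its update number against the fixed levels the Nessus plug-in lists (8u121, 7u131, 6u141). The RPM naming scheme "novell-jdk-1.<major>.0_<update>-<release>" is assumed from the output shown above.

```shell
#!/bin/sh
# Added example: check whether an installed novell-jdk RPM is at or above the
# update level that the Nessus plug-in considers fixed. The parsing runs on the
# RPM name string only, so the functions can be exercised offline.

# Print the minimum fixed update number for a Java major version (from the
# Nessus description), or nothing if the major version is not covered.
fixed_update_for() {
  case "$1" in
    8) echo 121 ;;
    7) echo 131 ;;
    6) echo 141 ;;
    *) echo "" ;;
  esac
}

# jdk_is_fixed NAME -> exit status 0 if NAME (e.g. novell-jdk-1.8.0_131-1)
# is at a fixed update level, 1 if it is older, unparseable or unknown.
jdk_is_fixed() {
  name=$1
  # Extract <major> and <update> from the "1.<major>.0_<update>-" segment.
  major=$(printf '%s\n' "$name" | sed -n 's/.*-1\.\([0-9]*\)\.0_\([0-9]*\)-.*/\1/p')
  update=$(printf '%s\n' "$name" | sed -n 's/.*-1\.\([0-9]*\)\.0_\([0-9]*\)-.*/\2/p')
  [ -n "$major" ] && [ -n "$update" ] || return 1   # not a recognisable JDK RPM name
  min=$(fixed_update_for "$major")
  [ -n "$min" ] || return 1                          # major version not in the table
  [ "$update" -ge "$min" ]
}

# Convenience wrapper for a live host: one verdict line per installed jdk RPM.
check_installed_jdks() {
  rpm -qa 2>/dev/null | grep jdk | while read -r pkg; do
    if jdk_is_fixed "$pkg"; then echo "OK   $pkg"; else echo "FAIL $pkg"; fi
  done
}
```

Running check_installed_jdks on the host above prints "OK   novell-jdk-1.8.0_131-1"; a FAIL line would mean the embedded JDK is genuinely below the fixed level and the finding should not be dismissed.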