Details
In response to the following Apache Tomcat security vulnerability:
CVE-2017-12617 (Apache Tomcat Remote Code Execution via JSP Upload)
As well as the following JRE security vulnerabilities:
CVE-2017-10346
CVE-2017-10285
CVE-2017-10388
CVE-2017-10309
VMware Identity Manager versions that ship with a version of Apache Tomcat that is affected by CVE-2017-12617:
- VMware Identity Manager version 3.0 (Linux)
- VMware Identity Manager version 9.2 (Windows)
- VMware Identity Manager Connector 2017.8.1.0 (Linux)
- VMware Identity Manager Connector component of VMware Enterprise Systems Connector 9.2 (Windows)
- VMware Identity Manager version 2.9, 2.9.1.0, or 2.9.2.0 (Linux)
- VMware Identity Manager version 9.1.x (Windows)
- VMware Identity Manager Connector 2017.4.1, 2017.5.1.0, 2017.7.1.0 (Linux)
- VMware Identity Manager Connector component of VMware Enterprise Systems Connector 9.1.x (Windows)
- VMware Identity Manager version 3.0 (Linux)
- VMware Identity Manager version 9.2 (Windows)
- VMware Identity Manager Connector 2017.8.1.0 (Linux)
- VMware Identity Manager Connector component of VMware Enterprise Systems Connector 9.2 (Windows)
- VMware Identity Manager version 2.9 to 2.9.2.1 (Linux)
- VMware Identity Manager version 9.1.x (Windows)
- VMware Identity Manager Connector 2017.4.1 to 2017.7.1.1 (Linux)
- VMware Identity Manager Connector component of VMware Enterprise Systems Connector 9.1.x (Windows)
Solution
This VMware KB article provides instructions on how to update the Apache Tomcat version and JRE versions in VMware Identity Manager to a version that is not affected by these CVEs. Further investigation has shown that these CVEs do not affect vIDM.