KB Article #182415

Secure Relay Router Agent 2.7.4 Java (jre8_u275) could be reported by security scanning tools

Problem

Secure Relay Router Agent 2.7.4 comes with Java version jre8_u275, which could be reported by some security scanning tools as vulnerable to the following:
- https://nvd.nist.gov/vuln/detail/CVE-2021-35550 - vulnerability in Oracle GraalVM Enterprise Edition. Secure Relay Router Agent is not vulnerable to this because: "This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security." Secure Relay Router Agent does not run any code other than its own.
- https://nvd.nist.gov/vuln/detail/CVE-2021-3517 - vulnerability in the libxml2 library. Secure Relay Router Agent is not vulnerable to this because it does not use libxml2; the library is only shipped as part of the delivered Java.

Resolution

Secure Relay R&D has determined that the only way to prevent security scanning tools from reporting the Secure Relay Router Agent 2.7.4 Java (jre8_u275) as vulnerable would be to deliver a new Java version. This is possible only in a major release (i.e. SRRA 2.40, with an ETA sometime next year).


Until then, there is a workaround that can be used: manually replace the existing Java version in Secure Relay Router Agent 2.7.4 with a newer Java that will not be flagged as vulnerable to the above (e.g. jre8_u332_64, delivered with TSIM SP26).
Below are the steps that can be taken to achieve this:

1) Verify in <SRRA_install_dir>/bin/profile.sh the current values of the p_secure_relay_home and p_secure_relay_java_home variables, e.g.
p_secure_relay_home=/home/editst/Axway/2.7.4/SecureRelayRA
p_secure_relay_java_home=/home/editst/Axway/2.7.4/Java/linux-x86/jre8_u275/

2) Stop Secure Relay Router Agent. Then, under the Java directory that contains the location specified by the p_secure_relay_java_home variable (e.g. /home/editst/Axway/2.7.4/Java/linux-x86/), archive the existing Java (jre8_u275) and add the new desired version (e.g. jre8_u332_64).

!!! Note that usually the MA and RA run on the same Java version.
!!! The SR RA was not tested with any other Java 8 version.


3) Update the paths from point 1 to reference the new Java, e.g.
p_secure_relay_home=/home/editst/Axway/2.7.4/SecureRelayRA
p_secure_relay_java_home=/home/editst/Axway/2.7.4/Java/linux-x86/jre8_u332_64

4) Start Secure Relay Router Agent and verify everything is working as expected.
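Steps 2 and 3 above as a repeatable shell script, added here as an example and not part of Axway's own tooling. It assumes the agent is already stopped, that profile.sh holds a single p_secure_relay_java_home= line, and that the new JRE is already unpacked next to the old one; the function names srra_swap_java and srra_java_home are this example's own.

```shell
#!/bin/sh
# Added example (not Axway's own tooling): point a Secure Relay Router Agent
# profile.sh at a new JRE and archive the old one, as in steps 2 and 3.
# Assumptions (not from the KB): the agent is stopped, profile.sh has one
# p_secure_relay_java_home= line, and the new JRE is unpacked already.

# srra_java_home PROFILE: print the JRE path currently set in PROFILE
# (useful for the step 1 check and the step 4 verification).
srra_java_home() { sed -n 's/^p_secure_relay_java_home=//p' "$1"; }

# srra_swap_java PROFILE NEW_JRE_DIR
# Sets p_secure_relay_java_home to NEW_JRE_DIR, moves the old JRE directory
# to <old>.archived-<date> so the change can be reverted, and prints the new
# value. Returns non-zero if NEW_JRE_DIR has no java binary or the variable
# is missing, leaving PROFILE untouched in both cases.
srra_swap_java() {
    profile=$1
    new_jre=${2%/}                         # drop a trailing slash
    [ -x "$new_jre/bin/java" ] || { echo "no java in $new_jre" >&2; return 1; }
    old_jre=$(srra_java_home "$profile"); old_jre=${old_jre%/}
    [ -n "$old_jre" ] || { echo "p_secure_relay_java_home not set" >&2; return 1; }
    cp "$profile" "$profile.bak"           # keep the step 1 values for rollback
    # Rewrite only that variable's line; '|' is the sed delimiter, so paths
    # containing '|' are not supported by this example.
    tmp=$(mktemp) || return 1
    sed "s|^p_secure_relay_java_home=.*|p_secure_relay_java_home=$new_jre|" "$profile" > "$tmp" \
        && cat "$tmp" > "$profile"
    rm -f "$tmp"
    # Archive rather than delete the old JRE (step 2).
    if [ -d "$old_jre" ] && [ "$old_jre" != "$new_jre" ]; then
        mv "$old_jre" "$old_jre.archived-$(date +%Y%m%d)"
    fi
    srra_java_home "$profile"
}

# Usage: sh swap_java.sh <SRRA_install_dir>/bin/profile.sh /path/to/jre8_u332_64
if [ $# -eq 2 ]; then srra_swap_java "$1" "$2"; fi
```

After running it, start the agent (step 4) and compare srra_java_home output with the directory you unpacked.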