General Network Management

 View Only
  • 1.  Oracle Critical Patch Update Advisory Jan 2022

    Posted 01-20-2022 04:17
    Oracle released their CPU Advisories for Jan 2022
    https://www.oracle.com/security-alerts/cpujan2022.html

    Besides others there are several CVEs for Java and Mysql listed.

    I would like to know if and how XMC is affected


  • 2.  RE: Oracle Critical Patch Update Advisory Jan 2022

    Posted 01-20-2022 08:38
    Hello, any Vulnerability Notices put out by Extreme can be found here. You can subscribe to that community to get an email every time there is a new VN identified.


  • 3.  RE: Oracle Critical Patch Update Advisory Jan 2022

    Posted 01-20-2022 09:26
    I thank you for the link, but checking the xmc versions of java and mysql looks like they are affected.


    Shurly a non announcement is no "not affected statement".

    The XMC installed java version is: openjdk version "1.8.0_222"

    Openjdk says:

    OpenJDK Vulnerability Advisory: 2022/01/18

    The following vulnerabilities in OpenJDK source code were fixed in this release. The affected versions are 17.0.1, 15.0.5, 13.0.9, 11.0.13, 8u312, 7u321, and earlier. Please note that defense-in-depth issues are not assigned CVEs. We recommend that you upgrade as soon as possible.


    The xmc installed mysql version is: Ver 14.14 Distrib 5.7.27, for linux-glibc2.12 (x86_64) using EditLine wrapper

    Oracle lists for example CVE-2021-22946 with a score of 7.5 witch is remote exploitable with mysql 5.7.36 and prior.




  • 4.  RE: Oracle Critical Patch Update Advisory Jan 2022

    Posted 01-20-2022 12:15
    I appreciate you elaborating for me. I spoke with our security team about this and they requested that we open a  support case so our support team can initiate a PSIRT/CVE review for this specifically. You can open a case on our Extreme Portal, under Support.


  • 5.  RE: Oracle Critical Patch Update Advisory Jan 2022

    Posted 01-21-2022 01:18
    I already opend a case: 02508098

    But thought maybe the topic was already discussed here.