-
Title
Java Vulnerability in Foglight and/or vFoglight? -
Description
Our security dept. sent us a notice for a Java zero day vulnerability. Our Foglight server has been flagged in the past because it uses Java.Can you tell me if there is anything we can do to remedy this vulnerability within vFoglight?The link is: http://www.kb.cert.org/vuls/id/625617 -
Resolution
Security: Understanding the Foglight Platform’s relationship to Java
Foglight and vFoglight do not run Java code in the browser, and therefore are not vulnerable to Java applet security issues. The recently reported Vulnerability Note VU#625617 is one example of such an issue.
The Foglight platform uses the Java Runtime Engine (JRE) internally to run the Management Server and the Agent Manager(s). These are self-contained software systems that are fully isolated from the Foglight platform's content delivery system (the Web-based user interface) and as such they are not vulnerable to browser-based attacks. In particular, the Management Server and Agent Managers are not vulnerable to browser-based attacks that rely on the Java plug-in. Even when a Java plug-in is enabled in the browser, it cannot communicate with or influence the JRE instances that run Foglight in a separate process.
The Foglight platform’s Web-based user interface is a pure HTML interface which does not use Java. As such the Web-based user interface cannot be manipulated by Java plug-in–based attacks, and it remains fully operational when the Java plug-in is fully disabled. Customers using the Foglight platform’s Web-based user interface in their browsers may fully disable the Java plug-in without impacting their access to the Foglight platform.
-
Defect ID
FDOC-4909