EcoStruxure IT forum
A support forum for Data Center Operation, Data Center Expert, and EcoStruxure IT product users to share knowledge on installation, configuration, and general product use.
Posted: 2020-07-04 10:54 PM
This question was originally posted on DCIM Support by Garry Priestland on 2018-09-06
One of our customers has run a security scan over DCO v7.4.5 and it has highlighted this vulnerability.
https://www.tenable.com/plugins/nessus/109321
https://access.redhat.com/security/cve/cve-2017-12149
I can't find any reference to this in any version of DCO.
My initial advice would be to upgrade, assuming they are entitled to it, but I can't tell if the latest version of DCO will also have the same vulnerability. Can you please advise if DCO 8.5.0 has this issue or not?
Regards
(CID:134028281)
Posted: 2020-07-04 10:54 PM
This comment was originally posted on DCIM Support by Greg Sterling on 2018-09-06
Hello Garry. I'm hoping a representative from engineering will confirm my below statement.
DCO 7.4.5 is a very old revision of DCO. The DCO 7.x versions ran on a Debian Linux platform and used an older JBoss platform which may have shown the vulnerability based on its description.
The current released version of DCO is version 8.2.7. This version is based on CentOS 7, and uses the WildFly version of JBoss, which is a much newer platform than the JBoss 5.x mentioned in the CVE. Based on what I read in the CVE description, I do not believe it's applicable to the WildFly releases we include with current DCO releases.
Regards
Greg Sterling
(CID:134028300)