DFS ESA for Java Vulnerabilities
February 6, 2015
EMC published ESA-2015-017: EMC Documentum Foundation Services (DFS) Security Update for Oracle Java Runtime Environment (JRE), recommending an upgrade to Java JRE 7u72 on the DFS server and client machines. The vulnerabilities addressed by this update are described in the Oracle CPU for October 2014.
I find this ESA puzzling. First, the ESA suggests upgrading DFS to v7.2. I can’t find DFS v7.2, can you? (DFS v7.1 patch 13 was issued in Jan 2015.) It is unclear whether DFS must be upgraded to the (mythical) v7.2 to work with Java JRE 7u72 or whether simply upgrading the JRE is sufficient to address the vulnerabilities. Second, Java 7u75 is the latest Java version; why doesn’t the ESA recommend updating to Java 7u75?
Can anyone shed some light on this?
Note that the end of public updates for Java 7 is scheduled for April 2015. At that point, I suspect EMC will provide ESAs or ETAs recommending an upgrade to Java 8 and will issue the requisite patches for their products.
UPDATE: ESA-2015-016: EMC Documentum Content Server Security Update for Oracle Java Runtime Environment (JRE) covers essentially the same vulnerabilities for the Content Server platform.