1. Satya Yendamuri
  2. PowerBuilder
  3. Tuesday, 22 March 2022 15:57 PM UTC

Hi team,

 

Our Threat and Vulnerability Management Unit (TMVU) scans our devices and monitors for any potential threats on a regular basis. Recently the TMVU has identified potential security vulnerabilities with the installations of the PowerBuilder IDE (for developers) and InfoMaker. The vulnerability is finding a JAVA executable that is part of the software product that was installed on our devices.

The TMVU is showing that we have the following vulnerability listed under CVE-2011-3544:

Path              : C:\Program Files (x86)\Appeon\shared\PowerBuilder\jdk1.6.0_24\jre\bin\java.exe

Installed version : 1.6.0_24

 

Is this a vulnerability? Can we simply delete these files? Or do we need to upgrade our PowerBuilder and InfoMaker to mitigate this?

 

Our current environment:

PowerBuilder Version: 2017R3 Build 1880

OS: Windows 10 Enterprise

Roland Smith Accepted Answer
  1. Tuesday, 22 March 2022 16:56 PM UTC
  2. PowerBuilder
  3. # 1

The only features of PB/IM that use Java are the JDBC database connection and saving to PDF using the XSL-FO method. It was used for EJB clients but I am pretty sure that feature is no longer supported.

Comment
  1. Roland Smith
  2. Thursday, 24 March 2022 19:22 PM UTC
I second what Armeen said.

SaveAs to PDF usually means Ghostscript which does not use Java. As long as you are not using JDBC for your database connection or SaveAs with XSL-FO option, you are not using Java.
  1. Helpful 1
  1. Julie Jiang @Appeon
  2. Monday, 28 March 2022 01:19 AM UTC
Hi Satya,

If you use PowerBuilder 2019 R3 or 2021, as a temporary workaround, please delete the Java.exe file to avoid the vulnerability issue. Our team has confirmed that the SaveAs XSLFOP can still work even after the file is removed (as long as the JAVAHome environment variable and path have been configured correctly). You may verify whether it is true.

PowerBuilder 2022 will discontinue the Java feature (https://www.appeon.com/developers/obsolete-and-discontinued-features-in-powerbuilder-2022.html). So later when PowerBuilder 2022 comes out, the vulnerability issue will be completely gone.

Best regards, Julie
  1. Helpful 2
  1. Satya Yendamuri
  2. Thursday, 31 March 2022 17:03 PM UTC
Hi

What level can we remove this? Our scans identified the following path:

C:\Program Files (x86)\Appeon\shared\PowerBuilder\jdk1.6.0_24\jre\bin\java.exe

Is it fine just removing java.exe? Will that suffice or do we need to remove the entire jdk1.6.0_24 folder?



Thank you
  1. Helpful
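
A read-only PowerShell inventory for the verification step discussed in this thread, added as an example that is not part of the original posts and is not Appeon's code: it lists every java.exe under the folder from the scan finding with its file version, then shows where JAVA_HOME and PATH resolve. It assumes the "JAVAHome" variable mentioned in the reply is the standard JAVA_HOME; `$root` and the helper `Test-UnderRoot` are names chosen for this example.

```powershell
# Added example: read-only inventory, nothing is deleted or changed.
# $root is the folder from the scan finding in this thread; adjust per install.
$root = 'C:\Program Files (x86)\Appeon\shared\PowerBuilder'

# 1. Every java.exe bundled under the PowerBuilder shared folder, with the
#    version stored in the file's own metadata.
$bundled = @()
if (Test-Path -LiteralPath $root) {
    $bundled = @(Get-ChildItem -LiteralPath $root -Filter 'java.exe' -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object FullName, @{n='FileVersion'; e={ $_.VersionInfo.FileVersion }}, LastWriteTime)
}

# 2. JAVA_HOME (assumed to be the "JAVAHome" variable the reply refers to):
#    machine scope first, then user scope.
$javaHome = [Environment]::GetEnvironmentVariable('JAVA_HOME', 'Machine')
if (-not $javaHome) { $javaHome = [Environment]::GetEnvironmentVariable('JAVA_HOME', 'User') }
$homeExe = if ($javaHome) { Join-Path $javaHome 'bin\java.exe' } else { $null }

# 3. The java.exe that PATH resolves first, if any.
$onPath = Get-Command java.exe -CommandType Application -ErrorAction SilentlyContinue |
    Select-Object -First 1

# True when a path lies inside the bundled PowerBuilder folder.
function Test-UnderRoot([string]$Path) {
    [bool]$Path -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
}

# Report: the bundled copies, then how the configured Java relates to them.
$bundled | Format-Table -AutoSize
[pscustomobject]@{
    BundledCopies        = $bundled.Count
    JavaHome             = $javaHome
    JavaHomeExeExists    = [bool]($homeExe -and (Test-Path -LiteralPath $homeExe))
    JavaHomeIsBundledJdk = Test-UnderRoot $homeExe
    PathJavaExe          = $onPath.Path
    PathJavaIsBundledJdk = Test-UnderRoot $onPath.Path
} | Format-List
```

A value of True for `JavaHomeIsBundledJdk` or `PathJavaIsBundledJdk` means the configured Java is the same bundled copy the scanner flagged. Running the script again after any change gives a before-and-after record for the vulnerability team.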