Hi team,
Our Threat and Vulnerability Management Unit (TMVU) scans our devices and monitors for any potential threats on a regular basis. Recently the TMVU has identified potential security vulnerabilities with the installations of the PowerBuilder IDE (for developers) and InfoMaker. The vulnerability is finding a JAVA executable that is part of the software product that was installed on our devices.
The TMVU is showing that we have the following vulnerability listed under CVE-2011-3544:
Path : C:\Program Files (x86)\Appeon\shared\PowerBuilder\jdk1.6.0_24\jre\bin\java.exe
Installed version : 1.6.0_24
Is this a vulnerability? Can we simply delete these files? Or do we need to upgrade our PowerBuilder and InfoMaker to mitigate this?
Our current environment:
PowerBuilder Version: 2017R3 Build 1880
OS: Windows 10 Enterprise
SaveAs to PDF usually means Ghostscript which does not use Java. As long as you are not using JDBC for your database connection or SaveAs with XSL-FO option, you are not using Java.
If you use PowerBuilder 2019 R3 or 2021, as a temporary workaround, please delete the Java.exe file to avoid the vulnerability issue. Our team has confirmed that the SaveAs XSLFOP can still work even after the file is removed (as long as the JAVAHome environment variable and path have been configured correctly). You may verify whether it is true.
PowerBuilder 2022 will discontinue the Java feature (https://www.appeon.com/developers/obsolete-and-discontinued-features-in-powerbuilder-2022.html). So later when PowerBuilder 2022 comes out, the vulnerability issue will be completely gone.
Best regards, Julie
What level can we remove this? Our scans identified the following path:
C:\Program Files (x86)\Appeon\shared\PowerBuilder\jdk1.6.0_24\jre\bin\java.exe
Is it fine just removing java.exe? Will that suffice or do we need to remove the entire jdk1.6.0_24 folder?
Thank you