Running A CVE Scanner And It Keeps Flagging The Coherence Plugin File Even Though CPU Patch Applied.
(Doc ID 2762642.1)
Last updated on MARCH 29, 2021
Applies to:
Oracle Coherence - Version 22.214.171.124.0 and later
Oracle WebLogic Server - Version 126.96.36.199.0 and later
Information in this document applies to any platform.
A customer has reported that, even after applying the Coherence CPU patch, a CVE scanner keeps flagging a file although CPU <Patch 32124527> has been applied. In short, the user is looking for verification that, in some cases, Oracle does not update the MANIFEST.MF files of a few of the binaries (.jar) in its patches. As background, the user is running a CVE checking tool to pass a security audit. He has applied all the applicable FMW 12c patches he can, yet certain jar files are still flagged because the tool looks only at jar file names and the version listed in MANIFEST.MF. If Oracle Coherence Support can confirm the suspicion that the Oracle Coherence product is not updating the version in the MANIFEST.MF file, that would allow the customer to get an exception in which he can prove he applied a given patch.
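The following is an added example, not part of the Oracle note and not Oracle code. It shows one way to produce audit evidence for the situation described above: it reads the version a name-and-manifest scanner sees and compares per-entry SHA-256 digests between a pre-patch copy of a jar and the patched jar. The jar contents, class name and version string are constructed placeholders, and it assumes a pre-patch copy of the jar is available (for example from a backup).

```python
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def manifest_version(jar_bytes):
    """Return Implementation-Version from the manifest (what a manifest-based scanner reads)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read(MANIFEST).decode("utf-8")
    # Manifest continuation lines begin with one space; unfold them first.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "implementation-version":
            return value.strip()
    return None

def entry_digests(jar_bytes):
    """Map every file entry in the jar to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: hashlib.sha256(jar.read(i)).hexdigest()
                for i in jar.infolist() if not i.is_dir()}

def patch_evidence(before, after):
    """Summarise what differs between the pre-patch and post-patch jar."""
    b, a = entry_digests(before), entry_digests(after)
    changed = sorted(n for n in a if n != MANIFEST and b.get(n) != a[n])
    return {"version_before": manifest_version(before),
            "version_after": manifest_version(after),
            "manifest_unchanged": b.get(MANIFEST) == a.get(MANIFEST),
            "changed_entries": changed}

def build_jar(version, entries):
    """Build a small in-memory jar (constructed sample data, not a real Oracle jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, "Manifest-Version: 1.0\r\n"
                               f"Implementation-Version: {version}\r\n\r\n")
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample: same manifest version, different class bytes.
BEFORE = build_jar("0.0.0-SAMPLE", {"com/example/Codec.class": b"old bytecode"})
AFTER = build_jar("0.0.0-SAMPLE", {"com/example/Codec.class": b"patched bytecode"})

if __name__ == "__main__":
    print(patch_evidence(BEFORE, AFTER))
```

For real files, pass `open(path, "rb").read()` for each jar; an unchanged manifest together with a non-empty `changed_entries` list is the kind of result that supports an audit exception request.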