TrueSight Presentation Server (TSPS) - Is TSPS affected by CVE-2021-42392 H2 database remote code execution vulnerability?
TrueSight Presentation Server does not use the H2 console or the H2 database. BMC ran sanity tests with the affected jar file removed from the reference directory, and no issues were detected. If you wish, you can delete the jar file mentioned in the scan. This is documented as Defect DRTSV-956, to be addressed in the 11.3.05 release of TSPS.

Scans report the following jar as being affected:

/opt/bmc/TrueSightPServer/truesightpserver/lib/dependencies/h2-1.3.176.jar

To remove the jar, follow the steps below:

1. Stop the TSPS server.
2. Remove h2-1.3.176.jar from /opt/bmc/TrueSightPServer/truesightpserver/lib/dependencies
3. Delete the entry vm.args.classpath.71="${truesight.home}/lib/dependencies/h2-1.3.176.jar" from \TrueSightPServer\truesightpserver\conf\services\csr.conf.
4. Restart the TSPS server.
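
The file changes in steps 2 and 3, as an added shell example that is not BMC's code. It assumes a Linux install with csr.conf under conf/services of the truesightpserver directory shown above, and that the classpath index may differ from 71; the function names and the backup file name are this example's own.

```shell
#!/bin/sh
# Added example, not BMC code. Covers steps 2 and 3 only; stop TSPS first (step 1)
# and restart it afterwards (step 4).
JAR_NAME="h2-1.3.176.jar"
# Matches the csr.conf classpath entry for the jar. Any numeric index is accepted
# (assumption: the page shows 71, other installs may number it differently).
ENTRY_RE='^[[:space:]]*vm\.args\.classpath\.[0-9][0-9]*=.*h2-1\.3\.176\.jar'

# remove_h2 <truesightpserver dir>: delete the jar and its classpath entry.
remove_h2() {
    jar="$1/lib/dependencies/$JAR_NAME"
    conf="$1/conf/services/csr.conf"
    [ -f "$conf" ] || { echo "csr.conf not found: $conf" >&2; return 1; }

    # Step 2: remove the jar. An absent jar is not an error, so re-runs are safe.
    rm -f -- "$jar" || return 1

    # Step 3: drop the entry. The backup name is this example's choice; writing
    # back with '>' keeps the owner and mode of the existing csr.conf.
    if grep -q "$ENTRY_RE" "$conf"; then
        cp -p -- "$conf" "$conf.pre-h2-removal" || return 1
        sed "/$ENTRY_RE/d" "$conf.pre-h2-removal" > "$conf" || return 1
    fi
}

# h2_clean <truesightpserver dir>: succeeds only when no jar and no reference remain.
h2_clean() {
    [ ! -e "$1/lib/dependencies/$JAR_NAME" ] || return 1
    ! grep -q -F "$JAR_NAME" "$1/conf/services/csr.conf"
}

# Run against the directory given as the first argument, e.g.
#   sh remove_h2.sh /opt/bmc/TrueSightPServer/truesightpserver
if [ $# -gt 0 ]; then
    remove_h2 "$1" && h2_clean "$1" && echo "h2 jar and classpath entry removed"
fi
```

A failing `h2_clean` after the change means a scanner would still flag the install, either because the jar is still on disk or because csr.conf still names it.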