Azul Zulu Java Vulnerabilities in 23.4

Our Zone and agents are all running 23.4, with these patches:
ZCM_23.4.0_FTF_Server_95
ZCM_23.4.0_FTF_Agent_Defect_488018
ZCM_23.4.0_FTF_Agent_Defect_693002_726008
ZCM_23.4.0_FTF_Agent_Defect_710035
ZCM_23.4.0_FTF_Agent_Defect_717009
ZCM_23.4.0_FTF_Agent_Defect_721010a
ZCM_23.4.0_FTF_Agent_Defect_748009


The Linux managed devices all run the Tenable Nessus agent, which scans for vulnerabilities. It has found the following (truncated for sanity purposes!):

"
Azul Zulu Java Multiple Vulnerabilities (2024-04-16) Azul Zulu OpenJDK is affected by multiple vulnerabilities. "The version of Azul Zulu installed on the remote host is prior to 6 < 6.63.0.14 / 7 < 7.69.0.14 / 8 < 8.77.0.14 / 11 < 11.71.14 / 17 < 17.49.16 / 21 < 21.33.14 / 22 < 22.30.14. It is, therefore, affected by multiple vulnerabilities as referenced in the 2024-04-16 advisory.

CVE-2023-41993
CVE-2024-21002
CVE-2024-21004
CVE-2024-21003
CVE-2024-21005
CVE-2024-21011
CVE-2024-21012
CVE-2024-21068
CVE-2024-21085
CVE-2024-21094

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number." Apply the appropriate patch according to the April 2024 Azul Zulu OpenJDK Patch Update advisory. docs.azul.com/.../release-notes "
Path : /opt/novell/zenworks/share/zmd/
Installed version : 8.72.0.17 (CA)
Fixed version : Upgrade to a version 8.78.0.19 (CA) and above
"


Checking this file version:

# /opt/novell/zenworks/share/zmd/java/bin/java -version
openjdk version "1.8.0_382"
OpenJDK Runtime Environment (Zulu 8.72.0.17-CA-linux64) (build 1.8.0_382-b05)
OpenJDK 64-Bit Server VM (Zulu 8.72.0.17-CA-linux64) (build 25.382-b05, mixed mode)

# rpm -qf /opt/novell/zenworks/share/zmd/java/bin/java
novell-zenworks-jre-1.8.0_382-1.x86_64


Is there a fix for this vulnerability?
I see ZCM 24.2 has been released. Does this include a later (fixed) version?


Thanks!

  • 0  

    This is what I have on my 24.2 lab server:

    # /opt/novell/zenworks/share/zmd/java/bin/java -version
    openjdk version "1.8.0_402"
    OpenJDK Runtime Environment (Zulu 8.76.0.17-CA-linux64) (build 1.8.0_402-b06)
    OpenJDK 64-Bit Server VM (Zulu 8.76.0.17-CA-linux64) (build 25.402-b06, mixed mode)

    # rpm -qf /opt/novell/zenworks/share/zmd/java/bin/java
    novell-zenworks-jre-1.8.0_402-1.x86_64

    pgappliance:~ # cat /etc/opt/novell/zenworks/version.txt
    24.2.0.184

    If you want to stay on 23.4, maybe open a support case please, because I'm not aware of plans to update that version, but we could try to make the case for this if needed due to long term support etc.

  • 0

    The upgrade to 24.2 did not remediate this Nessus finding in our environment.

    We too were seeing the "Azul Zulu Java Multiple Vulnerabilities (2024-04-16) (193814)" Nessus finding on our Windows devices while running ZENworks 23.4, and I was hoping the update to version 24.2 would remediate this. 

    After upgrading to ZENworks 24.2 and deploying the agent update to the devices, Nessus is still showing "Azul Zulu Java Multiple Vulnerabilities (2024-04-16) (193814)" as a critical vulnerability. The plugin output has changed slightly; it now reads:

    "Path              : C:\Program Files (x86)\Novell\ZENworks\share\java\
      Installed version : 8.0.402.06
      Fixed version     : Upgrade to a version 8.77.0.14 (SA) and above"

    It appears the Azul Java version has been updated in 24.2, but not to a current enough version to remediate this Nessus finding.

  • 0 in reply to   

    Thanks Susan.

    I've raised this as a case: 02913209
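
The manual check done in this thread (run `java -version` on the agent's bundled JRE, then compare the Zulu build with the plugin's "Fixed version") can be scripted as below. This is an added example, not part of the original posts and not ZENworks or Tenable code; the function names `zulu_version`, `version_lt` and `assess` and the `JAVA_BIN` / `FIXED` variables are assumptions made for illustration, while the path, sample output and fixed version are the ones quoted above.

```shell
#!/bin/sh
# Added example: compare the Zulu build printed by `java -version` with the
# "Fixed version" that the Nessus plugin output names.

# `java -version` output quoted in the thread for the 24.2 lab server.
SAMPLE_24_2='openjdk version "1.8.0_402"
OpenJDK Runtime Environment (Zulu 8.76.0.17-CA-linux64) (build 1.8.0_402-b06)
OpenJDK 64-Bit Server VM (Zulu 8.76.0.17-CA-linux64) (build 25.402-b06, mixed mode)'

# Read `java -version` text on stdin, print the Zulu build (e.g. 8.76.0.17).
zulu_version() {
    sed -n 's/.*(Zulu \([0-9][0-9.]*\)-.*/\1/p' | head -n 1
}

# version_lt A B: succeed only when dotted version A is numerically below B.
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$1" ]
}

# assess TEXT FIXED: print a verdict.
# Returns 0 = at or above fixed, 1 = below fixed, 2 = no Zulu build found.
assess() {
    found=$(printf '%s\n' "$1" | zulu_version)
    if [ -z "$found" ]; then echo "UNKNOWN"; return 2; fi
    if version_lt "$found" "$2"; then
        echo "BELOW-FIXED $found < $2"; return 1
    fi
    echo "OK $found >= $2"
}

# Defaults are the path and fixed version from the Linux plugin output above.
JAVA_BIN=${JAVA_BIN:-/opt/novell/zenworks/share/zmd/java/bin/java}
FIXED=${FIXED:-8.78.0.19}
if [ -x "$JAVA_BIN" ]; then
    assess "$("$JAVA_BIN" -version 2>&1)" "$FIXED" || true
else
    assess "$SAMPLE_24_2" "$FIXED" || true   # no agent JRE here: use the sample
fi
```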