Patching Java 8 JRE + JDK Question

Hi Guys,

So first let me lay out my environment: we have some internal programs that require Java JDK8 and the standalone JRE to co-exist on one machine. It seems that Automox will find one of the JREs and correctly report it / remediate it. However, if the standalone + embedded both exist on one machine, it won’t correctly find both out-of-date JREs and patch. It will pick seemingly one random one and patch that, and call it good. This causes our vuln scanner to correctly find an out-of-date JRE and alert on it.

TL;DR: Two instances of JRE live on one machine, AM will find and patch one of them, but not the other.

Paths:
C:\Program Files\Java\jre1.8.0_201
C:\Program Files\Java\jdk1.8.0_201\jre

Not sure of a way around this, or if this is even supported to have multiple “patchable” apps with the same name? Trying to see if anyone else has this issue or any workarounds.

Thanks!

Hi rmatthews,
Currently Automox does not patch the JDK; we will only patch the JRE. So the JRE embedded in the JDK will be missed in patching.


Well correct you are!

I was testing and thought I could get AM to find that JRE inside of the JDK… I guess I was mistaken, any plans to include the JDK in automated patching? It seems fairly close to the same process as the standalone JRE?

Thanks!

What’s the process these days for updating the JDK? That might be something doable via a worklet, although you might have to manually swap out the installer file every time a new version comes out.

In this case it would need to be done by a worklet for the near future. There are not any plans currently to support patching for the JDK. I am sorry.

So looks like an easy enough install
.\jdk-8u261-windows-x64.exe /s REMOVEOUTOFDATEJRES=1 AUTO_UPDATE=1

However, the real issue I am running into here is, I don’t have a good way to nuke the existing vulnerable versions of Java. (The flag above will nuke standalone JREs, but not old JDKs).

Any thoughts on how we could identify multiple versions exist and nuke the oldest one? This is probably our top vulnerability in Nessus and would be a nice win.
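One way to answer the question above, as an added example that is not from any poster in this thread and is not Automox code: inventory the registered Java 8 JDKs and JREs from the uninstall registry keys, keep the newest update of each kind and architecture, and uninstall the rest via msiexec. The function name is hypothetical, and the script assumes Oracle's MSI installs register with the DisplayName formats noted in the comments.

```powershell
# Added example, not Automox or Oracle code. Assumes Oracle Java 8 MSI installs
# registered as "Java 8 Update N[ (64-bit)]" (JRE) or
# "Java SE Development Kit 8 Update N[ (64-bit)]" (JDK).
function Remove-OutdatedJava8 {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $pattern = '^Java (?<jdk>SE Development Kit )?8 Update (?<update>\d+)(?<x64> \(64-bit\))?$'

    # Inventory every registered Java 8 JDK/JRE and parse its update number.
    $installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.DisplayName -match $pattern) {
                [pscustomobject]@{
                    Kind        = if ($Matches['jdk']) { 'JDK' } else { 'JRE' }
                    Arch        = if ($Matches['x64']) { 'x64' } else { 'x86' }
                    Update      = [int]$Matches['update']
                    DisplayName = $_.DisplayName
                    ProductCode = $_.PSChildName   # uninstall key name (MSI GUID)
                }
            }
        }

    # Per Kind/Arch, keep the highest update and flag everything below it.
    $outdated = $installed | Group-Object Kind, Arch | ForEach-Object {
        $newest = ($_.Group | Measure-Object Update -Maximum).Maximum
        $_.Group | Where-Object { $_.Update -lt $newest }
    }

    foreach ($item in $outdated) {
        if ($item.ProductCode -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
            Write-Warning "Skipping $($item.DisplayName): key is not an MSI product code"
            continue
        }
        if ($PSCmdlet.ShouldProcess($item.DisplayName, 'Uninstall')) {
            $proc = Start-Process msiexec.exe -Wait -PassThru `
                -ArgumentList "/x $($item.ProductCode) /qn /norestart"
            Write-Output "$($item.DisplayName): msiexec exit code $($proc.ExitCode)"
        }
    }
}

Remove-OutdatedJava8 -WhatIf   # dry run: lists what would be removed
```

Run it elevated after the new JDK is installed, and drop `-WhatIf` once the dry-run list looks right. Uninstalling an old JDK also removes the private `jre` folder inside it.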
