
Patching Java 8 JRE + JDK Question



Hi Guys,

So first let me lay out my environment: we have some internal programs that require Java JDK8 and the standalone JRE to co-exist on one machine. It seems that Automox will find one of the JREs and correctly report it / remediate it. However, if the standalone + embedded both exist on one machine, it won’t correctly find both out-of-date JREs and patch. It will pick seemingly one random one and patch that, and call it good. This causes our vuln scanner to correctly find an out-of-date JRE and alert on it.

TL;DR: Two instances of JRE live on one machine, AM will find and patch one of them, but not the other.

Paths:
C:\Program Files\Java\jre1.8.0_201
C:\Program Files\Java\jdk1.8.0_201\jre

Not sure of a way around this, or if this is even supported to have multiple “patchable” apps with the same name? Trying to see if anyone else has this issue or any workarounds.

Thanks!

5 replies

Hi rmatthews,
Currently Automox does not patch the JDK, we will only patch the JRE. So the JRE embedded in the JDK will be missed in patching.


  • Author
  • Power User
  • 58 replies
  • August 21, 2020

Well correct you are!

I was testing and thought I could get AM to find that JRE inside of the JDK… I guess I was mistaken, any plans to include the JDK in automated patching? It seems fairly close to the same process as the standalone JRE?

Thanks!


Nic-Automox
  • Former Automox Employee
  • 832 replies
  • August 21, 2020

What’s the process these days for updating the JDK? That might be something doable via a worklet, although you might have to manually swap out the installer file every time a new version comes out.


In this case it would need to be done by a worklet for the near future. There are not any plans currently to support patching for the JDK. I am sorry.


  • Author
  • Power User
  • 58 replies
  • August 31, 2020

So looks like an easy enough install
.\jdk-8u261-windows-x64.exe /s REMOVEOUTOFDATEJRES=1 AUTO_UPDATE=1

However, the real issue I am running into here is, I don’t have a good way to nuke the existing vulnerable versions of Java. (The flag above will nuke standalone JREs, but not old JDKs).

Any thoughts on how we could identify multiple versions exist and nuke the oldest one? This is probably our top vulnerability in Nessus and would be a nice win.
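
One way to approach the question above, as an added example that is not part of the original thread and is not Automox's own code: inventory the Java 8 JRE and JDK entries in the Windows uninstall registry keys, keep the newest build per product and bitness, and report (or optionally remove) the rest. The display-name pattern and the `-Remove` switch are assumptions; check the names against your own machines before using it in a worklet.

```powershell
# Added example (not from the thread): find Java 8 JRE/JDK installs that are
# superseded by a newer build of the same product and bitness.
param([switch]$Remove)   # hypothetical switch: without it the script only reports

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: display names look like "Java 8 Update 201 (64-bit)" and
# "Java SE Development Kit 8 Update 201 (64-bit)"; adjust for other vendors.
$namePattern = '^Java (SE Development Kit )?8 Update \d+'

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $namePattern -and
                   $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        [pscustomobject]@{
            Product     = if ($_.DisplayName -match 'Development Kit') { 'JDK' } else { 'JRE' }
            Arch        = if ($_.DisplayName -match '64-bit') { 'x64' } else { 'x86' }
            Version     = [version]$_.DisplayVersion
            Name        = $_.DisplayName
            ProductCode = $_.PSChildName      # MSI product code (registry key name)
            Location    = $_.InstallLocation
        }
    }

# Full inventory first, so the report shows what is being kept as well.
$installs | Sort-Object Product, Arch, Version |
    Format-Table Product, Arch, Version, Location -AutoSize | Out-Host

# Within each product/bitness pair keep the highest version and flag the rest.
$stale = $installs | Group-Object Product, Arch | ForEach-Object {
    $_.Group | Sort-Object Version -Descending | Select-Object -Skip 1
}

foreach ($item in $stale) {
    if ($Remove) {
        # Standard silent MSI uninstall by product code.
        $proc = Start-Process msiexec.exe -Wait -PassThru `
            -ArgumentList "/x $($item.ProductCode) /qn /norestart"
        Write-Output "Removed $($item.Name): msiexec exit code $($proc.ExitCode)"
    } else {
        Write-Output "Stale: $($item.Name) [$($item.ProductCode)]"
    }
}
```

Run it without `-Remove` first and compare the stale list with what the vulnerability scanner reports.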
