vpx
September 20, 2023, 12:47pm
1
Some PCs in your network use an outdated version of Java 8 JDK/JRE.
The version numbers are a bit confusing because for historical reasons the internal version has a leading 1, e.g. “Build 1.8.0_381-b09” for Version 8 Update 381 (64-bit) (8.0.3810.9).
You may also wonder why we’re still at Java version 8 when the current version is 20 according to the version history:
The Java language has undergone several changes since JDK 1.0 as well as numerous additions of classes and packages to the standard library. Since J2SE 1.4, the evolution of the Java language has been governed by the Java Community Process (JCP), which uses Java Specification Requests (JSRs) to propose and specify additions and changes to the Java platform. The language is specified by the Java Language Specification (JLS); changes to the JLS are managed under JSR 901. In September 2017, Mark Rei...
This article explains it in detail: Why Java 8 Still Dominates? Reasons and Causes
If you’re on Windows you can track down the affected PC with the following command in the console:
ping -a 192.168.xxx.xxx
Use the source IP that was detected in the alert.
If you found the corresponding hostname, update or uninstall Java JDK/JRE 8.
If some program still relies on Java you can also install the open-source version of Java:
Eclipse Adoptium provides prebuilt OpenJDK binaries from a fully open source set of build scripts and infrastructure. Supported platforms include Linux, macOS, Windows, ARM, Solaris, and AIX.
vpx
September 21, 2023, 6:54am
2
I just noticed the latest Java 8 build is also detected by this signature because the rule contains an old build version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.8.0_"; content:!"361"; within:3; reference:url,www.oracle.com/java/technologies/javase/8u-relnotes.html; classtype:bad-unknown; sid:2019401; rev:37; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2023_03_07;)
The content:!"361" should be updated to the latest build 381.
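Added example (not part of either post above, and not Emerging Threats' or the poster's code) that ties the two posts together: it reads constructed sample HTTP log lines of the form "src_ip<TAB>user_agent", extracts the Java 8 update number from the User-Agent, reports hosts below the latest update named in the thread (381), reverse-resolves an IP the way "ping -a" does, and emulates the rule's content:"Java/1.8.0_" followed by content:!"…"; within:3 check so you can see why a single excluded literal goes stale while a numeric comparison does not. The log layout, the IPs, the hostnames and the 8u392 entry are constructed sample values; the resolver is injectable so the script runs offline.

```python
import re
import socket
from dataclasses import dataclass

# Latest Java 8 update mentioned in the thread (8u381). Bump this when a new 8u release ships.
LATEST_JAVA8_UPDATE = 381

# Constructed sample log: "src_ip<TAB>user_agent" per line (not real traffic).
# 8u392 is included as a constructed "newer than the rule's literal" case.
SAMPLE_LOG = """\
192.168.10.21\tJava/1.8.0_301
192.168.10.22\tJava/1.8.0_381
192.168.10.23\tJava/1.8.0_361
192.168.10.24\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
192.168.10.25\tJava/17.0.8
192.168.10.26\tJava/1.8.0_392
"""

# Same prefix the rule anchors on, with the update number captured for numeric comparison.
UA_JAVA8 = re.compile(r"Java/1\.8\.0_(\d+)")


@dataclass(frozen=True)
class JavaClient:
    src_ip: str
    update: int


def parse_java8_clients(log_text):
    """Return one JavaClient per log line whose User-Agent is a Java 8 client."""
    clients = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src_ip, _, user_agent = line.partition("\t")
        m = UA_JAVA8.search(user_agent)
        if m:
            clients.append(JavaClient(src_ip, int(m.group(1))))
    return clients


def outdated_clients(log_text, latest=LATEST_JAVA8_UPDATE):
    """Clients whose update number is numerically below `latest` (current build is not flagged)."""
    return [c for c in parse_java8_clients(log_text) if c.update < latest]


def literal_rule_matches(user_agent, excluded_build="361"):
    """Emulate the rule: content:"Java/1.8.0_"; content:!"<excluded_build>"; within:3.

    The negated content may not appear in the 3 bytes right after the prefix match,
    so exactly one update number is excluded; anything else (older OR newer) alerts.
    """
    marker = "Java/1.8.0_"
    idx = user_agent.find(marker)
    if idx < 0:
        return False
    following = user_agent[idx + len(marker): idx + len(marker) + 3]
    return following != excluded_build


def hostname_for(ip, resolver=socket.gethostbyaddr):
    """Reverse-resolve an IP like `ping -a` does on Windows; None when there is no PTR record.

    `resolver` must return a (hostname, aliases, addresses) tuple like socket.gethostbyaddr.
    """
    try:
        return resolver(ip)[0]
    except (socket.herror, socket.gaierror, OSError, KeyError):
        return None


if __name__ == "__main__":
    # Constructed PTR table standing in for the local DNS so the demo runs offline.
    fake_ptr = {"192.168.10.21": ("pc-21.corp.example", [], ["192.168.10.21"]),
                "192.168.10.23": ("pc-23.corp.example", [], ["192.168.10.23"])}
    for client in outdated_clients(SAMPLE_LOG):
        host = hostname_for(client.src_ip, resolver=lambda ip: fake_ptr[ip])
        print(f"{client.src_ip} ({host}) runs Java 8u{client.update}; update or remove it")
    for ua in ("Java/1.8.0_381", "Java/1.8.0_392"):
        print(ua, "alerts with !\"381\":", literal_rule_matches(ua, "381"))
```

Running the script shows the two stale hosts with their resolved names, and that the rule with the excluded literal changed to "381" would still alert on the constructed 8u392 User-Agent, which is why the exclusion has to be refreshed with every Java 8 release. Comparing the captured number against a known-current value avoids that churn.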
vpx:
2019401
Thanks, this will go out today!