If you get the alert "ET POLICY Vulnerable Java Version 1.8.x Detected"

Some PCs in your network use an outdated version of Java 8 JDK/JRE.

The version numbers are a bit confusing because for historical reasons the internal version has a leading 1, e.g. “Build 1.8.0_381-b09” for Version 8 Update 381 (64-bit) (8.0.3810.9).

You may also wonder why we’re still at Java version 8 when the current version is 20 according to the version history:

This article explains it in detail: Why Java 8 Still Dominates? Reasons and Causes

If you’re on Windows you can track down the affected PC with the following command in the console:

ping -a 192.168.xxx.xxx

Use the source IP that was detected in the alert.

If you found the corresponding hostname update or uninstall Java JDK/JRE 8.

If some program still relies on Java you can also install the open-source version of Java:


I just noticed the latest Java 8 build is also detected by this signature because the rule contains an old build version.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.8.0_"; content:!"361"; within:3; reference:url,www.oracle.com/java/technologies/javase/8u-relnotes.html; classtype:bad-unknown; sid:2019401; rev:37; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2023_03_07;)

The content:!"361" should be updated to the latest build 381.

Thanks, this will go out today!