Java Update - Vulnerability detected on our Experian Dev/Prod Server

HussainSyed (Member), edited December 2023 in General

This version has been detected as vulnerable by OCPU-2022-JUL: Oracle Java Critical Patch Update Advisory - July 2022.

When we try to update this, I am receiving this notification.

Do we need to switch to OpenJDK, or can we keep using the below and proceed with the update?


I am confused about how all of this affects the JAR files we have in the Experian installation folders, and how dependent Experian Aperture Data Studio and Find Duplicates are on all of this, on a change of version, or on whether we move to OpenJDK or Java 17 LTS versions.


Please tell us if it is OK to install the above and keep updating the non-commercial version.

I don't want to mess with any Aperture Data Studio configurations by switching to another version or applying the wrong update,


as the current version is flagged as vulnerable by our scanning routines, which recommend the above update.


@Henry Simms ,

Please advise in above situation what should we do?

Comments

  • Josh Boxer (Administrator)

    Hi

    Thanks for sharing. We have not yet seen this vulnerability, but we have been planning a Java version upgrade for a while that will hopefully be available in the coming weeks. I would suggest waiting for that and then upgrading as normal.

    -Josh

  • Ian Hayden (Experian Super Contributor), edited November 2022

    Hi,

    Aperture Data Studio is distributed with and uses a fairly recent OpenJDK Java distribution, which hasn't had this vulnerability raised against it.

    Depending on how Find Duplicates has been set up, it may or may not be using your Oracle Java installation.

    As the dialog says, you have the free version of Oracle Java. If your organisation is happy to continue with this, you should upgrade it. It should not break Data Studio or Find Duplicates. Alternatively, if you want to install an OpenJDK, we use the Zulu distribution, which works perfectly.

    Java upgrades should be painless and cause you no problems; however, if you do run into issues (around certificates or anything else), please let us know.

    Regards,

    Ian

  • @Ian Hayden

    "Depending on how Find Duplicates has been set up, it may or may not be using your Oracle Java installation."

    How can I check whether my Find Duplicates and Aperture Data Studio are using the Oracle Java installation?

    @Josh Boxer ,

    "have been planning a Java version upgrade for a while that will hopefully be available in the coming weeks. I would suggest waiting for that and then upgrading as normal"

    Do you mean we should wait for the next ADS and FD upgrades before doing any of the Oracle Java upgrades that we are seeing in our notifications?

  • Ian Hayden (Experian Super Contributor)

    @HussainSyed Hi, Aperture Data Studio will use the bundled JRE included in the distribution; this is an OpenJDK, so it is not affected by the vulnerability.

    If you are using integrated Find Duplicates (i.e. not installed separately), this will use the same OpenJDK.

    If you are using a separate standalone Find Duplicates instance, there are two ways it can be installed: using the distributed installer (which will use the bundled OpenJDK) or by integrating it into an existing Tomcat installation, which will likely use the Oracle JDK. You can check for the latter by looking in Task Manager for Tomcat processes.

    Generally, though, if you can rename the Oracle JDK folder, it means it's not being used by anything and it's safe to upgrade or remove.
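The Task Manager and rename-the-folder checks above can be made more precise by asking each running Java-based process which JRE it actually loaded. The following PowerShell script is an added example written for this thread; it is not Experian tooling and not code from any participant. It assumes a Windows host, PowerShell 5.1 or later, and an elevated 64-bit console (so that service processes and their module lists are readable). It locates the `jvm.dll` loaded by every `java.exe`, `javaw.exe` or Apache procrun `tomcat*.exe` process, derives the matching `java.exe` from that path, and prints the vendor line that JRE reports, so a process running from the bundled OpenJDK (Zulu) tree is distinguishable from one running from the Oracle `jre1.8.0_333` folder the scanner flagged. The process-name pattern and the path layout (`<jre>\bin\server\jvm.dll` beside `<jre>\bin\java.exe`) are assumptions covering the common cases.

```powershell
# Added example, not Experian tooling. Reports, for each running Java-hosting process,
# the JRE it loaded (via jvm.dll), that JRE's "java -version" vendor line, and the
# command line, so you can confirm which JRE Aperture Data Studio, Find Duplicates
# and any Tomcat service really depend on.
# Assumptions: Windows, PowerShell 5.1+, elevated 64-bit console.

function Get-JvmReport {
    # Launcher names are an assumption covering the common cases: java.exe/javaw.exe,
    # and the Apache procrun service wrapper (tomcat8.exe, tomcat9.exe, ...), which
    # hosts the JVM as jvm.dll instead of spawning java.exe.
    $procs = Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match '^(java|javaw|tomcat\d*)\.exe$' }

    $versionCache = @{}
    foreach ($p in $procs) {
        $jvmDll = '(module list not readable; run elevated)'
        try {
            $jvmDll = (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules |
                Where-Object { $_.ModuleName -ieq 'jvm.dll' } |
                Select-Object -First 1 -ExpandProperty FileName
        } catch { }
        if (-not $jvmDll) { $jvmDll = '(jvm.dll not loaded yet)' }

        $version = '(unknown)'
        if (Test-Path -LiteralPath $jvmDll) {
            # jvm.dll sits in <jre>\bin\server (or \client); java.exe is in <jre>\bin.
            $binDir  = Split-Path (Split-Path $jvmDll -Parent) -Parent
            $javaExe = Join-Path $binDir 'java.exe'
            if (Test-Path -LiteralPath $javaExe) {
                if (-not $versionCache.ContainsKey($javaExe)) {
                    # "java -version" writes to stderr, so merge the streams. The second
                    # line names the vendor, e.g. "OpenJDK Runtime Environment Zulu..."
                    # versus "Java(TM) SE Runtime Environment" for Oracle.
                    $lines = (& $javaExe -version 2>&1) | Select-Object -First 2
                    $versionCache[$javaExe] = ($lines | ForEach-Object { "$_" }) -join ' / '
                }
                $version = $versionCache[$javaExe]
            }
        }

        [PSCustomObject]@{
            PID         = $p.ProcessId
            Process     = $p.Name
            JvmDll      = $jvmDll
            Version     = $version
            CommandLine = $p.CommandLine
        }
    }
}

Get-JvmReport | Format-List

# The scanner flags the Oracle JRE wherever it is installed, so also show the
# machine-wide defaults that a manually started Tomcat or other tooling would pick up.
'JAVA_HOME (machine) = ' + [Environment]::GetEnvironmentVariable('JAVA_HOME', 'Machine')
'java.exe on PATH    = ' + (Get-Command java.exe -ErrorAction SilentlyContinue).Source
```

If every `JvmDll` path points into the Aperture Data Studio or Find Duplicates install tree and the `Version` line names OpenJDK, nothing running depends on the Oracle JRE; if `JAVA_HOME` or the `java.exe` on `PATH` still points at the Oracle folder, removing that folder afterwards is what clears the scanner finding, exactly as the rename test above indicates.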

  • @Ian Hayden ,

    We have a separate Find Duplicates instance installed.

    We are not using Tomcat anymore.

    I just wanted to be sure that upgrading Java 8 version 1.8.0_333 to the above-mentioned 1.8.0_351 does not disrupt anything in ADS and FD.

    "Aperture Data Studio will use the bundled JRE included in the distribution; this is an OpenJDK, so it is not affected by the vulnerability"

    Does this mean we are not using the above Java 8 version and are already using OpenJDK?

    My real question is: how do I make sure the above Java 8 is not being used anywhere in the ADS and FD installations, and that by updating it I will just be getting rid of the vulnerability flagged by our scanning agents?

  • Ian Hayden (Experian Super Contributor)

    @HussainSyed

    It sounds like both ADS and FD are using their bundled OpenJDK installations, so you are good to upgrade your Oracle JDK without affecting either of them.

  • @Ian Hayden @Josh ,

    Thank you for your help.

    I have removed the above Java 8 version 1.8.0_333 from both Dev and Prod and everything is working fine.

    Thanks for your response to my questions.