Skip to main content

Azul Zulu OpenJDK vulnerabilities on untrusted code and network API.

CVE See the impact section in the advisory
Advisory Summary Some security scanners, executed run directly in the server hosting Command Enterprise, detect the Azul version from its configuration files, and list all the potential CVE disclosed in Azul release notes, without checking if the related components are installed or how they are used.
Products or Components Command Enterprise
Addressed in Release No Impact to March Networks products
Severity N/A
Ticket SV-116

Description

Some security scanners, executed directly on the server hosting Command Enterprise, detect the Azul version from its configuration files and list all the potential CVEs disclosed in Azul release notes without checking if the related components are impacted, used, or even installed.

In general, these issues are related to executing network API loading data or to loading untrusted code from the network. Command Enterprise services based on WSDL do sanity checks on data and don’t execute untrusted code. In some cases, affected components are not even installed.

Command Enterprise 2.15, 2.16, and 2.17 use Azul Zulu OpenJDK version 11.48 (CA), for which several fixes for known CVE were released. See the ones related to Azul Zulu 11 in:

All the CVEs related to Azul Zulu 11 listed in the above links either do not impact Command Enterprise 2.15, 2.16, 2.17, or are low and medium vulnerabilities. All of them have been fixed since Command Enterprise 2.18.

Command Enterprise 2.18 and 2.19 use Azul Zulu OpenJDK version 11.66 (CA), for which several fixes for known CVE were released. See the ones related to Azul Zulu 11 in:

All the CVEs related to Azul Zulu 11 listed in the above links do not impact Command Enterprise 2.18 or 2.19, aside 1 medium and 3 low severity issues that may have impact, that will be resolved with an Azul Java update in a future release, following our security policy.

March Networks continuously monitors new issues in software components used in our products and services and communicates their impact according to our security policies. For high and critical vulnerabilities, we send a notification over our Partner Portal in advance of a public disclosure. For medium and low vulnerabilities, we recommend updating to our latest released versions.

Impact

Below, we exhaustively list in detail all the CVE with a fix delivered in Azul Zulu releases from 11.50 to 11.74, with the impact on Command Enterprise.

Azul Zulu release 11.50
CVE-2021-2388 CVE-2021-2341
CVE-2021-2369
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Azul Zulu release 11.52
CVE-2021-3517 CVE-2021-35556
CVE-2021-3522
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
CVE-2021-35567 CVE-2021-35564
CVE-2021-35559 CVE-2021-35586
Apply to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2021-35561 CVE-2021-35578
CVE-2021-35565 CVE-2021-35603
Apply to data loaded over a network API. Low or medium risk vulnerabilities closed with Command Enterprise 2.18.
Azul Zulu release 11.54
CVE-2022-21277 CVE-2022-21360
CVE-2022-21282 CVE-2022-21365
CVE-2022-21296 CVE-2022-21366
CVE-2022-21299
Apply to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2022-21283 CVE-2022-21305
CVE-2022-21291 CVE-2022-21340
CVE-2022-21293 CVE-2022-21341
CVE-2022-21294 CVE-2022-21248
Apply to data loaded over a network API. Low or medium risk vulnerabilities closed with Command Enterprise 2.18.
Azul Zulu release 11.56
CVE-2022-21426
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2018-25032
Applies only if the zlib library is used outside the Azul Zulu Java environment. No impact on Command Enterprise, since it doesn’t provide access to this library outside the Azul Zulu Java environment.
CVE-2022-21476
Applies to data loaded over a network API. No impact on Command Enterprise, since it uses the API only with trusted data.
CVE-2022-21434 CVE-2022-21443
CVE-2022-21496
Apply to data loaded over a network API. Low or medium risk vulnerabilities closed with Command Enterprise 2.18.
Azul Zulu release 11.58
CVE-2022-34169
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2022-21541 CVE-2022-21540
Apply to data loaded over a network API. No impact on Command Enterprise.
Azul Zulu release 11.60
CVE-2022-21628 CVE-2022-39399
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
CVE-2022-21618
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2022-21626 CVE-2022-21624
CVE-2022-21619
Apply to data loaded over a network API. Low or medium risk vulnerabilities, closed with Command Enterprise 2.18.
Azul Zulu release 11.62
CVE-2023-21835 CVE-2023-21843
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Azul Zulu release 11.64
CVE-2023-21938
Applies only when loading untrusted code. No impact on Command Enterprise.
CVE-2023-21939
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2023-21930
Applies to data received or sent over a half-duplex TLS session. No impact on Command Enterprise, since it receives or sends sensitive data only on authenticated full-duplex TLS sessions.
CVE-2023-21954 CVE-2023-21937
CVE-2023-21967 CVE-2023-21968
Apply to data loaded over a network API. Low or medium risk vulnerabilities, closed with Command Enterprise 2.18.
Azul Zulu release 11.66 (used since Command Enterprise 2.18)
CVE-2023-22043 CVE-2023-22006
CVE-2023-22041
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
CVE-2023-25193
Apply to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2023-22036 CVE-2023-22045
CVE-2023-22044 CVE-2023-22049
Apply to data loaded over a network API. Low risk vulnerabilities, closed with Command Enterprise 2.18.
Azul Zulu release 11.68
CVE-2023-22081
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Azul Zulu release 11.70
CVE-2024-20952 CVE-2024-20923
CVE-2024-20919 CVE-2024-20925
CVE-2024-20945 CVE-2024-20922
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
CVE-2024-20926
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2024-20918 CVE-2024-20921
Apply to data loaded over a network API. No impact on Command Enterprise, since it uses the API only with trusted data.
Azul Zulu release 11.72
CVE-2023-41993 CVE-2024-21005
CVE-2024-21012 CVE-2024-21002
CVE-2024-21003 CVE-2024-21004
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
CVE-2024-21011 CVE-2024-21085
CVE-2024-21068 CVE-2024-21094
Apply to data loaded over a network API. No impact on Command Enterprise, since it uses the API only with trusted data.
Azul Zulu release 11.74
CVE-2023-42950 CVE-2024-25062
Applies only when loading untrusted code. No impact on Command Enterprise.
CVE-2024-21208
Apply only when loading untrusted code. Likely no impact on Command Enterprise, since it runs only trusted code installed on its hosting server without loading anything from the network. In any case this is a low risk vulnerability, that will be resolved updating Azul Java in a future release.
CVE-2024-21235 CVE-2024-21210
CVE-2024-21217
Apply to data loaded over a network API. Likely no impact on Command Enterprise, since it uses the API only with trusted data. In any case there are a medium or low risk vulnerability, that will be resolved updating Azul Java in a future release.

Revision

October 18, 2024 – Initial public report

Disclaimer

March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and the system being deployed and configured in accordance with March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry-leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes for our supported products if and when a high-security vulnerability is determined to affect March Networks products.

Sign up for our newsletter here Get the latest news and information on our IP video products with March Networks News. Subscribe now
Return to top