corretto/corretto-8

vulnerability issues

Closed this issue · 3 comments

Hi,

I have come to know that 1.8.0_322 has some vulnerability issues, so my team recommended that we install 8.322.06.3 or greater, but for Windows there is no release for the same. So can we assume the Windows JDK or JRE is not affected, or how is it?

Just wanted to report the same for Linux (CentOS) package.
Nessus marked it with High severity - https://www.tenable.com/plugins/nessus/159405

Hi, thanks for contacting us about this.

The 8.322.06.3 release was specific to Amazon Linux 2, and was to correct a release which unintentionally shipped an older version of JavaFX. It is possible that this old version contained known vulnerabilities which are being detected by Nessus. However, all other platforms shipped with the latest build in 8.322.06.2.

The 8.322.06.4 release was also platform-specific, for our initial launch on macOS M1.

In short, I believe this is likely a false positive for platforms other than Amazon Linux 2. The next quarterly Corretto 8 release, 8.332, is scheduled for Tuesday April 19 and should resolve this issue either way.

8u332 was released for all platforms (including Windows) yesterday. See https://github.com/corretto/corretto-8/releases.