Azul Zulu OpenJDK vulnerabilities on untrusted code and network API.

Description

Some security scanners, executed directly on the server hosting Command Enterprise, detect the Azul version from its configuration files and list all the potential CVEs disclosed in Azul release notes without checking if the related components are impacted, used, or even installed.

In general, these issues are related to executing network API loading data or to loading untrusted code from the network. Command Enterprise services based on WSDL do sanity checks on data and don’t execute untrusted code. In some cases, affected components are not even installed.

Command Enterprise 2.15, 2.16, and 2.17 use Azul Zulu OpenJDK version 11.48 (CA), for which several fixes for known CVE were released. See the ones related to Azul Zulu 11 in:

• https://docs.azul.com/core/release/july-2021/release-notes
• https://docs.azul.com/core/release/october-2021/release-notes
• https://docs.azul.com/core/release/january-2022/release-notes
• https://docs.azul.com/core/release/april-2022/release-notes
• https://docs.azul.com/core/release/july-2022/release-notes
• https://docs.azul.com/core/release/october-2022/release-notes
• https://docs.azul.com/core/release/january-2023/release-notes
• https://docs.azul.com/core/release/april-2023/release-notes
• https://docs.azul.com/core/release/july-2023/release-notes

All the CVEs related to Azul Zulu 11 listed in the above links either do not impact Command Enterprise 2.15, 2.16, 2.17, or are low and medium vulnerabilities. All of them have been fixed since Command Enterprise 2.18.

Command Enterprise 2.18 and 2.19 use Azul Zulu OpenJDK version 11.66 (CA), for which several fixes for known CVE were released. See the ones related to Azul Zulu 11 in:

• https://docs.azul.com/core/release/october-2023/release-notes
• https://docs.azul.com/core/release/january-2024/release-notes
• https://docs.azul.com/core/release/april-2024/release-notes

All the CVEs related to Azul Zulu 11 listed in the above links do not impact Command Enterprise 2.18 or 2.19.

March Networks continuously monitors new issues in software components used in our products and services and communicates their impact according to our security policies. For high and critical vulnerabilities, we send a notification over our Partner Portal in advance of a public disclosure. For medium and low vulnerabilities, we recommend updating to our latest released versions.

Impact

Below, we exhaustively list in detail all the CVE with a fix delivered in Azul Zulu releases from 11.50 to 11.72, with the impact on Command Enterprise.

Azul Zulu release 11.50
CVE-2021-2388 CVE-2021-2341 CVE-2021-2369	Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Azul Zulu release 11.52
CVE-2021-3517 CVE-2021-35556 CVE-2021-3522	Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
CVE-2021-35567 CVE-2021-35564 CVE-2021-35559 CVE-2021-35586	Apply to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2021-35561 CVE-2021-35578 CVE-2021-35565 CVE-2021-35603	Apply to data loaded over a network API. Low or medium risk vulnerabilities closed with Command Enterprise 2.18.
Azul Zulu release 11.54
CVE-2022-21277 CVE-2022-21360 CVE-2022-21282 CVE-2022-21365 CVE-2022-21296 CVE-2022-21366 CVE-2022-21299	Apply to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2022-21283 CVE-2022-21305 CVE-2022-21291 CVE-2022-21340 CVE-2022-21293 CVE-2022-21341 CVE-2022-21294 CVE-2022-21248	Apply to data loaded over a network API. Low or medium risk vulnerabilities closed with Command Enterprise 2.18.
Azul Zulu release 11.56
CVE-2022-21426	Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2018-25032	Applies only if the zlib library is used outside the Azul Zulu Java environment. No impact on Command Enterprise, since it doesn’t provide access to this library outside the Azul Zulu Java environment.
CVE-2022-21476	Applies to data loaded over a network API. No impact on Command Enterprise, since it uses the API only with trusted data.
CVE-2022-21434 CVE-2022-21443 CVE-2022-21496	Apply to data loaded over a network API. Low or medium risk vulnerabilities closed with Command Enterprise 2.18.
Azul Zulu release 11.58
CVE-2022-34169	Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2022-21541 CVE-2022-21540	Apply to data loaded over a network API. No impact on Command Enterprise.
Azul Zulu release 11.60
CVE-2022-21628 CVE-2022-39399	Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
CVE-2022-21618	Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2022-21626 CVE-2022-21624 CVE-2022-21619	Apply to data loaded over a network API. Low or medium risk vulnerabilities, closed with Command Enterprise 2.18.
Azul Zulu release 11.62
CVE-2023-21835 CVE-2023-21843	Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Azul Zulu release 11.64
CVE-2023-21938	Applies only when loading untrusted code. No impact on Command Enterprise.
CVE-2023-21939	Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2023-21930	Applies to data received or sent over a half-duplex TLS session. No impact on Command Enterprise, since it receives or sends sensitive data only on authenticated full-duplex TLS sessions.
CVE-2023-21954 CVE-2023-21937 CVE-2023-21967 CVE-2023-21968	Apply to data loaded over a network API. Low or medium risk vulnerabilities, closed with Command Enterprise 2.18.
Azul Zulu release 11.66 (used since Command Enterprise 2.18)
CVE-2023-22043 CVE-2023-22006 CVE-2023-22041	Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
CVE-2023-25193	Apply to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2023-22036 CVE-2023-22045 CVE-2023-22044 CVE-2023-22049	Apply to data loaded over a network API. Low risk vulnerabilities, closed with Command Enterprise 2.18.
Azul Zulu release 11.68
CVE-2023-22081	Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Azul Zulu release 11.70
CVE-2024-20952 CVE-2024-20923 CVE-2024-20919 CVE-2024-20925 CVE-2024-20945 CVE-2024-20922	Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
CVE-2024-20926	Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
CVE-2024-20918 CVE-2024-20921	Apply to data loaded over a network API. No impact on Command Enterprise, since it uses the API only with trusted data.
Azul Zulu release 11.72
CVE-2023-41993 CVE-2024-21005 CVE-2024-21012 CVE-2024-21002 CVE-2024-21003 CVE-2024-21004	Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
CVE-2024-21011 CVE-2024-21085 CVE-2024-21068 CVE-2024-21094	Apply to data loaded over a network API. No impact on Command Enterprise, since it uses the API only with trusted data.

Revision

May 22, 2024 – Initial public report

Disclaimer

March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and the system being deployed and configured in accordance with March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry-leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes for our supported products if and when a high-security vulnerability is determined to affect March Networks products.