CVE | See the impact section in the advisory |
---|---|
Advisory Summary | Some security scanners, executed directly on the server hosting Command Enterprise, detect the Azul version from its configuration files and list all the potential CVEs disclosed in Azul release notes, without checking whether the related components are installed or how they are used. |
Products or Components | Command Enterprise |
Addressed in Release | No Impact to March Networks products |
Severity | N/A |
Ticket | SV-116 |
Description
Some security scanners, executed directly on the server hosting Command Enterprise, detect the Azul version from its configuration files and list all the potential CVEs disclosed in Azul release notes without checking whether the related components are impacted, used, or even installed. In general, these issues are related to executing a network API that loads data, or to loading untrusted code from the network. Command Enterprise services based on WSDL perform sanity checks on data and don’t execute untrusted code. In some cases, the affected components are not even installed. Command Enterprise 2.15, 2.16, and 2.17 use Azul Zulu OpenJDK version 11.48 (CA), for which several fixes for known CVEs were released. See the ones related to Azul Zulu 11 in:
- https://docs.azul.com/core/release/july-2021/release-notes
- https://docs.azul.com/core/release/october-2021/release-notes
- https://docs.azul.com/core/release/january-2022/release-notes
- https://docs.azul.com/core/release/april-2022/release-notes
- https://docs.azul.com/core/release/july-2022/release-notes
- https://docs.azul.com/core/release/october-2022/release-notes
- https://docs.azul.com/core/release/january-2023/release-notes
- https://docs.azul.com/core/release/april-2023/release-notes
- https://docs.azul.com/core/release/july-2023/release-notes
All the CVEs related to Azul Zulu 11 listed in the above links either do not impact Command Enterprise 2.15, 2.16, and 2.17, or are low or medium severity vulnerabilities. All of them have been fixed since Command Enterprise 2.18. Command Enterprise 2.18 and 2.19 use Azul Zulu OpenJDK version 11.66 (CA), for which several fixes for known CVEs were released. See the ones related to Azul Zulu 11 in:
- https://docs.azul.com/core/release/october-2023/release-notes
- https://docs.azul.com/core/release/january-2024/release-notes
- https://docs.azul.com/core/release/april-2024/release-notes
- https://docs.azul.com/core/release/october-2024/release-notes
None of the CVEs related to Azul Zulu 11 listed in the above links impact Command Enterprise 2.18 or 2.19, apart from 1 medium and 3 low severity issues that may have an impact; these will be resolved with an Azul Java update in a future release, following our security policy. March Networks continuously monitors new issues in the software components used in our products and services and communicates their impact according to our security policies. For high and critical vulnerabilities, we send a notification over our Partner Portal in advance of public disclosure. For medium and low vulnerabilities, we recommend updating to our latest released versions.
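To make the scanner behaviour described above concrete, here is an added example (not March Networks' or Azul's code) that reads the Zulu build from a JDK release file the way a scanner does, then triages findings against the bundled build and the two exposure categories this advisory uses. The Command Enterprise to Zulu mapping is taken from this advisory; the release-file layout, the CVE ids and the fixed-in releases are assumed or constructed placeholders.

```python
import re
from dataclasses import dataclass

# From the advisory: Azul Zulu 11 build bundled with each Command Enterprise release.
BUNDLED_ZULU = {"2.15": "11.48", "2.16": "11.48", "2.17": "11.48",
                "2.18": "11.66", "2.19": "11.66"}

# Constructed sample of a JDK 'release' file. A scanner reads IMPLEMENTOR_VERSION to
# learn the Zulu build; the "Zulu<major>.<build>+<n>-CA" layout is an assumption.
SAMPLE_RELEASE_FILE = 'IMPLEMENTOR="Azul Systems, Inc."\nIMPLEMENTOR_VERSION="Zulu11.48+21-CA"\nJAVA_VERSION="11.0.11"\n'

def zulu_version_from_release_file(text: str) -> str:
    """Return e.g. '11.48' from the IMPLEMENTOR_VERSION line, as a scanner would."""
    m = re.search(r'^IMPLEMENTOR_VERSION="Zulu(\d+\.\d+)', text, re.M)
    if not m:
        raise ValueError("no Zulu IMPLEMENTOR_VERSION line found")
    return m.group(1)

def parse_version(v: str) -> tuple[int, ...]:
    """'11.48' -> (11, 48); compare numerically, since as strings '11.9' > '11.48'."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Finding:
    cve: str            # placeholder ids below; real ids are in the Azul release notes
    fixed_in_zulu: str  # first Zulu 11 release that carries the fix
    exposure: str       # 'untrusted-code' | 'network-api' | 'other' (advisory categories)

def triage(installed_zulu: str, findings: list[Finding]) -> dict[str, str]:
    """Verdict per CVE: drop findings whose fix is already in the installed build, then
    apply the two exposure categories the advisory uses in its impact rows."""
    installed = parse_version(installed_zulu)
    verdicts = {}
    for f in findings:
        if parse_version(f.fixed_in_zulu) <= installed:
            verdicts[f.cve] = "false positive: fix already in Zulu " + installed_zulu
        elif f.exposure == "untrusted-code":
            verdicts[f.cve] = "no impact: only locally installed, trusted code is run"
        elif f.exposure == "network-api":
            verdicts[f.cve] = "check component: matters only if the API parses untrusted data"
        else:
            verdicts[f.cve] = "needs vendor assessment"
    return verdicts

# Constructed findings, as a scanner might emit them on a Command Enterprise 2.17 host.
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-1", "11.48", "network-api"),
    Finding("CVE-PLACEHOLDER-2", "11.54", "untrusted-code"),
    Finding("CVE-PLACEHOLDER-3", "11.56", "network-api"),
]
```

Entries left as "check component" are the ones that still need the per-CVE impact assessment in the table below; the version comparison alone cannot settle them.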
Impact
Below, we exhaustively list all the CVEs with a fix delivered in Azul Zulu releases from 11.50 to 11.74, together with their impact on Command Enterprise.
Azul Zulu release 11.50 | |
---|---|
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network. | |
Azul Zulu release 11.52 | |
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network. | |
Apply to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it. | |
Apply to data loaded over a network API. Low or medium risk vulnerabilities closed with Command Enterprise 2.18. | |
Azul Zulu release 11.54 | |
Apply to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it. | |
Apply to data loaded over a network API. Low or medium risk vulnerabilities closed with Command Enterprise 2.18. | |
Azul Zulu release 11.56 | |
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it. | |
Applies only if the zlib library is used outside the Azul Zulu Java environment. No impact on Command Enterprise, since it doesn’t provide access to this library outside the Azul Zulu Java environment. | |
Applies to data loaded over a network API. No impact on Command Enterprise, since it uses the API only with trusted data. | |
Apply to data loaded over a network API. Low or medium risk vulnerabilities closed with Command Enterprise 2.18. | |
Azul Zulu release 11.58 | |
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it. | |
Apply to data loaded over a network API. No impact on Command Enterprise. | |
Azul Zulu release 11.60 | |
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network. | |
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it. | |
Apply to data loaded over a network API. Low or medium risk vulnerabilities, closed with Command Enterprise 2.18. | |
Azul Zulu release 11.62 | |
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network. | |
Azul Zulu release 11.64 | |
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network. | |
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it. | |
Applies to data received or sent over a half-duplex TLS session. No impact on Command Enterprise, since it receives or sends sensitive data only on authenticated full-duplex TLS sessions. | |
Apply to data loaded over a network API. Low or medium risk vulnerabilities, closed with Command Enterprise 2.18. | |
Azul Zulu release 11.66 (used since Command Enterprise 2.18) | |
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network. | |
Apply to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it. | |
Apply to data loaded over a network API. Low risk vulnerabilities, closed with Command Enterprise 2.18. | |
Azul Zulu release 11.68 | |
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network. | |
Azul Zulu release 11.70 | |
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network. | |
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it. | |
Apply to data loaded over a network API. No impact on Command Enterprise, since it uses the API only with trusted data. | |
Azul Zulu release 11.72 | |
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network. | |
Apply to data loaded over a network API. No impact on Command Enterprise, since it uses the API only with trusted data. | |
Azul Zulu release 11.74 | |
Applies only when loading untrusted code. No impact on Command Enterprise. | |
Apply only when loading untrusted code. Likely no impact on Command Enterprise, since it runs only trusted code installed on its hosting server without loading anything from the network. In any case, this is a low risk vulnerability that will be resolved by updating Azul Java in a future release. | |
Apply to data loaded over a network API. Likely no impact on Command Enterprise, since it uses the API only with trusted data. In any case, these are medium or low risk vulnerabilities that will be resolved by updating Azul Java in a future release. | |
Revision
October 18, 2024 – Initial public report
Disclaimer
March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and the system being deployed and configured in accordance with March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry-leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes for our supported products if and when a high-security vulnerability is determined to affect March Networks products.