Burp Suite User Forum


Java version with Burp Enterprise

scott | Last updated: Oct 16, 2019 04:08AM UTC

How do I upgrade the vulnerable Java 9 version bundled with Burp Enterprise?

Mike, PortSwigger Agent | Last updated: Oct 16, 2019 08:28AM UTC

Hi Scott. Unfortunately, we don't have a mechanism to update the JRE bundled with Enterprise. Do you have any documentation about these vulnerabilities?

Burp User | Last updated: Oct 17, 2019 06:32PM UTC

Java 9 is EOL as of March 2018, and therefore not being evaluated for security vulnerabilities. http://www.oracle.com/technetwork/java/eol-135779.html This is a security tool that I cannot run in my secure environment due to it running a non-compliant version of Java.

Liam, PortSwigger Agent | Last updated: Oct 18, 2019 07:42AM UTC

Hi Scott. We're currently reviewing your issue. We'll get back to you when we have something to share.

Liam, PortSwigger Agent | Last updated: Oct 22, 2019 02:46PM UTC

We are planning to upgrade the embedded Java version before long; unfortunately, we can't provide an ETA. Although Java 9 is no longer supported, we have reviewed the security issues that have been raised since the last release. These are mostly not relevant to server applications, and only affect applets running in the browser, etc. A remaining few issues are denial of service issues in the image decoding libraries, which are not used in Enterprise. Our assessment is that there is currently not a significant risk in remaining on Java 9, but we will continue to monitor the situation.

Fernandez | Last updated: Jul 13, 2020 04:39PM UTC

Hello, any update on this?

Liam, PortSwigger Agent | Last updated: Jul 14, 2020 09:48AM UTC

This update is planned for Q4 of this year. We'll update you when this is released. Thanks for your patience.
