Burp Suite User Forum

Java vulnerability issue

Rummy | Last updated: Aug 09, 2021 05:41PM UTC

Hi,

Recently we are seeing a Nessus vulnerability issue regarding the Oracle Java version, as below:

Plugins: 64816 Oracle Java JRE Unsupported Version Detection (Unix).

The default Java version that is embedded with Burp Suite Enterprise Edition seems to be as below:

    $BURPSUITE_ENTERPRISE/jre/bin/java -version
    java version "9.0.4"
    Java(TM) SE Runtime Environment (build 9.0.4+11)
    Java HotSpot(TM) 64-Bit Server VM (build 9.0.4+11, mixed mode

But under the jres folder I see multiple JRE versions:

    cd $BURPSUITE_ENTERPRISE/jres
    ls -lrt
    total 0
    drwxrwxr-x. 7 burpsuite burpsuite 83 Apr 10 02:00 9.0.4
    drwxrwxr-x. 7 burpsuite burpsuite 83 Jun 26 02:00 11.0.10.9.1

Is there a way that the default Java used by Burp Suite can be changed to the latest one, 11.0.10.9.1?

James, PortSwigger Agent | Last updated: Aug 10, 2021 09:54AM UTC

Hello,

Thanks for getting in touch.

Which version of Burp Enterprise are you using?

The latest version uses Java 11.

Please update Burp Enterprise to the latest version. Settings > Updates

If you need to complete an offline update you can download the required updater here to upload in the above menu:
https://portswigger.net/burp/releases/enterprise-edition-2021-6?requestededition=enterprise (Please select 'updater' for the Enterprise server and 'agent update' for any external agent machines if you have them).

Please let me know if you need any further assistance.

Rummy | Last updated: Aug 10, 2021 01:57PM UTC

The current version of Burp Enterprise Edition we have is below:

    Burp Suite Enterprise Edition v2021.6

But I still don't see it using Java 11:

    $BURPSUITE_ENTERPRISE/jre/bin/java -version
    java version "9.0.4"
    Java(TM) SE Runtime Environment (build 9.0.4+11)
    Java HotSpot(TM) 64-Bit Server VM (build 9.0.4+11, mixed mode

James, PortSwigger Agent | Last updated: Aug 11, 2021 03:15PM UTC

Hello,

Thanks for confirming.

Burp should be utilising the new Java version 11, but the old version 9 will still be in place for the supervisor, which monitors and restarts the main processes as needed. Java 9 and Java 11 files will be present in the file system; this may be why it is showing up.

We do not clean up Java 9 automatically when moving to the new version, because it may still be needed, for example, for scans started before a version upgrade. We do have an internal development case to introduce automatic clean up of the old JRE and I have linked your case to it, so that you will be notified when the release/clean up is available.

To double check that your instance of Burp Enterprise is running using Java 11, please can you send your Support Pack to support@portswigger.net? You can find this in Burp Enterprise under "?" (help menu) > Support Pack > Download

Ted | Last updated: Mar 17, 2022 04:50PM UTC

I see there are active processes using both Java 9 and Java 11. However Java 9 has been out of support since January 2018 and we cannot continue to use it. How can we switch all processes to use Java 11?

James, PortSwigger Agent | Last updated: Mar 17, 2022 05:26PM UTC

Hi Ted,

Thanks for your message.

Previous Java versions may still be used by supervisory processes. We are planning to look at cleaning up previously used Java versions later this year.

A workaround would be to uninstall (leaving the database intact) and then install the latest version, which will only use Java 11. If you would like to explore this option, we can provide further guidance. Please send in an email to support@portswigger.net for assistance.
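For triaging the scanner finding discussed in this thread, the following is an added example (not part of any post and not PortSwigger code) that lists which Java runtime each running process under an install directory was actually started from, so a JRE that is merely present on disk can be told apart from one that is executing. It assumes Linux with /proc; the function names and the default minimum major version of 11 are choices made for this example.

```shell
#!/bin/sh
# Added example (not PortSwigger code): report which Java runtime each
# running process under an install directory was started from.

# Reads `java -version` output on stdin, prints the quoted version string.
parse_java_version() {
    sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1
}

# "9.0.4" -> 9, "11.0.10.9.1" -> 11, legacy scheme "1.8.0_281" -> 8
java_major() {
    case "$1" in
        1.*) v=${1#1.}; echo "${v%%[._+-]*}" ;;
        *)   echo "${1%%[._+-]*}" ;;
    esac
}

# classify VERSION MIN_MAJOR -> "ok" or "below-minimum"
classify() {
    if [ "$(java_major "$1")" -ge "$2" ]; then echo ok; else echo below-minimum; fi
}

# scan_running ROOT MIN_MAJOR: one line per live process whose executable
# resolves to a file named java under ROOT (run as root to see all users).
scan_running() {
    root=${1%/}
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$root"/*/java) ;;
            *) continue ;;
        esac
        ver=$("$exe" -version 2>&1 | parse_java_version)
        [ -n "$ver" ] || continue
        echo "${p#/proc/} $exe $ver $(classify "$ver" "$2")"
    done
}

# Runs only when an install directory is given, e.g.:
#   sh jre_in_use.sh "$BURPSUITE_ENTERPRISE" 11
if [ -n "${1:-}" ]; then scan_running "$1" "${2:-11}"; fi
```

Each output line is the PID, the resolved executable path, its reported version, and whether it falls below the minimum; an empty result means no live process is running from a JRE under that directory.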
