Burp Suite User Forum

Regarding Java version

Rummy | Last updated: Oct 27, 2022 05:40PM UTC

Hi,

Recently we are seeing nessus vulnerability issue regarding the oracle java version as below:

Plugins: 166316 Oracle Java SE Multiple Vulnerabilities (October 2022 CPU).

"<plugin_output>
Path : /app/burpsuite_enterprise/
Installed version : 11.0.15
Fixed version : Upgrade to version 11.0.17 or greater
</plugin_output>"

We have the burpsuite enterprise edition that updates automatically and has the current version 2022.9. And Java is 11.0.15 with this version. We would like to know if Java would be updated with the next release of new version and how soon can we expect that new update?

Maia, PortSwigger Agent | Last updated: Oct 28, 2022 03:15PM UTC

Hi, Thank you for your message. In Burp Suite Enterprise Edition version 2022.8 we upgraded the JRE to version 17.0.4. We will be updating to 17.0.5 soon, but this may not make the next release. As you are using version 11.0.15, we recommend updating to the latest version of Burp Suite Enterprise Edition and then performing a repair installation to remove all older java versions.

Rummy | Last updated: Oct 28, 2022 05:16PM UTC

It would be great if you can let us know on steps how we can perform the repair installation?

Maia, PortSwigger Agent | Last updated: Oct 28, 2022 05:25PM UTC

To perform a repair installation you run the installer (same or greater version) over the top of your existing installation. This will uninstall your current installation (while keeping the data and log directories) and then reinstall the installation directory. If you are using any extensions with Burp Suite Enterprise Edition then you will need to re-add these after the repair or backup the "burp" folder in the installation directory and restore the contents after the repair installation.

Rummy | Last updated: Oct 31, 2022 04:28PM UTC

Last time James provided few steps as per the below post. Would the same steps work for this repair installation?

https://forum.portswigger.net/thread/clear-existing-database-for-fresh-install-6c2482f0

!---- Below is the message from James -----!

Thanks for your message. You can perform the below to remove Java 9 and keep your data, without requiring any changes to the database.

1) Take a backup of your database
2) Check Burp Enterprise is running the latest version (Currently v2022.6 in Settings > Updates)
3) Download the matching version installer: e.g v2022.6
4) Run the installer (right click and run as administrator for Windows, or run using sudo for Linux).
5) Please check and make sure to specify the existing installation directory. Unless you changed this, the default is:
   Windows: C:\Program Files\burpsuite_enterprise
   Linux: /opt/burpsuite_enterprise - or - /usr/local/burp_enterprise
6) The existing installation will be detected and you will see a prompt to overwrite the installation. Select OK.
7) The installation files will be replaced, but your data preserved. This will also remove any old Java 9 directories.

Please let me know if that worked for you?

Maia, PortSwigger Agent | Last updated: Oct 31, 2022 05:31PM UTC

Hi, Yes, that is the same process :)

Rummy | Last updated: Nov 03, 2022 07:03PM UTC

Hi,

I did a repair installation and the active jre is 17.0.4 but still I see some old jres in the burpsuite folder under jres

# find . -type f -name "java"
./burpsuite_enterprise/jres/9.0.4/bin/java
./burpsuite_enterprise/jres/11.0.10.9.1/bin/java
./burpsuite_enterprise/jres/11.0.13.8.1/bin/java
./burpsuite_enterprise/jres/11.0.14.1/bin/java
./burpsuite_enterprise/jres/11.0.15/bin/java

Is it safe to remove the old jre version directories?

Maia, PortSwigger Agent | Last updated: Nov 04, 2022 11:55AM UTC

Hi, The oldest and newest versions will still be in use. It is safe to remove the other versions. The repair installation should have completely uninstalled and removed your installation directory. Did you specify the correct installation directory and were you prompted that an installation already existed?
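
Added example (not part of the original thread and not PortSwigger code): a dry-run shell script that applies the rule stated in the reply above, listing every JRE directory under jres/ except the oldest and the newest. It assumes GNU sort with -V and the jres/<version>/bin/java layout shown in the thread; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not PortSwigger code. Dry run: prints candidates, deletes nothing.
# Assumptions: GNU sort (-V) is available and each JRE lives in
# <install_dir>/jres/<dotted version>/bin/java, as in the listing in the thread.

# make_sample_tree: build a constructed jres/ tree mirroring the thread's listing.
make_sample_tree() {
    root=$(mktemp -d)
    for v in 9.0.4 11.0.10.9.1 11.0.13.8.1 11.0.14.1 11.0.15 17.0.4; do
        mkdir -p "$root/$v/bin"
        : > "$root/$v/bin/java"
        chmod +x "$root/$v/bin/java"
    done
    mkdir -p "$root/not-a-jre"          # ignored: no bin/java, not a version name
    printf '%s\n' "$root"
}

# jre_versions DIR: print version-named JRE directories under DIR, oldest first.
jre_versions() {
    for d in "$1"/*/; do
        [ -x "${d}bin/java" ] || continue   # skip directories without a java binary
        basename "$d"
    done | grep -E '^[0-9]+(\.[0-9]+)*$' | sort -V
}

# removable_jres DIR: print every version except the oldest and the newest.
removable_jres() {
    versions=$(jre_versions "$1")
    count=$(printf '%s\n' "$versions" | wc -l)
    [ "$count" -gt 2 ] || return 0          # two or fewer: nothing to report
    printf '%s\n' "$versions" | sed '1d;$d'
}

# Usage: sh list_old_jres.sh /app/burpsuite_enterprise/jres
if [ -n "${1:-}" ]; then
    removable_jres "$1" | while read -r v; do
        printf 'candidate for removal: %s/%s\n' "$1" "$v"
    done
fi
```

Back up the installation directory before deleting any directory the script reports.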

Rummy | Last updated: Nov 08, 2022 03:09PM UTC

Yes, I did. I saved the output when I did the repair installation and here it is.

====================================================================================
./burpsuite_enterprise_linux_v2022_9.sh
Unpacking JRE ...
Starting Installer ...
Welcome to the Burp Suite Enterprise Edition Setup Wizard
This will install Burp Suite Enterprise Edition on your computer
Select the folder where you would like Burp Suite Enterprise Edition to be installed.
Where should Burp Suite Enterprise Edition be installed?
[/app/burpsuite_enterprise]
=> (Just hit enter)
The specified directory already contains an installation of Burp Suite Enterprise Edition. Continuing with this installation will replace the current version.
OK [o, Enter], Quit Installation [q]
=> (Type o as in letter and hit enter) o
Uninstalling previous version
Extracting files ...
Starting Enterprise scanning service ...
Starting Enterprise Server service ...
Starting Web Server service ...
Waiting for Enterprise Server to start ...
Waiting for Web Server to start ...
Setup has finished installing Burp Suite Enterprise Edition on your computer.
Burp Suite Enterprise Edition is a web application. It can be launched by selecting the installed icons or by going to the IP address and port number of the Enterprise server in your browser. For example, https://localhost:8080.
Finishing installation ...
==========================================================================================

But still I see these folders in the below directory.

cd /app/burpsuite_enterprise/jres/
ls -lrt
total 0
drwxrwxr-x. 7 burpsuite burpsuite 83 Apr 10 2021 9.0.4
drwxrwxr-x. 7 burpsuite burpsuite 83 Jun 26 2021 11.0.10.9.1
drwxrwxr-x. 7 burpsuite burpsuite 83 Jan 22 2022 11.0.13.8.1
drwxrwxr-x. 7 burpsuite burpsuite 135 May 6 2022 11.0.14.1
drwxrwxr-x. 7 burpsuite burpsuite 135 Jun 7 02:01 11.0.15
drwxrwxr-x. 6 burpsuite burpsuite 124 Aug 25 02:01 17.0.4

Maia, PortSwigger Agent | Last updated: Nov 08, 2022 04:50PM UTC

Hi, Thank you for the detailed output. I recommend backing up the installation and then uninstalling manually using the uninstaller in the installation directory. When prompted, you will need to choose to keep the data and the log directory. Once the application has been installed, check to see if there are any files left in the installation directory and manually delete them if needed. You can then reinstall, and the old files should no longer be present. Please let me know if you have any issues.

Rummy | Last updated: Nov 09, 2022 12:38PM UTC

Hi,

I have a couple of questions regarding this recommended procedure.

1. How do I take a backup of the installation?
2. I usually install burpsuite with a response file. Would that throw an error that the DB already exists?
3. Also, would this again ask for license details to enter?
4. Do my original admin password credentials work after re-install to log in to the burpsuite console?

Thanks,
Rummy

Maia, PortSwigger Agent | Last updated: Nov 10, 2022 10:59AM UTC

Hi, To backup the installation you can make a copy of the installation directory, data directory, and optionally the log directory. You can check your response file for the location of these directories. Using the response file with existing directories/database should prompt you to continue, rather than throwing an error. So long as the data directory and database are used from the previous installation, then you do not need to reactivate your license, and your administrator credentials will remain the same.

Rummy | Last updated: Nov 11, 2022 04:22AM UTC

Hi,

I followed all the steps mentioned. After re-installation burpsuite does not seem to be accessible via console. I see the below error in the enterpriseAgent log

2022-11-10 23:18:49 ERROR b.common.websocket.WebSocketHandler - EnterpriseServerSocket.onWebSocketError [HttpClient@3ad36948-52]
org.eclipse.jetty.websocket.api.UpgradeException: Failed to upgrade to websocket: Unexpected HTTP Response Status Code: 404 Not Found
    at org.eclipse.jetty.websocket.client.WebSocketUpgradeRequest.onComplete(WebSocketUpgradeRequest.java:537)
    at org.eclipse.jetty.client.ResponseNotifier.notifyComplete(ResponseNotifier.java:218)
    at org.eclipse.jetty.client.ResponseNotifier.notifyComplete(ResponseNotifier.java:210)
    at org.eclipse.jetty.client.HttpReceiver.terminateResponse(HttpReceiver.java:481)
    at org.eclipse.jetty.client.HttpReceiver.terminateResponse(HttpReceiver.java:461)
    at org.eclipse.jetty.client.HttpReceiver.responseSuccess(HttpReceiver.java:424)
    at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.messageComplete(HttpReceiverOverHTTP.java:374)
    at org.eclipse.jetty.http.HttpParser.handleContentMessage(HttpParser.java:597)
    at org.eclipse.jetty.http.HttpParser.parseContent(HttpParser.java:1722)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1551)
    at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.parse(HttpReceiverOverHTTP.java:208)
    at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:148)
    at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:80)
    at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:131)
    at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:172)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
    at java.base/java.lang.Thread.run(Unknown Source)

It would be great if you can help me on this.

Maia, PortSwigger Agent | Last updated: Nov 11, 2022 03:07PM UTC

Hi,

Can you email us a full copy of the following logs to support@portswigger.net, please?

enterpriseServer.log
webServer.log
databaseServer.log
enterpriseAgent.log
