Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Use openjdk in Burp Suite Enterprise edition

Prakash | Last updated: Apr 07, 2020 04:40PM UTC

Please provide instructions to configure Burp Suite Enterprise edition v2020_2 to use openjdk instead of using embedded Oracla java.

Liam, PortSwigger Agent | Last updated: Apr 08, 2020 10:26AM UTC

Thanks for your message. There is no way to use another version of Java. The embedded Java version has been customized/hardened for security. Please let us know if you need any further assistance.

Prakash | Last updated: Apr 10, 2020 04:25PM UTC

The embedded java version in Burp Suite Enterprise edition v2020_2 is 9.0.4 which is expired and our security scans marked this as critical vulnerability. How do we resolve this? $burpsuite_enterprise/jre/bin/java -version java version "9.0.4" Java(TM) SE Runtime Environment (build 9.0.4+11) Java HotSpot(TM) 64-Bit Server VM (build 9.0.4+11, mixed mode)

Uthman, PortSwigger Agent | Last updated: Apr 14, 2020 08:22AM UTC

Can you share more details on the security vulnerability you have uncovered?

Prakash | Last updated: Apr 14, 2020 09:10PM UTC

Tenable-64816 Oracle Java JRE Unsupported Version Detection Tenable Plugins:** Plugin ID Plugin Name Severity 64816 Oracle Java JRE Unsupported Version Detection (Unix) - CRITICAL Affected Hosts: Refer to attached spreadsheet (Detailed Tabs) Plugin output: The following Java JRE installation is unsupported : Path : /app/burpsuite_enterprise/ Installed version : 1.9.0_4 Latest versions : 1.8.0_231 / 1.11.0_05 / 1.12.0_1 / 1.13.0_1 Support dates : 2018-04-01 (end of life) Description According to its self-reported version number, at least one installation of Oracle (formerly Sun) Java JRE on the remote host is no longer supported. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities. Note that Oracle does provide support contracts under the 'Oracle Lifetime Support' program. If the detected JRE is supported under this program, this may be a false positive. Solution Upgrade to a version of Oracle Java JRE that is currently supported.

Uthman, PortSwigger Agent | Last updated: Apr 15, 2020 09:20AM UTC

Hi Prakash, Thank you for that information. I have spoken to the development team and they are aware of the issue. It will be addressed in a future release (this year). The JRE will be upgraded to match Burp Pro (12.0.2). You will be notified when the fix is implemented.

Prakash | Last updated: May 07, 2020 03:49AM UTC

Do you have an expected date to upgrade embedded Oracle JRE and to support openjdk?

Uthman, PortSwigger Agent | Last updated: May 07, 2020 07:59AM UTC

Our development team is still working on this so I cannot provide an ETA.

Prakash | Last updated: Aug 18, 2020 05:34PM UTC

Hi, is there any update to using openjdk or providing latest embedded Oracle JRE version in BurpSuite Enterprise?

Uthman, PortSwigger Agent | Last updated: Aug 19, 2020 08:12AM UTC

Hi Prakash, We are working on making this available before the end of the year. The JRE will match Burp Pro.

Carlos | Last updated: Jun 02, 2021 03:02PM UTC

This vulnerability still exists even when running the latest Burp Enterprise. The last update was that this was going to be address by end of 2020. Do we have an update on this? Tenable reports: The following Java JRE installations are unsupported : Path : /opt/burpsuite_enterprise Installed version : 1.9.0_4 Latest versions : 1.8.x / 1.11.x / 1.15.x Support dates : 2018-03-01 (end of life)

Uthman, PortSwigger Agent | Last updated: Jun 02, 2021 03:11PM UTC

Hi Carlos, We fully appreciate this is still an issue. It is a bigger piece of work than we originally anticipated so apologies for the delay. Our development team is actively working on it and we'll update this thread when we have some more information.

Ted | Last updated: Mar 17, 2022 04:51PM UTC

I see there are active processes using both Java 9 and Java 11. However Java 9 has been out of support since January 2018 and we cannot continue to use it. How can we switch all processes to use Java 11?

Uthman, PortSwigger Agent | Last updated: Mar 17, 2022 07:33PM UTC

Ted | Last updated: Mar 18, 2022 02:52PM UTC

The processes are /app/burpsuite_enterprise/jre/bin/java -classpath /app/burpsuite_enterprise/.install4j/i4jruntime.jar:/app/burpsuite_enterprise/.install4j/launcher2ff15a18.jar:/app/burpsuite_enterprise/supervisor/* install4j.net.portswigger.Supervisor_burpsuiteenterpriseedition_webserver start webServer/.supervise /app/burpsuite_enterprise/jre/bin/java -classpath /app/burpsuite_enterprise/.install4j/i4jruntime.jar:/app/burpsuite_enterprise/.install4j/launcher7048aa1a.jar:/app/burpsuite_enterprise/supervisor/* install4j.net.portswigger.Supervisor_burpsuiteenterpriseedition_agent start enterpriseAgent/.supervise /app/burpsuite_enterprise/jre/bin/java -classpath /app/burpsuite_enterprise/.install4j/i4jruntime.jar:/app/burpsuite_enterprise/.install4j/launchered14aa48.jar:/app/burpsuite_enterprise/supervisor/* install4j.net.portswigger.Supervisor_burpsuiteenterpriseedition_enterpriseserver start enterpriseServer/.supervise We are on release 2022.2.1-9179 ./burp/2022.2.1-9179 ./webServer/2022.2.1-9179 ./enterpriseServer/2022.2.1-9179 ./enterpriseAgent/2022.2.1-9179

Ben, PortSwigger Agent | Last updated: Mar 18, 2022 04:14PM UTC

Hi Ted, Just to confirm, have you upgraded your Burp Enterprise installation from an older version (by using the upgrade functionality within the product) or is this a completely fresh installation using the 2022.2.1 installation file? If you perform a fresh installation of a later version of Burp Enterprise (one of the versions released since we updated the JRE in use) then Enterprise should only be using Java 11. If, however, you installed an earlier version of Burp Enterprise and have been upgrading since that point then Java 9 is still, unfortunately, being used (it is still required for some supervisor processes). You can, however, perform a reinstallation of Burp Enterprise (in your case, using the 2022.2.1 installation file) which will remove the use of Java 9. We would recommend you make a backup of your database prior to carrying this out in case of any unforeseen issues.

Ted | Last updated: Mar 21, 2022 01:35PM UTC

We are using the upgrade functionality within the product.

Uthman, PortSwigger Agent | Last updated: Mar 21, 2022 03:33PM UTC