Azul JRE v20.0.1 is vulnerable, 15 corresponding CVEs

We deploy Cryptomator to our Apple fleet. The installed version is the latest
Cryptomator.app v1.9.1

We have multiple vulnerabilities being reported by our vulnerability management tool for the used version of Azul:

Vulnerable software installed: Azul Systems JRE 20.0.1 (/Applications/Cryptomator.app/Contents/runtime/Contents/Home/lib/jrt-fs.jar)

  • Vulnerability in the 2D (Harfbuzz) component (azul-zulu-cve-2023-25193) *
  • Vulnerability in JSSE component (azul-zulu-cve-2023-21967) **
  • Vulnerability in the libraries component (azul-zulu-cve-2023-21938) **
  • Vulnerability in Swing component (azul-zulu-cve-2023-21939) **
  • Vulnerability in the hotspot component (azul-zulu-cve-2023-21954) **
  • Vulnerability in the libraries component (azul-zulu-cve-2023-21968) **
  • Vulnerability in the networking component (azul-zulu-cve-2023-21937) **
  • Vulnerability in JSSE component (azul-zulu-cve-2023-21930) **
  • Vulnerability in the JavaFX component (azul-zulu-cve-2023-22043) *
  • Vulnerability in the Libraries component (azul-zulu-cve-2023-22049) *
  • Vulnerability in the Utility component (azul-zulu-cve-2023-22036) *
  • Vulnerability in the Hotspot component (azul-zulu-cve-2023-22044) *
  • Vulnerability in the Networking component (azul-zulu-cve-2023-22006) *
  • Vulnerability in the Hotspot component (azul-zulu-cve-2023-22041) *
  • Vulnerability in the Hotspot component (azul-zulu-cve-2023-22045) *

(*) Fixed in July 2023 release, see notes:

(**) Fixed in April 2023 release, see notes:

Is this a known issue? Is there a plan to upgrade the Azul JRE ?

Thanks for the report, we will update the JDK and look into adding it to the dependency scanner to get such reports during the build.

That said, we use a stripped-down JRE via the jlink command. Some of the mentioned components may not even be a part of Cryptomator.

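The point in the reply above about a jlink'd runtime is checkable: jlink writes a `release` file into the image with a `MODULES="..."` line (and `bin/java --list-modules` prints the same list), so the components a scanner flags can be compared against the modules that are actually shipped. The script below is an added example, not Cryptomator's or Azul's own code. It assumes the `release` file carries `JAVA_VERSION` and `MODULES` lines, uses a constructed sample image rather than a real Cryptomator install, and the component-to-module table (2D/Harfbuzz and Swing in `java.desktop`, JavaFX in `javafx.graphics`, JSSE and networking in `java.base`) is a best-effort mapping, not vendor data. Note that `java.base` and the HotSpot VM are in every image, so CVEs in JSSE, networking, hotspot and the core libraries can never be ruled out this way; only the desktop and JavaFX ones can.

```shell
#!/bin/sh
# Added example (not Cryptomator's or Azul's code): read the `release` file that jlink
# writes into a runtime image and report which of the scanner-flagged CVE components
# live in a module the image actually contains.
# Assumptions: HOME/release has JAVA_VERSION="..." and MODULES="..." lines; the
# CVE-to-module table in report() is a best-effort mapping.

# jre_version HOME: the JAVA_VERSION recorded in HOME/release
jre_version() {
  sed -n 's/^JAVA_VERSION="\([^"]*\)".*/\1/p' "$1/release"
}

# jre_modules HOME: the space-separated MODULES list recorded in HOME/release
jre_modules() {
  sed -n 's/^MODULES="\([^"]*\)".*/\1/p' "$1/release"
}

# has_module HOME MODULE: exit 0 if MODULE is part of the image, 1 otherwise
has_module() {
  for m in $(jre_modules "$1"); do
    [ "$m" = "$2" ] && return 0
  done
  return 1
}

# cve_status HOME CVE MODULE: "applies" when the hosting module is shipped,
# "not shipped" when it is absent from the image.
cve_status() {
  if has_module "$1" "$3"; then
    echo "$2 applies ($3 present)"
  else
    echo "$2 not shipped ($3 absent)"
  fi
}

# report HOME: run the component-specific CVEs from the thread through cve_status.
# java.base is in every image, so the JSSE entry is shown only to make that explicit.
report() {
  echo "JAVA_VERSION=$(jre_version "$1")"
  cve_status "$1" CVE-2023-25193 java.desktop     # 2D (Harfbuzz)
  cve_status "$1" CVE-2023-21939 java.desktop     # Swing
  cve_status "$1" CVE-2023-22043 javafx.graphics  # JavaFX
  cve_status "$1" CVE-2023-21967 java.base        # JSSE, always present
}

# make_sample_home: a constructed release file standing in for a real jlink image.
# It deliberately omits JavaFX so both branches of cve_status are exercised.
make_sample_home() {
  d=$(mktemp -d)
  cat > "$d/release" <<'EOF'
JAVA_VERSION="20.0.1"
MODULES="java.base java.desktop java.logging java.xml jdk.unsupported"
EOF
  echo "$d"
}

# Point RUNTIME_HOME at a real image, e.g.
#   RUNTIME_HOME=/Applications/Cryptomator.app/Contents/runtime/Contents/Home sh check_jre.sh
# Without it the constructed sample above is used.
SAMPLE_HOME=$(make_sample_home)
report "${RUNTIME_HOME:-$SAMPLE_HOME}"
```

Running it against the real bundle answers the "may not even be a part of Cryptomator" question for the desktop and JavaFX CVEs in one pass; the remaining entries still need the JDK update, because the modules they touch are present in every jlink image.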

Thanks for the feedback @overheadhunter
Any chance I can track the change in some way? Is this already tied to an “Issue”?
I don’t know the project well so not sure which repo this change will happen in.

If you discover a vulnerability or an exploit, you can contact us in a responsible way via our issue tracker (Issues · cryptomator/cryptomator · GitHub) or via mail (security@cryptomator.org).

Please do not just post vulnerabilities in public; depending on the vulnerability, this creates a massive risk for Cryptomator users. Of course, you can disclose them if we refuse to answer after a fair amount of time. See also our security policy and the general concept of Coordinated vulnerability disclosure (Wikipedia).


Regarding the CVEs: We are still evaluating whether Cryptomator is affected. We will update the used JDK anyway, but currently it is not clear whether the reported CVEs can be used against Cryptomator.


@Stephenc We updated the formerly Windows-only release 1.9.3 to also contain versions for all operating systems with an updated JDK.


First of all, apologies for not following the coordinated vulnerability disclosure guidelines. I will make sure to follow these in the future if needed. Thank you for the follow-up and swift actions @infeo @overheadhunter