OpenJDK 8

Atempo teams are aware that several scanners report existing vulnerabilities regarding OpenJDK 8 currently used by several Atempo products.

Atempo products’ usage of Java is restricted to very specific actions, namely:

• Uninstall process, triggered only locally by an authenticated administrator. In such a case, no known vulnerability may be exploited by an external attacker.
• Access to a local third-party API either through JNI or a similar interface or through a local server not exposed.
• Apache Tomcat server, to interact with Tina processes. Our current understanding, relying on deep auditing actions around REST API testing, including penetration testing and other security audits, demonstrates that the vulnerabilities known at the time of publication of this post can’t lead to a successful exploit. Moreover, in this case Tomcat currently uses OpenJDK 17.

Hence, Atempo products do not need to be upgraded to OpenJDK 8u272 or more as suggested by the scanners, which report that the currently installed OpenJDK 8 version is outdated.