
Security issue with JRE 9.0.1



We use 360Works ScriptMaster and SuperContainer Companion plugins with FileMaker Pro 18 Advanced running on Mac OS X 10.15. On first run they download and install JRE 9.0.1 into the User's Library/Application Support directory.

Everything is working well, but our IT Security requires us to run Rapid7 on all of our Macs and it's got a problem with the JRE. Specifically, it states:

Obsolete Version of the Java Runtime Environment. Versions of the Java Runtime Environment prior to 8 (1.8.0), in addition to versions 9 and 10 are no longer supported. Unsupported versions of Java may contain vulnerable security flaws.

Library/Application Support/360Works/Plug-ins/jre/9.0.1/Contents/Home/lib/jrt-fs.jar

Do the 360Works plugins require the presence of this jrt-fs.jar file? If not, can I just delete it to keep Rapid7 happy? If it's required, is there any way to replace it with a supported version?

Thanks.

Colin Hunter


Hi Colin,

Our Mac plugins are compiled in Java 9 and need a Java 9 Runtime environment in order to operate, so removing that file will cause issues or the plugin to not enable. I am unfamiliar with Rapid7, but perhaps it has a way to whitelist specific files?


Thank you for your reply. Rapid7 is a cross-platform tool which scans our Macs and PCs for any software which is no longer supported by the manufacturer or which has a known security vulnerability. If it finds anything, we get a nastygram from IT Security warning us we have to update or remove the offending program.

Yes, we can ask for a flagged file to be whitelisted, but we have to justify the request. Are you saying Rapid7 is wrong about JRE 9.0.1? Is it still being supported by Oracle and therefore not a security risk?

Thanks.

Colin Hunter


Hi Colin,

The JRE that gets downloaded by our plugins does not get installed onto the system. It runs only when our plugins are running and is used exclusively by them. This means that only the plugins could cause a security risk by doing something nefarious "behind the scenes", which I can assure you they don't.

That said, our development roadmap does not currently include a change to the required JREs, so it will need to be whitelisted in order for you to be able to use our plugins on your system.

Please let us know if you have any questions!


Thank you for this additional information. I've passed it on to our IT Security people who will hopefully grant our whitelist request for JRE's jrt-fs.jar file.

Colin Hunter
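
An added example (not from the thread or from 360Works): a shell check an administrator could use to inventory privately bundled Java runtimes under a directory and apply the support rule quoted in the scanner finding, for instance as evidence in a whitelist request. It assumes each runtime keeps the standard `release` file in its home directory (here `.../jre/9.0.1/Contents/Home`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find bundled Java runtimes and classify them with the
# rule quoted in the finding (before 8, plus 9 and 10, are unsupported).

# jre_version HOME_DIR: print JAVA_VERSION from the runtime's release file.
# The file holds lines such as: JAVA_VERSION="9.0.1"
jre_version() {
    sed -n 's/^JAVA_VERSION="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1/release" 2>/dev/null |
        head -n 1
}

# is_obsolete VERSION: exit 0 if flagged by the rule, 1 if not, 2 if unparseable.
is_obsolete() {
    v=$1
    case $v in
        1.*) major=${v#1.}; major=${major%%[!0-9]*} ;;  # legacy scheme: 1.8.0_292 -> 8
        *)   major=${v%%[!0-9]*} ;;                     # 9.0.1 -> 9, 11.0.2 -> 11
    esac
    [ -n "$major" ] || return 2
    [ "$major" -lt 8 ] || [ "$major" -eq 9 ] || [ "$major" -eq 10 ]
}

# scan_jres ROOT: print STATUS<TAB>VERSION<TAB>HOME for every runtime under ROOT.
scan_jres() {
    find "$1" -type f -name release 2>/dev/null | while IFS= read -r rel; do
        home=${rel%/release}
        ver=$(jre_version "$home")
        [ -n "$ver" ] || continue        # a file named release, but not a Java one
        if is_obsolete "$ver"; then status=OBSOLETE
        elif [ $? -eq 1 ]; then status=OK
        else status=UNKNOWN
        fi
        printf '%s\t%s\t%s\n' "$status" "$ver" "$home"
    done
}

# Usage: sh scan_jres.sh "$HOME/Library/Application Support"
if [ "$#" -gt 0 ]; then
    scan_jres "$1"
fi
```

The output lists where each private runtime lives, which shows whether a flagged JRE sits inside an application's own support directory rather than being installed system-wide.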
