Azul Zulu related false positives

In a recent webinar by Rapid7, the InsightVM product management mentioned about false positives as one of the topics and in there I saw that Azul Zulu was one of the products.

We are seeing potential false positives with Azul Zulu related vulnerabilities detected by InsightVM agents.

Does anyone have more information on what Rapid7 currently needs to have a conclusion on this topic?

Hi @svakharia - the current issue is that the version reported as “version” is the OpenJDK version, and not the Azul Zulu version. This is what we are currently using to trigger vulnerability content. There is a difference between these versions which is what is causing the false positives.

As a result of this, we have been working with Azul to fix this for our customers, and this work is currently in progress. Azul have provided a different location to get the Azul version from, which they will maintain, and we are in the process of updating our fingerprinting to pull from this new location.

Thank you Kevin.
Is there some log or data that Rapid7 team needs which can help them to speed up?

Thank you for the offer. We already have the information directly from Azul and having been working with them to ensure we provide the best solution possible

Hi @kevin_mccabe : What is the current status if I may ask?