Azul Zulu related false positives

In a recent webinar by Rapid7, InsightVM product management mentioned false positives as one of the topics, and there I saw that Azul Zulu was one of the products.

We are seeing potential false positives with Azul Zulu related vulnerabilities detected by InsightVM agents.

Does anyone have more information on what Rapid7 currently needs to have a conclusion on this topic?

Hi @svakharia - the current issue is that the version reported as “version” is the OpenJDK version, and not the Azul Zulu version. This is what we are currently using to trigger vulnerability content. There is a difference between these versions which is what is causing the false positives.

As a result of this, we have been working with Azul to fix this for our customers, and this work is currently in progress. Azul have provided a different location to get the Azul version from, which they will maintain, and we are in the process of updating our fingerprinting to pull from this new location.

Thank you Kevin.
Is there some log or data that Rapid7 team needs which can help them to speed up?

Thank you for the offer. We already have the information directly from Azul and have been working with them to ensure we provide the best solution possible.

Hi @kevin_mccabe: What is the current status, if I may ask?

Sorry to chase you, anything new from Rapid7, @kevin_mccabe?

Sorry for the delay in responding. The engineering work is pretty much complete. We are awaiting the next agent release as there are changes to the fingerprinting.

Unfortunately I do not have a date for this agent release, but will try and chase this up.

I see the latest agent release notes containing information about Azul detection improvements, but it seems we still don’t see any difference (running the latest agent version).

Still investigating internally, but do you see any other customers also reporting this, @kevin_mccabe, by any chance?

The agent has indeed shipped with the collection improvements for Azul fingerprinting. This will not take effect until after today's (Wed 1) product has shipped.

Once you are running with the new version of the product, and last week's Agent release, then you should see improved version detection for Azul.

We are also still looking internally at our content checks to ensure they reflect the version expected; however, I am fairly confident this should just be a formality, as the content was generated using the “Azul Version” and not the OpenJDK version previously getting reported as the “version”.