Rapid7 Collector - Old Java version

Hello everyone
Yesterday I installed the Insight Agent on the Rapid7 Insight Collector, and today I saw that this server has many Java-related vulnerabilities. It turned out that the installation of the collector application apparently includes an outdated Java library.
Has anyone else noticed this? If so, how do you deal with it?
For me, this finding is a bit embarrassing, as we push the patching of Java from our side. But we use systems that also work with outdated Java components.
Best regards
David

1 Like

I have also noticed this - will be watching if anyone has an answer.

Interestingly, these vulnerabilities have now disappeared.
This is all that is left:
I do not know if Rapid7 already fixed this issue. In fact, I mentioned this in another support case and asked that they update the Java components in the software.

Hello again
The Insight Collector has over 150 Java vulnerabilities
And the number increases. Has no one else in the community noticed this? I will open a support case today.

I do see the same behavior on all collectors. I opened a support case for this at the end of September 2022.
It was closed with the comment that there's no solution yet and that the engineering team is currently working on this.

Would be interesting to hear what’s coming out from your support case.

Hi everyone
I have an answer from my support case which I want to share with all of you:


So I've checked with our development team. Recently we did start to release the automatic upgrade to a lot of customers, mostly IDR customers; however, the JRE upgrades didn't always go smoothly and in certain cases broke a lot of collectors. This was then put on pause until it can be determined to be reliable enough to roll out.
With that said, you are on version 2

{
"deployed-component-version" : "2.0.0.0"
}

As no auto deployment was sent to your collector:

{
"collector-folder-path" : "/opt/rapid7/collector",
"collector-component-upgrader-status" : "non-active",
"minimum-free-space-threshold-in-kb" : "1000000",
"deployment-attempts" : { }
}
If these vulnerabilities are pressing for yourself, you are able to decommission this collector and then reinstall afresh using the latest installer which will contain version 3 and thus contain the updated JRE packages.


If I want the newest Java version installed, I have to reinstall the collector with the newest installer. I asked support whether there is a way to manually update the collector:


The documentation is not clear whether an installer would work to "upgrade/repair" an existing installation. However, what will work is to uninstall the old 2.0 collector entirely, then install fresh using the 3.0 installer; as the host name and address remain the same, your existing agents will not require any change.


1 Like
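Since the support reply makes the decision depend on three things visible in the collector's status JSON (deployed component version below 3, an inactive upgrader, and no deployment attempts) plus the JRE actually present on the host, here is an added inventory check that turns those into findings per collector. This is example code written for this thread, not Rapid7's tooling; the JSON samples are constructed from the keys quoted above (the on-disk location of those files is not given in the thread, so the functions take the JSON text as input), and the `java -version` sample and the minimum JRE policy value are assumptions for illustration.

```python
import json
import re

# Constructed sample of the two status documents quoted in the support reply.
# The real path of these files on the collector is not stated in the thread.
SAMPLE_VERSION_JSON = '{ "deployed-component-version" : "2.0.0.0" }'
SAMPLE_UPGRADER_JSON = """{
"collector-folder-path" : "/opt/rapid7/collector",
"collector-component-upgrader-status" : "non-active",
"minimum-free-space-threshold-in-kb" : "1000000",
"deployment-attempts" : { }
}"""

# Constructed sample of `java -version` output (it is written to stderr).
# The build number is illustrative, not the collector's real bundled JRE.
SAMPLE_JAVA_VERSION = 'openjdk version "1.8.0_202"\nOpenJDK Runtime Environment (build 1.8.0_202-b08)'

# Per the support reply, the version 3 installer is the one that ships the updated JRE.
MIN_COMPONENT_VERSION = (3, 0, 0, 0)


def parse_version(text):
    """'2.0.0.0' -> (2, 0, 0, 0) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_java_version(output):
    """Pull the quoted version out of `java -version` output, e.g. '1.8.0_202'."""
    match = re.search(r'version "([^"]+)"', output)
    return match.group(1) if match else None


def java_version_tuple(version):
    """'1.8.0_202' -> (1, 8, 0, 202); '17.0.6+10' -> (17, 0, 6, 10)."""
    return tuple(int(p) for p in re.split(r"[._+-]", version) if p.isdigit())


def jre_below(java_output, minimum):
    """True when the JRE reported by `java -version` is older than the policy minimum."""
    found = parse_java_version(java_output)
    if found is None:
        return True  # unparseable output is treated as a finding, not silently passed
    return java_version_tuple(found) < java_version_tuple(minimum)


def assess_collector(version_json, upgrader_json, java_output, min_jre="1.8.0_301"):
    """Return a list of findings explaining why a collector still needs a fresh install.

    min_jre is an assumed policy threshold; substitute your own patch baseline.
    """
    deployed = json.loads(version_json)["deployed-component-version"]
    upgrader = json.loads(upgrader_json)
    findings = []
    if parse_version(deployed) < MIN_COMPONENT_VERSION:
        findings.append(f"component version {deployed} is below 3.0.0.0: reinstall with the version 3 installer")
    if upgrader.get("collector-component-upgrader-status") != "active":
        findings.append("component upgrader is not active: no JRE update will arrive automatically")
    if not upgrader.get("deployment-attempts"):
        findings.append("no deployment attempts recorded: no auto deployment has been sent to this collector")
    if jre_below(java_output, min_jre):
        findings.append(f"bundled JRE {parse_java_version(java_output)} is older than policy minimum {min_jre}")
    return findings


if __name__ == "__main__":
    for line in assess_collector(SAMPLE_VERSION_JSON, SAMPLE_UPGRADER_JSON, SAMPLE_JAVA_VERSION):
        print("FINDING:", line)
```

Run it against each collector's status output and the `java -version` of the JRE under the collector folder; an empty list means the collector is already on version 3 with a current JRE, while any finding is a collector that, per the support reply, needs a decommission and fresh install with the version 3 installer rather than waiting for the paused auto-upgrade.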