How to remediate – AdoptOpenJDK Java Detection (Windows)

1. Introduction

AdoptOpenJDK Java is a distribution of Java installed on Windows hosts. Its presence indicates that Java applications are running, which may introduce security risks if not kept up to date. This vulnerability highlights the need for awareness of installed Java versions and potential private JREs bundled with JDKs. A compromise could lead to confidentiality, integrity, or availability loss depending on the application using Java.

2. Technical Explanation

The presence of AdoptOpenJDK Java indicates a Java runtime environment is available on the system. While not an exploit in itself, it represents a potential attack surface if vulnerable versions are present. An attacker could leverage known Java vulnerabilities to execute code remotely or locally, depending on the specific application and its configuration. Preconditions include having access to a system running a vulnerable version of AdoptOpenJDK Java and a suitable exploit targeting that version.

• Root cause: The installation of Java itself is not inherently a fault; however, older versions may contain known vulnerabilities.
• Exploit mechanism: An attacker could craft malicious code within a Java application or leverage existing applications to execute arbitrary code on the system.
• Scope: Windows systems with AdoptOpenJDK Java installed are affected. Specific JDK and JRE versions determine vulnerability status.

3. Detection and Assessment

Confirming the presence of AdoptOpenJDK Java can be done through several methods. A quick check involves examining installed programs, while a thorough assessment requires identifying specific versions and associated vulnerabilities.

• Quick checks: Check the “Programs and Features” control panel to see if any AdoptOpenJDK Java installations are listed.
• Scanning: Nessus plugin ID 16384 can identify installed Java versions. This is an example only; other scanners may also provide similar functionality.
• Logs and evidence: Examine application logs for Java-related errors or warnings that might indicate a vulnerable version.

wmic product get name,version where "name like '%AdoptOpenJDK%'"

4. Solution / Remediation Steps

The primary solution is to ensure AdoptOpenJDK Java is up-to-date or replaced with a supported version of Java from a trusted vendor. These steps aim to minimize the risk associated with outdated Java installations.

4.1 Preparation

• Roll back plan: Document the current Java version and configuration for easy restoration if needed.

4.2 Implementation

1. Step 1: Check the AdoptOpenJDK website (https://adoptopenjdk.net/) for the latest supported versions of Java.
2. Step 2: Download and install the latest version of Java from a trusted vendor (e.g., Oracle, Eclipse Temurin).
3. Step 3: Uninstall older AdoptOpenJDK Java installations through “Programs and Features”.
4. Step 4: Verify that applications continue to function correctly with the new Java version.

4.3 Config or Code Example

Before

(Example: AdoptOpenJDK 8 installed)
wmic product get name,version where "name like '%AdoptOpenJDK%'"
Name                      Version
AdoptOpenJDK Java 8        8.0.312.7

After

(Example: Eclipse Temurin 17 installed)
wmic product get name,version where "name like '%Eclipse Temurin%'"
Name                      Version
Eclipse Temurin Java 17    17.0.6+10

4.4 Security Practices Relevant to This Vulnerability

Several security practices can mitigate risks associated with Java installations. These include least privilege, patch cadence, and secure configuration management.

• Practice 1: Least privilege – Run applications using the minimum necessary permissions to limit potential damage from exploitation.
• Practice 2: Patch cadence – Regularly update Java installations to address known vulnerabilities.

4.5 Automation (Optional)

# Example PowerShell script to uninstall AdoptOpenJDK Java
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*AdoptOpenJDK*"} | Uninstall-Package

5. Verification / Validation

Confirming the fix involves verifying that older versions of AdoptOpenJDK Java are uninstalled and that the new version is functioning correctly. A smoke test ensures core application functionality remains intact.

• Post-fix check: Run `wmic product get name,version where “name like ‘%AdoptOpenJDK%'”`. The output should be empty or show only newer Java versions.
• Re-test: Re-run the initial scan (Nessus plugin ID 16384) to confirm that older AdoptOpenJDK versions are no longer detected.
• Smoke test: Launch a key application that relies on Java and verify it starts and functions as expected.

wmic product get name,version where "name like '%AdoptOpenJDK%'"
(No output)

6. Preventive Measures and Monitoring

Preventive measures include establishing security baselines, incorporating checks into CI/CD pipelines, and maintaining a robust asset and patch management process. For example: regularly scan for outdated Java versions as part of vulnerability management.

• Baselines: Update security baselines to require the latest supported Java version.
• Pipelines: Add SAST or SCA checks in CI/CD pipelines to identify vulnerable Java dependencies.
• Asset and patch process: Implement a regular patch review cycle for Java installations.

7. Risks, Side Effects, and Roll Back

Potential risks include application incompatibility with newer Java versions. Roll back steps involve restoring the previous Java version if compatibility issues arise.

8. References and Resources

• Vendor advisory or bulletin: https://adoptopenjdk.net/