Regarding detected Oracle JRE vulnerabilities within ENVI and IDL

Security scans may report findings similar to the following against IDL or ENVI+IDL:

 

IT security team has identified a vulnerability in the installed version of IDL. The path to the affected component is as follows:
Path: /usr/local/nv5/idlXX/bin/bin.linux.x86_64/jre/lib/jrt-fs.jar
Vulnerable Component: Oracle JRE 21.0.2

 

However, this identification is misleading. Although the version number matches Oracle’s Java specification, IDL and ENVI do not ship Oracle JRE. They include the Eclipse Temurin JRE, whose implementation is maintained by the Eclipse Adoptium project.

The version alignment occurs because Temurin follows the Java specification versioning, but the underlying implementation is entirely from Eclipse, not Oracle.

 

Verifying the JRE Implementation

You can confirm the actual vendor by inspecting the manifest inside jrt-fs.jar. Administrator or root access is required.

 

Windows (via Administrator PowerShell)
     cd "C:\Program Files\NV5\ENVIXX\IDLXX\bin\bin.x86_64\jre\lib"
     Copy-Item jrt-fs.jar jrt-fs.zip; Expand-Archive jrt-fs.zip . -Force; Get-Content .\META-INF\MANIFEST.MF; Remove-Item jrt-fs.zip

macOS (via Apple Terminal)
     cd /Applications/nv5/idlXX/bin/bin.darwin.arm64/jre/lib
     sudo unzip -j jrt-fs.jar META-INF/MANIFEST.MF && cat MANIFEST.MF

Linux (via Terminal)
     cd /usr/local/nv5/enviXX/idlXX/bin/bin.linux.x86_64/jre/lib
     sudo unzip -j jrt-fs.jar META-INF/MANIFEST.MF && cat MANIFEST.MF

 

Expected Output

A typical manifest will contain entries similar to the following: 

 

     Manifest-Version: 1.0
     Specification-Title: Java Platform API Specification
     Specification-Version: 21
     Specification-Vendor: Oracle Corporation
     Implementation-Title: Java Runtime Environment
     Implementation-Version: 21.0.2
     Implementation-Vendor: Eclipse Adoptium
     Created-By: 20.0.2 (Eclipse Adoptium)

 

This output shows that the Specification-Vendor is Oracle, but the Implementation-Vendor is Eclipse Adoptium, which is the parent vendor for the Temurin project.
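The same check can be done without extracting anything into the installation directory. The script below is an added example, not code from NV5 or from the original article: it reads the manifest straight out of the JAR in memory and reports the specification and implementation vendors separately. The function names and the sample manifest (constructed from the output shown above) are assumptions made for illustration.

```python
import io
import sys
import zipfile

# Constructed sample: vendor and version lines from the manifest shown on this page.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Specification-Vendor: Oracle Corporation\r\n"
    "Implementation-Version: 21.0.2\r\n"
    "Implementation-Vendor: Eclipse Adoptium\r\n\r\n"
)

def parse_main_section(text):
    """Parse the main section of a JAR manifest into a dict of attributes."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                      # first blank line ends the main section
            break
        if line.startswith(" ") and key:  # continuation of the previous value
            attrs[key] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip()
            attrs[key] = value.lstrip()
    return attrs

def read_jre_identity(jar):
    """Read vendor fields from a JAR (path or file object); nothing is written to disk."""
    with zipfile.ZipFile(jar) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None                   # JAR carries no manifest
        m = parse_main_section(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    vendor = m.get("Implementation-Vendor", "")
    return {
        "spec_vendor": m.get("Specification-Vendor", ""),
        "impl_vendor": vendor,
        "impl_version": m.get("Implementation-Version", ""),
        "oracle_build": "oracle" in vendor.lower(),  # decided by implementation, not spec
    }

def sample_jar():
    buf = io.BytesIO()                    # in-memory JAR holding SAMPLE_MANIFEST
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
    return buf

if __name__ == "__main__":
    print(read_jre_identity(sys.argv[1] if len(sys.argv) > 1 else sample_jar()))
```

Pass the path to an installed jrt-fs.jar as the first argument to inspect that copy; with no argument the script runs against the constructed sample.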

 

Assessing Actual Vulnerability Exposure

Security scanners often map vulnerabilities based solely on version numbers and may incorrectly associate Temurin with Oracle JRE CVEs.

To determine whether IDL or ENVI are affected, you should consult the Eclipse Temurin vulnerability list:

If no vulnerabilities are listed for the Implementation-Version shown in the installed manifest (e.g., 21.0.2), then IDL and ENVI are not impacted by the Oracle JRE vulnerability flagged by automated scanners.

-----------------------------------------------

created by BC (EU) on 6/15/2026

reviewed by BC (US) on 6/16/2026