Regarding detected Oracle JRE vulnerabilities within ENVI and IDL
Vulnerabilities similar to the following may be detected within IDL or ENVI+IDL:
IT security team has identified a vulnerability in the installed version of IDL. The path to the affected component is as follows:
Path: /usr/local/nv5/idlXX/bin/bin.linux.x86_64/jre/lib/jrt-fs.jar
Vulnerable Component: Oracle JRE 21.0.2
However, this identification is misleading. Although the version number matches Oracle’s Java specification, IDL and ENVI do not ship Oracle JRE. They include the Eclipse Temurin JRE, whose implementation is maintained by the Eclipse Adoptium project.
The version alignment occurs because Temurin follows the Java specification versioning, but the underlying implementation is entirely from Eclipse, not Oracle.
Verifying the JRE Implementation
You can confirm the actual vendor by inspecting the manifest inside jrt-fs.jar. Administrator or root access is required.
Windows (via Administrator PowerShell)
cd "C:\Program Files\NV5\ENVIXX\IDLXX\bin\bin.x86_64\jre\lib"
Copy-Item jrt-fs.jar jrt-fs.zip; Expand-Archive jrt-fs.zip . -Force; Get-Content .\META-INF\MANIFEST.MF; Remove-Item jrt-fs.zip
macOS (via Apple Terminal)
cd /Applications/nv5/idlXX/bin/bin.darwin.arm64/jre/lib
sudo unzip -j jrt-fs.jar META-INF/MANIFEST.MF && cat MANIFEST.MF
Linux (via Terminal)
cd /usr/local/nv5/enviXX/idlXX/bin/bin.linux.x86_64/jre/lib
sudo unzip -j jrt-fs.jar META-INF/MANIFEST.MF && cat MANIFEST.MF
Expected Output
A typical manifest will contain entries similar to the following:
Manifest-Version: 1.0
Specification-Title: Java Platform API Specification
Specification-Version: 21
Specification-Vendor: Oracle Corporation
Implementation-Title: Java Runtime Environment
Implementation-Version: 21.0.2
Implementation-Vendor: Eclipse Adoptium
Created-By: 20.0.2 (Eclipse Adoptium)
This output shows that the specification is by Oracle, but the implementation is by Eclipse Adoptium, which is the parent vendor for the Temurin project.
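The same check can be scripted so that the manifest is read in place, without extracting files into the installation directory. The following is an added example, not NV5 or Adoptium code: the function names and verdict labels are hypothetical, and the sample jar is constructed in memory from the manifest values shown above. Pass the path to an installed jrt-fs.jar as the first argument to check a real installation.

```python
import io
import sys
import zipfile

# Constructed sample: the manifest shown above, packed into an in-memory jar.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Specification-Vendor: Oracle Corporation\r\n"
    "Implementation-Version: 21.0.2\r\n"
    "Implementation-Vendor: Eclipse Adoptium\r\n"
)

def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
    buf.seek(0)
    return buf

def parse_manifest(text):
    """Return the main-section attributes of a JAR manifest as a dict."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                       # blank line ends the main section
            break
        if line.startswith(" ") and key:   # continuation of a wrapped value
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key] = value.lstrip(" ")
    return attrs

def read_jar_manifest(jar):
    """Read META-INF/MANIFEST.MF from a path or file object; writes nothing."""
    with zipfile.ZipFile(jar) as zf:
        return parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))

def triage(attrs, scanner_vendor="Oracle"):
    """Compare the scanner's vendor label with Implementation-Vendor."""
    vendor = attrs.get("Implementation-Vendor")
    if not vendor:
        verdict = "unknown"                # hypothetical labels, not a standard
    elif scanner_vendor.lower() in vendor.lower():
        verdict = "vendor-confirmed"
    else:
        verdict = "vendor-mismatch"
    return {"verdict": verdict, "implementation_vendor": vendor,
            "implementation_version": attrs.get("Implementation-Version"),
            "specification_vendor": attrs.get("Specification-Vendor")}

if __name__ == "__main__":
    jar = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    print(triage(read_jar_manifest(jar)))
```

A vendor-mismatch verdict only establishes that the scanner attributed the finding to the wrong vendor; the reported Implementation-Version still has to be checked against the Temurin advisories.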
Assessing Actual Vulnerability Exposure
Security scanners often map vulnerabilities based solely on version numbers and may incorrectly associate Temurin with Oracle JRE CVEs.
To determine whether IDL or ENVI is affected, you should consult the Eclipse Temurin vulnerability list:
If no vulnerabilities are listed for the Implementation-Version shown in the installed manifest (e.g., 21.0.2), then IDL and ENVI are not impacted by the Oracle JRE vulnerability flagged by automated scanners.
-----------------------------------------------
created by BC (EU) on 6/15/2026
reviewed by BC (US) on 6/16/2026