Java Vulnerability


Paola Andrea Hernandez Ospitia

Sep 17, 2025, 5:50:55 PM
to qz-p...@googlegroups.com, sup...@qz.io

Confidential Information


Hi Team

 

Our vulnerability detection systems have detected three CVEs associated with QZ Tray, version Embedded Java (Process):

CVE-2025-50059
CVE-2025-30749
CVE-2025-50106

Check if Embedded Java (Process) is running
Find the Embedded Java (Process)
No Expected States
command_line="C:\Program Files\QZ Tray\runtime\bin\javaw.exe" -Xms512m -Djna.nosys%3dtrue --add-exports java.desktop/sun.swing%3dALL-UNNAMED -jar "C:\Program Files\QZ Tray/qz-tray.jar",name=javaw
1

Read java.exe/ javaw.exe/ javaws.exe from install root
Read java.exe/ javaw.exe/ javaws.exe from install root
No Expected States
filename=java.exe,filepath=C:\Program Files\QZ Tray\runtime\bin\java.exe,path=C:\Program Files\QZ Tray\runtime\bin
1

Read java.exe/ javaw.exe/ javaws.exe from install root
Read java.exe/ javaw.exe/ javaws.exe from install root
No Expected States
filename=javaw.exe,filepath=C:\Program Files\QZ Tray\runtime\bin\javaw.exe,path=C:\Program Files\QZ Tray\runtime\bin
1

Check if Embedded Java (Process) version is greater than or equal to 11.0.0
Object holds the 11.x version of Embedded Java (Process)
State holds if the version is greater than or equal to 11.0.0
filename=java.exe,filepath=C:\Program Files\QZ Tray\runtime\bin\java.exe,path=C:\Program Files\QZ Tray\runtime\bin,product_version=11.0.27
1

Check if Embedded Java (Process) version is greater than or equal to 11.0.0
Object holds the 11.x version of Embedded Java (Process)
State holds if the version is greater than or equal to 11.0.0
filename=javaw.exe,filepath=C:\Program Files\QZ Tray\runtime\bin\javaw.exe,path=C:\Program Files\QZ Tray\runtime\bin,product_version=11.0.27
1

Check if Embedded Java (Process) version is less than or equal to 11.0.27
Object holds the 11.x version of Embedded Java (Process)
State holds if the version is less than or equal to 11.0.27
filename=java.exe,filepath=C:\Program Files\QZ Tray\runtime\bin\java.exe,path=C:\Program Files\QZ Tray\runtime\bin,product_version=11.0.27
1

Check if Embedded Java (Process) version is less than or equal to 11.0.27
Object holds the 11.x version of Embedded Java (Process)
State holds if the version is less than or equal to 11.0.27
filename=javaw.exe,filepath=C:\Program Files\QZ Tray\runtime\bin\javaw.exe,path=C:\Program Files\QZ Tray\runtime\bin,product_version=11.0.27
1

 

 

Can you help me with a possible remediation?

Regards,

Paola Andrea Hernandez O.
Infrastructure Projects Engineer
pandreah@colmedica.com

Tres Finocchiaro

Sep 18, 2025, 12:34:58 PM
to Paola Andrea Hernandez Ospitia, qz-p...@googlegroups.com, sup...@qz.io

Fixing these will require an update to QZ Tray with a newer bundled JDK. While CVE-2025-50106 and CVE-2025-30749 only impact potential buffer overflow from successful connections (i.e. websites that you said are ALLOWED to talk to QZ Tray), CVE-2025-50059 is a leak of header information for redirects, a component we do not use.

These will be patched with the next QZ Tray release. Due to the low impact of these on QZ Tray, we do not have a timeline for this release.
