topic Re: jmp_python.exe vulnerabilities reported by Microsoft Defender Enterprise in Discussions

jmp_python.exe vulnerabilities reported by Microsoft Defender Enterprise

RobbCGO — Mon, 27 Jan 2025 18:07:19 GMT

Microsoft Defender has been reporting vulnerabilities which can be reconciled by updating Python. We have 6 devices affected, but only 1 had Python installed manually. The other 5 trace back to jmp_python.exe.

The JMP update function doesn't appear to affect Python. How do you intend to resolve the vulnerability reported?

Re: jmp_python.exe vulnerabilities reported by Microsoft Defender Enterprise

jthi — Mon, 27 Jan 2025 18:59:18 GMT

Have you contacted JMP Support?

Re: jmp_python.exe vulnerabilities reported by Microsoft Defender Enterprise

Paul_Nelson — Mon, 27 Jan 2025 19:25:44 GMT

Upgrade your version of JMP. The latest release of JMP 18.x contains Python 3.11.11, JMP 19 EA 6 contains Python 3.13.1. They are the latest security releases of Python as of today 27 Jan 2025. We are monitoring Python's security releases and when a security fix is released, we update in the next JMP security maintenance release.

A friendly reminder. It is considered a responsible security disclosure practice to inform the developer first of potential security issues before spreading to the world. In the future please contact JMP technical support first for security issues. In this case we have already addressed, but please give us time to address before potentially putting your colleagues at risk.

Re: jmp_python.exe vulnerabilities reported by Microsoft Defender Enterprise

Paul_Nelson — Mon, 27 Jan 2025 19:43:49 GMT

While the CVEs mentioned, have been created, they are not yet verified. As such, it's likely even the latest Python distribution does not have any updates to these issues even if they are found to be legitimate vulnerabilities. Until such time as Python makes an update there is no way for JMP to make an update. But again please disclose to JMP Technical support first. Typical public disclosure timeframe is at least 90 days after a fix is available.

https://nvd.nist.gov/vuln/detail/cve-2024-9287 This vulnerability is currently awaiting analysis.

https://nvd.nist.gov/vuln/detail/cve-2024-8088 This vulnerability is currently awaiting analysis.

https://nvd.nist.gov/vuln/detail/cve-2024-3219 This vulnerability is currently awaiting analysis.

https://nvd.nist.gov/vuln/detail/cve-2024-6923 This vulnerability is currently awaiting analysis.

https://nvd.nist.gov/vuln/detail/cve-2024-4030 This vulnerability is currently awaiting analysis.