Question:
How can one ensure that Zulu Commercial Compatibility Kit (CCK) is patched and up-to-date?
Answer:
The CCK (Commercial Compatibility Kit) is simply a collection of fonts to bring an OpenJDK distribution (eg. Zulu8) up to par with Oracle's JDK distribution. OpenJDK does not include fonts due to licensing reasons, so Azul provides the CCK to our customers to make the transition as seamless as possible.
The CCK only comes with font files, which has an extremely low attack vector, so no patching or upgrades are expected. One exception is with the Java7 version (7.0.0.10) of CCK, as it also includes the Rhino Javascript Engine.
From a security standpoint, there are 3 things that can be done to minimize the impact of the CCK package:
(a) Firstly, our download page is the best place to check for any new CCK versions (although new versions are not ever expected).
(b) Our download page also contains SHA256 checksums for the CCK product which is the preferred method of validating the download package.
(c) Finally, it may be possible to eliminate the need for the CCK package by using System Fonts instead. Please review the instructions on the Fonts Knowledge Article for more details.
Add Comment
Comments
Please sign in to leave a comment.