Windows Defender identifying Mirth Connect Administrator Launcher v1.4.1 as being vulnerable under CVE-2023-43208

[pduncliffe]

It appears Windows Defender is falsely identifying Mirth Connect Administrator Launcher v1.4.1 as being vulnerable under CVE-2023-43208. Has anyone else dealt with this or reported to Microsoft? It appears to have started after [https://learn.microsoft.com/en-us/defender-vulnerability-management/fixed-reported-inaccuracies] was posted.

[rjkroll]

It is probably showing up now because this was just discovered last week it seems:

https://nvd.nist.gov/vuln/detail/CVE-2023-43208

"NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679."

[jonbartels]

Does the launcher have files from an affected version in its local cache?

@pduncliffe and @DanEdomHodge - Before you get all gloomy, can you get your scan tools to say exactly which file(s) are being detected for the CVE within the Launcher?

When the Launcher starts the actual Admin client, it downloads and caches JARs for the Admin client. That cache is checksummed and has signatures validated. Then on subsequent launches, the cached files are used for a faster start. If an older version of MC was used at some point in the past, then there may still be old files in cache that are tripping your security scanners.

If it is detecting cached files, then just nuke the cache directory or the targeted files.

If your security scanner won't tell you what files are suspect then try:

• just nuking the cache anyway
• uninstalling and reinstalling MCAL, run the scan on a clean install BEFORE you launch anything with it. If MCAL has never been used to launch the Admin then it has to be caching. If MCAL does trip the scan, then MCAL itself includes these files.

At this point our choices are to uninstall the Administrator launcher

If you think the problem is MCAL (the launcher), try the alternative Ballista launcher from https://github.com/kayyagari/ballista . It's faster and has a few other options. It is also fully open sourced unlike MCAL. Also since its written in Rust, Ballista itself won't trigger Java CVEs for anything other than cached files. MCAL is also Java so it can be confusing to sort out if a vuln is from cache or from the MCAL app itself.

No comments from NextGen either, nor MS.

Can you share references or links to where you have shared this with NG and MS? (Assuming they are like public forums and not private tickets)

[JackieK5]

We have reviewed this issue and confirmed that MCAL is not at risk. MS Defender is returning this as a false positive and we are working to get this reported to Microsoft so it can stop being listed as an issue.

[pduncliffe]

I've received a response from Nextgen (Sales) regards my query with them. They've asked MS to correct the false positive. So I would say as soon as MS respond, issue closed.

[pduncliffe]

And thanks @JackieK5

[DanEdomHodge]

Thank you @pduncliffe @JackieK5 @jonbartels
For reference this was a clean install of 1.4 of the launcher. I believe that MS Defender is flagging that 1.4<4.4.1 for "mirth connect", it's not differentiating between the launcher and server as it scans the registry uninstall settings.