Redhat openjdk
8/21/2023

We have contradictory vulnerability information regarding Red Hat OpenJDK for Windows. We have no source that states which Oracle Java-based CVE identifiers affect the Windows platform, or in which version, and Red Hat does not clarify which may be applicable. The CVE-based links Red Hat provides in this context only report RHEL-based packages, not the Windows platform.

Red Hat Security Advisories (RHSAs) such as RHSA-2019:1840 appear to cover only the distinct OpenJDK package relevant for RHEL, not the Windows platform. These RHSAs do at least appear to cover the related Oracle Java CVE identifiers applicable to OpenJDK.

Release notes for Red Hat OpenJDK like this one may list CVE identifiers irregularly. In the example, the CVE identifiers appear to be "icedtea-web" / Java WebStart related; the Oracle Java-related CVE identifiers one would expect do not appear to be listed.

Recently, we have seen the following vulnerability reports that may be relevant for Red Hat OpenJDK (officially supported on the Windows platform by Red Hat); however, the CVE identifiers reported per platform are not consistent:

Without reliable product-focused security reporting on OpenJDK for non-RHEL versions (as Red Hat does for JBoss on non-RHEL platforms), Flexera cannot directly translate the upstream release cycles of OpenJDK into Red Hat security reporting. This makes ascertaining which versions of OpenJDK have which vulnerabilities (on which platform) very unreliable: distribution versions of packages on RHEL and "upstream" version releases differ broadly, and so do their weaknesses. There is factually no dedicated reporting of security vulnerabilities in the product OpenJDK for Windows systems coming from the originator/maintainer vendor, Red Hat.
Red Hat security advisories aim to report on security issues with the products that distribute Red Hat OpenJDK packages, e.g., Red Hat Enterprise Linux products, but do not report on Red Hat OpenJDK itself as a full product. While we do cover it on RHEL, we cannot adequately cover the Windows versions with Secunia Advisories. Flexera understands the desire for coverage of Red Hat OpenJDK but is unable to effectively track it on Windows systems due to inconsistent and conflicting identification information coming from Red Hat. For us to reliably track Windows versions of Red Hat OpenJDK in our SVR and SVM products, we require Red Hat to improve their security reporting process. Flexera is reaching out to Red Hat to encourage more consistent handling of non-RHEL based versions of OpenJDK, but we also encourage any interested customers of Red Hat to do the same.