Recently, we have seen the following vulnerability reports that may be relevant for Red Hat OpenJDK (officially supported on the Windows platform by Red Hat); however, the CVE identifiers reported per platform are not consistent:

Without reliable product-focused security reporting on OpenJDK for non-RHEL versions (like Red Hat does for JBoss on non-RHEL platforms), Flexera may not directly translate the upstream release cycles of OpenJDK to Red Hat security reporting. This problem makes the process of ascertaining which versions of OpenJDK have which vulnerabilities (on which platform) very unreliable: the distribution versions of packages on RHEL and the "upstream" version releases differ broadly, and so do their weaknesses.

There is, in fact, no dedicated reporting of security vulnerabilities in the product OpenJDK for Windows systems coming from the originator/maintainer vendor Red Hat. Red Hat security advisories aim to report on security issues with the products that distribute Red Hat OpenJDK packages, e.g., Red Hat Enterprise Linux products, but do not report on Red Hat OpenJDK itself as a full product.

Flexera is reaching out to Red Hat to encourage more consistent handling of non-RHEL based versions of OpenJDK, but we also encourage any interested customers of Red Hat to do the same. While we do cover it on RHEL, we cannot adequately cover the Windows versions with Secunia Advisories.

For us to reliably track Windows versions of Red Hat OpenJDK in our SVR and SVM products, we require Red Hat to improve their security reporting process. Flexera understands the desire for coverage of Red Hat OpenJDK but is unable to effectively track it on Windows systems due to inconsistent and conflicting identification information coming from Red Hat.