Vulnerability Coverage of Red Hat's "OpenJDK for Windows"
Flexera understands the desire for coverage of Red Hat OpenJDK but is unable to effectively track it on Windows systems due to inconsistent and conflicting identification information coming from Red Hat. While we do cover it on RHEL, we cannot adequately cover the Windows versions with Secunia Advisories.
For us to reliably track Windows versions of Red Hat OpenJDK in our SVR and SVM products, we require Red Hat to improve their security reporting process. Flexera is reaching out to Red Hat to encourage more consistent handling of non-RHEL based versions of OpenJDK, but we also encourage any interested customers of Red Hat to do the same.
Red Hat security advisories report security issues in the products that ship Red Hat OpenJDK packages, e.g., Red Hat Enterprise Linux products, but they do not report on Red Hat OpenJDK itself as a full product. There is no dedicated reporting of security vulnerabilities in OpenJDK for Windows systems coming from Red Hat, the vendor that builds and maintains it.
This makes it very unreliable to determine which versions of OpenJDK (on which platform) are affected by which vulnerabilities: the package versions distributed on RHEL and the "upstream" release versions differ substantially, and so do the weaknesses they carry (RHEL packages frequently carry backported fixes under an older version string). Without reliable product-focused security reporting for non-RHEL builds of OpenJDK (as Red Hat provides for JBoss on non-RHEL platforms), Flexera cannot directly map the upstream OpenJDK release cycles onto Red Hat security reporting.
Recently, we have seen the following vulnerability reports that may be relevant for Red Hat OpenJDK (officially supported on the Windows platform by Red Hat); however, the CVE identifiers reported per platform are not consistent:
- Red Hat Security Advisories (RHSAs) such as RHSA-2019:1840 appear to cover only the OpenJDK packages shipped for RHEL, not the Windows platform. These RHSAs do at least list the related Oracle Java CVE identifiers that apply to OpenJDK.
- Release notes for Red Hat OpenJDK (like this one) list CVE identifiers only irregularly, and the Oracle Java-related CVE identifiers one would expect do not appear. In the example, the CVE identifiers listed relate to "icedtea-web" / Java Web Start.
- The per-CVE pages Red Hat provides in this context list only RHEL-based packages, not the Windows platform.
The vulnerability information available for Red Hat OpenJDK for Windows is contradictory. No source states which Oracle Java-based CVE identifiers affect the Windows platform, or in which versions, and Red Hat does not clarify which may be applicable. As a result, we cannot ensure accurate vulnerability reports for Red Hat OpenJDK running on Windows, and rather than risk providing inaccurate research, Flexera has to exclude Red Hat OpenJDK for Windows from its tracking service until Red Hat resolves this. As a Red Hat customer, you can help encourage Red Hat to track and report the product consistently, and we encourage you to do so.
An alternative to Red Hat's OpenJDK is the "Amazon Corretto JDK" package, which has already been added to the Flexera SVR database for vulnerability tracking. Flexera is also evaluating adding scan detection signatures and version security rules for it to the SVM 2019 product. Customers who need to track and use an OpenJDK-based alternative for Java are advised to evaluate Amazon Corretto, for which vulnerability advisories can be received through the SVR and SVM products of Flexera.