Vulnerability Coverage of Red Hat's "OpenJDK for Windows"

Problem Formulation

Flexera understands the desire for coverage of Red Hat OpenJDK but is unable to track it effectively on Windows systems because the identification information coming from Red Hat is inconsistent and conflicting. While we do cover it on RHEL, we cannot adequately cover the Windows versions with Secunia Advisories.

For us to reliably track Windows versions of Red Hat OpenJDK in our SVR and SVM products, Red Hat needs to improve its security reporting process. Flexera is reaching out to Red Hat to encourage more consistent handling of non-RHEL versions of OpenJDK, and we encourage interested Red Hat customers to do the same.

Reporting Quality

Red Hat security advisories report on security issues in the products that distribute Red Hat OpenJDK packages [1], e.g., Red Hat Enterprise Linux, but they do not report on Red Hat OpenJDK itself as a standalone product. There is no dedicated security vulnerability reporting for OpenJDK on Windows from its vendor and maintainer, Red Hat.

[1] https://access.redhat.com/errata/RHSA-2019:0790

This makes ascertaining which versions of OpenJDK carry which vulnerabilities, on which platform, very unreliable: the package versions distributed on RHEL and the "upstream" release versions differ broadly, and so do the flaws they contain. Without reliable product-focused security reporting for non-RHEL builds of OpenJDK (as Red Hat provides for JBoss on non-RHEL platforms), Flexera cannot map the upstream OpenJDK release cycle onto Red Hat's security reporting.

Examples

Recently, we have seen the following vulnerability reports that may be relevant to Red Hat OpenJDK (which Red Hat officially supports on Windows); however, the CVE identifiers reported per platform are not consistent:

  • Red Hat Security Advisories (RHSAs) such as RHSA-2019:1840 appear to cover only the OpenJDK package relevant to RHEL, not the Windows platform. These RHSAs do at least reference the Oracle Java CVE identifiers that apply to OpenJDK.

  • Release notes for Red Hat OpenJDK like this one list CVE identifiers irregularly, and the Oracle Java-related CVE identifiers one would expect do not appear. In the example, the CVE identifiers listed relate to "icedtea-web" / Java Web Start rather than to the JDK itself.

  • The CVE pages Red Hat provides in this context list only RHEL-based packages, not the Windows platform.

Recommendations

We have contradictory vulnerability information regarding Red Hat OpenJDK for Windows. No source states which Oracle Java CVE identifiers affect the Windows platform, or in which version, and Red Hat does not clarify which may be applicable. The outcome is that we cannot ensure accurate vulnerability reports for Red Hat OpenJDK running on Windows. Rather than risk providing inaccurate research, Flexera must exclude Red Hat OpenJDK for Windows from its tracking service until Red Hat resolves this. As a Red Hat customer, you can help encourage Red Hat to track and report the product consistently, and we encourage you to do so.

Good Alternatives

An alternative to Red Hat's OpenJDK is the "Amazon Corretto JDK" package, which has already been added for vulnerability tracking in the Flexera SVR database. Flexera is also evaluating the addition of scan detection signatures and version security rules for the SVM 2019 product. Customers who need to track an OpenJDK-based alternative for Java are recommended to research Amazon Corretto, as vulnerability advisories for that package are delivered through Flexera's SVR and SVM products.

Version history: revision 2 of 2, last updated Jan 29, 2020