
I got this type of vulnerability on a RHEL server after a scan: "(CVE-2020-2781) ** Upgrade IBM Java to version 7.0.10.65 Download and apply the upgrade from: https://www.ibm.com/developerworks/java/jdk/"

Can I fix this vulnerability by installing or upgrading the OpenJDK from the repository, or does this need a separate RPM to upgrade?

The current Java version is below:

java -version
java version "1.8.0_231"
Java(TM) SE Runtime Environment (build 8.0.6.0 - pxa6480-201*_01(S**))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 2*****_4**** (JIT enabled, AOT enabled)
OpenJ9 - f0b6be7
OMR - 18d8f94
IBM - 233dfb5)

Newlinux-men
  • The directions were perfectly clear. Why do you question them? – Michael Hampton Aug 27 '21 at 18:00
  • Thanks for the reply. The reason is that the DB folks are saying it should be patched by the OS admin, but I think there is no patch available in Red Hat to patch this, but I am not so sure. If the package needs to be downloaded and upgraded, then I can say it's not my scope. – Newlinux-men Aug 27 '21 at 18:11
  • It doesn't say anything about Red Hat! It says IBM. This is not a Red Hat vulnerability. – Michael Hampton Aug 27 '21 at 18:12
  • How to patch and who should patch are different questions. – joeqwerty Aug 27 '21 at 18:44
  • The finding is for Java 7, but the Java version you show is version 8. https://www.ibm.com/support/pages/java-sdk-downloads-version-80 – Greg Askew Aug 27 '21 at 18:57

1 Answer

I guess some kind of SAST scanning has been introduced lately, and you are the administrator who owns the server. The finding indicates that most likely more than one Java version is installed on the server, as the standard version installed is Java 8, but the scan result is for Java 7.

Either ask for more details (such as file locations) from the scan, or scan by yourself for other Java files.

It is possible that a certain application has been installed on the server, which brings its own version of Java embedded inside the installation.

Another possibility is that the scan is incorrect - I know SAST scanners that are really bad and report false or false-positive findings.

Lutz Willek
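The answer suggests scanning for other Java files yourself, and the comments turn on who patches what. The POSIX shell script below is an added example, not code from the question, the answer, IBM or Red Hat. It walks a directory tree for executables named `java`, reads each launcher's `-version` banner, classifies it as IBM J9/OpenJ9 or OpenJDK with its Java major version, and asks `rpm -qf` whether the RPM database owns the file: an rpm-owned OpenJDK is what `yum update` patches, while a vendor JDK unpacked under `/opt` or bundled inside an application is not owned by any package and needs the vendor's own upgrade. The demonstration tree, its two fake launchers and their version banners (with placeholder build identifiers) are constructed for this example; run the script with no argument for that demo, or with a root directory such as `/` to inventory a real host.

```shell
#!/bin/sh
# Added example (not from the question or answer): inventory the `java`
# launchers under a directory tree and report, for each one, the vendor,
# the Java major version and whether the RPM database owns the file.
# Usage: sh java_inventory.sh        -> runs on a constructed demo tree
#        sh java_inventory.sh /      -> inventories the real host

# Capture the full `java -version` banner (the launcher writes it to stderr).
java_banner() {
    "$1" -version 2>&1
}

# Classify a banner: IBM J9 / OpenJ9 runtimes, OpenJDK, or anything else.
java_vendor() {
    case "$1" in
        *"IBM J9"*|*OpenJ9*)           echo ibm ;;
        *"openjdk version"*|*OpenJDK*) echo openjdk ;;
        *)                             echo other ;;
    esac
}

# Reduce the quoted version string to its major number:
# "1.7.0" -> 7, "1.8.0_231" -> 8, "11.0.2" -> 11.
java_major_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# Owning package from the RPM database, or a marker when rpm cannot tell us.
# A file owned by no package (typical for vendor JDKs unpacked under /opt or
# shipped inside an application directory) is never touched by `yum update`.
rpm_owner() {
    if command -v rpm >/dev/null 2>&1; then
        owner=$(rpm -qf "$1" 2>/dev/null) && echo "$owner" || echo not-rpm-owned
    else
        echo rpm-unavailable
    fi
}

# One tab-separated line per executable named `java` below $1 (default /).
inventory_java() {
    scan_root=${1:-/}
    find "$scan_root" \( -path /proc -o -path /sys \) -prune -o \
         -type f -name java -print 2>/dev/null |
    while read -r exe; do
        [ -x "$exe" ] || continue
        banner=$(java_banner "$exe")
        printf '%s\tvendor=%s\tmajor=%s\trpm=%s\n' "$exe" \
            "$(java_vendor "$banner")" "$(java_major_version "$banner")" \
            "$(rpm_owner "$exe")"
    done
}

# Constructed demo tree: two fake launchers whose banners imitate the shape of
# IBM Java 7 and OpenJDK 8 output. Build identifiers are placeholders.
make_constructed_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/opt/ibm/java-7/bin" "$demo/usr/lib/jvm/openjdk-8/bin"
    cat > "$demo/opt/ibm/java-7/bin/java" <<'EOF'
#!/bin/sh
cat >&2 <<'BANNER'
java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470-00000000_00(SR0))
IBM J9 VM (build 2.6, JRE 1.7.0 Linux amd64-64 Compressed References 00000000_000000 (JIT enabled, AOT enabled)
BANNER
EOF
    cat > "$demo/usr/lib/jvm/openjdk-8/bin/java" <<'EOF'
#!/bin/sh
cat >&2 <<'BANNER'
openjdk version "1.8.0_000"
OpenJDK Runtime Environment (build 1.8.0_000-b00)
OpenJDK 64-Bit Server VM (build 25.000-b00, mixed mode)
BANNER
EOF
    chmod +x "$demo/opt/ibm/java-7/bin/java" "$demo/usr/lib/jvm/openjdk-8/bin/java"
    printf '%s\n' "$demo"
}

# Entry point: a directory argument scans that tree; no argument runs the demo.
if [ -n "${1:-}" ]; then
    inventory_java "$1"
else
    demo_root=$(make_constructed_tree)
    inventory_java "$demo_root"
    rm -rf "$demo_root"
fi
```

On a real host the `rpm=` column is the useful one for the scope question in the comments: a launcher reported as `not-rpm-owned` with `vendor=ibm` is the kind of installation the scanner is pointing at, and it will not move when the OS packages are updated.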