Washington DC and Java 17.0.8 vulnerability
02-06-2025 09:29 AM
Hi all,
We have been using the bundled package that includes Java for our MID servers for a while. Just recently, the 17.0.8 Java version that comes with the Washington release has been flagged by our enterprise security tool as vulnerable, and we had to switch to our own version (17.0.13) by following the steps outlined in KB0719830. This newly installed Java version has recently been flagged as vulnerable, and now I need to install 17.0.14, which requires a commercial license and an Oracle account to log in to the download webpage. Even in the hypothetical event of upgrading to Yokohama, which comes bundled with Java 17.0.12, it'll still be flagged as vulnerable by our internal security tool. How is everyone else dealing with this?
Thanks!
02-11-2025 03:57 AM
Hi @Seb,
Java updates on MID servers are a constant challenge due to frequent vulnerabilities. Long-term, containerization or VMs offer the best solution by isolating Java versions. Shorter-term strategies include automating Java updates, establishing a regular patching schedule, considering Java LTS releases or OpenJDK, and staying informed about vulnerabilities. ServiceNow documentation and support are valuable resources. Addressing licensing issues, especially with Oracle JDK, is crucial. Prioritize security through regular updates and thorough testing to minimize downtime and ensure MID server functionality.
02-11-2025 02:33 PM
I would encourage you to reach out to HIWAVE support.