Washington DC and Java 17.0.8 vulnerability

Seb
Tera Contributor

Hi all,


We have been using the bundled package that includes Java for our MID servers for a while. Just recently, the Java 17.0.8 version that comes with the Washington release was flagged by our enterprise security tool as vulnerable, and we had to switch to our own version (17.0.13) by following the steps outlined in KB0719830. This newly installed Java version has now also been flagged as vulnerable, and I need to install 17.0.14, which requires a commercial license and an Oracle account to log in to the download page. Even in the hypothetical event of upgrading to Yokohama, which comes bundled with Java 17.0.12, it will still be flagged as vulnerable by our internal security tool. How is everyone else dealing with this?

Thanks!

2 REPLIES

Community Alums
Not applicable

Hi @Seb ,

Java updates on MID servers are a constant challenge due to frequent vulnerabilities. Long-term, containerization or VMs offer the best solution by isolating Java versions. Shorter-term strategies include automating Java updates, establishing a regular patching schedule, considering Java LTS releases or OpenJDK, and staying informed about vulnerabilities. ServiceNow documentation and support are valuable resources. Addressing licensing issues, especially with Oracle JDK, is crucial. Prioritize security through regular updates and thorough testing to minimize downtime and ensure MID server functionality.

jcmings
Mega Sage

I would encourage you to reach out to HIWAVE support.