Java Vulnerabilities and CVEs

Hey all,
We recently had an external company do a security audit on some of our systems. They pulled several CVEs related to Java and Azul Zulu on our Linux systems but, strangely, not on a Windows one.

Our Linux Ignitions are running on version 8.1.7, while the Windows version is running on 8.0.17.

I’ve looked through the update release notes and seen that the embedded Java has since been updated to a later version, which we may consider doing to make our client happy. I’m aware the Log4j vulnerabilities shouldn’t be an issue as they’re unused, but our client is more worried about appearing to ‘patch’ these issues even if they don’t need it.

But I’m wondering why this other Windows Ignition hasn’t got these. Is there something different about 8.0 that means these Java libraries aren’t installed? Or perhaps the way our security is set up on that machine means the scans didn’t pick it up.

Thanks for any thoughts

It’s possible that the scans didn’t pick it up. Another possibility is that the CVE was both introduced and then fixed in a later version. If you can’t provide CVEs for us to reference, I’m not sure there’s much more I can tell you.

We continually update the embedded JDK as updates are released, so if you’re concerned about these then an upgrade is the easiest solution.


Hey,
The quoted CVEs were

  • CVE-2021-3517
  • CVE-2021-3522
  • CVE-2021-35550
  • CVE-2021-35556
  • CVE-2021-35559
  • CVE-2021-35561
  • CVE-2021-35564
  • CVE-2021-35565
  • CVE-2021-35567
  • CVE-2021-35578
  • CVE-2021-35586
  • CVE-2021-35588
  • CVE-2021-35603
  • CVE-2019-17571
  • CVE-2020-9488
  • CVE-2022-23302
  • CVE-2022-23305
  • CVE-2022-23307

Looks like these are mostly related to some Java CVEs and Apache Log4j. I understand Log4j vulnerabilities aren’t a concern as these aren’t used in Ignition, but our client still gets concerned when these appear in the audits.

Probably I’ll push for an upgrade on the systems
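A quick way to settle the question in this thread (what the scanner actually saw on each box: which embedded JDK and which log4j jars) is to inventory the install directory yourself rather than rely on the audit report. The script below is an added example and is not Inductive Automation's code or part of the original posts. It reads the `JAVA_VERSION` line from any JDK `release` file it finds and picks up jar names that look like log4j artifacts. The directory layout it builds (`lib/runtime/jre-linux`, `lib/core/common`) and the version strings are constructed sample data, not Ignition's real layout; point `jdk_versions` and `log4j_jars` at a real install root to get real answers.

```python
"""Inventory what a vulnerability scanner would see in an Ignition-style install:
the embedded JDK version (from the JDK's `release` file) and any log4j jars.
Added example, not Inductive Automation's code. Paths and versions are assumptions."""
import re
import tempfile
from pathlib import Path

# Matches e.g. log4j-1.2.17.jar, log4j-api-2.17.1.jar, log4j-core-2.17.1.jar
JAR_RE = re.compile(r"^(log4j(?:-[a-z0-9]+)?)-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def build_sample_install(root: Path) -> Path:
    """Constructed sample tree; the layout is illustrative, not Ignition's real one."""
    jre = root / "lib" / "runtime" / "jre-linux"
    jre.mkdir(parents=True)
    # A real JDK ships a `release` file with KEY="value" lines; values here are made up.
    (jre / "release").write_text(
        'IMPLEMENTOR="Azul Systems, Inc."\n'
        'JAVA_VERSION="11.0.10"\n'
    )
    lib = root / "lib" / "core" / "common"
    lib.mkdir(parents=True)
    for name in ("log4j-1.2.17.jar", "log4j-api-2.17.1.jar",
                 "log4j-core-2.17.1.jar", "guava-30.1.jar"):
        (lib / name).write_bytes(b"")  # empty placeholder jars
    return root


def jdk_versions(root: Path) -> list:
    """Return (relative dir, JAVA_VERSION) for every JDK `release` file under root."""
    found = []
    for release in root.rglob("release"):
        if not release.is_file():
            continue
        text = release.read_text(errors="replace")
        m = re.search(r'^JAVA_VERSION="([^"]+)"', text, re.MULTILINE)
        if m:
            found.append((release.parent.relative_to(root).as_posix(), m.group(1)))
    return sorted(found)


def log4j_jars(root: Path) -> list:
    """Return (artifact, version) for jar names that look like log4j artifacts."""
    found = []
    for jar in root.rglob("*.jar"):
        m = JAR_RE.match(jar.name)
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return sorted(found)


def log4j1_present(root: Path) -> bool:
    """True if a log4j 1.x jar is on disk. The 1.2 line is end-of-life and is what
    CVE-2019-17571 and CVE-2022-23302/23305/23307 from the audit are filed against,
    so a scanner will flag it by filename whether or not anything loads it."""
    return any(art == "log4j" and ver.startswith("1.") for art, ver in log4j_jars(root))


def scan_sample() -> dict:
    """Build the constructed sample tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_install(Path(tmp))
        return {
            "jdks": jdk_versions(root),
            "log4j": log4j_jars(root),
            "log4j1": log4j1_present(root),
        }


if __name__ == "__main__":
    for key, value in scan_sample().items():
        print(f"{key}: {value}")
```

Run it against both the Linux and the Windows install roots and diff the output: if the Windows box has no `release` file in the version the scanner expects, or no log4j jar on disk, that explains the missing findings far better than a guess about scanner coverage. Note that a jar sitting on disk is what a filename-based scanner flags; whether Ignition actually loads it is a separate question the scan cannot answer.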