On 8/17/21 11:14 AM, Jonathan Billings wrote:
> On Tue, Aug 17, 2021 at 05:02:02PM +0100, Mark Woolfson wrote:
>> Unfortunately the manufacturer of our application software will only support
>> it on RHEL/CentOS 7.0. I have asked and that is all they say.
>
> This is absurd. The 7.0 kernel has so many vulnerabilities that are
> well known and well documented, they're forcing you to run a kernel
> that can be trivially exploited. I would seriously push back with the
> manufacturer. Does it have a custom kernel module that it requires?
> Or did they only test it on RHEL or CentOS 7.0 and never updated their
> documentation?
>
> In the past, I've asked vendors that tried this kind of nonsense if
> they're willing to indemnify their customers for any security issues
> that arise as a result of using their product. Feel free to list all
> the CVEs in the current CentOS 7 kernel. I see there are 1,125 CVEs
> mentioned in the kernel changelog. It won't hold any legal water, most
> likely, but it might get someone to at least look closer at the issue.
>

Both Stephen and Jonathan have hit on this .. But you need to tell your vendor that a 7.0 kernel is vulnerable and that they need to support newer versions.

There are so many security vulnerabilities in RHEL/CentOS from 7.0 to 7.9 .. many of them remotely exploitable. And this is true for all packages, not just the kernel.

If you have a RHEL/CentOS 7.0 machine running and touching the internet without security updates .. you probably are no longer running it. Certainly, not by yourself.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
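Jonathan's figure of CVEs "mentioned in the kernel changelog" is the kind of number you can reproduce yourself when building the case to a vendor: the RPM changelog records which CVE fixes a package has accumulated since the release the vendor says it supports. The script below is an added example, not code from the thread or from the CentOS project. It assumes the real input is produced with `rpm -q --changelog kernel` on the host in question; to run offline it uses a constructed sample changelog with obviously fake CVE identifiers.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Counts the distinct CVE
# identifiers mentioned in an RPM changelog. Real usage on a CentOS/RHEL host
# (assumed invocation, the function only needs changelog text on stdin):
#   rpm -q --changelog kernel | count_cves
#   rpm -q --changelog kernel | list_cves

# Regex for a CVE id: year, then at least four digits (ids may be longer).
CVE_RE='CVE-[0-9]{4}-[0-9]{4,}'

# count_cves: read changelog text on stdin, print how many distinct CVE ids it names.
# sort -u removes duplicates (the same CVE is often referenced by several entries);
# tr strips the padding some wc implementations print.
count_cves() {
    grep -oE "$CVE_RE" | sort -u | wc -l | tr -d ' '
}

# list_cves: same input, print the distinct ids (one per line, sorted) for review.
list_cves() {
    grep -oE "$CVE_RE" | sort -u
}

# Constructed sample changelog (NOT real rpm output; the CVE ids are placeholders)
# so the functions can be exercised without an RPM database.
SAMPLE_CHANGELOG='* Mon Jan 04 2021 Example Maintainer <maint@example.invalid> [0.0.0-0.example]
- [net] placeholder fix (CVE-2021-00001)
- [fs] placeholder fix referencing two ids (CVE-2021-00001 CVE-2020-00002)
- [kernel] unrelated change with no CVE reference
- [drivers] placeholder fix (CVE-2019-00003)
'

# Demo run: ./count_cves.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_CHANGELOG" | list_cves
    printf 'distinct CVEs in sample: %s\n' "$(printf '%s' "$SAMPLE_CHANGELOG" | count_cves)"
fi
```

The count is a lower bound on what a stale install is missing: only fixes whose changelog entry names a CVE are matched, and the same approach applies to any other package (`rpm -q --changelog openssl`, for example), which is the point made in the reply that the exposure is not limited to the kernel.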