On 8/17/21 11:14 AM, Jonathan Billings wrote:
> On Tue, Aug 17, 2021 at 05:02:02PM +0100, Mark Woolfson wrote:
>> Unfortunately the manufacturer of our application software will only support it on RHEL/CentOS 7.0. I have asked and that is all they say.
> This is absurd. The 7.0 kernel has so many vulnerabilities that are well known and well documented, they're forcing you to run a kernel that can be trivially exploited. I would seriously push back with the manufacturer. Does it have a custom kernel module that it requires? Or did they only test it on RHEL or CentOS 7.0 and never updated their documentation?
> In the past, I've asked vendors that tried this kind of nonsense if they're willing to indemnify their customers for any security issues that arise as a result of using their product. Feel free to list all the CVEs in the current CentOS 7 kernel. I see there are 1,125 CVEs mentioned in the kernel changelog. It won't hold any legal water, most likely, but it might get someone to at least look closer at the issue.
Both Stephen and Jonathan have hit on this .. But you need to tell your vendor that a 7.0 kernel is vulnerable and that they need to support newer versions.
There are so many security vulnerabilities in RHEL/CentOS from 7.0 to 7.9 .. many of them remotely exploitable. And this is true for all packages, not just the kernel.
If you have a RHEL/CentOS 7.0 machine running and touching the internet without security updates .. you probably no longer are running it. Certainly, not by yourself.
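For anyone who wants to produce the CVE list Jonathan mentions, here is an added example (mine, not code from anyone in this thread) that tallies the distinct CVE IDs named in an RPM changelog, which is where that "1,125 CVEs" number comes from: `rpm -q --changelog kernel` prints every fix the package maintainers recorded, and each security fix cites its CVE. It also includes a check for whether a running kernel is still on the 7.0 GA line (3.10.0-123.el7), which is what a vendor demanding "7.0" is effectively asking for. The changelog excerpt below is constructed for the example so it runs offline; the CVE IDs in it are real kernel CVEs fixed in the el7 kernel, but the entry text is paraphrased, not copied from the package.

```shell
#!/bin/sh
# Added example: count the distinct CVE IDs mentioned in an RPM changelog,
# and check whether a kernel release string is the RHEL/CentOS 7.0 GA line.
# Not from the mailing-list thread; written to illustrate the point made there.

# Print each distinct CVE ID found on stdin, one per line.
# A single changelog entry may name several CVEs, and the same CVE may be
# cited by more than one entry (e.g. a fix plus a follow-up), so sort -u.
list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Count the distinct CVE IDs on stdin. tr strips the padding BSD wc adds.
count_cves() {
    list_cves | wc -l | tr -d ' '
}

# "yes" if the kernel release string is from the 7.0 GA kernel line.
# Assumption stated here: RHEL/CentOS 7.0 shipped kernel 3.10.0-123.el7
# (7.9 ships 3.10.0-1160.el7), so anything 3.10.0-123.* is a 7.0 kernel.
kernel_is_el7_ga() {
    case "$1" in
        3.10.0-123.*el7*) echo yes ;;
        *) echo no ;;
    esac
}

# Constructed excerpt in the style of `rpm -q --changelog kernel`.
# The CVE IDs are real el7 kernel fixes; the wording is paraphrased.
# CVE-2016-5195 appears twice on purpose to show the de-duplication.
SAMPLE_CHANGELOG='* Thu Jul 11 2019 Example Maintainer [3.10.0-957.27.2.el7]
- [net] tcp: limit payload size of SACKed SKBs (CVE-2019-11477)

* Thu Jan 04 2018 Example Maintainer [3.10.0-693.11.6.el7]
- [x86] kaiser: page table isolation (CVE-2017-5754)

* Mon Jun 19 2017 Example Maintainer [3.10.0-514.21.2.el7]
- [mm] enlarge stack guard gap (CVE-2017-1000364)

* Fri Oct 21 2016 Example Maintainer [3.10.0-327.36.3.el7]
- [mm] fix gup race with COW (CVE-2016-5195)
- [mm] follow-up for the COW fix (CVE-2016-5195)'

# Stand-alone demonstration on the constructed sample.
echo "Distinct CVEs in sample changelog: $(printf '%s\n' "$SAMPLE_CHANGELOG" | count_cves)"
printf '%s\n' "$SAMPLE_CHANGELOG" | list_cves

# On a real RPM-based host, do the same against the installed kernel.
if command -v rpm >/dev/null 2>&1; then
    echo "Distinct CVEs in installed kernel changelog: $(rpm -q --changelog kernel 2>/dev/null | count_cves)"
fi

echo "Running kernel $(uname -r) is 7.0 GA line: $(kernel_is_el7_ga "$(uname -r)")"
```

To get the full list for a vendor conversation, run `rpm -q --changelog kernel | list_cves` on an up-to-date CentOS 7 box; the count is per package, so repeat it for glibc, openssl and anything else the application links against if you want to make the "not just the kernel" point.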