[CentOS] A Blast from the past

Wed Aug 18 14:32:18 UTC 2021
Johnny Hughes <johnny at centos.org>

On 8/17/21 11:14 AM, Jonathan Billings wrote:
> On Tue, Aug 17, 2021 at 05:02:02PM +0100, Mark Woolfson wrote:
>> Unfortunately the manufacturer of our application software will only support
>> it on RHEL/CentOS 7.0. I have asked and that is all they say.
> This is absurd.  The 7.0 kernel has so many vulnerabilities that are
> well known and well documented, they're forcing you to run a kernel
> that can be trivially exploited.  I would seriously push back with the
> manufacturer.  Does it have a custom kernel module that it requires?
> Or did they only test it on RHEL or CentOS 7.0 and never updated their
> documentation?
> In the past, I've asked vendors that tried this kind of nonsense if
> they're willing to indemnify their customers for any security issues
> that arise as a result of using their product. Feel free to list all
> the CVEs in the current CentOS 7 kernel.  I see there are 1,125 CVEs
> mentioned in the kernel changelog. It won't hold any legal water, most
> likely, but it might get someone to at least look closer at the issue. 

Both Stephen and Jonathon have hit on this .. But you need to tell your
vendor that a 7.0 kernel is vulnerable and that they need to support
newer versions.

There are so many security vulnerabilities in RHEL/CentOS from 7.0 to
7.9 .. many of them remotely exploitable.  And this is true for all
packages, not just the kernel.

If you have a RHEL/CentOS 7.0 machine running and touching the internet
without security updates .. you probably no longer are running it.
Certainly, not by yourself.