[CentOS] A Blast from the past

Wed Aug 18 14:32:18 UTC 2021
Johnny Hughes <johnny at centos.org>

On 8/17/21 11:14 AM, Jonathan Billings wrote:
> On Tue, Aug 17, 2021 at 05:02:02PM +0100, Mark Woolfson wrote:
>> Unfortunately the manufacturer of our application software will only support
>> it on RHEL/CentOS 7.0. I have asked and that is all they say.
> 
> This is absurd.  The 7.0 kernel has so many vulnerabilities that are
> well known and well documented, they're forcing you to run a kernel
> that can be trivially exploited.  I would seriously push back with the
> manufacturer.  Does it have a custom kernel module that it requires?
> Or did they only test it on RHEL or CentOS 7.0 and never updated their
> documentation?
> 
> In the past, I've asked vendors that tried this kind of nonsense if
> they're willing to indemnify their customers for any security issues
> that arise as a result of using their product. Feel free to list all
> the CVEs in the current CentOS 7 kernel.  I see there are 1,125 CVEs
> mentioned in the kernel changelog. It won't hold any legal water, most
> likely, but it might get someone to at least look closer at the issue. 
> 

Both Stephen and Jonathan have hit on this .. But you need to tell your
vendor that a 7.0 kernel is vulnerable and that they need to support
newer versions.

There are so many security vulnerabilities in RHEL/CentOS from 7.0 to
7.9 .. many of them remotely exploitable.  And this is true for all
packages, not just the kernel.

If you have a RHEL/CentOS 7.0 machine running and touching the internet
without security updates .. you are probably no longer running it.
Certainly not by yourself.