Qualys VMDR team has added support for the Red Hat OpenJDK that will help security teams to check the Red Hat OpenJDK instances installed on Windows and identify related vulnerabilities.
Red Hat OpenJDK is a free, open-source implementation of the Java Platform, Standard Edition (Java SE) for Linux, Windows, and macOS. It is based on the OpenJDK project, with additional features and enhancements from Red Hat.
Installation of Red Hat OpenJDK
Once the MSI installer is downloaded, it will install OpenJDK on the Windows machine by double-clicking on the installer file and following the prompts in the installation wizard.
It’s important to note that Red Hat OpenJDK is only available for specific versions of Windows. For example, it is not available for Windows 7 or Windows 8.1. Please check the supported platforms for your particular OpenJDK version before installing it.
According to Red Hat, below are the supported versions for windows:
- Red Hat OpenJDK Version 8
- Red Hat OpenJDK Version 11
- Red Hat OpenJDK Version 17
Red Hat Open JDK Life Cycle
- Red Hat Open JDK 8 will reach End of Support in November 2026
- Red Hat OpenJDK 11 will reach End of Support in October 2024
- Red Hat OpenJDK 17 will reach End of Support in October 2027
Qualys is adding support only for MSI Installer for Red Hat OpenJDK for windows.
For Red Hat OpenJDK 8, the detection will check the following details to identify the Vendor from the Windows Registry:
- Check if the Vendor for OpenJDK is “Red Hat.”
- If the Publisher matched as Red Hat, then check for the name and version as per the security advisories.
For Red Hat OpenJDK 11 and 17, the detection will check the following details to identify the Vendor and version:
- We will check the Vendor for a string match “Red Hat.”
- If the Vendor matches, the version will be extracted from “java.exe.”
Qualys plans to cover all Red Hat OpenJDK for Windows advisories starting from 2021.
Below is an example of the scan results for IG QID 45559. The scan results show Red Hat OpenJDK 8, 11, and 17. Please refer to the screenshots:
Qualys will start adding Vuln QIDs beginning April 3rd, 2023.