For a couple of months we have been using a vulnerability scanner (Rapid 7) which is complaining about the bcel package being vulnerable. Red Hat released an update package, but it hasn't found its way to the CentOS 7 repository. The only suggestion so far I can find is to update to the latest version of bcel in the CentOS repository, which isn't helpful as the latest version seems vulnerable. Also I can't find an RPM to install manually.
The info I found at Red Hat: https://access.redhat.com/security/cve/cve-2022-42920
Currently installed:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.nforce.com
* epel: ftp.nluug.nl
* extras: centos.mirror.transip.nl
* updates: centos.mirror.transip.nl
Installed Packages
Name : bcel
Arch : noarch
Version : 5.2
Release : 18.el7
Size : 525 k
Repo : installed
From repo : base
Summary : Byte Code Engineering Library
URL : http://commons.apache.org/proper/commons-bcel/
License : ASL 2.0
Description : The Byte Code Engineering Library (formerly known as JavaClass) is
: intended to give users a convenient possibility to analyze, create, and
: manipulate (binary) Java class files (those ending with .class). Classes
: are represented by objects which contain all the symbolic information of
: the given class: methods, fields and byte code instructions, in
: particular. Such objects can be read from an existing file, be
: transformed by a program (e.g. a class loader at run-time) and dumped to
: a file again. An even more interesting application is the creation of
: classes from scratch at run-time. The Byte Code Engineering Library
: (BCEL) may be also useful if you want to learn about the Java Virtual
: Machine (JVM) and the format of Java .class files. BCEL is already
: being used successfully in several projects such as compilers,
: optimizers, obsfuscators and analysis tools, the most popular probably
: being the Xalan XSLT processor at Apache.
Does anybody have a suggestion on how to deal with such situations? This seems to happen more often than I realized.
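The check a practitioner would typically run in this situation, as an added example that is not part of the original post: RHEL/CentOS backport security fixes without bumping the upstream version, so a scanner matching on "bcel 5.2" can be wrong in either direction, and the RPM changelog rather than the version string tells whether a CVE has been addressed. The script assumes a POSIX sh and, for the live check only, the rpm command; the sample changelog entries are constructed, not real package metadata.

```shell
#!/bin/sh
# Added example (not from the original post): does an installed RPM's
# changelog reference a given CVE? A hit means the fix was backported even
# though the version (here 5.2) did not change; no hit means the scanner
# finding should be treated as open until the distro ships a fixed build.

# cve_in_changelog CVE-ID CHANGELOG_TEXT
# Returns 0 if the changelog text mentions the CVE id (case-insensitive), else 1.
cve_in_changelog() {
    _cve="$1"
    _text="$2"
    printf '%s\n' "$_text" | grep -qi -- "$_cve"
}

# check_installed_package CVE-ID PACKAGE
# Queries rpm on the local host and prints a verdict (needs rpm to exist).
check_installed_package() {
    _cve="$1"
    _pkg="$2"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm is not available on this host"
        return 2
    fi
    _nvr=$(rpm -q "$_pkg" 2>/dev/null) || { echo "$_pkg is not installed"; return 1; }
    _log=$(rpm -q --changelog "$_pkg")
    if cve_in_changelog "$_cve" "$_log"; then
        echo "$_nvr: changelog references $_cve (fix backported)"
        return 0
    fi
    echo "$_nvr: no mention of $_cve in changelog; treat the finding as open"
    return 1
}

# Constructed sample changelogs (not real bcel metadata) so the check can be
# exercised offline: one with a backported fix entry, one without.
SAMPLE_PATCHED='* Mon Jan 02 2023 Example Maintainer <maint@example.com> - 5.2-19
- Backport fix for CVE-2022-42920 (constructed entry)
* Tue Jan 01 2019 Example Maintainer <maint@example.com> - 5.2-18
- Rebuild'
SAMPLE_UNPATCHED='* Tue Jan 01 2019 Example Maintainer <maint@example.com> - 5.2-18
- Rebuild'
```

On a real host, run `check_installed_package CVE-2022-42920 bcel`; a missing changelog entry combined with a missing update is the evidence to attach when documenting the finding as a known open issue awaiting a distro build.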