Hi All,
I’ve received a security vulnerability on my Chef server related to the embedded Java version. Is there any way to upgrade the JRE without upgrading chef-backend?
Affected version and path:
chef-backend/embedded/jre/bin/java 1.8.0_144-b01 Enhanced
I don’t have a real answer but as a customer I know it took quite a while (multiple releases) to update the embedded Java. I would suspect the simple answer is “No”.
I’ve seen this sort of problem before. You could make a backup/snapshot in case you have issues. I’d create a test server to do this work so you get the process down pat. Once you have a safe place to work, install the OpenJDK version of Java. Use alternatives to change it to be the default Java on your OS. Now check to see whether Chef will run on it. If not, check through the start-up scripts/systemd config for JAVA_HOME paths and other Java-related items. You just need to change the path to the OpenJDK version. This has worked in about 60% of our remediation efforts, so there are no guarantees. It may be better to build a replacement Chef server on a later community version that doesn’t have this dependency and move to it.
Chef-backend won’t use java in $PATH so alternatives doesn’t really apply. However, testing chef-infra installs on a test system is really easy, so experimenting with symlinking the embedded chef java executable path to the host java wouldn’t be hard to test. JAVA_HOME might be a little harder…
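The symlink workaround sketched in the two replies above, written up as an added example that is not part of any post in this thread: a small POSIX shell helper that swaps chef-backend's embedded JRE for a host OpenJDK while keeping a backup for rollback, plus a check that reports which service scripts still hard-code the old path. The `<root>/embedded/jre` layout, the `.orig` backup suffix and the directories you grep are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread): swap chef-backend's embedded JRE for a
# host OpenJDK by symlink, keeping a backup so the change can be rolled back.
# Assumed layout: <root>/embedded/jre (chef) and <host_jre>/bin/java (OpenJDK).
set -eu

# Print the first line of `java -version` for the JRE a chef-backend root uses,
# so you can confirm which build is actually in place before and after the swap.
embedded_java_version() {
    "$1/embedded/jre/bin/java" -version 2>&1 | head -n 1
}

# List files under the given directories that hard-code the embedded JRE path
# (JAVA_HOME exports, runit/systemd scripts); each one needs review after swapping.
find_jre_references() {
    grep -rl 'embedded/jre' "$@" 2>/dev/null || true
}

# Move <root>/embedded/jre to <root>/embedded/jre.orig and symlink the host JRE in.
# Refuses to act if the host JRE is unusable, a backup exists, or the swap was done.
swap_embedded_jre() {
    root="$1"; host_jre="$2"; jre="$root/embedded/jre"
    if [ ! -x "$host_jre/bin/java" ]; then
        echo "no executable java at $host_jre/bin/java" >&2; return 1
    fi
    if [ -e "$jre.orig" ]; then
        echo "backup $jre.orig already exists, refusing to overwrite" >&2; return 1
    fi
    if [ -L "$jre" ]; then
        echo "$jre is already a symlink" >&2; return 1
    fi
    mv "$jre" "$jre.orig"
    ln -s "$host_jre" "$jre"
}

# Roll back: drop the symlink and put the original embedded JRE back in place.
restore_embedded_jre() {
    jre="$1/embedded/jre"
    if [ ! -d "$jre.orig" ]; then
        echo "no backup at $jre.orig" >&2; return 1
    fi
    if [ -L "$jre" ]; then rm "$jre"; fi
    mv "$jre.orig" "$jre"
}
```

On a test node this would be called as `swap_embedded_jre /opt/chef-backend /usr/lib/jvm/<openjdk-dir>` (both paths assumed), followed by a service restart and `embedded_java_version /opt/chef-backend` to confirm the new build; `restore_embedded_jre` undoes it if the services fail to start.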