Legacy OSes, Legacy systems. We all know that it sucks having them. We all have to deal with them. Software companies do not always account for them though.

When you work internally in a medium to large business change happens slowly at times. I recently ran into a weird issue due to slow change. I went to update my CarbonBlack Response server in the mindset of security and fixing a few annoying bugs. I have done these updates without issue in the past. So when I got an OpenJDK dependency error I was rather taken aback. I tried to update OpenJDK, no go. The repos this version of Linux is using had no update to openJDK (1.8.0.r92 is what I needed). I decided to get CB support involved. We eventually set up a Webex so they could see directly what was going on, since none of the fixes they had sent me worked.

Turns out that it was not documented that the Linux version we were on will not get that version of OpenJDK, or anything newer available for it. Mind you the Linux version is a number of years old, but still supported by said Linux vendor. Nor is there a way around the issue with the upgrade process, so CarbonBlack basically cannot be updated unless I can get the proper change order pushed through to upgrade the Linux version. We tried everything, manually installing new versions of OpenJDK which succeeded but still was not being seen when the dependency check was being done.

The support person from CarbonBlack was going to let the devs there know about this and try to get documentation updated so others who might be looking to upgrade know they cannot with this version of Linux. The other thing that got me thinking was why is a security company like CarbonBlack relying on Java (OpenJDK) since it is so insecure? I like CarbonBlack’s products but this is a huge WTF in my book.