One of my commercial vendors sells us a product, and they have been saying that they are updating the Java versions to keep up with security fixes.
They currently indicate that they are at 7u79, which is what java -version indicates as normal:
OpenJDK Runtime Environment (rhel-2.5.5.2.el5_11-x86_64 u79-b14)
OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)
rpm -qa | grep -i jdk indicates that this is indeed installed (result = java-1.7.0-openjdk-1.7.0.79-2.5.5.2.el5_11)
They have a web-accessible process which uses java in an unusual location though, which appears to be 6u35, and does not appear as an installed package in rpm -qa.
The location is /usr/java/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin.
In this location, if you run "./java -version" from this directory, it indicates the following:
OpenJDK Runtime Environment (IcedTea6 1.13.7) (rhel-1.13.7.1.el5_11-x86_64)
OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)
Is this product vulnerable to Java 6u35 vulnerabilities? Is the vendor trying to hide the fact that they are using Java 6u35 by having their process run from what appears to be a non-standard directory?
Thank you all for your thoughts and expertise.
Respectfully,
George Sypsomos
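
An added example, not part of the original post and not vendor code: a shell script that lists every `java` launcher under the directories you name, with its `java -version` runtime line and the RPM package that owns the file, so a runtime that `rpm -qa` never shows (like the one under /usr/java above) is flagged. It assumes an RPM-based host with GNU `readlink -f`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inventory `java` launchers and flag ones no RPM package owns.
# Usage (assumed script name): sh java_inventory.sh /usr /opt

# Print the "Runtime Environment" line of `java -version`, which the JVM
# writes to stderr; print "unknown" if the binary gives no such line.
java_banner() {
    "$1" -version 2>&1 | grep -m1 'Runtime Environment' || echo "unknown"
}

# Print the package owning the file, or UNOWNED when rpm has no record of
# it (also when rpm is not installed on this host).
rpm_owner() {
    if command -v rpm >/dev/null 2>&1 && owner=$(rpm -qf "$1" 2>/dev/null); then
        printf '%s\n' "$owner" | head -n 1
    else
        echo "UNOWNED"
    fi
}

# Walk one directory tree. Symlinks (e.g. /usr/bin/java through
# /etc/alternatives) are resolved so each real binary is listed once.
# Output columns, tab-separated: path, owning package, version banner.
java_inventory() {
    find "$1" \( -type f -o -type l \) -name java 2>/dev/null |
    while IFS= read -r bin; do
        [ -x "$bin" ] || continue
        real=$(readlink -f "$bin")
        printf '%s\t%s\t%s\n' "$real" "$(rpm_owner "$real")" "$(java_banner "$real")"
    done | sort -u
}

# Scan only when directories are given on the command line.
if [ "$#" -gt 0 ]; then
    for root in "$@"; do
        java_inventory "$root"
    done
fi
```

A row marked UNOWNED is a runtime that package updates will not touch, so its patch level has to be tracked separately from the RPM-managed one.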