How does Qualys handle scanning for Java 6 with extended support? Does the scanner pick up the newer non-public versions? And, does the scanner relate vulnerabilities that are remediated by the extended support versions?
Thanks for posting. The short answer is no, we don't generally create signatures for extended support (non-public) notifications.
In our experience, some non-public extended support information cannot be legally disclosed since the information isn't supposed to be freely available to everyone.
In order to ensure our customers are aware of risks associated with software like this, we do raise a Severity 5 vulnerability when we detect unsupported, end-of-life, or obsolete software. In this particular situation we have QID 105490 EOL/Obsolete Software: Oracle Java SE/JRE/JDK 6/1.6 Detected. If a customer has an extended support contract, they can ignore or downgrade the severity in their QualysGuard VM account.
If there is a "new" Zero Day affecting Java 6, then we would add it into QualysGuard. The solution might be to upgrade to a supported version of Java, unless Sun MicroSystems (makers of Java) decides to release a patch to the public.
Let me know if you need more details.