On June 30th, 2024, CentOS 7 reaches its end-of-life (EOL) date. After this date, the platform will no longer receive updates or security fixes. Even though this EOL has been planned and publicly known for several years, analysis of cloud assets scanned by the Orca Platform shows that nearly half of all organizations are still using CentOS. This leaves them running workloads on an EOL platform that will accumulate vulnerabilities which will never be fixed. The risk grows not only for the CentOS workloads themselves but also for the wider cloud environment, since a compromised EOL host can serve as a foothold for lateral movement.

Why is CentOS Linux being discontinued?

CentOS 7 is the last supported version of CentOS, a community-driven, open-source Linux distribution built from Red Hat Enterprise Linux (RHEL) source code. In 2020, Red Hat announced that it was deprecating CentOS Linux and focusing its investment on CentOS Stream instead.

While organizations have had four years to address this change, Orca’s data shows that CentOS still has a significant presence in cloud environments. Roughly 49% of organizations have some workloads running on CentOS (mostly CentOS 7.9, which is supported until June 30th, and to a lesser extent already-unsupported versions such as CentOS 6 and CentOS 8). 2.1% of all workloads are still running on CentOS, and 0.7% of all the container images Orca sees are based on CentOS.

What to do with CentOS workloads

Red Hat recommends that organizations move CentOS workloads to another distribution immediately. Red Hat has tools available to shift workloads from CentOS to the paid Red Hat Enterprise Linux (RHEL) platform.

Other platforms, including AlmaLinux and Rocky Linux, are binary compatible with CentOS and RHEL and may make acceptable alternatives depending on an organization’s requirements.

While no organization should run on unsupported, end-of-life platforms, the reality is that organizations sometimes do so for non-security reasons. If your organization cannot migrate before the EOL date, it is important to:

  • Understand the scope of your EOL deployments
  • Go through threat-modeling exercises to understand how these workloads might be impacted
  • Develop plans for enhancing the posture of these workloads in line with the threat models
  • Isolate EOL workloads as much as possible, enforcing least privilege and least access aggressively and ensuring they’re not in any critical attack paths
  • Monitor the workloads closely for any anomalies
  • Plan an eventual migration to a supported platform
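The first step above, understanding the scope of EOL deployments, starts with a reliable per-host check of which distribution and major version is actually running. The following POSIX shell script is an added example written for this post; it is not Orca's code or a Red Hat tool. It classifies a host from the text of /etc/os-release, falling back to the one-line /etc/centos-release format that CentOS 6 uses because it predates os-release, and compares the result against a small EOL table. The CentOS 7 date is the one given in this post; the CentOS 6 and CentOS 8 dates are the project's published ones. The sample release-file contents are constructed for demonstration, and anything not in the table is reported as UNKNOWN rather than guessed.

```shell
#!/bin/sh
# Added example (not Orca's code): classify a host as EOL, supported or unknown
# from release-file text, using a small table of known end-of-life dates.

# Map "<id>:<major>" to the distribution's EOL date (YYYY-MM-DD).
# CentOS 7's date is from the post; CentOS 6 and 8 are the project's dates.
eol_date_for() {
    case "$1:$2" in
        centos:6) echo 2020-11-30 ;;
        centos:7) echo 2024-06-30 ;;
        centos:8) echo 2021-12-31 ;;
        *)        echo "" ;;
    esac
}

# Extract "<id>:<major>" from release-file text passed as $1.
# Handles os-release key=value lines first, then the one-line
# "CentOS release 6.10 (Final)" / "CentOS Linux release 7.9.2009 (Core)" format.
detect_release() {
    id=$(printf '%s\n' "$1" | sed -n 's/^ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' | head -n 1)
    major=$(printf '%s\n' "$1" | sed -n 's/^VERSION_ID="\{0,1\}\([0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$id" ]; then
        # Fallback for CentOS 6, which has no /etc/os-release.
        major=$(printf '%s\n' "$1" | sed -n 's/^CentOS.* release \([0-9]*\).*/\1/p' | head -n 1)
        if [ -n "$major" ]; then id=centos; fi
    fi
    if [ -n "$id" ] && [ -n "$major" ]; then
        printf '%s:%s\n' "$id" "$major"
    fi
    return 0
}

# Classify release-file text ($1) relative to a reference date ($2, YYYY-MM-DD).
# Prints "EOL <date>" once the reference date is past the EOL date,
# "SUPPORTED until <date>" before it, or "UNKNOWN" for untracked platforms.
classify() {
    rel=$(detect_release "$1")
    eol=""
    if [ -n "$rel" ]; then
        eol=$(eol_date_for "${rel%%:*}" "${rel#*:}")
    fi
    if [ -z "$eol" ]; then
        echo UNKNOWN
    elif [ "$(printf '%s' "$2" | tr -d -)" -gt "$(printf '%s' "$eol" | tr -d -)" ]; then
        echo "EOL $eol"
    else
        echo "SUPPORTED until $eol"
    fi
    return 0
}

# Constructed sample inputs (not captured from real hosts).
SAMPLE_CENTOS7='NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"'
SAMPLE_CENTOS6='CentOS release 6.10 (Final)'
SAMPLE_UBUNTU='NAME="Ubuntu"
ID=ubuntu
VERSION_ID="20.04"'

# Run with --host to classify the machine the script is executing on.
if [ "${1:-}" = "--host" ]; then
    today=$(date +%Y-%m-%d)
    if [ -r /etc/os-release ]; then
        text=$(cat /etc/os-release)
    elif [ -r /etc/centos-release ]; then
        text=$(cat /etc/centos-release)
    else
        text=""
    fi
    classify "$text" "$today"
fi
```

Run over a fleet (for example through an existing configuration-management or SSH inventory tool), the output of `classify` gives an honest list of EOL hosts, including CentOS 6 machines that tools keyed only on /etc/os-release would silently skip. Extending the table to other distributions is a matter of adding entries with their vendor-published dates.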

The risk of end-of-life platforms

Orca’s 2024 State of Cloud Security Report found that 84% of organizations have neglected assets, a category that includes assets running on EOL platforms as well as assets that have not been patched in an excessively long time (more than 180 days).

By definition, an EOL platform is no longer supported and will no longer receive security or functionality updates. Over time this dramatically increases the risk of both compromise and instability. While it is difficult to quantify how much the risk will grow, it is much easier to identify the impact if these workloads are compromised or become unavailable.

How Orca can help

Orca’s agentless approach to cloud security enables organizations to see every workload deployed across all of their cloud accounts, giving a comprehensive view of where EOL (or near-EOL) operating systems are deployed. For example, all CentOS workloads can be found quickly from Discovery.

For versions that are already out of support, Orca has a built-in alert that proactively identifies workloads running on EOL platforms and notifies the responsible teams. Organizations can also create custom alerts to identify workloads on distributions and versions that violate policy even if they are not EOL yet. For example, if there is a project to upgrade Ubuntu 20.04 before its EOL date in 2025, an organization could create a custom alert to track which workloads are still running this version and to catch any new deployments.

To see how Orca finds and alerts you to neglected assets in your cloud environment, schedule a 1:1 demo with an Orca expert.