RHEL7: Check if a system is vulnerable to a CVE.

Share this link


CVE stands for Common Vulnerabilities and Exposure. It’s a dictionary of publicly known information security vulnerabilities and exposures.

CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.


To check whether a RHEL 7 or CentOS 7 system is vulnerable or not to a CVE, first install the following yum plugin:

# yum install yum-plugin-security

Then, check whether the vulnerability is present (here openssl security update):

# yum updateinfo info --cve CVE-2014-0224
 Important: openssl security update
 Update ID : RHSA-2014:0679
 Release : 
 Type : security
 Status : final
 Issued : 2014-06-10 00:00:00
 Bugs : 1087195 - CVE-2010-5298 openssl: freelist misuse causing 
        a possible use-after-free
 : 1093837 - CVE-2014-0198 openssl: SSL_MODE_RELEASE_BUFFERS NULL
   pointer dereference in do_ssl3_write()
 : 1103586 - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability
 : 1103593 - CVE-2014-0221 openssl: DoS when sending invalid DTLS
 : 1103598 - CVE-2014-0195 openssl: Buffer overflow via DTLS 
   invalid fragment
 : 1103600 - CVE-2014-3470 openssl: client-side denial of service 
   when using anonymous ECDH
 CVEs : CVE-2014-0224
 : CVE-2014-0221
 : CVE-2014-0198
 : CVE-2014-0195
 : CVE-2010-5298
 : CVE-2014-3470
Description : OpenSSL is a toolkit that implements the Secure 
Sockets Layer

Note: In the case of a non vulnerable system, nothing is displayed.

At any time, you can check a particular CVE to get more information:


All CVEs are available at the Red Hat CVE page.

Source: Red Hat Security blog.

You can also check for critical security updates:

# yum --security --sec-severity=Critical check-update
1 package(s) needed for security, out of 686 available

epel-release.noarch                       7-9                             extras
game-music-emu.x86_64                     0.6.1-1.el7                     epel  

Or get the advisory references:

# yum –sec-severity=Critical updateinfo list
Loaded plugins: fastestmirror, langpacks
updateinfo list done

Source: The justsomestuff.co.uk website.

Finally, you can directly patch for a specific RHSA (Security), RHBA (Bug) or RHEA (Enhancement) or even given a specific CVE id:

# yum update --cve="CVE-2018-XYZW"
# yum update --advisory="RHSA-2018-XYZW"

Note: This is mainly for RHEL 7 because CentOS 7 repositories don’t provide the necessary metadata.

Additional Resources

You can also read Sunil Kumar‘s article about differences between RHEL versions concerning security updates.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Leave a Reply

Please Login to comment
1 Comment threads
1 Thread replies
Most reacted comment
Hottest comment thread
2 Comment authors
CertDepotkwakou Recent comment authors
newest oldest
Notify of

Thank you for this article.
I want just to add some points:
1- I think you only need yum-plugin-security on RHEL 6.x systems.
2- we can also directly patch for a specific RHSA (Security), RHBA (Bug) or RHEA (Enhancement) or even given a specific CVE id:
yum update –cve=”CVE-2018-XYZW”
yum update –advisory=”RHSA-2018-XYZW”

RHCSA7: Task of the day

Allowed time: 5 minutes.
Create a user called tom. Create a directory named /private. Use an acl to only allow access (rwx) to tom to the private directory.

RHCE7: Task of the day

Allowed time: 10 minutes.
Set up a default secure MariaDB database called maria with a user named muser with all privileges.

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...