Presentation
CVE stands for Common Vulnerabilities and Exposure. It’s a dictionary of publicly known information security vulnerabilities and exposures.
CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
Procedure
To check whether a RHEL 7 or CentOS 7 system is vulnerable or not to a CVE, first install the following yum plugin:
# yum install yum-plugin-security
Then, check whether the vulnerability is present (here openssl security update):
# yum updateinfo info --cve CVE-2014-0224
===============================================
Important: openssl security update
===============================================
Update ID : RHSA-2014:0679
Release :
Type : security
Status : final
Issued : 2014-06-10 00:00:00
Bugs : 1087195 - CVE-2010-5298 openssl: freelist misuse causing
a possible use-after-free
: 1093837 - CVE-2014-0198 openssl: SSL_MODE_RELEASE_BUFFERS NULL
pointer dereference in do_ssl3_write()
: 1103586 - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability
: 1103593 - CVE-2014-0221 openssl: DoS when sending invalid DTLS
handshake
: 1103598 - CVE-2014-0195 openssl: Buffer overflow via DTLS
invalid fragment
: 1103600 - CVE-2014-3470 openssl: client-side denial of service
when using anonymous ECDH
CVEs : CVE-2014-0224
: CVE-2014-0221
: CVE-2014-0198
: CVE-2014-0195
: CVE-2010-5298
: CVE-2014-3470
Description : OpenSSL is a toolkit that implements the Secure
Sockets Layer
Note: In the case of a non vulnerable system, nothing is displayed.
At any time, you can check a particular CVE to get more information:
https://access.redhat.com/security/cve/CVE-2014-0224
All CVEs are available at the Red Hat CVE page.
Source: Red Hat Security blog.
You can also check for critical security updates:
# yum --security --sec-severity=Critical check-update ... 1 package(s) needed for security, out of 686 available epel-release.noarch 7-9 extras game-music-emu.x86_64 0.6.1-1.el7 epel
Or get the advisory references:
# yum –sec-severity=Critical updateinfo list Loaded plugins: fastestmirror, langpacks updateinfo list done
Source: The justsomestuff.co.uk website.
Finally, you can directly patch for a specific RHSA (Security), RHBA (Bug) or RHEA (Enhancement) or even given a specific CVE id:
# yum update --cve="CVE-2018-XYZW" # yum update --advisory="RHSA-2018-XYZW"
Note: This is mainly for RHEL 7 because CentOS 7 repositories don’t provide the necessary metadata.
Additional Resources
You can also read Sunil Kumar‘s article about differences between RHEL versions concerning security updates.
(1 votes, average: 4.00 out of 5)
Loading...
Upcoming Events (Local Time) 
Loading ...
Thank you for this article.
I want just to add some points:
1- I think you only need yum-plugin-security on RHEL 6.x systems.
2- we can also directly patch for a specific RHSA (Security), RHBA (Bug) or RHEA (Enhancement) or even given a specific CVE id:
yum update –cve=”CVE-2018-XYZW”
yum update –advisory=”RHSA-2018-XYZW”
Thanks for this information.