RHEL7: Check if a system is vulnerable to a CVE.

Share this link

Presentation

CVE stands for Common Vulnerabilities and Exposure. It’s a dictionary of publicly known information security vulnerabilities and exposures.

CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.

Procedure

To check whether a RHEL 7 or CentOS 7 system is vulnerable or not to a CVE, first install the following yum plugin:

# yum install yum-plugin-security

Then, check whether the vulnerability is present (here openssl security update):

# yum updateinfo info --cve CVE-2014-0224
===============================================
 Important: openssl security update
===============================================
 Update ID : RHSA-2014:0679
 Release : 
 Type : security
 Status : final
 Issued : 2014-06-10 00:00:00
 Bugs : 1087195 - CVE-2010-5298 openssl: freelist misuse causing 
        a possible use-after-free
 : 1093837 - CVE-2014-0198 openssl: SSL_MODE_RELEASE_BUFFERS NULL
   pointer dereference in do_ssl3_write()
 : 1103586 - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability
 : 1103593 - CVE-2014-0221 openssl: DoS when sending invalid DTLS
   handshake
 : 1103598 - CVE-2014-0195 openssl: Buffer overflow via DTLS 
   invalid fragment
 : 1103600 - CVE-2014-3470 openssl: client-side denial of service 
   when using anonymous ECDH
 CVEs : CVE-2014-0224
 : CVE-2014-0221
 : CVE-2014-0198
 : CVE-2014-0195
 : CVE-2010-5298
 : CVE-2014-3470
Description : OpenSSL is a toolkit that implements the Secure 
Sockets Layer

Note: In the case of a non vulnerable system, nothing is displayed.

At any time, you can check a particular CVE to get more information:

https://access.redhat.com/security/cve/CVE-2014-0224

All CVEs are available at the Red Hat CVE page.

Source: Red Hat Security blog.

You can also check for critical security updates:

# yum --security --sec-severity=Critical check-update
...
1 package(s) needed for security, out of 686 available

epel-release.noarch                       7-9                             extras
game-music-emu.x86_64                     0.6.1-1.el7                     epel  

Or get the advisory references:

# yum –sec-severity=Critical updateinfo list
Loaded plugins: fastestmirror, langpacks
updateinfo list done

Source: The justsomestuff.co.uk website.

Finally, you can directly patch for a specific RHSA (Security), RHBA (Bug) or RHEA (Enhancement) or even given a specific CVE id:

# yum update --cve="CVE-2018-XYZW"
# yum update --advisory="RHSA-2018-XYZW"

Note: This is mainly for RHEL 7 because CentOS 7 repositories don’t provide the necessary metadata.

Additional Resources

You can also read Sunil Kumar‘s article about differences between RHEL versions concerning security updates.

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 4.00 out of 5)
Loading...
2 comments on “RHEL7: Check if a system is vulnerable to a CVE.
  1. kwakou says:

    Thank you for this article.
    I want just to add some points:
    1- I think you only need yum-plugin-security on RHEL 6.x systems.
    2- we can also directly patch for a specific RHSA (Security), RHBA (Bug) or RHEA (Enhancement) or even given a specific CVE id:
    yum update –cve=”CVE-2018-XYZW”
    yum update –advisory=”RHSA-2018-XYZW”

Leave a Reply

RHCSA7: Task of the day

Allowed time: 10 minutes.
Create an EXT4 file system mounted by UUID in /etc/fstab under /vol based on a logical volume of 28 logical extents.

RHCE7: Task of the day

Allowed time: 10 minutes.
Configure a system to forward all email to a central mail server at 192.168.1.1 (change the IP address accordingly).

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...

Archives