Presentation
CVE stands for Common Vulnerabilities and Exposure. It’s a dictionary of publicly known information security vulnerabilities and exposures.
CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
Procedure
To check whether a RHEL 7 or CentOS 7 system is vulnerable or not to a CVE, first install the following yum plugin:
# yum install yum-plugin-security
Then, check whether the vulnerability is present (here openssl security update):
# yum updateinfo info --cve CVE-2014-0224 =============================================== Important: openssl security update =============================================== Update ID : RHSA-2014:0679 Release : Type : security Status : final Issued : 2014-06-10 00:00:00 Bugs : 1087195 - CVE-2010-5298 openssl: freelist misuse causing a possible use-after-free : 1093837 - CVE-2014-0198 openssl: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference in do_ssl3_write() : 1103586 - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability : 1103593 - CVE-2014-0221 openssl: DoS when sending invalid DTLS handshake : 1103598 - CVE-2014-0195 openssl: Buffer overflow via DTLS invalid fragment : 1103600 - CVE-2014-3470 openssl: client-side denial of service when using anonymous ECDH CVEs : CVE-2014-0224 : CVE-2014-0221 : CVE-2014-0198 : CVE-2014-0195 : CVE-2010-5298 : CVE-2014-3470 Description : OpenSSL is a toolkit that implements the Secure Sockets Layer
Note: In the case of a non vulnerable system, nothing is displayed.
At any time, you can check a particular CVE to get more information:
https://access.redhat.com/security/cve/CVE-2014-0224
All CVEs are available at the Red Hat CVE page.
Source: Red Hat Security blog.
You can also check for critical security updates:
# yum --security --sec-severity=Critical check-update ... 1 package(s) needed for security, out of 686 available epel-release.noarch 7-9 extras game-music-emu.x86_64 0.6.1-1.el7 epel
Or get the advisory references:
# yum –sec-severity=Critical updateinfo list Loaded plugins: fastestmirror, langpacks updateinfo list done
Source: The justsomestuff.co.uk website.
Finally, you can directly patch for a specific RHSA (Security), RHBA (Bug) or RHEA (Enhancement) or even given a specific CVE id:
# yum update --cve="CVE-2018-XYZW" # yum update --advisory="RHSA-2018-XYZW"
Note: This is mainly for RHEL 7 because CentOS 7 repositories don’t provide the necessary metadata.
Additional Resources
You can also read Sunil Kumar‘s article about differences between RHEL versions concerning security updates.
Thank you for this article.
I want just to add some points:
1- I think you only need yum-plugin-security on RHEL 6.x systems.
2- we can also directly patch for a specific RHSA (Security), RHBA (Bug) or RHEA (Enhancement) or even given a specific CVE id:
yum update –cve=”CVE-2018-XYZW”
yum update –advisory=”RHSA-2018-XYZW”
Thanks for this information.