RHEL7: Check if a system is vulnerable to a CVE.

Last updated on June 26, 2018 (52,263 views) - CertDepot — 2 Comments ↓

Presentation

CVE stands for Common Vulnerabilities and Exposure. It’s a dictionary of publicly known information security vulnerabilities and exposures.

CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.

Procedure

To check whether a RHEL 7 or CentOS 7 system is vulnerable or not to a CVE, first install the following yum plugin:

# yum install yum-plugin-security

Then, check whether the vulnerability is present (here openssl security update):

# yum updateinfo info --cve CVE-2014-0224
===============================================
 Important: openssl security update
===============================================
 Update ID : RHSA-2014:0679
 Release : 
 Type : security
 Status : final
 Issued : 2014-06-10 00:00:00
 Bugs : 1087195 - CVE-2010-5298 openssl: freelist misuse causing 
        a possible use-after-free
 : 1093837 - CVE-2014-0198 openssl: SSL_MODE_RELEASE_BUFFERS NULL
   pointer dereference in do_ssl3_write()
 : 1103586 - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability
 : 1103593 - CVE-2014-0221 openssl: DoS when sending invalid DTLS
   handshake
 : 1103598 - CVE-2014-0195 openssl: Buffer overflow via DTLS 
   invalid fragment
 : 1103600 - CVE-2014-3470 openssl: client-side denial of service 
   when using anonymous ECDH
 CVEs : CVE-2014-0224
 : CVE-2014-0221
 : CVE-2014-0198
 : CVE-2014-0195
 : CVE-2010-5298
 : CVE-2014-3470
Description : OpenSSL is a toolkit that implements the Secure 
Sockets Layer

Note: In the case of a non vulnerable system, nothing is displayed.

At any time, you can check a particular CVE to get more information:

https://access.redhat.com/security/cve/CVE-2014-0224

All CVEs are available at the Red Hat CVE page.

Source: Red Hat Security blog.

You can also check for critical security updates:

# yum --security --sec-severity=Critical check-update
...
1 package(s) needed for security, out of 686 available

epel-release.noarch                       7-9                             extras
game-music-emu.x86_64                     0.6.1-1.el7                     epel

Or get the advisory references:

# yum –sec-severity=Critical updateinfo list
Loaded plugins: fastestmirror, langpacks
updateinfo list done

Source: The justsomestuff.co.uk website.

Finally, you can directly patch for a specific RHSA (Security), RHBA (Bug) or RHEA (Enhancement) or even given a specific CVE id:

# yum update --cve="CVE-2018-XYZW"
# yum update --advisory="RHSA-2018-XYZW"

Note: This is mainly for RHEL 7 because CentOS 7 repositories don’t provide the necessary metadata.

Additional Resources

You can also read Sunil Kumar‘s article about differences between RHEL versions concerning security updates.

(1 votes, average: 4.00 out of 5)

2 comments on “RHEL7: Check if a system is vulnerable to a CVE.”

kwakou says:

June 25, 2018 at 3:03 pm

Thank you for this article.
I want just to add some points:
1- I think you only need yum-plugin-security on RHEL 6.x systems.
2- we can also directly patch for a specific RHSA (Security), RHBA (Bug) or RHEA (Enhancement) or even given a specific CVE id:
yum update –cve=”CVE-2018-XYZW”
yum update –advisory=”RHSA-2018-XYZW”

Log in to Reply
- CertDepot says:
  
  June 26, 2018 at 8:59 am
  
  Thanks for this information.
  
  Log in to Reply

RHEL7: Check if a system is vulnerable to a CVE.

Presentation

Procedure

Additional Resources

2 comments on “RHEL7: Check if a system is vulnerable to a CVE.”

Leave a Reply Cancel reply

Upcoming Events (Local Time)

Recent Comments

Recently Updated Pages

Follow me on Twitter

Archives

Meta