Vulnerability management, backported patches, and SCAP

Support for security such as Firewalls and securing linux

Vulnerability management, backported patches, and SCAP

Post by cherdt » 2020/02/21 17:08:42

The vulnerability management solution I am currently working with reports a lot of false positives for packages because it is evaluating the version number only.

For example, the current httpd package on CentOS 7 is Apache 2.4.6, many versions behind the current version, but it includes backported patches. This can be seen by viewing the RPM changelog:

$ rpm -q --changelog httpd | grep CVE
- Resolves: #1566317 - CVE-2018-1312 httpd: Weak Digest auth nonce generation
- Resolves: #1696141 - CVE-2019-0217 httpd: mod_auth_digest: access control
- Resolves: #1696096 - CVE-2019-0220 httpd: URL normalization inconsistency
- Resolves: #1493065 - CVE-2017-9798 httpd: Use-after-free by limiting
- Resolves: #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw()

It appears that I can use SCAP files (e.g. OVAL and XCCDF files) with the vulnerability management system. RHEL provides some files that appear to address this issue:

Are there similar files for CentOS? Would the RHEL files work for CentOS? Wondering if anyone has experience with this.
Chris Herdt
@cherdt - sometimes I forget that I have a twitter account
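
An added example, not part of the original post or of any scanner's own code: one way to triage version-based scanner findings against the `rpm -q --changelog` output quoted above. The function names and the sample findings list are assumptions, and a changelog reference is a lead to confirm against vendor OVAL data rather than proof of a fix.

```python
import re
import subprocess

# Constructed sample: the changelog lines quoted in the post above.
SAMPLE_CHANGELOG = """\
- Resolves: #1566317 - CVE-2018-1312 httpd: Weak Digest auth nonce generation
- Resolves: #1696141 - CVE-2019-0217 httpd: mod_auth_digest: access control
- Resolves: #1696096 - CVE-2019-0220 httpd: URL normalization inconsistency
- Resolves: #1493065 - CVE-2017-9798 httpd: Use-after-free by limiting
- Resolves: #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw()
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
BUG_RE = re.compile(r"#(\d+)")


def read_changelog(package):
    """Return the installed package's changelog text (needs rpm on the host)."""
    return subprocess.run(["rpm", "-q", "--changelog", package],
                          check=True, capture_output=True, text=True).stdout


def changelog_cves(changelog_text):
    """Map each CVE ID named in the changelog to the bug IDs on the same line."""
    fixed = {}
    for line in changelog_text.splitlines():
        bugs = BUG_RE.findall(line)
        for cve in CVE_RE.findall(line):
            fixed.setdefault(cve.upper(), set()).update(bugs)
    return fixed


def triage(scanner_cves, changelog_text):
    """Split scanner findings into changelog-referenced and unreferenced CVEs."""
    fixed = changelog_cves(changelog_text)
    result = {"backport_candidate": {}, "needs_review": []}
    for cve in scanner_cves:
        key = cve.strip().upper()
        if key in fixed:
            result["backport_candidate"][key] = sorted(fixed[key])
        else:
            result["needs_review"].append(key)
    return result


if __name__ == "__main__":
    # Constructed findings; CVE-0000-0000 is a placeholder, not a real ID.
    findings = ["CVE-2017-9798", "cve-2019-0220", "CVE-0000-0000"]
    print(triage(findings, SAMPLE_CHANGELOG))
```

On a live host, pass `read_changelog("httpd")` in place of the embedded sample.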

Re: Vulnerability management, backported patches, and SCAP

Post by hunter86_bg » 2020/02/22 19:58:01

CentOS does not provide such data, but you have 2 options:
1. Use Red Hat's solution, but keep in mind that it might not work
2. Use Uyuni (upstream of SUSE Manager - Spacewalk based)

The second option allows running SCAP or analyzing the system based on installed packages. The CVE report takes data from the RPMs and is quite reliable.
