Kernel update

Support for security such as Firewalls and securing linux
optikab
Posts: 32
Joined: 2014/01/19 18:04:15

Kernel update

Post by optikab » 2020/10/06 11:17:41

I have a PCI compliance scan failing due to the following CVEs:

CVE-2017-7184
CVE-2017-5546
CVE-2018-10938
CVE-2017-7273

These seem to relate to a fairly old problem, so I'm not sure why they have just been found. I have run yum update and the same issue is flagged up. Any ideas on what to do?

Same goes for this CVE which is an OpenSSH issue from 2017???

CVE-2017-15906

optikab
Posts: 32
Joined: 2014/01/19 18:04:15

Re: Kernel update

Post by optikab » 2020/10/06 11:19:58

Release version is CentOS Linux release 7.8.2003

jlehtone
Posts: 3107
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Kernel update

Post by jlehtone » 2020/10/06 12:33:33

Here are two out of those five:
https://access.redhat.com/security/cve/cve-2018-10938
https://access.redhat.com/security/cve/cve-2017-15906

The latter states that the fix was provided in openssh-7.4p1-16.el7.x86_64 for RHEL 7.
CentOS 7 now has

# rpm -q openssh
openssh-7.4p1-21.el7.x86_64
and its changelog says:

# rpm -q --changelog openssh | grep -B1 -A1 CVE-2017-15906
* Fri Nov 24 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-16 + 0.10.3-2
- Fix for CVE-2017-15906 (#1517226)

Kernel's changelog mentions only CVE-2017-7184.
You can check from Red Hat's site whether the other two are like the CVE-2018-10938: "Not affected".


Your "PCI compliance scan" fails.
Ask yourself: What does it "scan"? How does it "see" these issues?
Can you rely on a tool that apparently does not actually test what it claims to test?

TrevorH
Forum Moderator
Posts: 29719
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Kernel update

Post by TrevorH » 2020/10/06 12:35:50

CVE-2017-7184 = kernel-3.10.0-693.5.2.el7.x86_64.rpm
CVE-2017-5546 - https://access.redhat.com/security/cve/CVE-2017-5546 not affected
CVE-2018-10938 - https://access.redhat.com/security/cve/CVE-2018-10938 not affected
CVE-2017-7273 - https://access.redhat.com/security/cve/CVE-2017-7273 will not fix
CVE-2017-15906 - https://access.redhat.com/security/cve/cve-2017-15906 in openssh-7.4p1-16.el7.x86_64.rpm

By the sounds of it, your system is not up to date. The current kernel for el7 is kernel-3.10.0-1127.19.1.el7.x86_64; is that what uname -r says?
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

optikab
Posts: 32
Joined: 2014/01/19 18:04:15

Re: Kernel update

Post by optikab » 2020/10/06 16:27:51

uname -r gives me

4.4.184-x1-64+

TrevorH
Forum Moderator
Posts: 29719
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Kernel update

Post by TrevorH » 2020/10/06 16:38:45

So it's not a CentOS kernel at all.

All CentOS 7 kernel versions are of the format 3.10.0-xxx[.yy.z].el7. ELRepo offer a kernel-lt package for CentOS 7 and that's currently 4.4.238-1.el7.elrepo so 4.4.184 is years out of date and may well be vulnerable to all those exploits you list. You will need to find out where that came from and see if they have an update. Or revert to the distro kernel or switch to ELRepo.

Other than hardware support there should be no reason to not use the distro kernel.
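The two checks the replies above rely on, jlehtone's "does the installed package's RPM changelog mention the CVE?" and TrevorH's "does uname -r look like a distro el7 kernel at all?", can be scripted. The following is an added example written for this thread, not code from the forum or from CentOS/Red Hat. The changelog text is constructed (only the CVE-2017-15906 entry mirrors the line quoted above); on a real host you would feed the script the output of `rpm -q --changelog openssh` (or `kernel`) and `uname -r` instead. A CVE that is absent from a changelog is not necessarily unfixed: as noted above, "Not affected" CVEs never appear there, so the vendor CVE page remains the authority.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers a defender can reuse:
#   cve_fixed_in_changelog CHANGELOG_TEXT CVE-ID  -> "fixed" | "not-mentioned"
#   is_distro_el7_kernel   KERNEL_VERSION          -> "distro" | "foreign"

# Constructed sample changelog. Only the first entry mirrors the real line
# quoted in the thread; the second entry is invented for illustration.
SAMPLE_CHANGELOG='* Fri Nov 24 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-16 + 0.10.3-2
- Fix for CVE-2017-15906 (#1517226)
* Mon Jan 01 2018 Example Maintainer <maint@example.invalid> - 7.4p1-17
- unrelated rebuild (constructed entry)'

# Report whether a CVE id appears in the changelog text.
# grep -w keeps CVE-2017-7184 from matching a longer id such as CVE-2017-71840.
cve_fixed_in_changelog() {
    if printf '%s\n' "$1" | grep -qw -- "$2"; then
        echo fixed
    else
        echo not-mentioned
    fi
}

# CentOS 7 distro kernels are versioned 3.10.0-xxx[.yy.z].el7 (see TrevorH's
# reply); anything else (ELRepo kernel-lt, a hosting provider's own build)
# is "foreign" and must be patched through whoever ships it.
is_distro_el7_kernel() {
    case "$1" in
        3.10.0-[0-9]*.el7*) echo distro ;;
        *) echo foreign ;;
    esac
}

# Demo run on constructed inputs. On a real host replace SAMPLE_CHANGELOG with
# "$(rpm -q --changelog openssh)" and the kernel strings with "$(uname -r)".
for cve in CVE-2017-15906 CVE-2017-7184 CVE-2018-10938; do
    printf '%s: %s\n' "$cve" "$(cve_fixed_in_changelog "$SAMPLE_CHANGELOG" "$cve")"
done
for kver in 3.10.0-1127.19.1.el7.x86_64 4.4.184-x1-64+; do
    printf 'kernel %s: %s\n' "$kver" "$(is_distro_el7_kernel "$kver")"
done
```

The kernel check is the more important of the two for this thread: a scanner that only looks at the version string of a non-distro kernel cannot know what backports it contains, and neither can you, which is why the replies recommend either the distro kernel or a vendor (ELRepo) that publishes its fixes.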

optikab
Posts: 32
Joined: 2014/01/19 18:04:15

Re: Kernel update

Post by optikab » 2020/10/06 16:42:41

TrevorH wrote (2020/10/06 16:38:45):
So it's not a CentOS kernel at all.

All CentOS 7 kernel versions are of the format 3.10.0-xxx[.yy.z].el7. ELRepo offer a kernel-lt package for CentOS 7 and that's currently 4.4.238-1.el7.elrepo so 4.4.184 is years out of date and may well be vulnerable to all those exploits you list. You will need to find out where that came from and see if they have an update. Or revert to the distro kernel or switch to ELRepo.

Other than hardware support there should be no reason to not use the distro kernel.
I have checked another server using CentOS 7 and this seems to be down to my hosting provider, not something I have done. The servers I have running CentOS 8 are showing 4.18.0-193.19.1.el8_2.x86_64, so I may migrate them all to CentOS 8.

TrevorH
Forum Moderator
Posts: 29719
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Kernel update

Post by TrevorH » 2020/10/06 16:55:57

Not quite as old as I feared it might be but still sufficiently out of date to need something doing to it:

ChangeLog-4.4.184 27-Jun-2019 00:17 1109

optikab
Posts: 32
Joined: 2014/01/19 18:04:15

Re: Kernel update

Post by optikab » 2020/10/06 17:06:02

I'm going to migrate to 8. I did it recently for other servers and it was fine; better having things a bit more future-proof anyway.
