Kernal update

Posted: 2020/10/06 11:17:41
by optikab
I have a PCI compliance scan failing due to the following CVEs:

CVE-2017-7184
CVE-2017-5546
CVE-2018-10938
CVE-2017-7273

These seem to relate to a fairly old problem, so I'm not sure why they have just been found. I have run yum update and the same issue is flagged up. Any ideas on what to do?

Same goes for this CVE which is an OpenSSH issue from 2017???

CVE-2017-15906

Re: Kernal update

Posted: 2020/10/06 11:19:58
by optikab
Release version is CentOS Linux release 7.8.2003

Re: Kernal update

Posted: 2020/10/06 12:33:33
by jlehtone
Here are two out of those five:
https://access.redhat.com/security/cve/cve-2018-10938
https://access.redhat.com/security/cve/cve-2017-15906

The latter states that the fix was provided in openssh-7.4p1-16.el7.x86_64 for RHEL 7.
CentOS 7 has now

# rpm -q openssh
openssh-7.4p1-21.el7.x86_64
and its changelog says:

# rpm -q --changelog openssh | grep -B1 -A1 CVE-2017-15906
* Fri Nov 24 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-16 + 0.10.3-2
- Fix for CVE-2017-15906 (#1517226)

Kernel's changelog mentions only CVE-2017-7184.
You can check on Red Hat's site whether the other two are like CVE-2018-10938: "Not affected".


Your "PCI compliance scan" fails.
Ask yourself: What does it "scan"? How does it "see" these issues?
Can you rely on a tool that apparently does not actually test what it claims to test?

Re: Kernal update

Posted: 2020/10/06 12:35:50
by TrevorH
CVE-2017-7184 = kernel-3.10.0-693.5.2.el7.x86_64.rpm
CVE-2017-5546 - https://access.redhat.com/security/cve/CVE-2017-5546 not affected
CVE-2018-10938 - https://access.redhat.com/security/cve/CVE-2018-10938 not affected
CVE-2017-7273 - https://access.redhat.com/security/cve/CVE-2017-7273 will not fix
CVE-2017-15906 - https://access.redhat.com/security/cve/cve-2017-15906 in openssh-7.4p1-16.el7.x86_64.rpm

By the sounds of it, your system is not up to date. The current kernel for el7 is kernel-3.10.0-1127.19.1.el7.x86_64, is that what uname -r says?

Re: Kernal update

Posted: 2020/10/06 16:27:51
by optikab
uname -r gives me

4.4.184-x1-64+

Re: Kernal update

Posted: 2020/10/06 16:38:45
by TrevorH
So it's not a CentOS kernel at all.

All CentOS 7 kernel versions are of the format 3.10.0-xxx[.yy.z].el7. ELRepo offer a kernel-lt package for CentOS 7 and that's currently 4.4.238-1.el7.elrepo so 4.4.184 is years out of date and may well be vulnerable to all those exploits you list. You will need to find out where that came from and see if they have an update. Or revert to the distro kernel or switch to ELRepo.

Other than hardware support there should be no reason to not use the distro kernel.
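The two checks the replies above do by hand (does the running kernel string look like a CentOS 7 distro kernel, and does a package's rpm changelog record a fix for a given CVE) as a small POSIX sh script. This is an added example, not code from the thread or from CentOS; the changelog text is a sample built from the openssh lines quoted earlier plus one constructed entry, the ".x86_64" suffix on the ELRepo version is assumed, and the version extraction assumes the rpm changelog header layout "... - <version>" seen in that quote.

```shell
#!/bin/sh
# Added example: offline versions of the checks discussed in this thread.

# Return 0 if a kernel release string matches the CentOS 7 distro format
# 3.10.0-xxx[.yy.z].el7.<arch>; anything else (ELRepo kernel-lt, a hosting
# provider's own build such as 4.4.184-x1-64+) returns 1.
is_el7_distro_kernel() {
    case "$1" in
        3.10.0-*.el7.*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Constructed sample standing in for `rpm -q --changelog openssh` output.
# The first entry is the real one quoted above; the second is made up.
SAMPLE_CHANGELOG='* Fri Nov 24 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-16 + 0.10.3-2
- Fix for CVE-2017-15906 (#1517226)
* Mon Jan 01 2017 Example Packager <packager@example.invalid> - 7.4p1-1
- Constructed placeholder entry with no CVE reference'

# Print the package version from the changelog entry that first mentions
# the CVE and return 0; print nothing and return 1 if it is never mentioned.
# Assumes rpm's "* <date> <packager> - <version>" header layout.
cve_fix_version() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* / { hdr = $0 }                       # remember the latest entry header
        index($0, cve) > 0 {                      # CVE id appears in this entry body
            sub(/.* - /, "", hdr)                 # keep only the version after " - "
            print hdr; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# Human-readable report for the running kernel and one CVE, used when the
# script is run directly (on a real box, replace SAMPLE_CHANGELOG with
# "$(rpm -q --changelog openssh)").
report() {
    running=$(uname -r)
    if is_el7_distro_kernel "$running"; then
        echo "kernel $running: CentOS 7 distro kernel, track updates via yum"
    else
        echo "kernel $running: NOT a CentOS 7 distro kernel; find who supplies it"
    fi
    if ver=$(cve_fix_version "$SAMPLE_CHANGELOG" "$1"); then
        echo "$1: fix recorded in changelog for version $ver"
    else
        echo "$1: no fix recorded in changelog"
    fi
}

report CVE-2017-15906
```

Scanners that go by version banners alone cannot see backported fixes, which is why the changelog lookup is the more reliable evidence on a RHEL-style distro; the kernel-format check catches the situation the thread ends up in, where the kernel was never a distro package in the first place.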

Re: Kernal update

Posted: 2020/10/06 16:42:41
by optikab
TrevorH wrote:
2020/10/06 16:38:45
So it's not a CentOS kernel at all.

All CentOS 7 kernel versions are of the format 3.10.0-xxx[.yy.z].el7. ELRepo offer a kernel-lt package for CentOS 7 and that's currently 4.4.238-1.el7.elrepo so 4.4.184 is years out of date and may well be vulnerable to all those exploits you list. You will need to find out where that came from and see if they have an update. Or revert to the distro kernel or switch to ELRepo.

Other than hardware support there should be no reason to not use the distro kernel.
I have checked another server using CentOS 7 and this seems to be down to my hosting provider, not something I have done. The servers I have running CentOS 8 are showing 4.18.0-193.19.1.el8_2.x86_64 so I may migrate them all to CentOS 8.

Re: Kernal update

Posted: 2020/10/06 16:55:57
by TrevorH
Not quite as old as I feared it might be but still sufficiently out of date to need something doing to it:

ChangeLog-4.4.184 27-Jun-2019 00:17 1109

Re: Kernal update

Posted: 2020/10/06 17:06:02
by optikab
I'm going to migrate to 8. I did it recently for other servers and it was fine; better having things a bit more future proof anyway.