fixing vulnerability by installing version not available in repo ?

Posted: 2020/12/14 16:41:20
by fuzzy4096
Hi All,

so I got a vulnerability scan report for one of our servers and I fail to understand how to address certain findings.
For example "OpenSSH Information Disclosure Vulnerability" with the 2 CVE IDs:

CVE-2020-14145 --> https://bugzilla.redhat.com/show_bug.cgi?id=1852930
CVE-2020-15778 --> https://bugzilla.redhat.com/show_bug.cgi?id=1860487

As per my understanding there's no fix yet. But the scan report includes a line "customers are advised to upgrade to OpenSSH 8.4/8.4 P1."

I'm on version 7.4 P1. If I executed yum update openssh it returns "nothing to do".

If I look here https://ftp.fr.openbsd.org/pub/OpenBSD/ ... /portable/ I can see the 8.4 P1 version but as I understand this would require me to compile it. Could I please ask how to address such a finding?

Thank you in advance!

Re: fixing vulnerability by installing version not available in repo ?

Posted: 2020/12/14 17:06:45
by TrevorH
Red Hat have yet to release their patches for openssh to fix this vulnerability. When they do then CentOS will rebuild those and release them too. You should not update to something that is not shipped by CentOS.

Re: fixing vulnerability by installing version not available in repo ?

Posted: 2020/12/14 20:41:40
by fuzzy4096
Thank you for your answer. Please allow me to ask further questions:

- is there any reason the current openssh version on my CentOS Linux Release 7.9.2009 is 7.4 P1 while the upstream openssl version is at 8.4 P1 ?

- when you say that the issue is not yet fixed would it be safe to assume that the fix will be backported to openssl 7.something? meaning the vulnerability will be fixed but the vulnerability scanner will rely on checking against the openssl upstream version number not taking into consideration that the fix was backported?

- "When they do then CentOS will rebuild those and release them too" would that be the same fix as for RH ? Meaning if I look at the RHSA for this given vulnerability would it be safe to assume that if my version of the openssh package for CentOS is equal to the one listed as containing the fix in the RHSA?
Thank you in advance!

Re: fixing vulnerability by installing version not available in repo ?

Posted: 2020/12/14 20:49:41
by TrevorH
https://access.redhat.com/security/updates/backporting

CentOS package names and versions are inherited from RHEL unless they have .centos. in their names or they are modules in el8 (which get a random number added to their version number string so are not completely identical to the RHEL one).

Re: fixing vulnerability by installing version not available in repo ?

Posted: 2020/12/14 21:20:13
by jlehtone
https://access.redhat.com/security/cve/cve-2020-14145
https://access.redhat.com/security/cve/cve-2020-15778
State is "Red Hat Enterprise Linux 7 : Will not fix" for both of them.

Overall, they suggest alternatives for scp:
https://access.redhat.com/articles/5284081
fuzzy4096 wrote:
2020/12/14 20:41:40
... the vulnerability scanner will rely on checking against ... upstream version number not taking into consideration that the fix was backported ...
That seems to be a common case.
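The two points made above (Red Hat backports fixes without bumping the upstream version, and scanners often only compare version strings) mean the package changelog, not the version number, is where a defender verifies whether a CVE fix is present. The script below is an added example written for this thread, not something posted by any participant: it searches a changelog for a CVE id and reports the version-release of the entry that carried the fix. The changelog text embedded in it is constructed sample data with a placeholder CVE id; on a real CentOS/RHEL host the input would come from `rpm -q --changelog openssh`.

```shell
#!/bin/sh
# Added example (not from the thread): detect a backported CVE fix by
# reading the RPM changelog, which is where Red Hat/CentOS record such
# fixes, instead of comparing the upstream version string as scanners do.

# cve_fix_release CVE-ID   (changelog text on stdin)
# Prints the version-release of the first changelog entry mentioning the
# CVE id and exits 0; exits 1 (prints nothing) when the id is absent.
cve_fix_release() {
    awk -v cve="$1" '
        # Entry headers look like "* Mon Jan 01 2020 Name <mail> - 7.4p1-21";
        # the last field is the version-release the entry belongs to.
        /^\* / { release = $NF }
        # Case-insensitive substring match on the CVE id in the entry body.
        index(tolower($0), tolower(cve)) && !found { print release; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample changelog. The maintainer, dates and the CVE id
# CVE-2020-00000 are placeholders, not real package data.
SAMPLE_CHANGELOG='* Mon Jan 01 2020 Example Maintainer <maint@example.invalid> - 7.4p1-21
- backport fix for CVE-2020-00000 (placeholder id)
* Mon Jan 01 2019 Example Maintainer <maint@example.invalid> - 7.4p1-20
- rebase onto upstream 7.4p1'

# check_sample CVE-ID : runs the check against the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fix_release "$1"
}

# Real-host usage (reads the installed package instead of the sample):
#   rpm -q --changelog openssh | cve_fix_release CVE-2020-14145
# A printed release means the fix was backported even though
# `rpm -q openssh` still reports 7.4p1; no output on a CVE that Red Hat
# lists as "Will not fix" is the expected result, not a scanner bug.
```

The release string this prints is what to compare against the package version listed in the RHSA, which is the check the scanner skipped when it compared 7.4p1 against upstream 8.4p1.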

Re: fixing vulnerability by installing version not available in repo ?

Posted: 2020/12/15 11:17:16
by fuzzy4096
Yeah, and "findings" like that one just make me wonder if that even makes any sense, DLL hijacking on Linux?
"Atlassian Jira is a proprietary issue tracking product, developed by Atlassian. It provides bug tracking, issue tracking, and project management functions.

CVE-2019-20419: DLL hijacking in Jira Server and JSD via Tomcat.

Affected Versions:
Atlassian Jira Server and Data Center version prior to 8.5.5
Atlassian Jira Server and Data Center version from 8.6.0 prior to 8.7.2

QID Detection Logic: (Unauthenticated)
It checks for vulnerable version of Atlassian Jira."