
CVE-2017-1000253 CentOS 7.3.1611

Posted: 2020/12/17 15:06:43
by fuzzy4096
Hi All,

I have a CentOS 7.3.1611 system. A report has marked the system as vulnerable to CVE-2017-1000253. If I look at https://access.redhat.com/errata/RHSA-2017:2793 it states that the patch is available for Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.3 and the updated package is kernel-3.10.0-514.32.3.el7.x86_64.rpm.

When I look now in http://mirror.centos.org/centos/ or https://vault.centos.org/ I'm unable to locate this particular package kernel-3.10.0-514.32.3.el7.x86_64.rpm.

My question is, if I can't find it, would that mean that it was made available only for RHEL customers that paid for the Extended Update Support?

Of course I know that the 7.3.1611 version is not getting any updates, nor any security fixes, so what would be the best path to update the system (taking into consideration recent announcements RH has made)?


Thank you for your great support folks!

Re: CVE-2017-1000253 CentOS 7.3.1611

Posted: 2020/12/17 15:16:15
by TrevorH
CentOS 7.3 has been out of support since the release of 7.4 more than 3 years ago. You need to run yum update and get your system up to date on 7.9.

EUS is something you have to pay for separately and is for RHEL systems only.

Re: CVE-2017-1000253 CentOS 7.3.1611

Posted: 2020/12/17 15:41:53
by fuzzy4096
Thank you. Is it safe to assume that if, let's say, I have this vulnerability in CentOS 7.3.1611, it was fixed along the way to CentOS 7.9?

I can run rpm -q --changelog <installed kernel> to list which CVEs were fixed, but AFAIK this can be done only for installed packages? How could I check it then, please?

Thank you in advance!

BR

Re: CVE-2017-1000253 CentOS 7.3.1611

Posted: 2020/12/17 17:19:54
by tunk
A web search with these keywords should provide some info:
CVE-2017-1000253 red hat

Re: CVE-2017-1000253 CentOS 7.3.1611

Posted: 2020/12/17 17:48:47
by fuzzy4096
Thank you tunk, but as you can see in my initial post I was able to find the RHSA. The fix was included in kernel-3.10.0-514.32.3.el7.x86_64.rpm but only for RHEL customers with Extended Update Support 7.3. So while running CentOS I won't be able to get/install it. I could of course upgrade to 7.9, but the question is how can I verify that the vulnerability is no longer present in further releases? Or is it enough to search for that CVE here and, if it is not reported for 7.9, it would be safe to assume that the vulnerability is not / was not present in 7.9?

Re: CVE-2017-1000253 CentOS 7.3.1611

Posted: 2020/12/17 21:53:18
by avij
If you had done the web search suggested above, you might have found this Bugzilla entry and especially its comment 12, which says:
This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 prior to kernel version 3.10.0-693, that is Red Hat Enterprise Linux 7.4 GA kernel version. Kernel versions after 3.10.0-693 contain the fix and are thus not vulnerable.
There's also the vulnerability page, which states that versions >= 7.4 are not impacted.

As TrevorH suggested above, running yum update and rebooting will help.
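An added example (not code from the thread or from CentOS) of the two checks discussed above: comparing the running kernel's version-release against the 3.10.0-693 fix threshold quoted from the Bugzilla comment, using rpm-style segment comparison, and scanning changelog text for a CVE id. The changelog sample is constructed for illustration; real text would come from rpm -q --changelog kernel.

```python
import re

# Fix threshold quoted in the thread: kernels before 3.10.0-693 (RHEL 7.4 GA) are affected.
FIXED_VERSION, FIXED_RELEASE = "3.10.0", "693"
ARCH_SUFFIXES = (".x86_64", ".i686", ".aarch64", ".ppc64le")

def _segments(s):
    # Like rpmvercmp: split into numeric and alphabetic runs, separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing version/release strings the way rpm does."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment sorts after an alpha one
        elif x != y:
            return 1 if x > y else -1
    # Equal so far: the string with segments left over is the newer one.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def kernel_vr(uname_r):
    """Split `uname -r` output such as '3.10.0-514.32.3.el7.x86_64' into (version, release)."""
    for suf in ARCH_SUFFIXES:
        if uname_r.endswith(suf):
            uname_r = uname_r[: -len(suf)]
    version, release = uname_r.split("-", 1)
    return version, release

def kernel_has_fix(uname_r):
    """True if the kernel is at or past the threshold version-release named in the thread."""
    version, release = kernel_vr(uname_r)
    c = rpmvercmp(version, FIXED_VERSION)
    return c > 0 if c != 0 else rpmvercmp(release, FIXED_RELEASE) >= 0

def cves_in_changelog(changelog_text):
    """Collect every CVE id mentioned in rpm changelog text (sorted, de-duplicated)."""
    return sorted(set(m.upper() for m in re.findall(r"CVE-\d{4}-\d{4,}", changelog_text, re.I)))

# Constructed sample resembling rpm changelog output; not a real CentOS changelog.
SAMPLE_CHANGELOG = """* Mon Jan 01 2018 Example Packager <nobody@example.invalid> [3.10.0-693.el7]
- [example] constructed entry for illustration (CVE-2017-1000253)
- [example] constructed entry for illustration (CVE-2017-1000000)
"""

if __name__ == "__main__":
    for k in ("3.10.0-514.32.3.el7.x86_64", "3.10.0-693.el7.x86_64", "3.10.0-1160.45.1.el7.x86_64"):
        print(k, "fixed" if kernel_has_fix(k) else "VULNERABLE")
    print("CVEs in changelog:", cves_in_changelog(SAMPLE_CHANGELOG))
```

For a package that is not installed, rpm -qp --changelog <file>.rpm reads the changelog from a downloaded .rpm file, so the same scan works before installing.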