CentOS7 security vulnerabilities

Support for security such as Firewalls and securing linux
amarigza
Posts: 2
Joined: 2021/10/28 09:54:37

CentOS7 security vulnerabilities

Post by amarigza » 2021/10/28 10:01:05

Hi! I am currently using Alfresco images that are currently using CentOS7. I used Trivy as the image scanner, and I got 300+ medium vulnerabilities. I have updated all packages to their most recent version by using "yum update".

I have also checked them one by one in access.redhat.com/security/cve/xxxx, and unfortunately, the fixes are introduced in CentOS8. Is there any way for me to install CentOS8 package versions in CentOS7? Thanks a lot!

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS7 security vulnerabilities

Post by TrevorH » 2021/10/28 10:38:23

No, you cannot install CentOS 8 updates on CentOS 7. There is no upgrade from one to the other either. Since you don't give any examples it is not possible to check to see what's going on.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CentOS7 security vulnerabilities

Post by jlehtone » 2021/10/28 14:43:16

amarigza wrote:
2021/10/28 10:01:05
I have also checked them one by one in access.redhat.com/security/cve/xxxx, and unfortunately, the fixes are introduced in CentOS8.
Was the reason that "RHEL 7 is vulnerable, but won't be fixed" or "RHEL 7 is not affected"?
If the latter, then the scanner produces false positives and does not actually test what it should.
If the former ... do you think that Red Hat would leave their paying customers open to serious flaws?

amarigza
Posts: 2
Joined: 2021/10/28 09:54:37

Re: CentOS7 security vulnerabilities

Post by amarigza » 2021/10/28 23:33:12

Hi TrevorH,

Here's a sample of my scan results:

Total: 723 (UNKNOWN: 0, LOW: 385, MEDIUM: 333, HIGH: 3, CRITICAL: 2)

glibc:
- https://access.redhat.com/security/cve/cve-2009-5155
- https://access.redhat.com/security/cve/cve-2015-8983
- https://access.redhat.com/security/cve/CVE-2016-1234
- https://access.redhat.com/security/cve/cve-2016-4429
- https://access.redhat.com/security/cve/cve-2017-8804
- https://access.redhat.com/security/cve/cve-2019-9169
- https://access.redhat.com/security/cve/cve-2020-1752
- https://access.redhat.com/security/cve/cve-2021-35942

Some of the fixes are already in CentOS 8, so to eliminate some vulnerabilities (for example CVE-2019-9169), I'm wondering if there is a way to install the recent version of glibc from CentOS 8 into my CentOS 7 image.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CentOS7 security vulnerabilities

Post by jlehtone » 2021/10/29 05:47:42

There is no way.

You can remove the el7 image and install el8 (RHEL, AL, RL, OL, or CS).

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS7 security vulnerabilities

Post by TrevorH » 2021/10/29 08:25:43

Some of those may already be fixed. For example, I checked the first two, both in glibc, and the second one is fixed despite it not saying so anywhere. If you look at the CVE page for cve-2015-8983 then it refers to bugzilla entry 1195762 and if you rpm -q --changelog glibc | grep -i 1195762 then you get

- Prevent integer overflow in _IO_wstr_overflow (#1195762).
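The check TrevorH describes above (and the false-positive question jlehtone raises) can be scripted so it is repeated for every scanner hit rather than done by hand. The following is an added example and not code from anyone in this thread: it takes the Bugzilla id that the Red Hat CVE page cites (1195762 for cve-2015-8983, the only pair quoted here) and looks for "(#id)" in the RPM changelog, which is how a backported fix shows up in el7 even when the CVE page does not say so. The changelog text in SAMPLE_CHANGELOG is constructed for the example, not real `rpm -q --changelog glibc` output, and the function names are mine.

```shell
#!/bin/sh
# Added example: decide whether a Trivy hit against an el7 package is already
# backported by checking the RPM changelog for the Red Hat Bugzilla id that
# the CVE page cites. Bug id 1195762 / CVE-2015-8983 comes from the thread;
# the changelog below is a constructed sample, not real rpm output.

SAMPLE_CHANGELOG='* Tue Aug 10 2021 Example Maintainer <maint@example.invalid> - 2.17-325
- Prevent integer overflow in _IO_wstr_overflow (#1195762).
- Backport of an unrelated fix (#1111111).'

# changelog_cites_bug BUGID CHANGELOG_TEXT
# Exit 0 when the changelog references "(#BUGID)", 1 otherwise.
# Matching the parenthesised form avoids hitting the id as a substring of
# a longer bug number.
changelog_cites_bug() {
    printf '%s\n' "$2" | grep -q -F -- "(#$1)"
}

# cve_status CVE BUGID CHANGELOG_TEXT
# Prints a one-line triage result for the scanner finding.
cve_status() {
    if changelog_cites_bug "$2" "$3"; then
        echo "$1: fix backported (changelog cites #$2); scanner hit is a false positive"
    else
        echo "$1: no changelog reference to #$2; check the CVE page for 'not affected' vs 'will not fix'"
    fi
}

# installed_changelog_cites_bug PKG BUGID
# Same check against the live RPM database, for running inside the image.
# Exit 2 when rpm is not available (e.g. on a non-RPM host).
installed_changelog_cites_bug() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    rpm -q --changelog "$1" | grep -q -F -- "(#$2)"
}

# Offline demonstration on the constructed sample.
cve_status CVE-2015-8983 1195762 "$SAMPLE_CHANGELOG"
```

Inside the image, `installed_changelog_cites_bug glibc 1195762` performs the real check. A miss does not by itself mean the package is vulnerable: as jlehtone points out, the CVE page may list RHEL 7 as not affected, in which case the scanner is also producing a false positive.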
