CentOS

Hi there,

Good day!
I need to fix the following vulnerability on Centos box, as I use Spacewalk to manage all Centos VM's repo and packages. I tried the following command on problematic vm but no update. It looks like Spacewalk doesn't sync httpd update.
centos_linux-cve-2021-40438
apache-httpd-cve-2021-40438
centos_linux-cve-2021-40438

I googled cve-2021-40438, I need to download and install httpd-2.4.6-97.el7_9.1.x86_64.rpm related package to fix this vulnerability.
https://access.redhat.com/errata/RHSA-2021:3856

I found Spacewalk doesn't sync errata, what is the right way to fix this? I have the following idea but not sure if they are correct? could you please share your thoughts.

option1: configure third party repo on Spacewalk to download httpd package, then run yum update httpd from the problematic vm.
option2: configure Spacewalk to receive errata, then check if this is included in errata. if so, i can push this errata from Spacewalk GUI or run yum update on the problematic vm.

seeking your expertise, thanks a lot!

https://github.com/mike-wendt/spacewalk ... ta-sync.sh

[root@xxxxx ~]# yum update httpd
Loaded plugins: fastestmirror, rhnplugin, tmprepo
This system is receiving updates from RHN Classic or Red Hat Satellite.
Loading mirror speeds from cached hostfile
No packages marked for update

I run the following command to check httpd version
Server version: Apache/2.4.6 (CentOS)
Server built: Mar 24 2022 14:57:57

[root@xxxxx ~]# yum info httpd
Loaded plugins: fastestmirror, rhnplugin, tmprepo
This system is receiving updates from RHN Classic or Red Hat Satellite.
Loading mirror speeds from cached hostfile
Installed Packages
Name : httpd
Arch : x86_64
Version : 2.4.6
Release : 97.el7.centos.5
Size : 9.4 M
Repo : installed
From repo : centos_7-2022-04-11
Summary : Apache HTTP Server
URL : http://httpd.apache.org/
License : ASL 2.0
Description : The Apache HTTP Server is a powerful, efficient, and extensible
: web server.

[root@D1PDSPACECAP01 ~]# rpm -qa httpd --changelog
* Thu Mar 24 2022 CentOS Sources <bugs@centos.org> - 2.4.6-97.el7.centos.5
- Remove index.html, add centos-noindex.tar.gz
- change vstring
- change symlink for poweredby.png
- update welcome.conf with proper aliases

* Tue Mar 22 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.5
- Resolves: #2065243 - CVE-2022-22720 httpd: HTTP request smuggling
vulnerability in Apache HTTP Server 2.4.52 and earlier

* Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.4
- Resolves: #2031072 - CVE-2021-34798 httpd: NULL pointer dereference via
malformed requests
- Resolves: #2031074 - CVE-2021-39275 httpd: out-of-bounds write in
ap_escape_quotes() via malicious input
- Resolves: #1969226 - CVE-2021-26691 httpd: Heap overflow in mod_session

* Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.3
- Resolves: #2035058 - CVE-2021-44790 httpd: mod_lua: possible buffer overflow
when parsing multipart content

* Mon Oct 25 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.2
- Resolves: #2015694 - proxy rewrite to unix socket fails with CVE-2021-40438 fix

* Thu Oct 07 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.1
- Resolves: #2011729 -CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted
request uri-path containing "unix:"

I don't run spacewalk but if you are expecting to be able to update by CVE number then that will not work for CentOS as the yum repos do not contain that information. The update for CentOS 7 was built on Match 24th and released a day or two later and will be in the CentOS supplied 'updates' repo. You should definitely make sure that your spacewalk is syncing the updates repo as it contains all updated packages that have been released since 7.9 came out in 2020-09.

[root@xxxxx ~]# yum info httpd
Name : httpd
Arch : x86_64
Version : 2.4.6
Release : 97.el7.centos.5
Repo : installed

So you already have it.

Edit: to clarify, none of the yum --security options work on CentOS. The CentOS repos do not contain any security metadata so it is impossible to yum to be able to update for security purposes and attempting to use it will be counterproductive as it will tell you there is nothing to do when there might be lots and lots of security related updates pending. The only thing that works is just `yum update`.

Thanks TrevorH for prompted reply, It is informative and helpful. I will look into Centos "update" repo in Spacewalk.

Best Regards,
Black_Rock

You already have the updates repo or you would not have the updated version installed.

Yeah, I couldn't agree with you anymore, you are correct.

I found "updates" in spacewalk channel, which did include httpd-2.4.6-97.el7.centos.5.x86_64.rpm. I checked its changelog, this package already fixes the following vulnerability.

* Thu Oct 07 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.1
- Resolves: #2011729 - CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted
request uri-path containing "unix:"

But why info sec team still report this, I am thinking this might be a false positive.

Black_rock wrote: ↑

2022/05/14 08:32:28

But why info sec team still report this, I am thinking this might be a false positive.

That is quite common. Some security checks do not actually test a vulnerability but look up from their list "IF system has X THEN it has vulnerability". The issue is that those lists do not represent RHEL content accurately. For example, the RHEL httpd-2.4.6-97.el7 looks like Apache 2.4.6 if you merely look at the name, but in reality it is something very different thanks to about hundred (backport) patches since RHEL httpd-2.4.6-n was originally forked from upstream Apache 2.4.6 years ago.