Security team telling me patched/updated 6.9 has severe and critical issues?

dcloes
Posts: 7
Joined: 2017/09/26 14:54:04

Security team telling me patched/updated 6.9 has severe and critical issues?

Post by dcloes » 2017/09/26 16:08:25

13 Critical and over 75 Severe. When I run yum update or yum -y update kernel, I get no Packages marked for Update.

What am I missing? I'm at 6.9

# cat /etc/centos-release
CentOS release 6.9 (Final)

Here are the criticals:

Cent OS: CVE-2017-7895: CESA-2017:1723 (kernel)
Cent OS: CVE-2016-9555: CESA-2017:0307 (kernel)
Cent OS: CVE-2016-7117: CESA-2017:0036 (kernel)
Cent OS: CVE-2014-8171: CESA-2015:0864 (kernel)
Cent OS: CVE-2015-1421: CESA-2015:0864 (kernel)
Cent OS: CVE-2014-2523: CESA-2014:0475 (kernel)
Cent OS: CVE-2016-7910: CESA-2017:1308 (kernel)
Cent OS: CVE-2015-3331: CESA-2015:1081 (kernel)
Cent OS: CVE-2015-5364: CESA-2016:0045 (kernel)
Cent OS: CVE-2014-3673: CESA-2014:1997 (kernel)
Cent OS: CVE-2014-3687: CESA-2014:1997 (kernel)
Cent OS: CVE-2014-3535: CESA-2014:1167 (kernel)
Cent OS: CVE-2013-2017: CESA-2013:0911 (kernel)

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Security team telling me patched/updated 6.9 has severe and critical issues?

Post by TrevorH » 2017/09/26 16:24:56

Latest CentOS 6 kernel is kernel-2.6.32-696.10.1.el6.x86_64 and rpm -q --changelog kernel-2.6.32-696.10.1.el6.x86_64 shows the following:

Cent OS: CVE-2017-7895: CESA-2017:1723 (kernel) - fixed in 2.6.32-696.6.1.el6
Cent OS: CVE-2016-9555: CESA-2017:0307 (kernel) - 2.6.32-678.el6
Cent OS: CVE-2016-7117: CESA-2017:0036 (kernel) - 2.6.32-672.el6
Cent OS: CVE-2014-8171: CESA-2015:0864 (kernel) - not in kernel rpm changelog
Cent OS: CVE-2015-1421: CESA-2015:0864 (kernel) - ditto
Cent OS: CVE-2014-2523: CESA-2014:0475 (kernel) - 2.6.32-452.el6
Cent OS: CVE-2016-7910: CESA-2017:1308 (kernel) - 2.6.32-696.1.1.el6
Cent OS: CVE-2015-3331: CESA-2015:1081 (kernel) - 2.6.32-556.el6
Cent OS: CVE-2015-5364: CESA-2016:0045 (kernel) - 2.6.32-575.el6
Cent OS: CVE-2014-3673: CESA-2014:1997 (kernel) - 2.6.32-509.el6
Cent OS: CVE-2014-3687: CESA-2014:1997 (kernel) - 2.6.32-509.el6
Cent OS: CVE-2014-3535: CESA-2014:1167 (kernel) - not listed
Cent OS: CVE-2013-2017: CESA-2013:0911 (kernel) - 2.6.32-376.el6

Of the ones not listed in the changelog, kernel-2.6.32-504.16.2.el6 has the fix for CVE-2014-8171 and CVE-2015-1421. kernel-2.6.32-431.29.2.el6 fixes CVE-2014-3535.

What is the output of uname -r ? If you are running 2.6.32-696.10.1.el6 (or higher for those reading in the future!) then all those are fixed.

Please note that yum-plugin-security does not function on CentOS as the yum repos do not contain the necessary metadata to allow it to know what CVEs are fixed when.

Check https://access.redhat.com/security/cve/CVE-yyyy-nnnn for the official status on any CVE not listed in the rpm -q --changelog output. Sometimes things are not listed as fixed as the relevant option is not turned on in the RH kernel (or it's otherwise not vulnerable).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
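A way to script the changelog check Trevor describes, added here as an example and not part of the thread: the changelog text is constructed to mimic the shape of rpm -q --changelog output for the CentOS 6 kernel (CentOS rebuild header ending "- VERSION", Red Hat headers ending "[VERSION]", fixes tagged {CVE-...}), and the version comparison uses GNU sort -V as an approximation of rpm's ordering that is good enough for el6 kernel builds.

```shell
#!/bin/sh
# Added example, not from the thread. Looks up which kernel build first mentions a
# CVE in `rpm -q --changelog kernel` output and compares it with the running kernel.
# The changelog below is CONSTRUCTED to look like a CentOS 6 kernel changelog
# (CentOS rebuild header "... - VERSION", Red Hat headers "[VERSION]", fixes tagged
# {CVE-...}); on a real box feed it:  rpm -q --changelog "kernel-$(uname -r)"
SAMPLE_CHANGELOG='* Wed Sep 13 2017 CentOS Sources <bugs@centos.org> - 2.6.32-696.10.1.el6
- Apply debranding changes
* Tue Jun 27 2017 Phillip Lougher <plougher@redhat.com> [2.6.32-696.6.1.el6]
- [fs] nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [1443011] {CVE-2017-7895}
* Thu Jan 12 2017 Phillip Lougher <plougher@redhat.com> [2.6.32-678.el6]
- [net] sctp: validate chunk len before actually using it (Hangbin Liu) [1398958] {CVE-2016-9555}
* Mon Oct 10 2016 Phillip Lougher <plougher@redhat.com> [2.6.32-672.el6]
- [net] fix use-after-free in recvmmsg (Jacob Tanenbaum) [1379512] {CVE-2016-7117}'

# cve_fixed_in CVE-ID [changelog-text]: prints the version from the header of the
# newest entry that mentions the CVE; prints "not listed" and returns 1 otherwise.
cve_fixed_in() {
    printf '%s\n' "${2:-$SAMPLE_CHANGELOG}" | awk -v cve="$1" '
        /^\* / { ver = $NF; sub(/^\[/, "", ver); sub(/\]$/, "", ver); next }  # header: last field is the version
        index($0, cve) && ver != "" { print ver; found = 1; exit }
        END { if (!found) { print "not listed"; exit 1 } }'
}

# kernel_ge RUNNING FIXED: true when the running kernel (uname -r style, arch suffix
# allowed) is the same build as FIXED or newer, using GNU sort -V for version order.
kernel_ge() {
    r=${1%.x86_64}; r=${r%.i686}
    [ "$r" = "$2" ] || [ "$(printf '%s\n%s\n' "$r" "$2" | sort -V | tail -n 1)" = "$r" ]
}

# audit_cves RUNNING_KERNEL CVE...: one status line per CVE.
audit_cves() {
    running="$1"; shift
    for cve in "$@"; do
        if ! fixed=$(cve_fixed_in "$cve"); then
            printf '%s\t%s\n' "$cve" "not in changelog: check https://access.redhat.com/security/cve/$cve"
        elif kernel_ge "$running" "$fixed"; then
            printf '%s\tfixed in %s\n' "$cve" "$fixed"
        else
            printf '%s\tMISSING: fixed in %s, running %s\n' "$cve" "$fixed" "$running"
        fi
    done
}

# The kernel from the thread; on a real box use "$(uname -r)" instead.
audit_cves 2.6.32-358.el6.x86_64 CVE-2017-7895 CVE-2016-9555 CVE-2014-3535
```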

dcloes
Posts: 7
Joined: 2017/09/26 14:54:04

Re: Security team telling me patched/updated 6.9 has severe and critical issues?

Post by dcloes » 2017/09/26 16:45:47

uname -r
2.6.32-358.el6.x86_64, so there's my problem - I'm not at the latest despite running yum update and yum -y update kernel.

I guess I need to manually install kernel-2.6.32-696.10.1.el6.x86_64 since yum repositories aren't doing it.

I read your other posts that said it's yum update or nothing (no cherry picking security updates), but thought they'd get me the latest kernel.

Thanks for your time and insight!

dcloes
Posts: 7
Joined: 2017/09/26 14:54:04

Re: Security team telling me patched/updated 6.9 has severe and critical issues?

Post by dcloes » 2017/09/26 16:52:24

Digging a bit, I found an easy solution:

vi /etc/yum.repos.d/CentOS-Base.repo and changed the "enabled=" lines from 0 to 1 and reran yum update.

Doing that I got these available updates and applied them:

kernel-firmware.noarch 0:2.6.32-696.10.2.el6.centos.plus
kernel-headers.x86_64 0:2.6.32-696.10.2.el6.centos.plus
perf.x86_64 0:2.6.32-696.10.2.el6.centos.plus
postfix.x86_64 2:2.6.6-8.el6.centos.plus

Probably a no duh for most, but thought I'd share my fix in case others run into the same.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Security team telling me patched/updated 6.9 has severe and critical issues?

Post by TrevorH » 2017/09/26 17:07:54

You enabled the centosplus repo by accident and now you have the CentOS Plus kernel.

Go back a step. Post the output of rpm -q kernel and ls -la /etc/grub.conf and the contents of /boot/grub/grub.conf

dcloes
Posts: 7
Joined: 2017/09/26 14:54:04

Re: Security team telling me patched/updated 6.9 has severe and critical issues?

Post by dcloes » 2017/09/26 17:44:05

Yep, that's what it says... I stopped reading what the update was when I ran yum update once I saw the numbers were right, and missed the plus.

rpm -q kernel
kernel-2.6.32-358.el6.x86_64
kernel-2.6.32-696.10.1.el6.x86_64
kernel-2.6.32-696.10.2.el6.x86_64
kernel-2.6.32-696.10.2.el6.centos.plus.x86_64

lrwxrwxrwx. 1 root root 22 Aug 24 14:45 /etc/grub.conf -> ../boot/grub/grub.conf

cat /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/mapper/vg_iwperf1-lv_root
# initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-696.10.2.el6.centos.plus.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-696.10.2.el6.centos.plus.x86_64 ro root=/dev/mapper/vg_iwperf1-lv_root rd_LVM_LV=vg_iwperf1/lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_iwperf1/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-696.10.2.el6.centos.plus.x86_64.img
title CentOS (2.6.32-696.10.2.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-696.10.2.el6.x86_64 ro root=/dev/mapper/vg_iwperf1-lv_root rd_LVM_LV=vg_iwperf1/lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_iwperf1/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-696.10.2.el6.x86_64.img
title CentOS (2.6.32-696.10.1.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-696.10.1.el6.x86_64 ro root=/dev/mapper/vg_iwperf1-lv_root rd_LVM_LV=vg_iwperf1/lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_iwperf1/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-696.10.1.el6.x86_64.img
title CentOS (2.6.32-358.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg_iwperf1-lv_root rd_LVM_LV=vg_iwperf1/lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_iwperf1/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-358.el6.x86_64.img

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Security team telling me patched/updated 6.9 has severe and critical issues?

Post by TrevorH » 2017/09/26 18:21:41

Unless you need to run the centosplus kernel then I would either yum remove that or use yum history undo to remove it.

Edit /boot/grub/grub.conf and make sure that default= still points to the first kernel listed then reboot. If it still comes up on the old kernel then - are you running software RAID at all?

dcloes
Posts: 7
Joined: 2017/09/26 14:54:04

Re: Security team telling me patched/updated 6.9 has severe and critical issues?

Post by dcloes » 2017/09/26 18:28:40

I did yum history undo x on the first server and yum remove kernel-2.6.32-696.10.2.el6.centos.plus.x86_64 on the 2nd and both are now showing

uname -r
2.6.32-696.10.2.el6.x86_64

and I fixed it in the repo file so it doesn't happen again. Learned something new, so was worthwhile.

But I still don't understand this..... I was at kernel-2.6.32-358.el6.x86_64 that appears to have lots of vulnerabilities AND there appears to have been MULTIPLE newer kernels that have fixed said vulnerabilities, but yum update wasn't presenting them? Are those other kernels not considered ready for prime time yet?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Security team telling me patched/updated 6.9 has severe and critical issues?

Post by TrevorH » 2017/09/26 21:18:23

If you don't have base AND updates enabled then you don't get any updates. If you only have base enabled then you'll only get updates when a new point release comes out (the only time that the contents of base change).
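As an added example (not from the thread), a check for the two repo-file mistakes this thread turned up: [updates] left disabled, so yum update only ever saw [base], and [centosplus] enabled by accident, which pulled in the CentOS Plus kernel. The repo file contents are constructed for the example; on a real box point it at /etc/yum.repos.d/CentOS-Base.repo.

```shell
#!/bin/sh
# Added example, not from the thread: verify which repos a CentOS-Base.repo file
# really enables. It catches the two mistakes from the thread: [updates] disabled,
# so `yum update` saw only [base] and stayed on an old kernel; and [centosplus]
# enabled, which pulls in the CentOS Plus kernel. The repo file is CONSTRUCTED here.
SAMPLE_REPO=$(mktemp)
trap 'rm -f "$SAMPLE_REPO"' EXIT
cat > "$SAMPLE_REPO" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
enabled=0
gpgcheck=1

[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
enabled=1
EOF

# repo_enabled FILE SECTION: prints the enabled= value of [SECTION]; a missing key
# prints 1 (yum's default); returns 2 if the section does not exist.
repo_enabled() {
    awk -v want="[$2]" '
        /^\[/ { insec = ($1 == want); if (insec) found = 1; next }
        insec && /^enabled[ \t]*=/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); val = kv[2] }
        END { if (!found) exit 2; print (val == "" ? 1 : val) }' "$1"
}

# check_repos FILE: returns 0 when [base] and [updates] are enabled and [centosplus]
# is not; otherwise prints each problem and returns 1.
check_repos() {
    rc=0
    for r in base updates; do
        [ "$(repo_enabled "$1" "$r")" = 1 ] ||
            { echo "[$r] is not enabled: yum update will not see security errata"; rc=1; }
    done
    [ "$(repo_enabled "$1" centosplus)" = 0 ] ||
        { echo "[centosplus] is enabled: yum will install the CentOS Plus kernel"; rc=1; }
    return $rc
}

check_repos "$SAMPLE_REPO" || echo "fix the enabled= lines in the repo file, then rerun yum update"
```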

dcloes
Posts: 7
Joined: 2017/09/26 14:54:04

Re: Security team telling me patched/updated 6.9 has severe and critical issues?

Post by dcloes » 2017/09/27 01:24:20

Thanks again for your insight.

I didn't realize that the default was just base updates. Very good to know.
