
Older CVEs fixed in kernel version of CentOS 6.7 (2.6.32)

Posted: 2018/03/06 05:02:20
by sathya_das
We are looking for some information on the CVEs fixed in the latest version of the Linux kernel used in CentOS 6.7. Currently our product is running on top of CentOS 6.7 and the version of the Linux kernel is 2.6.32-696.18.7.el6.
Our internal security team found out that the base version of the Linux kernel (which is 2.6.32) is vulnerable to a bunch of security vulnerabilities, like
CVE-2011-1476, CVE-2011-1180, CVE-2009-4536, CVE-2010-1086, CVE-2009-4538 and many more. We are aware that the CentOS team does backporting of security fixes into lower branches of the kernel.
But there is no way to identify if the above mentioned vulnerabilities (most of them were reported way back in 2010, 2011 and 2012) are fixed in the kernel version (2.6.32-696.18.7.el6) we are currently using.

Have tried with the command (rpm -q --changelog kernel) to identify the fixes that went in for the CVEs. But the above mentioned (CVE-2011-1476, CVE-2011-1180) were not listed in the changelog!
For example the CVE (CVE-2010-1086) reports that Linux kernel 2.6.33 and earlier versions are affected. But RHEL (RHEL 4 and RHEL 5) has provided kernel patches for this CVE as given in the RHSA (https://access.redhat.com/errata/RHSA-2010:0398). The kernel version and release (kernel-2.6.18-194.3.1.el5.x86_64.rpm) are of a lower version than the one we are currently using.

We have done our bit of analysing the CVEs and assume that the security vulnerabilities reported are pretty old and hence would have been fixed in the kernel version we currently use. Is there any documentation that we can rely on to show which older CVE fixes are part of the current kernel version (2.6.32-696.18.7.el6) we use?

Any pointers would be welcome.

Re: Older CVEs fixed in kernel version of CentOS 6.7 (2.6.32)

Posted: 2018/03/06 08:28:57
by avij

Re: Older CVEs fixed in kernel version of CentOS 6.7 (2.6.32)

Posted: 2018/03/06 09:15:18
by sathya_das
Thank you avij for the reply.

For the first two issues (CVE-2011-1476 and CVE-2011-1180) it is mentioned that RHEL 4, 5 and 6 are not vulnerable. Good news for us.
But for the third one, CVE-2009-4536, the fix is done on a version (kernel-2.6.18-164.10.1.el5.x86_64.rpm) much lower than the one we use (2.6.32-696.18.7.el6). And there is no document which tells that the fix would be automatically available in the higher revision kernel versions!
The changelog doesn't mention this CVE (rpm -q --changelog kernel). My problem is that there are a bunch of issues reported (around 100) which are already fixed in either lower versions of RHEL released kernels or fixed in a higher base version of the kernel (2.6.39).

Re: Older CVEs fixed in kernel version of CentOS 6.7 (2.6.32)

Posted: 2018/03/06 09:37:43
by avij
The kernel changelog starts from Sat Nov 21 2009. It would not be a far-fetched idea to think that security issues found prior to that date would already be fixed in the first published CentOS 6 kernel.

Bugzilla can also be used for digging more information, like https://bugzilla.redhat.com/show_bug.cg ... -2009-4536

If you need to be 100% certain that the kernel is not vulnerable to any of these CVEs, you would need to hunt down the upstream kernel.org commits that fix the CVEs and make sure the same (or adapted) code changes are in the CentOS kernel.

Re: Older CVEs fixed in kernel version of CentOS 6.7 (2.6.32)

Posted: 2018/03/06 10:22:50
by TrevorH
Since the RH 2.6.32 kernel was based on the vanilla 2.6.32 kernel and was a clone of it to start with, you can safely assume that CVEs listed as fixed in kernels from 6 years before that are still fixed since 2.6.32 was based on 2.6.31 (which was based on 2.6.30 etc etc) and contains all the fixes that were in the previous versions.
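The two checks described in the replies above (avij: is the CVE named in the RPM changelog, and if not, hunt the upstream commit; TrevorH: anything older than the vanilla 2.6.32 base is inherited) can be turned into a first-pass triage script. This is an added example, not something posted in the thread. It runs against a constructed changelog excerpt; on a real box you would substitute `rpm -q --changelog kernel`. The changelog entries and the IDs CVE-2017-0000 and CVE-2008-0000 are placeholders, and the "predates" bucket is only a heuristic that still needs the upstream commit verified by hand, exactly as avij says.

```shell
#!/bin/sh
# Added example (not from the thread): triage CVE IDs against the RPM
# changelog of the running CentOS kernel.
#   1. Is the CVE named in `rpm -q --changelog kernel`?  -> backported fix
#   2. If not, is its CVE year earlier than the first changelog entry?
#      -> the fix would have to be in the vanilla 2.6.32 base (verify upstream)
#   3. Otherwise the Bugzilla entry and upstream commit must be checked by hand.
# On a real system: CHANGELOG=$(rpm -q --changelog kernel)

# Constructed sample of `rpm -q --changelog kernel` output. The entries and
# the ID CVE-2017-0000 are placeholders, not real changelog lines.
SAMPLE_CHANGELOG='* Mon Jan 08 2018 Example Packager <packager@example.com> [2.6.32-696.18.7.el6]
- [net] example: constructed entry for a backported fix {CVE-2017-0000}
- [fs] example: constructed entry with no CVE reference [1234567]

* Sat Nov 21 2009 Example Packager <packager@example.com> [2.6.32-1.el6]
- initial CentOS 6 kernel (constructed entry)'

# Year of the oldest changelog entry: the last "* <day> <mon> <dd> <yyyy> ..." header.
changelog_start_year() {
    printf '%s\n' "$1" | grep '^\* ' | tail -n 1 | awk '{print $5}'
}

# Classify one CVE against a changelog. Prints one of:
#   listed    the changelog names the CVE, i.e. a backported fix
#   predates  not named, but the CVE year is before the first changelog entry;
#             likely fixed in the vanilla base, verify the upstream commit
#   verify    not named and not older than the changelog; check Bugzilla and
#             the upstream commit by hand
cve_status() {
    changelog=$1
    cve=$2
    start_year=$(changelog_start_year "$changelog")
    cve_year=$(printf '%s' "$cve" | cut -d- -f2)
    if printf '%s\n' "$changelog" | grep -qiF -- "$cve"; then
        echo listed
    elif [ "$cve_year" -lt "$start_year" ]; then
        echo predates
    else
        echo verify
    fi
}

# One report line per CVE: "<CVE> <status>".
cve_report() {
    changelog=$1
    shift
    for cve in "$@"; do
        echo "$cve $(cve_status "$changelog" "$cve")"
    done
}

# Demo with the IDs from the thread plus the placeholder CVE-2017-0000.
cve_report "$SAMPLE_CHANGELOG" CVE-2017-0000 CVE-2011-1476 CVE-2009-4536 CVE-2010-1086
```

Note that a 2009 CVE lands in "verify", not "predates": the sample changelog starts in November 2009 and 2.6.32 itself shipped in December 2009, so the year alone cannot tell you on which side of the base version the fix falls.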

Re: Older CVEs fixed in kernel version of CentOS 6.7 (2.6.32)

Posted: 2018/03/07 05:43:34
by Whoever
sathya_das wrote:We are looking for some information on the CVE's fixed in the latest version of Linux kernel used in CentOS 6.7. Currently our product is running on top of CentOS 6.7 and the version of Linux kernel is 2.6.32-696.18.7.el6.
What's the point of this when you are running on an old and presumably insecure version of CentOS?

Re: Older CVEs fixed in kernel version of CentOS 6.7 (2.6.32)

Posted: 2018/03/09 06:54:44
by sathya_das
Whoever wrote:What's the point of this when you are running on an old and presumably insecure version of CentOS?
There are many business models involved, which I am not sure about. Let's leave it to the managers to fight it out. :)

Re: Older CVEs fixed in kernel version of CentOS 6.7 (2.6.32)

Posted: 2018/03/09 14:46:05
by TrevorH
sathya_das wrote:There are many business models involved, which I am not sure about. Let's leave it to the managers to fight it out. :)
No, let's not.

It's your responsibility to inform them that CentOS only maintains the latest minor version and support for older minor point releases stops as soon as the new one comes out. That means that CentOS 6.7 stopped getting fixes when 6.8 came out in May 2016 and 6.8 stopped getting fixes when 6.9 came out in March 2017. If you stick with 6.7 then you have a system that has all the security problems and vulnerabilities since July 2015 - that's now nearly 3 years of them.

If you want to know the scale of your problem then go to the Red Hat errata pages for RHEL6 and click the Security tab, then tell it to show you only "Critical" and then "Important" bugs that have been fixed. Check that list for all those that are dated after July 2015 and those are the ones that could affect your system (if the relevant packages are installed). Unfortunately that page is currently broken for me so I cannot count them for you but there will be many of them, some worse than others.

Only the latest CentOS point release gets maintenance. There are no patches for older CentOS minor versions - you MUST keep up to date if you are to remain secure.

If your organisation has a requirement to stick with particular point release versions then CentOS is not the right operating system for you and you should be using RHEL along with their EUS support. That allows you to stick with a particular point release and also get security fixes for that point release. CentOS does not do this.
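The errata check TrevorH describes (Critical and Important advisories dated after the last point release you installed, narrowed to packages actually on the box) can be scripted once the errata list is in a machine-readable form. The following is an added example, not code from the thread or from CentOS. The tab-separated layout (advisory, date, severity, package) is an assumption made for the example; the real errata page is HTML, so you would export or scrape it into that shape first. The advisory IDs, dates and the installed-package list are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): list Critical/Important advisories
# published after a cutoff date that touch packages installed on this system,
# and count them as a single "how big is the gap" figure.

TAB=$(printf '\t')

# Constructed errata rows (advisory, date, severity, package); the IDs are
# placeholders, not real RHSAs.
SAMPLE_ERRATA=$(printf '%s\n' \
    "RHSA-2015:0000${TAB}2015-06-15${TAB}Important${TAB}kernel" \
    "RHSA-2016:0000${TAB}2016-02-10${TAB}Critical${TAB}kernel" \
    "RHSA-2016:0001${TAB}2016-09-01${TAB}Important${TAB}openssl" \
    "RHSA-2017:0000${TAB}2017-05-20${TAB}Moderate${TAB}kernel" \
    "RHSA-2017:0001${TAB}2017-11-03${TAB}Important${TAB}glibc")

# Constructed stand-in for `rpm -qa --qf '%{NAME}\n'` on the box under review.
SAMPLE_INSTALLED='kernel
glibc
bash'

# Turn an ISO date (yyyy-mm-dd) into a number so dates compare with -gt.
date_num() {
    printf '%s' "$1" | tr -d -
}

# errata_affecting ERRATA INSTALLED CUTOFF_DATE
# Prints "<advisory> <date> <severity> <package>" for every row whose severity
# is Critical or Important, whose date is after CUTOFF_DATE, and whose package
# appears in the installed list (exact name match).
errata_affecting() {
    errata=$1
    installed=$2
    cutoff=$(date_num "$3")
    printf '%s\n' "$errata" | while IFS="$TAB" read -r advisory date severity pkg; do
        [ -n "$advisory" ] || continue
        case $severity in
            Critical|Important) ;;
            *) continue ;;
        esac
        [ "$(date_num "$date")" -gt "$cutoff" ] || continue
        printf '%s\n' "$installed" | grep -qx -- "$pkg" || continue
        echo "$advisory $date $severity $pkg"
    done
}

# Number of advisories errata_affecting would report.
errata_count() {
    errata_affecting "$@" | wc -l | tr -d ' '
}

# Demo: CentOS 6.7 shipped in July 2015, the cutoff used in the thread.
errata_affecting "$SAMPLE_ERRATA" "$SAMPLE_INSTALLED" 2015-07-31
```

The package match is deliberately exact: an advisory for `kernel` should not be dropped because only `kernel-firmware` is installed, nor counted because of it. Extend the installed list from `rpm -qa --qf '%{NAME}\n'` and the errata rows from your export, and the count is the number of advisories your system has been missing since its last update.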