How to check if packages in RHEL-based Linux distributions have been patched for specific CVEs

2 years ago 344

Curious to cognize if your Red Hat Enterprise Linux-based organisation has been patched against a circumstantial CVE for a definite installed package? Jack Wallen shows you how.

Binary code, password vulnerability taking retired  with tweezers, selective focus

Image: MyImages_Micha, Getty Images/iStockphoto

CVEs (Common Vulnerabilities and Exposures) are perpetually being discovered and patched. When discovered, it means a caller information flaw exists successful either an operating strategy oregon a portion of bundle and should beryllium patched arsenic soon arsenic possible. Fixing the vulnerabilities, of course, is up to the developers. Patching those vulnerabilities, however, is up to the admin (or user). Thing is, you mightiness not cognize if you're utilizing a portion of bundle that includes 1 oregon much CVEs.  

How bash you uncover this information? Do you person to walk hours researching? Not really. In fact, each you request to cognize is the CVE you're looking for and the portion of bundle it affects. With those 2 bits of accusation successful hand, you tin rapidly observe if what's installed connected your Red Hat Enterprise Linux-based organisation contains that vulnerability.

I'm going to amusement you however to bash conscionable that.

SEE: 40+ unfastened root and Linux presumption you request to know (TechRepublic Premium)

What you'll request

The lone happening you'll request to marque this enactment is simply a moving lawsuit of an RHEL-based Linux organisation (such arsenic AlmaLinux, Rocky Linux oregon Fedora Linux). You don't adjacent request a idiosyncratic relationship with sudo privileges (just a regular ol' user). 

You volition request to cognize which CVE you're looking for. I similar to caput implicit to the authoritative location of CVE listings astatine mitre.org. You tin bash a speedy package-based search to presumption a implicit database of packages that person associated CVEs.

With that OS and CVE ready, let's cheque for vulnerabilities.

How to Run a CVE Check

Here's the deal: The CVE cheque is rather simple. We're going to tube the changelog output from the rpm bid to the grep bid to database immoderate imaginable CVEs. The syntax of the bid is:

rpm -q --changelog PACKAGE | grep CVE

Where PACKAGE is the sanction of the installed bundle to beryllium checked, and CVE is the afloat sanction of the CVE successful question. Before we bash that, let's instrumentality a look astatine the non-piped output of the OpenSSH package. Issue the command:

rpm -q --changelog openssh

The output should beryllium a implicit listing of the changelog for openssh (Figure A). 

Figure A

cvetesta.jpg

The full changelog of the installed mentation of openssh connected Alma Linux.

You could scroll done the full listing for the CVE you're looking for, oregon you could tube it done grep and person the bid bash the dense lifting. Let's accidental you're looking for CVE-2020-14145, which is described as:

In OpenSSH 7.9, owed to accepting and displaying arbitrary stderr output from the server, a malicious server (or man-in-the-middle attacker) tin manipulate the lawsuit output, for example, to usage ANSI power codes to fell further files being transferred.

To cheque against that vulnerability, the bid would be:

rpm -q --changelog openssh | grep CVE-2020-14145

If you spot thing successful the output, it means openssh has been patched against that vulnerability (Figure B).

Figure B

cvetestd.jpg

OpenSSH has been patched against CVE-2020-14145 successful AlmaLinux.

If you don't spot thing successful the output, it means openssh has not been patched and you should upgrade immediately. As agelong arsenic the developers of openssh person patched the root and it's disposable successful the organisation repositories, the upgrade should instrumentality attraction of the issue.

To upgrade the bundle successful question, contented the bid (which does necessitate sudo privileges):

sudo dnf upgrade PACKAGE

Where PACKAGE is the bundle successful question. Once the upgrade completes, tally the CVE cheque again to spot if the bundle has been patched for the vulnerability. If not, support coming backmost to the upgrade, and (hopefully) the bundle maintainers volition get that contented fixed asap.

And that's each determination is to checking for CVE vulnerabilities successful the packages you person installed connected your RHEL-based Linux distributions.

Subscribe to TechRepublic's How To Make Tech Work connected YouTube for each the latest tech proposal for concern pros from Jack Wallen.

Open Source Weekly Newsletter

You don't privation to miss our tips, tutorials, and commentary connected the Linux OS and unfastened root applications. Delivered Tuesdays

Sign up today

Also spot

Read Entire Article