Tuesday, October 10, 2017

Oracle Linux - Yum security plugin

Ensuring your Oracle Linux system is up to date with patches, and especially security patches can be a challenging task. Updating your system from a pure operating system point of view is not the main issue. A simple yum command will make sure that the latest versions are applied to your system.

The main challenge a lot of enterprises face is identifying which patches and updates are applicable and how they might affect applications running on the systems. For Oracle linux you will have an additional level of assurance that Oracle software will be working when applying updates from the official Oracle Linux repositories.

For software not developed by Oracle this assurance will not be that strict and you will face the same possible issues as you will have with other Linux distributions, like for example, RedHat.

A formal process of identifying what needs to be updated and after that ensuring the update will not break functionality should be in place. The first step in such a process is finding the candidates. A good way to find out which updates, security specific in our example, are available and could be applied is something that can be facilitated by yum itself

You can use the yum security plugin. Some of the options you can see mentioned below:

Plugin Options:
    --security          Include security relevant packages
    --bugfixes          Include bugfix relevant packages
    --cve=CVE           Include packages needed to fix the given CVE
    --bz=BZ             Include packages needed to fix the given BZ
                        Include security relevant packages, of this severity
                        Include packages needed to fix the given advisory

As an example you can use the below command which will show information on available updates.

[vagrant@localhost ~]$ yum updateinfo list
Loaded plugins: security
ELBA-2017-0891 bugfix         binutils-
ELEA-2017-1432 enhancement    ca-certificates-2017.2.14-65.0.1.el6_9.noarch
ELSA-2017-0847 Moderate/Sec.  curl-7.19.7-53.el6_9.x86_64
ELBA-2017-2506 bugfix         dhclient-12:4.1.1-53.P1.0.1.el6_9.1.x86_64
ELBA-2017-2506 bugfix         dhcp-common-12:4.1.1-53.P1.0.1.el6_9.1.x86_64
ELBA-2017-1373 bugfix         initscripts-9.03.58-1.0.1.el6_9.1.x86_64
ELBA-2017-2852 bugfix         initscripts-9.03.58-1.0.1.el6_9.2.x86_64
ELSA-2017-0892 Important/Sec. kernel-2.6.32-696.1.1.el6.x86_64
ELSA-2017-1372 Moderate/Sec.  kernel-2.6.32-696.3.1.el6.x86_64
ELSA-2017-1486 Important/Sec. kernel-2.6.32-696.3.2.el6.x86_64
ELSA-2017-1723 Important/Sec. kernel-2.6.32-696.6.3.el6.x86_64
ELBA-2017-2504 bugfix         kernel-2.6.32-696.10.1.el6.x86_64
ELSA-2017-2681 Important/Sec. kernel-2.6.32-696.10.2.el6.x86_64
ELSA-2017-2795 Important/Sec. kernel-2.6.32-696.10.3.el6.x86_64

In case you want to see only the security related updates with a severity Moderate you can use the below command to generate this list:

[vagrant@localhost ~]$ yum updateinfo list --sec-severity=Moderate
Loaded plugins: security
ELSA-2017-0847 Moderate/Sec. curl-7.19.7-53.el6_9.x86_64
ELSA-2017-1372 Moderate/Sec. kernel-2.6.32-696.3.1.el6.x86_64
ELSA-2017-2863 Moderate/Sec. kernel-2.6.32-696.13.2.el6.x86_64
ELSA-2017-2863 Moderate/Sec. kernel-headers-2.6.32-696.13.2.el6.x86_64
ELSA-2017-0847 Moderate/Sec. libcurl-7.19.7-53.el6_9.x86_64
ELSA-2017-2563 Moderate/Sec. openssh-5.3p1-123.el6_9.x86_64
ELSA-2017-2563 Moderate/Sec. openssh-clients-5.3p1-123.el6_9.x86_64
ELSA-2017-2563 Moderate/Sec. openssh-server-5.3p1-123.el6_9.x86_64
ELSA-2017-1574 Moderate/Sec. sudo-1.8.6p3-29.el6_9.x86_64
updateinfo list done
[vagrant@localhost ~]$ 

To list the security errata by their Common Vulnerabilities and Exposures (CVE) IDs instead of their errata IDs, specify the keyword cves as an argument:

[vagrant@localhost ~]$ yum updateinfo list cves
Loaded plugins: security
 CVE-2017-2628    Moderate/Sec.  curl-7.19.7-53.el6_9.x86_64
 CVE-2017-2636    Important/Sec. kernel-2.6.32-696.1.1.el6.x86_64
 CVE-2016-7910    Important/Sec. kernel-2.6.32-696.1.1.el6.x86_64
 CVE-2017-6214    Moderate/Sec.  kernel-2.6.32-696.3.1.el6.x86_64
 CVE-2017-1000364 Important/Sec. kernel-2.6.32-696.3.2.el6.x86_64
 CVE-2017-7895    Important/Sec. kernel-2.6.32-696.6.3.el6.x86_64
 CVE-2017-1000251 Important/Sec. kernel-2.6.32-696.10.2.el6.x86_64
 CVE-2017-1000253 Important/Sec. kernel-2.6.32-696.10.3.el6.x86_64
 CVE-2017-7541    Moderate/Sec.  kernel-2.6.32-696.13.2.el6.x86_64

When checking (automated) what patches are applicable the question why is very reasonable. Meaning, you would like to have some more information on the background of patches. For this you can do a "yum updateinfo info" command or you can specifically query for a CVE ID. The CVE ID example is shown below in an example:

[vagrant@localhost ~]$ yum updateinfo info --cve CVE-2017-1000251
Loaded plugins: security

   kernel security and bug fix update
  Update ID : ELSA-2017-2681
    Release : Oracle Linux 6
       Type : security
     Status : final
     Issued : 2017-09-13
       CVEs : CVE-2017-1000251
Description : [2.6.32-696.10.2.OL6]
            : - Update genkey [bug 25599697]
            : [2.6.32-696.10.2]
            : - [net] l2cap: prevent stack overflow on incoming
            :   bluetooth packet (Neil Horman) [1490060 1490062]
            :   {CVE-2017-1000251}
   Severity : Important

   Unbreakable Enterprise kernel security update
  Update ID : ELSA-2017-3620
    Release : Oracle Linux 6
       Type : security
     Status : final
     Issued : 2017-09-19
       CVEs : CVE-2017-1000251
Description : kernel-uek
            : [4.1.12-]
            : - Bluetooth: Properly check L2CAP config option
            :   output buffer length (Ben Seri)  [Orabug:
            :   26796363]  {CVE-2017-1000251}
   Severity : Important
updateinfo info done
[vagrant@localhost ~]$

By using the yum plugin in a correct way and automate against it you can leverage the power of this plugin and implement (an automated) process that will inform you about candidates for installation on your production systems.

No comments: