Forum Stats

  • 3,836,836 Users
  • 2,262,198 Discussions
  • 7,900,127 Comments

Discussions

Categories

Linux Security Update for edk2 (ELSA-2019-3338)

User_6LNOE
User_6LNOE Member Posts: 3 Green Ribbon
in Oracle Linux

We have an alert from our Security team for one of our servers

Oracle Enterprise Linux Security Update for edk2 (ELSA-2019-3338)

 

CVE ID (cvedetails.com)

CVE-2018-12181CVE-2019-0160,

 

Package recommended by security team:

edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch.rpm

Package Installed on server:

edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch



Does edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch has that prob fixed? or is vulnerable, as in edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch there is no reference to CVE-2018-12181CVE-2019-0160

Tagged:
· Share on TwitterShare on Facebook

Best Answer

  • User_6LNOE
    User_6LNOE Member Posts: 3 Green Ribbon
    Answer ✓

    thanks a lot for your time and your assistance.

    Additionaly...

    Finally we learnt how to get the evidences that prove ELSA-2019-3338 and CVEs (CVE-2018-12181, CVE-2019-0160) are patched in IOMSOIP01.

    •  Patched recommendations in a package: Here you can list all patches from edk2-ovmf package, (i) means installed in system:

    yum updateinfo --all --list --advisory CL-ELSA-2019-3338

    image1.png


    • List of available patches to advisory CL-ELSA-2019-338 (clear, no package pending to install)

    yum updateinfo --available --list --advisory CL-ELSA-2019-3338

    • List of updates to advisory CL-ELSA-2019-338 (clear, no package pending to install)

    yum updateinfo --updates --list --advisory CL-ELSA-2019-3338

    • List of installed packages to advisory CL-ELSA-2019-338 (edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch package showed)

    yum updateinfo --installed --list --advisory CL-ELSA-2019-3338

    image2.png
    • List of available patches to CVE-2018-12181 or CVE-2019-0160  (clear, no package pending)

    yum updateinfo --available --list --cve CVE-2018-12181 --cve CVE-2019-0160

    • List of updates to CVE-2018-12181 or CVE-2019-0160 (clear, no package pending)

    yum updateinfo --updates --list --cve CVE-2018-12181 --cve CVE-2019-0160

    • List of installed packages to CVE-2018-12181 or CVE-2019-0160 (edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch package showed)

    yum updateinfo --installed --list --cve CVE-2018-12181 --cve CVE-2019-0160


    image3.png

    regards

    Alfonso

    · Share on TwitterShare on Facebook

Answers

  • Herbert van den Bergh-Oracle
    Herbert van den Bergh-Oracle Member Posts: 985 Employee

    A newer version of a package typically contains all bug fixes of older versions, unless the fixes introduced a more serious problem and had to be reverted. In this case it looks like the problem was fixed in an upstream version and the RHEL and OL versions were refreshed to that version, so the changelog only has the "refresh" message, not each individual change that was made upstream. In order to know for sure you would need to review the source code of this package, but it's very likely that all versions since the reported fixed version have this fix.

    · Share on TwitterShare on Facebook
  • Herbert van den Bergh-Oracle
    Herbert van den Bergh-Oracle Member Posts: 985 Employee

    I took a look at the edk2 source code, and edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2 does indeed still have the fix for CVE-2018-12181. I'm guessing the same will be the case for CVE-2019-0160, but I haven't checked.

    User_6LNOE
    · Share on TwitterShare on Facebook
  • Herbert van den Bergh-Oracle
    Herbert van den Bergh-Oracle Member Posts: 985 Employee

    You may want to check with the security team why they flagged the installed version for those vulnerabilities. It looks like the scanner used may report a false positive result.

    User_6LNOE
    · Share on TwitterShare on Facebook
  • User_6LNOE
    User_6LNOE Member Posts: 3 Green Ribbon
    Answer ✓

    thanks a lot for your time and your assistance.

    Additionaly...

    Finally we learnt how to get the evidences that prove ELSA-2019-3338 and CVEs (CVE-2018-12181, CVE-2019-0160) are patched in IOMSOIP01.

    •  Patched recommendations in a package: Here you can list all patches from edk2-ovmf package, (i) means installed in system:

    yum updateinfo --all --list --advisory CL-ELSA-2019-3338

    image1.png


    • List of available patches to advisory CL-ELSA-2019-338 (clear, no package pending to install)

    yum updateinfo --available --list --advisory CL-ELSA-2019-3338

    • List of updates to advisory CL-ELSA-2019-338 (clear, no package pending to install)

    yum updateinfo --updates --list --advisory CL-ELSA-2019-3338

    • List of installed packages to advisory CL-ELSA-2019-338 (edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch package showed)

    yum updateinfo --installed --list --advisory CL-ELSA-2019-3338

    image2.png
    • List of available patches to CVE-2018-12181 or CVE-2019-0160  (clear, no package pending)

    yum updateinfo --available --list --cve CVE-2018-12181 --cve CVE-2019-0160

    • List of updates to CVE-2018-12181 or CVE-2019-0160 (clear, no package pending)

    yum updateinfo --updates --list --cve CVE-2018-12181 --cve CVE-2019-0160

    • List of installed packages to CVE-2018-12181 or CVE-2019-0160 (edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch package showed)

    yum updateinfo --installed --list --cve CVE-2018-12181 --cve CVE-2019-0160


    image3.png

    regards

    Alfonso

    · Share on TwitterShare on Facebook