Discussions
Categories
- 17.9K All Categories
- 3.4K Industry Applications
- 3.3K Intelligent Advisor
- 63 Insurance
- 536.4K On-Premises Infrastructure
- 138.3K Analytics Software
- 38.6K Application Development Software
- 5.8K Cloud Platform
- 109.5K Database Software
- 17.5K Enterprise Manager
- 8.8K Hardware
- 71.1K Infrastructure Software
- 105.3K Integration
- 41.6K Security Software
Linux Security Update for edk2 (ELSA-2019-3338)

We have an alert from our Security team for one of our servers
Oracle Enterprise Linux Security Update for edk2 (ELSA-2019-3338)
CVE ID (cvedetails.com)
CVE-2018-12181, CVE-2019-0160,
Package recommended by security team:
edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch.rpm
Package Installed on server:
edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch
Does edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch has that prob fixed? or is vulnerable, as in edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch there is no reference to CVE-2018-12181, CVE-2019-0160
Best Answer
-
thanks a lot for your time and your assistance.
Additionaly...
Finally we learnt how to get the evidences that prove ELSA-2019-3338 and CVEs (CVE-2018-12181, CVE-2019-0160) are patched in IOMSOIP01.
- Patched recommendations in a package: Here you can list all patches from edk2-ovmf package, (i) means installed in system:
yum updateinfo --all --list --advisory CL-ELSA-2019-3338
- List of available patches to advisory CL-ELSA-2019-338 (clear, no package pending to install)
yum updateinfo --available --list --advisory CL-ELSA-2019-3338
- List of updates to advisory CL-ELSA-2019-338 (clear, no package pending to install)
yum updateinfo --updates --list --advisory CL-ELSA-2019-3338
- List of installed packages to advisory CL-ELSA-2019-338 (edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch package showed)
yum updateinfo --installed --list --advisory CL-ELSA-2019-3338
- List of available patches to CVE-2018-12181 or CVE-2019-0160 (clear, no package pending)
yum updateinfo --available --list --cve CVE-2018-12181 --cve CVE-2019-0160
- List of updates to CVE-2018-12181 or CVE-2019-0160 (clear, no package pending)
yum updateinfo --updates --list --cve CVE-2018-12181 --cve CVE-2019-0160
- List of installed packages to CVE-2018-12181 or CVE-2019-0160 (edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch package showed)
yum updateinfo --installed --list --cve CVE-2018-12181 --cve CVE-2019-0160
regards
Alfonso
Answers
-
A newer version of a package typically contains all bug fixes of older versions, unless the fixes introduced a more serious problem and had to be reverted. In this case it looks like the problem was fixed in an upstream version and the RHEL and OL versions were refreshed to that version, so the changelog only has the "refresh" message, not each individual change that was made upstream. In order to know for sure you would need to review the source code of this package, but it's very likely that all versions since the reported fixed version have this fix.
-
I took a look at the edk2 source code, and edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2 does indeed still have the fix for CVE-2018-12181. I'm guessing the same will be the case for CVE-2019-0160, but I haven't checked.
-
You may want to check with the security team why they flagged the installed version for those vulnerabilities. It looks like the scanner used may report a false positive result.
-
thanks a lot for your time and your assistance.
Additionaly...
Finally we learnt how to get the evidences that prove ELSA-2019-3338 and CVEs (CVE-2018-12181, CVE-2019-0160) are patched in IOMSOIP01.
- Patched recommendations in a package: Here you can list all patches from edk2-ovmf package, (i) means installed in system:
yum updateinfo --all --list --advisory CL-ELSA-2019-3338
- List of available patches to advisory CL-ELSA-2019-338 (clear, no package pending to install)
yum updateinfo --available --list --advisory CL-ELSA-2019-3338
- List of updates to advisory CL-ELSA-2019-338 (clear, no package pending to install)
yum updateinfo --updates --list --advisory CL-ELSA-2019-3338
- List of installed packages to advisory CL-ELSA-2019-338 (edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch package showed)
yum updateinfo --installed --list --advisory CL-ELSA-2019-3338
- List of available patches to CVE-2018-12181 or CVE-2019-0160 (clear, no package pending)
yum updateinfo --available --list --cve CVE-2018-12181 --cve CVE-2019-0160
- List of updates to CVE-2018-12181 or CVE-2019-0160 (clear, no package pending)
yum updateinfo --updates --list --cve CVE-2018-12181 --cve CVE-2019-0160
- List of installed packages to CVE-2018-12181 or CVE-2019-0160 (edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch package showed)
yum updateinfo --installed --list --cve CVE-2018-12181 --cve CVE-2019-0160
regards
Alfonso