Oracle Enterprise Linux Security Update for edk2 (ELSA-2019-3338)

I have an alert from my Security team for one of my servers:
Oracle Enterprise Linux Security Update for edk2 (ELSA-2019-3338)
CVE ID (cvedetails.com)
CVE-2018-12181, CVE-2019-0160
Package recommended by the security team to solve the issue:
edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch.rpm
Package installed on the server:
edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch
The edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch package information says nothing related to CVE-2018-12181 or CVE-2019-0160.
Is my installed version vulnerable to this issue?
I understand that package versions only include information on the CVEs solved in that version (but it keeps having solved all the CVEs that were solved in previous versions).
Is my assumption correct and my installed version OK?
Answers
- David Gilpin-Oracle (Principal Product Manager, Oracle Linux and Virtualization, Frisco, TX):
If you have Oracle Linux Support you can open an SR to get assistance on questions like this.
You can research Oracle Linux related CVEs at no cost here: https://linux.oracle.com/cve
Here is the one you were interested in https://linux.oracle.com/cve/CVE-2019-0160.html
It shows the errata for Oracle Linux 8 at this path https://linux.oracle.com/errata/ELSA-2019-3338.html
Notice the first section under Description lists the exact version your Security team mentioned, and the detail shows "Resolves: bz#1714446"
The version of the RPM you mention is the latest available (edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch). I downloaded that RPM into a temporary directory and checked the changelog:
rpm -qp --changelog edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch.rpm | grep bz#1714446
That shows those patches are contained in this newer release of edk2-ovmf.
Take a look at the entire changelog; you will see a lot of even newer patches.
Based on this research that you can do yourself, YES this newer version has that CVE fixed. Security scanners need to be properly configured for use with Oracle Linux to prevent false positives...
-
And as a rule, we do not remove security patches in newer versions:
edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch.rpm
is OLDER than
edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch
the version you have installed. Since you have a NEWER version installed, you can assume that the same security fix is still in the package.
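The two checks the answers above rely on, searching the package changelog for the errata's bug id and confirming the installed version-release sorts after the fixed one, as an added Python example that is not from this thread or from Oracle: it re-implements a simplified rpmvercmp and scans a changelog in the layout `rpm -q --changelog` prints. Assumed: both packages share the same epoch; the sample changelog, maintainer and dates are constructed and are not the real edk2-ovmf changelog.

```python
import re
SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")   # version segments as rpm splits them
# Constructed sample mimicking `rpm -q --changelog edk2-ovmf`; NOT the real changelog.
# Assumption: installed and fixed packages have the same epoch, so epoch is ignored.
SAMPLE_CHANGELOG = """\
* Wed Oct 14 2020 Example Maintainer <maint@example.com> - 20200602gitca407c7246bf-4.el8_4.2
- Later, unrelated fix (constructed entry)
* Wed May 29 2019 Example Maintainer <maint@example.com> - 20190308git89910a39dcfd-6.el8
- Fix CVE-2018-12181 and CVE-2019-0160 in OVMF (constructed entry)
- Resolves: bz#1714446
"""

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like librpm's rpmvercmp (simplified: digit, alpha, '~' segments)."""
    sa, sb = SEG.findall(a), SEG.findall(b)
    for x, y in zip(sa, sb):
        if "~" in (x, y):                       # '~' sorts before anything else
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():        # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer, a_is_longer = (sa, True) if len(sa) > len(sb) else (sb, False)
    if longer[min(len(sa), len(sb))] == "~":    # trailing '~' makes the longer string older
        return -1 if a_is_longer else 1
    return 1 if a_is_longer else -1             # otherwise the longer string is newer

def evr_at_least(installed: str, fixed: str) -> bool:
    """True if installed 'version-release' sorts at or after fixed 'version-release'."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def entries_mentioning(changelog: str, needle: str) -> list:
    """Return the '* date author - EVR' headers of changelog entries containing needle."""
    hits, header = [], None
    for line in changelog.splitlines():
        if line.startswith("* "):
            header = line
        elif needle in line and header:
            hits.append(header)
    return hits
```

On a real host, pass the output of `rpm -q --changelog edk2-ovmf` to entries_mentioning and the installed version-release to evr_at_least; a fix is present when the bug id appears and the version check holds.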