Oracle Enterprise Linux Security Update for edk2 (ELSA-2019-3338)

User_6LNOE (Member, Posts: 2, Green Ribbon)

I have an alert from my Security team for one of my servers:

Oracle Enterprise Linux Security Update for edk2 (ELSA-2019-3338)

CVE IDs (cvedetails.com): CVE-2018-12181, CVE-2019-0160

Package recommended by the security team to solve the issue:

edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch.rpm

Package Installed on server:

edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch

The package information for edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch says nothing related to CVE-2018-12181 or CVE-2019-0160.


Is my installed version vulnerable to this issue?

I understand that package versions only include information about the CVEs solved in that version (but it still includes the fixes for all the CVEs that were solved in previous versions).

Is my assumption correct, and is my installed version OK?

Answers

  • David Gilpin-Oracle (Principal Product Manager, Oracle Linux and Virtualization, Frisco, TX; Posts: 21, Employee)

    If you have Oracle Linux Support you can open an SR to get assistance on questions like this.

    You can research Oracle Linux related CVEs at no cost here: https://linux.oracle.com/cve

    Here is the one you were interested in https://linux.oracle.com/cve/CVE-2019-0160.html

    It shows the errata for Oracle Linux 8 at this path https://linux.oracle.com/errata/ELSA-2019-3338.html

    Notice the first section under Description lists the exact version your Security team mentioned, and the detail shows "Resolves: bz#1714446".

    The version of the RPM you mention is the latest available (edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch). I downloaded that RPM into a temporary directory and checked the changelog:

    rpm -qp --changelog edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch.rpm | grep bz#1714446

    That shows those patches are contained in this newer release of edk2-ovmf.

    Take a look at the entire changelog; you will see a lot of even newer patches.

    Based on this research that you can do yourself, YES this newer version has that CVE fixed. Security scanners need to be properly configured for use with Oracle Linux to prevent false positives...

  • Todd Vierling-Oracle (Member, Posts: 28, Employee)

    And as a rule, we do not remove security patches in newer versions:

    edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch.rpm

    is OLDER than

    edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch

    the version you have installed. Since you have a NEWER version installed, you can assume that the same security fix is still in the package.
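The two checks the answers above describe, done offline, as an added example that is not code from the thread or from Oracle: the version ordering is a Python port of rpm's rpmvercmp() (the same rules `rpm`, `dnf` and `rpmdev-vercmp` apply, including the epoch-before-version-before-release order), and the changelog scan shows why grepping for the CVE ID alone can miss a fix that the changelog records only under its Bugzilla number. The NEVRA strings are the two from the thread; the KNOWN_ARCHES set, the maintainer address and the changelog text are constructed for illustration and are not the real edk2-ovmf changelog.

```python
"""Offline checks for the two questions in this thread: is the installed
edk2-ovmf newer than the version the scanner names, and does the package
changelog carry the fix marker (bz#1714446 / the CVE IDs)?

Added example, not code from the thread or from Oracle. rpmvercmp() is a
port of rpm's lib/rpmvercmp.c; SAMPLE_CHANGELOG is constructed.
"""
from typing import NamedTuple, Optional

# Assumption: architectures we recognise when splitting a NEVRA string.
KNOWN_ARCHES = {"noarch", "x86_64", "aarch64", "i686", "ppc64le", "s390x", "src"}

# The two package names quoted in the thread.
RECOMMENDED = "edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch.rpm"
INSTALLED = "edk2-ovmf-20200602gitca407c7246bf-4.el8_4.2.noarch"


def rpmvercmp(a: str, b: str) -> int:
    """1 if a > b, -1 if a < b, 0 if equal, by rpm's rules: walk alternating
    numeric/alpha segments, numeric beats alpha, '~' sorts before anything
    (pre-release), '^' sorts after the base version but before the rest."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1                          # skip separators like '.', '-', '_'
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if "~" in (ca, cb):
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break                           # one string exhausted
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                       # mixed types: numeric segment wins
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # more digits means a bigger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:                  # same length: lexical order decides
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # whoever has characters left wins


class EVR(NamedTuple):
    name: str
    epoch: int
    version: str
    release: str
    arch: Optional[str]


def parse_nevra(pkg: str) -> EVR:
    """Split 'name-[epoch:]version-release[.arch][.rpm]'; a missing epoch is 0."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    arch = None
    body, _, tail = pkg.rpartition(".")
    if tail in KNOWN_ARCHES:
        pkg, arch = body, tail
    name, version, release = pkg.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return EVR(name, epoch, version, release, arch)


def compare_evr(a: EVR, b: EVR) -> int:
    """Epoch first, then version, then release: the order rpm and dnf use."""
    if a.epoch != b.epoch:
        return 1 if a.epoch > b.epoch else -1
    return rpmvercmp(a.version, b.version) or rpmvercmp(a.release, b.release)


# Constructed changelog in the layout 'rpm -q --changelog' prints. Only the
# version strings and the bz#1714446 reference come from the thread; the
# dates, maintainer address and entry text are placeholders.
SAMPLE_CHANGELOG = """\
* Tue Jun 02 2020 Maintainer <maintainer@example.com> - 20200602gitca407c7246bf-4.el8_4.2
- constructed entry standing in for the rebase

* Fri Mar 08 2019 Maintainer <maintainer@example.com> - 20190308git89910a39dcfd-6.el8
- constructed entry standing in for the security fix
- Resolves: bz#1714446
"""


def changelog_entry_for(changelog: str, marker: str) -> Optional[str]:
    """Version-release of the newest entry whose body mentions `marker`, else None."""
    current = None
    for line in changelog.splitlines():
        if line.startswith("* "):
            current = line.rsplit(" ", 1)[-1]   # header line ends in the V-R
        elif marker in line:
            return current
    return None


def fix_present(installed: str, changelog: str, marker: str) -> bool:
    """True when the installed EVR is at or past the entry that names the fix."""
    entry = changelog_entry_for(changelog, marker)
    if entry is None:
        return False
    inst = parse_nevra(installed)
    return compare_evr(inst, parse_nevra(f"{inst.name}-{entry}")) >= 0


if __name__ == "__main__":
    order = compare_evr(parse_nevra(INSTALLED), parse_nevra(RECOMMENDED))
    print("installed is", {1: "newer", 0: "the same", -1: "older"}[order])
    for m in ("bz#1714446", "CVE-2019-0160", "CVE-2018-12181"):
        print(m, "->", changelog_entry_for(SAMPLE_CHANGELOG, m))
    print("fix present:", fix_present(INSTALLED, SAMPLE_CHANGELOG, "bz#1714446"))
```

On a real host, feed `rpm -q --changelog edk2-ovmf` (or `rpm -qp --changelog file.rpm` for a downloaded package) into `changelog_entry_for` instead of the constructed text, and check the errata's bz# as well as the CVE IDs: in the sample above the CVE lookups return None while the bz# lookup finds the entry, which is exactly the gap the scanner alert in this thread fell into. Note also that a naive string comparison of "20190308..." against "20200602..." happens to give the right answer here, but it would not for releases like "9.el8" versus "10.el8"; the epoch check matters too, since an epoch bump makes an apparently lower version string the newer package.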