Comments (12)
@schnipschnap Can you look into why that happens? All version comparisons look right to me. I just picked ELSA-2021-4513 https://linux.oracle.com/errata/ELSA-2021-4513.html and the data cnspec shows matches the advisory.
from cnspec.
@chris-rock One thing that sticks out to me is that this command:
[root@ip-10-0-101-136 ec2-user]# uname -a
Linux ip-10-0-101-136.ec2.internal 4.18.0-513.11.0.1.el8_9.x86_64 #1 SMP Thu Jan 11 11:30:45 PST 2024 x86_64 x86_64 x86_64 GNU/Linux
claims we are running kernel version 4.18.0-513. However, cnspec claims
9.8 kernel 4.18.0-372.9.1.el8 4.18.0-513.9.1.el8_9 ELSA-2023-7549
we are running 4.18.0-372 which is not true. Also it correctly sees that this is fixed in the latest version 4.18.0-513 which is what we have installed.
from cnspec.
On Linux systems you can install multiple kernel packages at the same point in time. cnspec displays all packages that are installed. 4.18.0-372.9.1.el8 showing up does not mean it is thinking that the kernel is running. That means the kernel package is installed on the system.
You can get a list of all kernel packages via:
packages.where(name == /kernel/)
You can see the installed kernels via:
cnquery> kernel.info.version
kernel.info.version: "6.4.16-linuxkit"
I recommend purging unused kernels.
from cnspec.
Hi @chris-rock this helped. Indeed it was even applicable for packages that can have 2 versions on the system:
e.g. gzip:
[root@ip-10-0-101-136 ec2-user]# yum --showduplicates list gzip
Last metadata expiration check: 0:02:19 ago on Thu 15 Feb 2024 01:12:09 PM GMT.
Installed Packages
gzip.x86_64 1.9-12.el8 @ol8_baseos_latest
gzip.x86_64 1.9-13.el8_5 @ol8_baseos_latest
cnspec vuln will report these outdated installed packages.
However, with bpftool it is different:
This package is installed in the system
bpftool.x86_64 4.18.0-513.11.0.1.el8_9
cnspec asks to install version 5.15.0-201.135.6 as indicated by https://linux.oracle.com/errata/ELSA-2023-13043.html
This version seems to be missing from the Oracle linux repository:
[root@ip-10-0-101-136 ec2-user]# yum remove bpftool
Dependencies resolved.
==================================================================================================================================================================
Package Architecture Version Repository Size
==================================================================================================================================================================
Removing:
bpftool x86_64 4.18.0-513.11.0.1.el8_9 @ol8_baseos_latest 2.9 M
Transaction Summary
==================================================================================================================================================================
Remove 1 Package
Freed space: 2.9 M
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Erasing : bpftool-4.18.0-513.11.0.1.el8_9.x86_64 1/1
Running scriptlet: bpftool-4.18.0-513.11.0.1.el8_9.x86_64 1/1
Verifying : bpftool-4.18.0-513.11.0.1.el8_9.x86_64 1/1
Removed:
bpftool-4.18.0-513.11.0.1.el8_9.x86_64
Complete!
[root@ip-10-0-101-136 ec2-user]# yum update
Last metadata expiration check: 0:08:34 ago on Thu 15 Feb 2024 01:12:09 PM GMT.
Dependencies resolved.
Nothing to do.
Complete!
[root@ip-10-0-101-136 ec2-user]#
[root@ip-10-0-101-136 ec2-user]#
[root@ip-10-0-101-136 ec2-user]# yum install bpftool
Last metadata expiration check: 0:08:41 ago on Thu 15 Feb 2024 01:12:09 PM GMT.
Dependencies resolved.
==================================================================================================================================================================
Package Architecture Version Repository Size
==================================================================================================================================================================
Installing:
bpftool x86_64 4.18.0-513.11.0.1.el8_9 ol8_baseos_latest 11 M
Transaction Summary
==================================================================================================================================================================
Install 1 Package
Total download size: 11 M
Installed size: 2.9 M
Is this ok [y/N]: y
Downloading Packages:
bpftool-4.18.0-513.11.0.1.el8_9.x86_64.rpm 36 MB/s | 11 MB 00:00
------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 35 MB/s | 11 MB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : bpftool-4.18.0-513.11.0.1.el8_9.x86_64 1/1
Running scriptlet: bpftool-4.18.0-513.11.0.1.el8_9.x86_64 1/1
Verifying : bpftool-4.18.0-513.11.0.1.el8_9.x86_64 1/1
Installed:
bpftool-4.18.0-513.11.0.1.el8_9.x86_64
Complete!
[root@ip-10-0-101-136 ec2-user]#
This is an Oracle Linux issue - closing this
from cnspec.
Oracle lists various package repositories in https://yum.oracle.com/oracle-linux-8.html, can you check if the package is in their Test and Development repos?
from cnspec.
Can you also share how you purged the packages so that users who encounter the issue know how to resolve the issue quickly?
from cnspec.
How to remove old kernels manually:
- List all kernels:
rpm -q kernel
rpm -q kernel-core
rpm -q kernel-modules
- Remove all old kernel packages using
yum remove <package>
Example: yum remove kernel-core-4.18.0-372.9.1.el8.x86_64 kernel-core-4.18.0-477.10.1.el8_8.x86_64
How to remove kernels automatically:
package-cleanup --oldkernels --count=1
How to remove old installed packages:
Find the outdated package version using yum --showduplicates list <package>
Example for gzip:
[root@ip-10-0-101-136 ec2-user]# yum --showduplicates list gzip
Last metadata expiration check: 0:34:21 ago on Thu 15 Feb 2024 01:12:09 PM GMT.
Installed Packages
gzip.x86_64 1.9-12.el8 @ol8_baseos_latest
gzip.x86_64 1.9-13.el8_5 @ol8_baseos_latest
Removal of outdated package:
yum remove gzip-1.9-12.el8.x86_64
from cnspec.
As of now there are no packages even in the developer repo: https://yum.oracle.com/repo/OracleLinux/OL8/baseos/developer/x86_64/index.html
bpftool is at [bpftool-4.18.0-477.el8.x86_64.rpm] last update April 6 2023
It can be found for Oracle Linux 9 though here: https://oraclelinux.pkgs.org/9/ol9-baseos-latest-aarch64/bpftool-5.15.0-201.135.6.el9uek.aarch64.rpm.html
from cnspec.
I see two potential problems with bpftool:
9.8 bpftool 4.18.0-513.11.0.1.el8_9 5.15.0-201.135.6.el9uek ELSA-2023-13043
The comparison is not correct, since we should not compare el8_9 to el9uek.
- Do we need to detect if the uek kernel is running?
- From the advisory it looks like bpftool-5.15.0-201.135.6.el8uek.x86_64.rpm should be the recommended version for OEL8
from cnspec.
I can reproduce the same by running the container image and installing the package: oraclelinux:8.9.
from cnspec.
As I understand https://docs.oracle.com/en/database/oracle/oracle-database/19/ladbi/about-oracle-linux-and-the-unbreakable-enterprise-kernel.html, you can run both kernel versions on EL8.
But UEK has its own repos: https://yum.oracle.com/repo/OracleLinux/OL8/UEKR7/x86_64/index.html
And one major version of Oracle Linux can have multiple different UEK releases: https://yum.oracle.com/oracle-linux-8.html
E.g., https://linux.oracle.com/errata/ELSA-2024-12159.html has different channel labels. Perhaps we can integrate this.
from cnspec.
I see two potential problems with bpftool:
9.8 bpftool 4.18.0-513.11.0.1.el8_9 5.15.0-201.135.6.el9uek ELSA-2023-13043
The comparison is not correct, since we should not compare el8_9 to el9uek.
- Do we need to detect if the uek kernel is running?
- From the advisory it looks like bpftool-5.15.0-201.135.6.el8uek.x86_64.rpm should be the recommended version for OEL8
I think we need to check for UEK.
Taking ELSA-2023-13043 as an example, the title is:
ELSA-2023-13043 - Unbreakable Enterprise kernel security update
Following the CVEs linked in this advisory, some mention the v4 non-uek kernel, e.g., https://linux.oracle.com/cve/CVE-2023-4623.html
The standard kernels have their own advisories: https://linux.oracle.com/errata/ELSA-2024-0897.html
And these advisories also mention updates for the v4 kernel and tools packages.
from cnspec.
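Added example, not part of the thread and not cnspec's code: a dist-tag gate that runs before any version comparison, so an el9uek build is never offered as the fix on an el8_9 host. The names `ParseDist` and `SelectFix` and the rule "the fix must match the running kernel's OS major and UEK flavor" are assumptions for illustration; ordering of versions (rpmvercmp) is out of scope here.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// distTag matches the dist tag in an RPM release or `uname -r` string: el8, el8_9, el8uek, el9uek.
var distTag = regexp.MustCompile(`\.el(\d+)(?:_\d+)?(uek)?`)

// Dist is the OS major release and kernel flavor a build targets.
type Dist struct {
	Major int
	UEK   bool
}

// ParseDist extracts the dist tag; the bool is false when none is present.
func ParseDist(s string) (Dist, bool) {
	m := distTag.FindStringSubmatch(s)
	if m == nil {
		return Dist{}, false
	}
	major, _ := strconv.Atoi(m[1])
	return Dist{major, m[2] == "uek"}, true
}

// SelectFix returns the advisory build whose dist tag matches the running kernel
// (same OS major, same flavor). Assumed policy: any other build is not applicable.
func SelectFix(unameR string, fixed []string) (string, bool) {
	host, ok := ParseDist(unameR)
	if !ok {
		return "", false
	}
	for _, f := range fixed {
		if d, ok := ParseDist(f); ok && d == host {
			return f, true
		}
	}
	return "", false
}

func main() {
	// Builds named in the thread for ELSA-2023-13043; the second uname string is constructed.
	fixed := []string{"5.15.0-201.135.6.el9uek", "5.15.0-201.135.6.el8uek"}
	fmt.Println(SelectFix("4.18.0-513.11.0.1.el8_9.x86_64", fixed)) // thread's host, non-UEK
	fmt.Println(SelectFix("5.15.0-0.0.0.el8uek.x86_64", fixed))     // constructed UEK host
}
```

With the host from the thread (non-UEK kernel on OL8) neither UEK build is selected; on the constructed OL8 UEK host the el8uek build is selected rather than el9uek.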