
Common Vulnerabilities and Exposures (CVEs) is a dictionary of publicly known information security vulnerabilities and exposures. CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services. It is strongly recommended to frequently apply security updates and patches, to keep your Oracle Linux system secure at all times.

In this lab, we will look at some of the package management commands that can help you identify and install security updates on your Oracle Linux 6 system. We will look at using the yum security plugin. The yum security plugin extends yum to allow lists and updates to be limited using security relevant criteria.

We will start by checking whether the Oracle Linux 6 system already has the yum security plugin installed. You can check this using the following ‘rpm’ command.

[root@examplehost /]# rpm -qa | grep yum-plugin-security
yum-plugin-security-1.1.30-14.el6.noarch
[root@examplehost /]#

Next, check and make sure that this yum security plugin is enabled. You should find a ‘security.conf’ file under the ‘/etc/yum/pluginconf.d/’ directory.

[root@examplehost /]# cd /etc/yum/pluginconf.d/
[root@examplehost pluginconf.d]#
[root@examplehost pluginconf.d]# ls
refresh-packagekit.conf rhnplugin.conf security.conf
[root@examplehost pluginconf.d]#

Examine the ‘/etc/yum/pluginconf.d/security.conf’ file and make sure that it contains the enabled=1 entry as shown below.

[root@examplehost /]# cat /etc/yum/pluginconf.d/security.conf
[main]
enabled=1
[root@examplehost /]#

Once you have confirmed that you have the plugin installed, you can start by reading the man pages of this plugin.

You can run the following ‘yum’ command to check for security updates. Note that the output below is just an example; the output on your system may be different.

[root@examplehost /]# yum --security check-update
Loaded plugins: refresh-packagekit, security
Limiting package lists to security relevant ones
3 package(s) needed for security, out of 6 available

firefox.x86_64      10.0.12-1.0.1.el6_3    ol6_latest
vino.x86_64         2.28.1-8.el6_3         ol6_latest
xulrunner.x86_64    10.0.12-1.0.1.el6_3    ol6_latest
[root@examplehost /]#

If you want to install only the security update packages on your Oracle Linux system, you can run the following ‘yum’ command. For this lab, we will answer N at the prompt and not install any updates. Also note that the output and the number of security updates available will differ from system to system, depending on the packages installed, the date when they were installed, etc.

[root@examplehost /]# yum --security update
Loaded plugins: refresh-packagekit, security
Setting up Update Process
Resolving Dependencies
Limiting packages to security relevant ones
3 package(s) needed (+0 related) for security, out of 6 available
--> Running transaction check
---> Package firefox.x86_64 0:10.0.11-1.0.1.el6_3 will be updated
---> Package firefox.x86_64 0:10.0.12-1.0.1.el6_3 will be an update
---> Package vino.x86_64 0:2.28.1-3.el6 will be updated
---> Package vino.x86_64 0:2.28.1-8.el6_3 will be an update
---> Package xulrunner.x86_64 0:10.0.11-1.0.1.el6_3 will be updated
---> Package xulrunner.x86_64 0:10.0.12-1.0.1.el6_3 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================
 Package       Arch      Version                 Repository    Size
Updating:
 firefox       x86_64    10.0.12-1.0.1.el6_3     ol6_latest    20 M
 vino          x86_64    2.28.1-8.el6_3          ol6_latest    426 k
 xulrunner     x86_64    10.0.12-1.0.1.el6_3     ol6_latest    12 M

Transaction Summary
===============================================================================
Upgrade 3 Package(s)

Total download size: 32 M
Is this ok [y/N]:

To list all available security updates with their CVE numbers, you can run the following ‘yum’ command.

[root@examplehost /]# yum list-security
Loaded plugins: refresh-packagekit, security
CVE-2013-0753 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0754 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0759 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0767 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0758 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0748 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0746 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0762 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0769 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0766 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0750 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0744 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2011-1164 security vino-2.28.1-8.el6_3.x86_64
CVE-2012-4429 security vino-2.28.1-8.el6_3.x86_64
CVE-2011-0905 security vino-2.28.1-8.el6_3.x86_64
CVE-2011-1165 security vino-2.28.1-8.el6_3.x86_64
CVE-2011-0904 security vino-2.28.1-8.el6_3.x86_64
CVE-2013-0753 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0754 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0759 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0767 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0758 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0748 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0746 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0762 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0769 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0766 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0750 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0744 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
updateinfo list done
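For patch triage it helps to condense this listing. The following is an added example, not part of the original lab: it assumes the three-column layout shown above (CVE ID, type, package), and the function names and the shortened sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `yum list-security` output read from stdin.
# Assumes the "<CVE-ID> security <package>" column layout shown in the lab.

# Print "<count> <package>" for every package with pending CVE fixes,
# highest count first.
cves_by_package() {
    awk '$1 ~ /^CVE-[0-9]+-[0-9]+$/ && $2 == "security" { n[$3]++ }
         END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# Print each distinct CVE ID once. The same CVE is often fixed by several
# packages (firefox and xulrunner in the lab output), so counting lines
# overstates the number of vulnerabilities.
distinct_cves() {
    awk '$1 ~ /^CVE-[0-9]+-[0-9]+$/ && $2 == "security" { print $1 }' | sort -u
}

# Constructed sample: a shortened copy of the example output in the lab.
sample_output() {
    cat <<'EOF'
Loaded plugins: refresh-packagekit, security
CVE-2013-0753 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0754 security firefox-10.0.12-1.0.1.el6_3.x86_64
CVE-2011-1164 security vino-2.28.1-8.el6_3.x86_64
CVE-2013-0753 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
CVE-2013-0754 security xulrunner-10.0.12-1.0.1.el6_3.x86_64
updateinfo list done
EOF
}

echo "Pending CVE fixes per package:"
sample_output | cves_by_package
echo "Distinct CVE IDs:"
sample_output | distinct_cves
```

On a live system, pipe the real command into the functions instead of the sample, for example `yum list-security | cves_by_package`.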

To list installed security updates, you can run the following ‘yum’ command:

[root@examplehost /]# yum updateinfo list security installed

To list available security updates, use the following command:

[root@examplehost /]# yum updateinfo list security available

To list all available CVEs:

To list all installed CVEs:

[root@examplehost /]# yum updateinfo cves installed

You can also query an RPM package on your system and find the CVEs relevant to that package. For example, if you want to query the ‘openssh’ package for all CVEs associated with it, you can run the following ‘rpm’ query command.

[root@examplehost /]# rpm -q --changelog openssh | grep CVE
- fixed audit log injection problem (CVE-2007-3102)

- CVE-2006-5794 - properly detect failed key verify in monitor (#214641)

- CVE-2006-4924 - prevent DoS on deattack detector (#207957)

- CVE-2006-5051 - don't call cleanups from signal handler (#208459)

- use fork+exec instead of system in scp - CVE-2006-0225 (#168167)

In the example below, we query the ‘httpd’ package and check if CVE-2011-3348 is included in the ‘httpd’ package installed on this system.

[root@examplehost /]# rpm -q --changelog httpd | grep CVE-2011-3348

- mod_proxy_ajp: add security fix for CVE-2011-3348 (#738961)

[root@examplehost /]#
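When several CVE IDs have to be checked, a plain `grep` can report a false hit because a shorter ID is a substring of a longer one. The following is an added example, not part of the original lab: the function names are hypothetical, and the sample changelog is constructed from the httpd line above plus one placeholder entry (CVE-2099-10001 is not a real identifier).

```shell
#!/bin/sh
# Added example: audit a package changelog (read from stdin) for exact CVE IDs.

# Succeed only if the exact CVE ID appears in the changelog on stdin.
# -F treats the ID as a literal string; -w requires a whole-word match, so a
# search for CVE-2099-1000 does not match CVE-2099-10001. Returns 2 for
# arguments that are not well-formed CVE IDs.
changelog_has_cve() {
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$' ||
        { echo "not a CVE ID: $1" >&2; return 2; }
    grep -qwF -- "$1"
}

# Report every requested ID as listed, not-listed or invalid.
audit_changelog() {
    log=$(cat)   # read the changelog once, reuse it for every ID
    for cve in "$@"; do
        if printf '%s\n' "$log" | changelog_has_cve "$cve"; then
            echo "$cve listed"
        elif [ $? -eq 1 ]; then
            echo "$cve not-listed"
        else
            echo "$cve invalid"
        fi
    done
}

# Constructed sample: the httpd changelog line from the lab plus a placeholder.
sample_changelog() {
    cat <<'EOF'
- mod_proxy_ajp: add security fix for CVE-2011-3348 (#738961)
- constructed entry: fix for CVE-2099-10001 (placeholder ID)
EOF
}

sample_changelog | audit_changelog CVE-2011-3348 CVE-2099-1000 2011-3348
```

On a live system the input comes from `rpm -q --changelog httpd | audit_changelog CVE-2011-3348`. A "not-listed" result only means the changelog text does not mention that ID.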

Finding Important Errata and CVE Information on ULN:

Oracle Linux Support customers who have valid support contracts and CSI numbers for their Linux systems can also check the Errata and CVE information on the ULN website. The information relating to critical security updates or important errata releases for Oracle Linux for your systems that are under support can be checked using the ULN. Here are the two locations:

• Errata listings: https://linux.oracle.com/errata
• CVE listings: https://linux.oracle.com/cve

At https://linux.oracle.com/errata you are able to view all the errata releases that are available. They are listed by type, severity, advisory, summary and release date. In addition, you are also able to filter this list by release and/or type (Bug, Security, and Enhancement) and if you select an item from the list you will receive additional details regarding the errata, including a description, related CVEs and the packages updated by the errata. You can also navigate to this same information by logging into ULN and selecting the 'Errata' tab from the options across the top.

You can go to https://linux.oracle.com/cve to see information about security errata involving CVE identifiers (Common Vulnerabilities and Exposures). This site allows you to gather information on important CVE identifiers by providing a summary of all CVEs offered through ULN. This summary is listed by CVE identifier and includes a brief synopsis and the release date. You can also filter the list by year. In addition, when you select a specific CVE identifier, you will receive additional details, such as information on CVSS v2 metrics as well as affected platforms.
