Verifying vulnerability patches
Some vulnerability scanning and auditing solutions may report vulnerabilities that have already been patched in the most recent update. This is typically the combined result of a backported security patch and the tool only scanning for component version numbers.
If this happens, there are two ways to verify the validity of the vulnerability report:
Check the package changelog for the CVE identifier/number of the vulnerability (e.g., CVE-2017-3169)
Download and install the latest OVAL Definitions from oval.cisecurity.org/repository, which will allow any compatible tools to determine the status of vulnerabilities, even when security patches have been backported.
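The changelog check can be scripted when a scanner reports several findings at once. The following is an added example, not part of the product or its documentation: it assumes an RPM- or dpkg-based host, and the function names and the "<package> <CVE-id>" input format are made up for illustration.

```shell
#!/bin/sh
# Added example: check scanner findings against package changelogs.

# Print the changelog of an installed package (RPM or dpkg host assumed).
pkg_changelog() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog "$1" 2>/dev/null
    elif [ -r "/usr/share/doc/$1/changelog.Debian.gz" ]; then
        zcat "/usr/share/doc/$1/changelog.Debian.gz"
    else
        return 1
    fi
}

# Succeed if the changelog on stdin mentions exactly this CVE id.
# Returns 2 for a malformed id. -F treats the id as a literal string and
# -w stops CVE-2017-3169 from matching inside CVE-2017-31690.
cve_in_changelog() {
    printf '%s\n' "$1" | grep -Eqx 'CVE-[0-9]{4}-[0-9]{4,}' || return 2
    grep -qiwF -- "$1"
}

# Read "<package> <CVE-id>" lines on stdin and print a verdict for each.
# "not-in-changelog" is not proof of exposure; confirm with OVAL definitions.
triage() {
    while read -r pkg cve; do
        [ -n "$pkg" ] || continue
        if pkg_changelog "$pkg" | cve_in_changelog "$cve"; then
            echo "$pkg $cve patched-per-changelog"
        else
            echo "$pkg $cve not-in-changelog"
        fi
    done
}

# Constructed changelog excerpt (not real package data) for an offline run.
sample_changelog() {
    cat <<'EOF'
* Tue Jul 11 2017 Example Packager <packager@example.com> - 0.0.0-1
- Resolves: CVE-2017-3169 (constructed entry)
EOF
}

sample_changelog | cve_in_changelog CVE-2017-3169 &&
    echo "constructed sample lists CVE-2017-3169"
```

To check real findings, pipe them in, for example `printf 'httpd CVE-2017-3169\n' | triage`, where `httpd` is an assumed package name.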
For additional assistance, contact Plixer Technical Support.