Checking for vulnerabilities¶
It is important to keep the Scrutinizer software and Operating System up to date to patch any known vulnerabilities.
After applying all the system updates it is common for vulnerability scanners that only look at package version numbers to report that vulnerabilities still exist when they have already been patched. This is a result of backporting security patches.
Backporting has a number of advantages for customers, but it can create confusion when it is not understood. Customers need to be aware that just looking at the version number of a package will not tell them if they are vulnerable or not. For example, stories in the press may include phrases such as “upgrade to Apache httpd 2.0.43 to fix the issue,” which only takes into account the upstream version number. This can cause confusion as even after installing updated packages from a vendor, customers will not have the latest upstream version. They will instead have an older upstream version with backported patches applied.
Don’t trust the version number
Some security scanning and auditing tools make decisions about vulnerabilities based solely on the version number of components they find. This results in false positives as the tools do not take into account backported security fixes.
Look for the CVE number
Backported security fixes can be manually verified by looking for the CVE number in the package changelog.
Here is an example:
# rpm –q –changelog httpd | grep CVE-2017-3169
- Resolves: #1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
To fix the false positives generated by security scanners that only look at version numbers, something called OVAL definitions (machine-readable versions of the advisories) are supplied for third-party vulnerability tools. These can be used to determine the status of vulnerabilities, even when security fixes have been backported. In doing this, we hope to remove some of the confusion surrounding backporting and make it easier for customers to always keep up to date with the latest security fixes.
OVAL definitions can be downloaded from oval.cisecurity.org/repository