How to check the current CVE update level on the APM TIM OS

Document ID : KB000047654
Last Modified Date : 14/02/2018

 

 Introduction: 

  It is often difficult to know which Common Vulnerabilities and Exposures (CVE) reports have been addressed by an OS running CA software. This KB shows how to check this on a RedHat type OS.

 

 Background:  

 Many vulnerabilities are reported and need fixes. This article describes a way to find out whether one specific CVE report has been addressed by the currently installed OS.

 

 Environment:  

 All TIM/MTP releases supporting a RedHat 6.x/7.x type system or a CentOS 6.x/7.x type system having yum and yum-security installed.

 

 Instructions: 

 To see which errata exist for your currently running TIM, run the following (the "| tail -5" limits the output to the last 5 lines):

 

[caadmin@testos ~]$ yum updateinfo list available | tail -5
FEDORA-EPEL-2014-1437       bugfix      znc-modtcl-1.4-1.el6.x86_64
FEDORA-EPEL-2016-4986d9102b enhancement zvbi-0.2.35-1.el6.x86_64
FEDORA-EPEL-2016-4986d9102b enhancement zvbi-devel-0.2.35-1.el6.x86_64
FEDORA-EPEL-2016-4986d9102b enhancement zvbi-fonts-0.2.35-1.el6.noarch
updateinfo list done
[caadmin@pcm ~]$

  To list all available security-related errata, run:

 

[caadmin@testos ~]$ yum updateinfo list sec
FEDORA-EPEL-2016-63b3a35519 security phpMyAdmin-4.0.10.17-2.el6.noarch
updateinfo list done

 

 To get a list of the currently installed security updates, use:

 

[caadmin@testos ~]$ yum updateinfo list security installed   
FEDORA-EPEL-2015-8027 security php-mcrypt-5.3.3-4.el6.x86_64
updateinfo list done

 

 If you need more detailed information on the security updates, issue:

 

[caadmin@testos ~]$ yum info-sec --advisory FEDORA-EPEL-2016-63b3a35519
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirrors.mit.edu
* epel: mirror.math.princeton.edu
* extras: centos.mirror.nac.net
* updates: mirror.symnds.com

===============================================================================
 phpMyAdmin-4.0.10.17-2.el6
===============================================================================
 Update ID : FEDORA-EPEL-2016-63b3a35519
   Release : Fedora EPEL 6
      Type : security
    Status : stable
    Issued : 2016-09-13 17:52:35
Description : phpMyAdmin 4.0.10.17 (2016-08-16)
           : =================================
           :  
           : This release includes many security fixes of
           : various levels of severity. Upstream recommends
           : all users of the 4.0 branch upgrade to this
           : release immediately. For full information on the
           : vulnerabilities fixed and mitigation factors for
           : users who are unable to upgrade, refer to the
           : ChangeLog file included with this release and the
           : security announcements at
           : https://www.phpmyadmin.net/security/
updateinfo info done

 

 So far, the previous commands only provided information on all or installed packages (non-Linux geeks would rather use the term "apps" for packages).

  If, however, we want to install the security-tagged packages, use the following:

 

[caadmin@testos ~]$ sudo yum -y update --security
Loaded plugins: fastestmirror, security
Setting up Update Process
Loading mirror speeds from cached hostfile
* base: mirrors.mit.edu
* epel: mirror.cs.princeton.edu
* extras: centos.mirror.nac.net
* updates: mirror.umd.edu
Resolving Dependencies
Limiting packages to security relevant ones
epel/updateinfo                                                                                      | 729 kB     00:00
1 package(s) needed (+0 related) for security, out of 53 available
--> Running transaction check
---> Package phpMyAdmin.noarch 0:4.0.10.15-2.el6 will be updated
---> Package phpMyAdmin.noarch 0:4.0.10.17-2.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================
 Package                  Arch                          Version                                  Repository                   Size
============================================================================================================================================
Updating:
 phpMyAdmin               noarch                        4.0.10.17-2.el6                          epel                        4.2 M

Transaction Summary
============================================================================================================================================
Upgrade       1 Package(s)

Total download size: 4.2 M
Downloading Packages:
phpMyAdmin-4.0.10.17-2.el6.noarch.rpm                                          | 4.2 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
 Updating   : phpMyAdmin-4.0.10.17-2.el6.noarch                                                                                        1/2  
 Cleanup    : phpMyAdmin-4.0.10.15-2.el6.noarch                                                                                        2/2  
 Verifying  : phpMyAdmin-4.0.10.17-2.el6.noarch                                                                                        1/2  
 Verifying  : phpMyAdmin-4.0.10.15-2.el6.noarch                                                                                        2/2  

Updated:
 phpMyAdmin.noarch 0:4.0.10.17-2.el6                                                                                                       
Complete!

 

 

 This installs updates for all packages that had at least one issue tagged as security relevant in their lifetime on this release.

 


  To install only the packages that have a currently tagged security issue, use the minimal function:

 

 yum update-minimal --security -y

 

 

 That's it - your system is secure according to reported CVEs and advisories.

 

 

 If someone now asks whether your system is secured against CVE-2016-0800, you can check by grepping the information out of the listing of all CVEs, or just apply all upgrades related to that CVE number by issuing:

 

 # yum update --cve CVE-2016-0800

 

 Then, you can tell your customer that his system is secured against the known threat CVE-2016-0800.
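
 The "grep the CVE listing" check described above, as an added shell example that is not part of the original KB. It assumes the listing comes from `yum updateinfo list cves` and that data rows have three columns (ID, type, package) like the outputs shown earlier; the sample rows, the placeholder CVE id and the mirror name are constructed.

```shell
#!/bin/bash
# Added example (not from the KB). Reads `yum updateinfo list cves` output on
# stdin and reports whether any package update is still pending for one CVE.
# Real use:  yum updateinfo list cves | cve_pending CVE-2016-0800
#
# Exit status: 0 = no pending update listed, 1 = update(s) pending,
#              2 = malformed CVE id (a typo must not read as "not pending").
# Status 0 only reflects what the enabled repositories publish in their
# updateinfo metadata; it cannot tell "fixed" from "never listed".
cve_pending() {
    local cve="$1"
    if ! printf '%s\n' "$cve" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'; then
        echo "malformed CVE id: $cve" >&2
        return 2
    fi
    # Data rows have exactly three fields: ID, type, package.
    # Plugin chatter ("Loaded plugins: ...", "updateinfo list done") never
    # carries the CVE id in field 1, so it is skipped.
    awk -v cve="$cve" '
        NF == 3 && $1 == cve { print $3; pending = 1 }
        END { exit (pending ? 1 : 0) }'
}

# Constructed sample output; package versions and the mirror name are made up,
# and CVE-0000-0001 is a placeholder id.
sample_output() {
    cat <<'EOF'
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: mirror.example.org
CVE-2016-0800 Important/Sec. openssl-1.0.1e-99.el6.x86_64
CVE-2016-0800 Important/Sec. openssl-devel-1.0.1e-99.el6.x86_64
CVE-0000-0001 Moderate/Sec.  examplepkg-1.0-1.el6.noarch
updateinfo list done
EOF
}

# Demo on the constructed sample: prints the two pending openssl packages.
sample_output | cve_pending CVE-2016-0800 || echo "pending (status $?)"
```

 Run the same check again after `yum update --cve CVE-2016-0800`: status 0 then means the enabled repositories list no further update for that CVE.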

 

 

Additional Information:

- Most of the information was taken from the RedHat archive and written in a user-friendly manner.

- Similar functionality also exists for other distributions, but the way the data is accessed is different.
- Check Google to find the needed details for your distribution.