Describe Red Hat's development process and security response practices, and install Red Hat errata.
The Red Hat Product Security team collaborates with the relevant teams to promote secure development practices and software features that meet customers' business needs. Red Hat Secure Software Management Lifecycle (SSML), a Software Development Lifecycle (SDL) approach, aligns with the NIST Secure Software Development Framework (NIST SSDF SP-800-218) as well as OWASP guidance and various ISO standards. The goal of these SDL practices and standards is to reduce the number of vulnerabilities in released software, to mitigate the potential impact of undetected or unaddressed vulnerabilities, and to address the root causes of vulnerabilities to prevent future recurrences.
Every day, new and increasingly complex vulnerabilities are discovered that affect computer systems. The process of interpreting and addressing threats in a vulnerability scan can be challenging. Scan results with more findings might seem more accurate than scans with fewer findings, but this conclusion could be misleading. A truly accurate scan might remove duplicates, use vendor-disclosed data, and assist the security professional in prioritizing the elimination of risk.
However, vulnerability scanning can also generate false positives, false negatives, and data discrepancies, which makes the results difficult to compare and understand. Vulnerability scanning becomes even more challenging when the complexity of the software increases. For example, containerized environments such as Red Hat OpenShift include platform dependencies in addition to container packages.
Red Hat monitors weaknesses and flaws before they become known vulnerabilities.
Regardless of whether an offering includes an affected component, Red Hat's analysis includes a review of the environmental aspects of how the component is built, the libraries that are used, and any default configurations.
All vulnerabilities receive a Common Vulnerabilities and Exposures (CVE) record.
Red Hat provides a severity rating, which prioritizes the risk assessment for customers. This rating is based on both the base flaw metrics and the additional environmental aspects that were previously mentioned.
Red Hat openly publishes vulnerabilities by using industry standards and formats.
Red Hat uses the term backporting to describe taking a fix for a security flaw from the most recent version of an upstream software package and applying that fix to an earlier version of the package that Red Hat distributes.
When the upstream project fixes an issue only in a later version, Red Hat can backport the fix. When backporting security fixes, Red Hat takes the following steps:
Identify the fixes and isolate them from any other changes.
Ensure that the fixes do not introduce unwanted side effects.
Apply the fixes to previously released versions.
For example, Red Hat provided version 5.3 of PHP in Red Hat Enterprise Linux 6. The upstream developers of PHP stopped supporting PHP 5.3 on August 14, 2014, and were no longer releasing updates of any kind for PHP 5.3. At that point, if security issues occurred, then the upstream project fixed them only in later versions of PHP.
On October 14, 2014, a buffer overflow flaw was found in PHP that Red Hat rated as Important. This issue could allow a remote attacker to crash a PHP application, or possibly execute arbitrary code with the privileges of the user that runs the PHP application.
The upstream project developed a fix, and released it for PHP 5.4. However, because the upstream project no longer supported PHP 5.3, the project developers did not update that version of PHP.
However, Red Hat still had customers who used PHP 5.3. Red Hat did not want to force them to migrate to PHP 5.4 due to the risk of backward compatibility problems between versions 5.3 and 5.4. Therefore, Red Hat backported the fix for this issue from PHP 5.4 to PHP 5.3 without changing other features, and released updated packages for Red Hat Enterprise Linux 6 customers. Backporting enabled Red Hat customers to continue to run PHP 5.3 and not be vulnerable to that particular issue, even though the last upstream release of PHP 5.3 was still vulnerable to it.
For most products, although the default practice is to backport security fixes, Red Hat does sometimes provide version updates for some packages after testing and analysis. Red Hat might update a package instead of backporting fixes to it when those updates have minimal impact on the behavior of the system, or if users of that package also expect frequent feature enhancements.
Although backporting brings advantages, it can create confusion when it is not understood. Customers cannot determine whether a package is vulnerable from its version number alone. The version number can cause confusion because, even after installing updated packages from a vendor, customers might not have the latest upstream version; they might instead have an earlier upstream version with backported patches applied.
Some security scanning and auditing tools make decisions about vulnerabilities based solely on the version number of the components. These tools generate false positives because the tools do not consider backported security fixes.
For each version of Red Hat Enterprise Linux, Red Hat explains in security advisories how it fixed an issue: either by moving to a new upstream version or by backporting patches to the existing version. Red Hat now attaches CVE records to all advisories, so that users can refer to vulnerabilities and their fixes independently from version numbers.
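Because a version-only comparison produces the false positives described above, an added example (not Red Hat's own tooling) shows the check a scanner should make instead: look for the CVE ID in the installed package's RPM changelog, where Red Hat packages cite the CVEs they fix, and only then fall back to the errata metadata that dnf exposes. The function name and its fixed/pending/unknown vocabulary are this example's assumptions; it expects rpm and dnf on a subscribed RHEL host.

```shell
#!/bin/bash
# Added example (not Red Hat's own tooling): report whether CVE $1 is fixed
# in installed package $2 by reading the RPM changelog, where Red Hat records
# backported CVE fixes, instead of comparing upstream version numbers.
# Function name and the fixed/pending/unknown vocabulary are this example's own.

cve_status() {
    local cve="$1" pkg="$2" advisory

    # 1. Installed package changelog mentions the CVE: the fix was applied,
    #    even though the version string may look old to a version-only scanner.
    if rpm -q --changelog "$pkg" 2>/dev/null | grep -qw -- "$cve"; then
        echo "fixed"
        return 0
    fi

    # 2. Otherwise ask dnf for errata that resolve this CVE and match lines of
    #    the form "RHSA-YYYY:NNNN Severity/Sec. <pkg>-<version>.<arch>".
    advisory=$(dnf -q updateinfo list updates security --cve "$cve" 2>/dev/null \
        | awk -v p="$pkg" '$1 ~ /^RHSA-/ && $3 ~ ("^" p "-[0-9]") { print $1; exit }')
    if [ -n "$advisory" ]; then
        echo "pending $advisory"
        return 0
    fi

    # 3. Neither fixed nor offered: the package may not be affected, may not be
    #    installed, or the host may lack errata metadata (check the subscription).
    echo "unknown"
    return 2
}

# Usage: bash cve_status.sh CVE-2023-38408 openssh
if [ "$#" -eq 2 ]; then
    cve_status "$1" "$2"
fi
```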
Red Hat periodically releases errata, which are corrections or updates to software packages based on security issues, bugs, or the availability of new features. Each erratum is associated with an advisory: a text description of the issue, the fix that is provided, the products that are affected, and other relevant information.
Red Hat releases three types of advisories:
Red Hat Security Advisories (RHSAs) contain security fixes and might also contain bug or enhancement fixes. Many organizations consider RHSAs to be the most important type of errata. Each RHSA is rated Critical, Important, Moderate, or Low, in decreasing order of vulnerability severity.
The RHSA provides a unique advisory ID, a severity rating, an issue date, a brief description of the issue that the updated packages fix, and the list of included packages in the advisory that require updating. Customers use the severity rating to determine the relevance of a specific security update to their environment.
Red Hat Enhancement Advisories (RHEAs) contain enhancements or new features and do not contain bug fixes or security fixes. An RHEA is released when new features are added and an updated package is shipped.
Red Hat Bug Fix Advisories (RHBAs) always contain bug fixes and might contain enhancements, but do not contain security fixes. Because RHBAs are released for bug fixes, they are often considered a higher priority than RHEAs.
Red Hat customers can subscribe to email notifications for new or updated advisories on the Customer Portal. Log in to https://access.redhat.com, and click your account icon in the upper-right corner of the web UI. Select , and then on the next page select . If you are logged in to the Customer Portal, you can also go directly to the URL https://learn.spidernet.pl/wapps/ugc/protected/notif.html to reach that page.
All email advisories from Red Hat are digitally signed.
The CVE Program is a cross-vendor organization whose mission is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. It maintains a Common Vulnerabilities and Exposures database that contains a CVE record, or CVE, for each identified vulnerability. Each CVE record consists of an ID number (including the year and a sequence number to uniquely identify it), a short description to summarize the issue, and a list of links to content that is relevant to the vulnerability. More information is available at https://www.cve.org.
A Red Hat advisory references which CVEs it resolves, which bugs are addressed, or which features the relevant errata added.
A single CVE record might result in multiple Red Hat Security Advisories when the issue is addressed in different products.
Likewise, a single Red Hat Security Advisory might address several CVE records in one software update. Red Hat might also update multiple related software packages as part of the advisory.
Red Hat aims to provide clarity about backporting, and to help customers to keep up-to-date with security fixes. Red Hat provides various electronic documents to help vulnerability scanners and other tools determine which issues might affect a system.
The Common Security Advisory Framework (CSAF) standard enables organizations to share information about security issues by using a consistent and common format. Red Hat provides security advisories in CSAF format by using the Vulnerability Exploitability eXchange (VEX) profile.
Open Vulnerability and Assessment Language (OVAL) definitions are available for vulnerabilities that were addressed in errata for Red Hat Enterprise Linux and certain additional products.
Red Hat publishes vulnerability data in different formats in the following locations:
Red Hat uses OVAL/DS v2 security data. OVAL/DS v1 security data is deprecated and archived.
Common Vulnerability Reporting Framework (CVRF) files are discontinued from 1 September 2023; customers must migrate to using CSAF files.
The dnf package manager includes several security-related features to search, list, display, and install security errata.
A Red Hat subscription must be attached to the host to manage security updates.
The following example lists all available security updates that are not installed:
[root@host ~]# dnf updateinfo list updates security
...output omitted...
RHSA-2023:4412 Important/Sec. openssh-8.7p1-30.el9_2.x86_64
RHSA-2023:4412 Important/Sec. openssh-clients-8.7p1-30.el9_2.x86_64
RHSA-2023:4412 Important/Sec. openssh-server-8.7p1-30.el9_2.x86_64
RHSA-2023:3722 Moderate/Sec. openssl-1:3.0.7-16.el9_2.x86_64
RHSA-2023:3722 Moderate/Sec. openssl-libs-1:3.0.7-16.el9_2.x86_64
RHSA-2023:3595 Important/Sec. python-unversioned-command-3.9.16-1.el9_2.1.noarch
RHSA-2023:3595 Important/Sec. python3-3.9.16-1.el9_2.1.x86_64
RHSA-2023:3595 Important/Sec. python3-libs-3.9.16-1.el9_2.1.x86_64
RHSA-2023:4349 Moderate/Sec. python3-libxml2-2.9.13-3.el9_2.1.x86_64
RHSA-2023:3723 Important/Sec. python3-perf-5.14.0-284.18.1.el9_2.x86_64
RHSA-2023:4377 Important/Sec. python3-perf-5.14.0-284.25.1.el9_2.x86_64
RHSA-2023:4350 Moderate/Sec. python3-requests-2.25.1-7.el9_2.noarch
...output omitted...
The following example lists all security updates that are installed:
[root@host ~]# dnf updateinfo list security --installed
...output omitted...
RHSA-2023:2645 Moderate/Sec. openssh-8.7p1-29.el9_2.x86_64
RHSA-2023:2645 Moderate/Sec. openssh-clients-8.7p1-29.el9_2.x86_64
RHSA-2023:2645 Moderate/Sec. openssh-server-8.7p1-29.el9_2.x86_64
RHSA-2022:6224 Moderate/Sec. openssl-1:3.0.1-41.el9_0.x86_64
RHSA-2022:7288 Important/Sec. openssl-1:3.0.1-43.el9_0.x86_64
RHSA-2023:0946 Important/Sec. openssl-1:3.0.1-47.el9_1.x86_64
RHSA-2023:2523 Low/Sec. openssl-1:3.0.7-6.el9_2.x86_64
RHSA-2022:6224 Moderate/Sec. openssl-libs-1:3.0.1-41.el9_0.x86_64
RHSA-2022:7288 Important/Sec. openssl-libs-1:3.0.1-43.el9_0.x86_64
RHSA-2023:0946 Important/Sec. openssl-libs-1:3.0.1-47.el9_1.x86_64
RHSA-2023:2523 Low/Sec. openssl-libs-1:3.0.7-6.el9_2.x86_64
...output omitted...
The following example shows information for a specific advisory:
[root@host ~]# dnf updateinfo info RHSA-2023:4412
Last metadata expiration check: 0:06:16 ago on Wed Aug 9 00:15:00 2023.
===============================================================================
  Important: openssh security update
===============================================================================
  Update ID: RHSA-2023:4412
       Type: security
    Updated: 2023-08-01 09:35:02
       Bugs: 2224173 - CVE-2023-38408 openssh: Remote code execution in ssh-agent PKCS#11 support
       CVEs: CVE-2023-38408
Description: OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.
           : 
           : Security Fix(es):
           : 
           : * openssh: Remote code execution in ssh-agent PKCS#11 support (CVE-2023-38408)
           : 
           : For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
   Severity: Important
The following example identifies RHSAs with the Important severity rating:
[root@host ~]# dnf updateinfo list updates security | grep Important
...output omitted...
RHSA-2023:4412 Important/Sec. openssh-8.7p1-30.el9_2.x86_64
RHSA-2023:4412 Important/Sec. openssh-clients-8.7p1-30.el9_2.x86_64
RHSA-2023:4412 Important/Sec. openssh-server-8.7p1-30.el9_2.x86_64
...output omitted...
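Grepping for one severity works interactively; for a scheduled check, here is an added example (not part of the course material) that parses the same list output, counts distinct advisories per severity, and fails the host when anything Critical or Important is still pending. Function names and the Critical/Important gate threshold are this example's choices.

```shell
#!/bin/bash
# Added example (not Red Hat's own tooling): summarize pending RHSAs by
# severity from "dnf updateinfo list updates security" output and fail a host
# that still has Critical or Important errata uninstalled.
# Function names and the gate threshold are this example's choices.

# Keep only advisory lines ("RHSA-YYYY:NNNN Severity/Sec. package") and print
# "advisory severity package"; metadata and "...output omitted..." are dropped.
parse_updateinfo() {
    awk '$1 ~ /^RHSA-[0-9][0-9][0-9][0-9]:[0-9]+$/ && $2 ~ /\/Sec\.$/ {
        split($2, sev, "/"); print $1, sev[1], $3 }'
}

# Count distinct advisories per severity (an RHSA covering three packages
# counts once). Output: one "Severity count" line per severity, sorted.
count_by_severity() {
    parse_updateinfo | awk '{ key = $2 SUBSEP $1 }
        !(key in seen) { seen[key] = 1; n[$2]++ }
        END { for (s in n) print s, n[s] }' | sort
}

# Return 0 when nothing Critical or Important is pending, 1 otherwise, and
# name the offending advisories on stderr so the failure is actionable.
gate_high_severity() {
    local hits
    hits=$(parse_updateinfo | awk '$2 == "Critical" || $2 == "Important" { print $1 }' | sort -u)
    if [ -n "$hits" ]; then
        printf 'Pending high-severity RHSAs:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Usage on a subscribed host: bash rhsa_gate.sh run
if [ "${1:-}" = "run" ]; then
    out=$(dnf updateinfo list updates security)
    printf '%s\n' "$out" | count_by_severity
    printf '%s\n' "$out" | gate_high_severity
fi
```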
The following example lists the package updates that resolve CVE-2023-38408:
[root@host ~]# dnf updateinfo list updates security --cve CVE-2023-38408
...output omitted...
RHSA-2023:4354 Moderate/Sec. libcurl-7.76.1-23.el9_2.2.x86_64
RHSA-2023:4347 Moderate/Sec. libeconf-0.4.1-3.el9_2.x86_64
RHSA-2023:4325 Moderate/Sec. libsmbclient-4.17.5-103.el9_2.x86_64
RHSA-2023:4325 Moderate/Sec. libwbclient-4.17.5-103.el9_2.x86_64
RHSA-2023:4349 Moderate/Sec. libxml2-2.9.13-3.el9_2.1.x86_64
RHSA-2023:4412 Important/Sec. openssh-8.7p1-30.el9_2.x86_64
RHSA-2023:4412 Important/Sec. openssh-clients-8.7p1-30.el9_2.x86_64
RHSA-2023:4412 Important/Sec. openssh-server-8.7p1-30.el9_2.x86_64
RHSA-2023:3722 Moderate/Sec. openssl-1:3.0.7-16.el9_2.x86_64
RHSA-2023:3722 Moderate/Sec. openssl-libs-1:3.0.7-16.el9_2.x86_64
...output omitted...
The following example installs the security update for a specific advisory:
[root@host ~]# dnf update --advisory=RHSA-2023:3722
Last metadata expiration check: 0:21:29 ago on Wed Aug 9 00:15:00 2023.
Dependencies resolved.
================================================================================
 Package        Arch    Version            Repository                      Size
================================================================================
Upgrading:
 openssl        x86_64  1:3.0.7-17.el9_2   rhel-9-for-x86_64-baseos-rpms  1.2 M
 openssl-libs   x86_64  1:3.0.7-17.el9_2   rhel-9-for-x86_64-baseos-rpms  2.2 M

Transaction Summary
================================================================================
Upgrade  2 Packages
...output omitted...
Upgraded:
openssl-1:3.0.7-17.el9_2.x86_64 openssl-libs-1:3.0.7-17.el9_2.x86_64
Complete!
The following example installs all security updates:
[root@host ~]# dnf update --security
Last metadata expiration check: 0:30:20 ago on Wed Aug 9 00:15:00 2023.
Dependencies resolved.
================================================================================
 Package         Arch    Version                 Repository                      Size
================================================================================
Installing:
 kernel          x86_64  5.14.0-284.25.1.el9_2   rhel-9-for-x86_64-baseos-rpms  3.4 M
 kernel-core     x86_64  5.14.0-284.25.1.el9_2   rhel-9-for-x86_64-baseos-rpms   17 M
 kernel-modules  x86_64  5.14.0-284.25.1.el9_2   rhel-9-for-x86_64-baseos-rpms   37 M
...output omitted...
Upgraded:
...output omitted...
python-unversioned-command-3.9.16-1.el9_2.1.noarch
python3-3.9.16-1.el9_2.1.x86_64
python3-libs-3.9.16-1.el9_2.1.x86_64
python3-libxml2-2.9.13-3.el9_2.1.x86_64
python3-perf-5.14.0-284.25.1.el9_2.x86_64
python3-requests-2.25.1-7.el9_2.noarch
samba-client-libs-4.17.5-103.el9_2.x86_64
samba-common-4.17.5-103.el9_2.noarch
samba-common-libs-4.17.5-103.el9_2.x86_64
webkit2gtk3-jsc-2.38.5-1.el9_2.3.x86_64
Installed:
grub2-tools-efi-1:2.06-61.el9_2.1.x86_64
grub2-tools-extra-1:2.06-61.el9_2.1.x86_64
kernel-5.14.0-284.25.1.el9_2.x86_64
kernel-core-5.14.0-284.25.1.el9_2.x86_64
kernel-modules-5.14.0-284.25.1.el9_2.x86_64
kernel-modules-core-5.14.0-284.25.1.el9_2.x86_64
Complete!