Guided Exercise: Managing RHEL Security with Red Hat Errata

Query a RHEL system for security threats, and install Red Hat Security errata to resolve the Important security issues.

Outcomes

  • Identify all Critical, Important, and Moderate security notices.

  • Update the system to eliminate potential Important security vulnerabilities.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start securityrisk-errata

Instructions

  1. Identify all Critical, Important, and Moderate security updates on the servera machine.

    1. Log in to the servera machine as the student user.

      [student@workstation ~]$ ssh student@servera
      [student@servera ~]$

    2. Change to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#

    3. List the summary of the security updates. Among the 16 total security notices, eight are Important and eight are Moderate. The total number of security notices might be different on your system.

      [root@servera ~]# dnf updateinfo --security
      ...output omitted...
      Updates Information Summary: available
          16 Security notice(s)
               8 Important Security notice(s)
               8 Moderate Security notice(s)

  2. List the security-related packages that are available to update.

    [root@servera ~]# dnf updateinfo list updates security
    ...output omitted...
    RHSA-2023:3725 Moderate/Sec.  less-590-2.el9_2.x86_64
    RHSA-2023:4354 Moderate/Sec.  libcurl-7.76.1-23.el9_2.2.x86_64
    RHSA-2023:4347 Moderate/Sec.  libeconf-0.4.1-3.el9_2.x86_64
    RHSA-2023:4325 Moderate/Sec.  libsmbclient-4.17.5-103.el9_2.x86_64
    RHSA-2023:4325 Moderate/Sec.  libwbclient-4.17.5-103.el9_2.x86_64
    RHSA-2023:4349 Moderate/Sec.  libxml2-2.9.13-3.el9_2.1.x86_64
    RHSA-2023:4412 Important/Sec. openssh-8.7p1-30.el9_2.x86_64
    RHSA-2023:4412 Important/Sec. openssh-clients-8.7p1-30.el9_2.x86_64
    RHSA-2023:4412 Important/Sec. openssh-server-8.7p1-30.el9_2.x86_64
    RHSA-2023:3722 Moderate/Sec.  openssl-1:3.0.7-16.el9_2.x86_64
    RHSA-2023:3722 Moderate/Sec.  openssl-libs-1:3.0.7-16.el9_2.x86_64
    ...output omitted...

  3. List the RHSAs with an Important severity rating.

    [root@servera ~]# dnf updateinfo list updates security | grep Important
    ...output omitted...
    RHSA-2023:4412 Important/Sec. openssh-8.7p1-30.el9_2.x86_64
    RHSA-2023:4412 Important/Sec. openssh-clients-8.7p1-30.el9_2.x86_64
    RHSA-2023:4412 Important/Sec. openssh-server-8.7p1-30.el9_2.x86_64
    ...output omitted...

  4. View the details of one Important RHSA to validate its content.

    Read through the Description and Security Fix(es) sections of RHSA-2023:4412 to better understand this advisory and the CVE that it addresses. Note the CVE ID so that you can use it later to update only the packages that relate to this RHSA.

    [root@servera ~]# dnf updateinfo info RHSA-2023:4412
    ...output omitted...
    ===============================================================================
      Important: openssh security update
    ===============================================================================
      Update ID: RHSA-2023:4412
           Type: security
        Updated: 2023-08-01 09:35:02
           Bugs: 2224173 - CVE-2023-38408 openssh: Remote code execution in ssh-agent PKCS#11 support
           CVEs: CVE-2023-38408
    Description: OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.
               :
               : Security Fix(es):
               :
               : * openssh: Remote code execution in ssh-agent PKCS#11 support (CVE-2023-38408)
               :
               : For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
       Severity: Important

  5. List the RHSAs that are required to resolve CVE-2023-38408.

    [root@servera ~]# dnf updateinfo list updates security --cve CVE-2023-38408
    ...output omitted...
    RHSA-2023:4412 Important/Sec. openssh-8.7p1-30.el9_2.x86_64
    RHSA-2023:4412 Important/Sec. openssh-clients-8.7p1-30.el9_2.x86_64
    RHSA-2023:4412 Important/Sec. openssh-server-8.7p1-30.el9_2.x86_64

  6. Use DNF and the CVE ID to update the system with the necessary packages that provide the security fixes.

    [root@servera ~]# dnf update --cve CVE-2023-38408
    ...output omitted...
    Dependencies resolved.
    ================================================================================
     Package Arch   Version        Repository                                  Size
    ================================================================================
    Upgrading:
     openssh x86_64 8.7p1-30.el9_2 rhel-9.2-for-x86_64-baseos-additional-rpms 460 k
     openssh-clients
             x86_64 8.7p1-30.el9_2 rhel-9.2-for-x86_64-baseos-additional-rpms 709 k
     openssh-server
             x86_64 8.7p1-30.el9_2 rhel-9.2-for-x86_64-baseos-additional-rpms 459 k
    
    Transaction Summary
    ================================================================================
    Upgrade  3 Packages
    ...output omitted...
    Is this ok [y/N]: y
    ...output omitted...
    Upgraded:
      openssh-8.7p1-30.el9_2.x86_64          openssh-clients-8.7p1-30.el9_2.x86_64
      openssh-server-8.7p1-30.el9_2.x86_64
    
    Complete!

  7. List the summary of the security updates to confirm that the number of Important notices is reduced.

    [root@servera ~]# dnf updateinfo --security
    ...output omitted...
    Updates Information Summary: available
        15 Security notice(s)
             7 Important Security notice(s)
             8 Moderate Security notice(s)

  8. Return to the workstation machine as the student user.

    [root@servera ~]# logout
    [student@servera ~]$ logout
    Connection to servera closed.
    [student@workstation ~]$
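
The summary in step 7 only shows that the Important count dropped by one. The following script is an added example, not part of the original exercise: it groups the listing from steps 2 and 3 by advisory and checks whether a specific RHSA is still pending. The function names are hypothetical, and the sample listing is built from output lines shown in the exercise so that the script runs without a RHEL host.

```shell
#!/usr/bin/env bash
# Added example (not from the exercise). On a RHEL host, feed the functions with:
#   dnf -q updateinfo list updates security | advisories_by_severity Important

# Constructed sample: lines taken from the listing shown in step 2.
sample_listing() {
cat <<'EOF'
...output omitted...
RHSA-2023:3725 Moderate/Sec.  less-590-2.el9_2.x86_64
RHSA-2023:4354 Moderate/Sec.  libcurl-7.76.1-23.el9_2.2.x86_64
RHSA-2023:4325 Moderate/Sec.  libsmbclient-4.17.5-103.el9_2.x86_64
RHSA-2023:4325 Moderate/Sec.  libwbclient-4.17.5-103.el9_2.x86_64
RHSA-2023:4412 Important/Sec. openssh-8.7p1-30.el9_2.x86_64
RHSA-2023:4412 Important/Sec. openssh-clients-8.7p1-30.el9_2.x86_64
RHSA-2023:4412 Important/Sec. openssh-server-8.7p1-30.el9_2.x86_64
RHSA-2023:3722 Moderate/Sec.  openssl-1:3.0.7-16.el9_2.x86_64
EOF
}

# advisories_by_severity SEVERITY
# Reads a listing on stdin and prints one line per advisory of that severity:
#   <advisory-id> <package-count> <pkg1,pkg2,...>
# Lines that do not start with an advisory ID (headers, metadata notes) are skipped.
advisories_by_severity() {
  awk -v sev="$1" '
    $1 ~ /^RH[SBE]A-[0-9]+:[0-9]+$/ && $2 == (sev "/Sec.") {
      if (!($1 in count)) order[++k] = $1        # remember first-seen order
      count[$1]++
      pkgs[$1] = pkgs[$1] (pkgs[$1] == "" ? "" : ",") $3
    }
    END { for (i = 1; i <= k; i++) print order[i], count[order[i]], pkgs[order[i]] }
  '
}

# advisory_pending ADVISORY_ID
# Reads a listing on stdin; exit status 0 if the advisory still has pending
# packages, 1 if it no longer appears (that is, the fix is fully installed).
advisory_pending() {
  awk -v id="$1" '$1 == id { found = 1 } END { exit !found }'
}

# Stand-alone demonstration on the constructed sample.
sample_listing | advisories_by_severity Important
```

After `dnf update --cve CVE-2023-38408`, `advisory_pending RHSA-2023:4412` should return a nonzero status when fed the fresh listing.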

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish securityrisk-errata

Revision: rh415-9.2-a821299