Warning message

Log in to add comments.

Addressing CVE-2015-7547, CVE-2015-5229, and any other scary errata via Red Hat Satellite 6.1

Rich Jerrido published on 2016-02-18T19:29:41+00:00, last updated 2016-02-19T13:03:44+00:00

Addressing CVE-2015-7547, CVE-2015-5229, and any other scary errata via Red Hat Satellite 6.1

Overview

On 16 Feb, 2016, Red Hat released RHSA-2016-0176, the errata that addresses a number of critical security flaws in glibc. Given the severity and scope of this security vulnerability, it is critical that we quickly and reliably deploy the updated errata that addresses these security flaws.

There are a few considerations that need to be taken into account:

  • Identifying which systems are affected.
  • Releasing the minimal required content to address the vulnerability. (I only want to release the fixes for this errata, its dependencies and nothing else)
  • Ensuring that systems that are provisioned in the future have this errata already included.
  • Lastly, and most importantly, install the errata on your systems.

Ok, so now what?

Satellite 6, Red Hat's Life Cycle management tool for Red Hat Infrastructure, includes a number of features that make the process of addressing vulnerabilities simple. Key to addressing errata is the Incremental Updates feature, included with Satellite 6.1. Let's take a look at how easy Satellite makes it to address this vulnerability.

It is considered good practice to synchronize Satellites with Red Hat's Content Delivery Network (CDN) on a periodic basis, such as daily or weekly. This ensures that Satellite has the latest errata available and can provide an accurate picture regarding which systems need which errata. Satellite uses the errata metadata in the repositories to generate the Satellite Host Advisory, a scheduled report of which errata a host needs. Alternatively, you can subscribe to receive notifications of security advisories via email

Firstly, visit the Content->Errata page on the Satellite. This shows which errata have been downloaded. In the search box, we can search via the CVE identifier (CVE-2015-7547) OR via the Red Hat Security Advisory (RHSA) identifier (RHSA-2016:0176). This is shown in the images below:

Searching via CVE (Click to Enlarge)

ALT TEXT

Searching via RHSA (Click to Enlarge)
ALT TEXT

Next, we've identified 12 systems that have this errata applicable and 1 system that has it installable. What's the difference?

Satellite 6 classifies errata in two ways:

  • Applicable = The RPMs in this errata apply to the system in question.
  • Instalable = The RPMs in this errata can be installed (via yum) on the system in question.

This distinction is important. As part of building a Standard Operating Environment, Satellite gives you the ability to customize which software (and their versions) are made available to your systems.

In this scenario, I've published the following software for consumption by my systems.

  • RHEL 7Server
  • include security errata from GA until 31-Dec-2015
  • do NOT include bugfix (RHBA) or enhancement (RHEA) errata.

Because of Satellite's ability to create point-in-time views of content (called Content Views), it is very possible (and expected) that systems will have errata that are applicable but not installable. In the case of RHSA-2016:0176, the errata is not installable yet, (as it does not meet the criteria set above on my Content View)

Next, in the UI, we can select the errata (RHSA-2016:0176), and select the content hosts tab to see which systems require this errata. In this example, I am going to select all of my hosts in the Development & Infrastructure environments, and select Apply To Hosts

Showing affected systems (Click to Enlarge)
ALT TEXT

Next, Satellite informs us that since the errata is not published yet, that a minor revision of the existing Content Views will be created. My new content views will include:

  • RHEL 7Server
  • include security errata from GA until 31-Dec-2015
  • do NOT include bugfix (RHBA) or enhancement (RHEA) errata.
  • RHSA-2016:0176 & its dependencies.

This allows the ability to be minimally invasive and introduce only the fixes needed, and no more.
Next, I'll click Confirm

Applying RHSA-2016:0176 (Click to Enlarge)
ALT TEXT

Next, you'll see that Satellite has updated the content views in question and (if you've selected it), began the process of updating all of your clients. Note: Installing errata on the client assumes you have the katello-agent installed, which is default for Satellite provisioned systems.

Updated Content view including RHSA-2016:0176 (Click to Enlarge)
ALT TEXT

Lastly, we can view our content view to see that it has a new minor release (version 2.2 in this case), and as stated previously, this version succeeds the older (and vulnerable versions 2.1, & 2.0). This is what ensures that newer systems, when built, aren't vulnerable. At our next normally scheduled update window, we'll ensure that any future versions of this content view include this errata as well.

Content View Versioning (Click to Enlarge)
ALT TEXT

In summary, Red Hat Satellite provides not only the controls to ensure the rigid & disciplined lifecycling of content, but also the workflows to deal with critical bugs and vulnerabilities easily.

Additional Reading

English

About The Author

Rich Jerrido's picture Red Hat Guru 3050 points

Rich Jerrido

Rich Jerrido, Red Hat Product Manager, is a “doer-of-all-things Red Hat Satellite,” including training, integration, enablement, documentation, and helping to identify product requirements. He serves as a technology expert, frequently speaking in web seminars and at industry events. With mor...