FIPS validated modules are dated, are they vulnerable?

Please consider this KB:
https://access.redhat.com/solutions/307523

I understand that there are folks who need to build systems to strict FIPS compliance and must use those specific versions of those modules.

Looking at the RHEL v7 kernel version (3.10.0-229.11.1) in that KB, it is more than two years old; it was released 8-5-2015. The certification came on 9-12-2016, a year after release.
(https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2742)

Looking at the kernel release notes and the CVE DB, it seems like there are vulnerabilities in this old version. I'm still digging through them to see if there is stuff that needs some mitigation other than patching. I have not looked at all the other ten packages in the KB, but they seem to have 'delays' too.

So, how do folks deal with this: being FIPS compliant and not patching 'up to date'? (Call me crazy, but I prefer to be patched as up to date as possible.) Does anyone know of any 'nasty' vulnerabilities in these old versions?

Other than slogging through places like the CVE DB and/or package changelogs, does anyone out there know if someone has already compiled a list of 'problems' with these packages?
