Should I update/patch or not?

Hi all,

I have Red Hat Enterprise Linux Server release 7.9 (Maipo) installed and I want to check if I am vulnerable to CVE-2021-33909.
Is there any way to check for sure if I need to make updates or install patches?

I found this: https://access.redhat.com/solutions/3628301

According to the second way running:

yum list --cve CVE-2021-33909 | grep kernel.x86_64

In the results I find my kernel... so according to this I am not vulnerable.

Is this way correct?

Is there any other way to check if I am vulnerable to this specific CVE, and if yes, how should I proceed?

Thanks in advance.

Responses

Hi Thanasis,

The best way to protect yourself is to run yum update on a regular basis. Red Hat is known to fix bugs and security issues as fast as possible. In many cases Red Hat provides kernel updates before vulnerabilities are getting officially revealed. So, the answer to your question "Should I update/patch or no" is: yes, regularly updating is best and recommended practice. :)

Regards,
Christian

Thanasis, I completely agree with Christian's always-good advice here - patch regularly and often. Red Hat and other respectable software/operating system companies make updates available regularly. It's a good idea in principle to just do this, even if you look at one individual patch and think that one is not so bad, it's just best to patch your systems regularly. Here's some additional background on Red Hat's updates. See table 3.1 at this link too.

To view security-related updates, you can run this:

yum check-update --security

or this:

yum update --security

If you do not use the "-y" option, you will only view the security-related rpms. However, as Christian said above, it's just a good idea to do a full update where possible.

Regards,
RJ

Thanks for providing some additional information, RJ ... very useful (as always) for all customers, my friend ! :)

Regards,
Christian

Gladly my friend, hope all is well for you, thanks for your always-helpful tech advice to all here.

Regards,
RJ

Thank you for your kind words, RJ ! I'm glad that my work here is appreciated.
Yes, all is well over here so far. Hope it's the same with you and your family ! :)

Regards,
Christian

Hi all,

These checks and advice are great.

There is one minor detail to be mentioned: "The check you use @thanasis peronas only works if your client is directly connected to the Red Hat CDN".

If it is connected to a RH Satellite with Content Views, it only works if the packages are in a promoted version of the Content View.

So in short, follow the advice of Christian as confirmed by RJ.

I say: Patch at least once a month, if it is a commercial environment.

If the CVSS score is 7 or above, apply ASAP.

Regards,

Jan Gerrit
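
A check that needs no repository metadata (so it behaves the same behind the CDN or a Satellite), added here as an example that is not part of any post in this thread: it reads the local rpm changelog and separates "fix is in the running kernel" from "fix is installed but not booted yet". It assumes Red Hat's kernel changelog entries name the CVE they fix; the function names and the three status words are this example's own.

```bash
# Added example: report whether the *running* kernel carries the fix for a CVE.
# Only the two small helpers below talk to rpm; the rest is text matching.

# Changelog of one installed kernel build, e.g. "<version>-<release>.x86_64"
# (the same string that `uname -r` prints on RHEL).
kernel_changelog() {
    rpm -q --changelog "kernel-$1" 2>/dev/null
}

# version-release.arch of every installed kernel package, one per line.
installed_kernels() {
    rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' 2>/dev/null
}

# Usage: cve_kernel_status CVE-ID [running-kernel]
# Prints exactly one of:
#   fixed-running       the booted kernel's changelog mentions the CVE
#   fixed-needs-reboot  a newer installed kernel has the fix, but is not booted
#   not-fixed           no installed kernel mentions the CVE
cve_kernel_status() {
    local cve="$1" running="${2:-$(uname -r)}" k
    # -F: literal match, -w: whole word, so CVE-2021-3390 != CVE-2021-33909
    if kernel_changelog "$running" | grep -qwF -- "$cve"; then
        echo fixed-running
        return 0
    fi
    for k in $(installed_kernels); do
        if kernel_changelog "$k" | grep -qwF -- "$cve"; then
            echo fixed-needs-reboot
            return 0
        fi
    done
    echo not-fixed
}

# Run as a script:  sh check_cve.sh CVE-2021-33909
if [ -n "${1:-}" ]; then
    cve_kernel_status "$1"
fi
```

A result of fixed-needs-reboot means the update has been installed but the old kernel is still the one running, so the fix is not active until the system is rebooted into the new kernel.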

Thanks Jan, for providing these hints ! They are generally useful for customers coming across this discussion. :)

Regards,
Christian

Thanks for mentioning that Jan, that's generally the first thing I think of and forgot to mention (whoops) - appreciate the good info there, start with the basics first!

Regards,
RJ

Yes RJ, I agree ... useful hints from Jan ! Well, I assume Thanasis doesn't have a Satellite environment though. :)

Regards,
Christian

Thank you all very much for your answers and the effort! I appreciate it!

You're welcome, Thanasis ! :)