Vulnerabilities - solved since what patch version?
This question probably emerges because of my ignorance of the JBoss development processes.
Let's take into consideration CVE-2017-12629: I couldn't find a grid to determine what JBoss EAP versions are affected, but the advisory on the Red Hat CVE site states that it doesn't affect EAP v6.x.x and that a fix has been delivered since v7.0.9; how can I determine whether v7.1.0, which was released before v7.0.9, is affected or not?
The related errata also mention only v7.0.9.
Please note that this is an example; there are many cases where the versions involved are more than two.
Can someone explain how I can determine with certainty whether an EAP version is affected or not by a CVE?
Try this first...
Use the command as follows:
For example, to find out whether CVE-2017-12629 has been applied to a given package or not, enter:
Please examine this link for that specific CVE at Red Hat's CVE site and let us know how it goes. You can submit a ticket with Red Hat if it does not answer your question and to make it faster, submit an sosreport. Change the drop-down from 10 results to 100 for easier viewing.
You can click the "view vulnerable systems" link at that CVE if you are logged into Red Hat with the correct account AND if that system is connected to Red Hat.
That is a nice tip given by RJ.
Adding to that, you could also use the dnf updateinfo command to find out details, as it provides a lot of options. Let's say I need to search for a particular CVE that was installed some time back on the system; then I could use this command to get the details (it is just an example):
Change the CVE name as required. Check out all the additional optional arguments that updateinfo supports:
Note: Just some additional information which may not be relevant, but I thought of sharing it.
Hope this helps as well.
Unfortunately, here there are nearly a thousand JBoss servers, and none of them has been installed via RPM package, in order to allow multiple instances per host and to allow managing everything in a centralized and replicable manner (Ansible). The CVE site unfortunately provides only partial information AFAICS, and the answers I need, if available, aren't easy to trace: that was the reason for my question.
If a vulnerability grid doesn't exist, as you can easily figure out, I'll have lots of tickets/sosreports to open.
I'll try to determine whether the instances are connected to Red Hat and what the correct account is.
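For the version question raised in the original post (a fix delivered in 7.0.9 versus a 7.1.0 build released earlier), here is an added example that is not code from this thread or from Red Hat: it records fix statements per release stream (major.minor) and refuses to infer anything about a stream the advisory does not mention, so a non-RPM inventory can be triaged into "affected", "fixed", "not affected" or "unknown". The fix record is constructed from only what the thread quotes for CVE-2017-12629; the 7.1 stream has no entry because the quoted advisory says nothing about it.

```python
# Added example, not code from the forum thread or from Red Hat: classify an
# EAP build for a CVE per release stream, so a fix recorded for 7.0.9 is never
# silently applied to 7.1.x just because 7.1.0 was released earlier.
from typing import Dict, List, Optional, Tuple, Union

Version = Tuple[int, ...]
NOT_AFFECTED = "not affected"
# Keys are stream prefixes: (7, 0) covers 7.0.x, (6,) covers every 6.x.x stream.
# Values: NOT_AFFECTED, or the first release of that stream carrying the fix.
FixRecord = Dict[Version, Union[Version, str]]


def parse_version(text: str) -> Version:
    """'7.0.9' -> (7, 0, 9); tuple comparison then gives numeric ordering."""
    return tuple(int(part) for part in text.strip().split("."))


def matching_stream(version: Version, record: FixRecord) -> Optional[Version]:
    """Most specific stream key covering this version, or None if unrecorded."""
    for length in (2, 1):  # prefer a major.minor statement, then major-only
        key = version[:length]
        if key in record:
            return key
    return None


def assess(version_text: str, record: FixRecord) -> str:
    """Classify one build: 'not affected', 'fixed', 'affected' or 'unknown'."""
    version = parse_version(version_text)
    key = matching_stream(version, record)
    if key is None:
        return "unknown"  # no advisory statement for this stream: do not infer
    fixed_in = record[key]
    if fixed_in == NOT_AFFECTED:
        return NOT_AFFECTED
    return "fixed" if version >= fixed_in else "affected"


def summarize(inventory: List[str], record: FixRecord) -> Dict[str, int]:
    """Count builds per status, e.g. over versions exported from Ansible facts."""
    counts: Dict[str, int] = {}
    for host_version in inventory:
        status = assess(host_version, record)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed record mirroring only what the thread quotes for CVE-2017-12629.
CVE_2017_12629: FixRecord = {(6,): NOT_AFFECTED, (7, 0): parse_version("7.0.9")}

if __name__ == "__main__":
    hosts = ["6.4.20", "7.0.8", "7.0.9", "7.0.10", "7.1.0"]  # constructed inventory
    print({v: assess(v, CVE_2017_12629) for v in hosts}, summarize(hosts, CVE_2017_12629))
```

Every "unknown" is a stream for which a separate advisory or a support ticket is still needed; only those, not the whole estate, have to go to Red Hat.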