Vulnerabilities - solved since what patch version?


Hi there

This question probably emerges because of my ignorance of the JBoss development processes.

Let's take into consideration CVE-2017-12629: I couldn't find a grid to determine what JBoss EAP versions are affected, but the advisory on the Red Hat CVE site states that it doesn't affect EAP v6.x.x and that a fix has been delivered since v7.0.9; how can I determine whether v7.1.0, which was released before v7.0.9, is affected or not?

The related errata also mention only v7.0.9.

Please note that this is an example; there are many cases where more than two versions are involved.

Can someone explain how I can determine with certainty whether an EAP version is affected by a CVE or not?
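To make the point in the question concrete, here is an added example (not from this thread and not Red Hat tooling) that compares an installed version against an advisory only within its own maintenance stream. The per-stream data encodes what the question quotes from the advisory (EAP 6.x.x not affected, fix delivered since 7.0.9); the absence of a 7.1 entry is deliberate, because the quoted advisory says nothing about that stream, and the host inventory is constructed.

```python
"""Stream-aware "is this version fixed?" check.

Added example for this thread, not Red Hat's tooling. A fix shipped in
7.0.9 belongs to the 7.0 maintenance stream and says nothing about
7.1.0, which was cut from a different stream, so each stream is looked
up separately and a stream with no entry is reported as "unknown"
rather than guessed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class StreamStatus:
    affected: bool               # False: the whole stream was never affected
    fixed_in: Optional[Version]  # first fixed version in the stream, None if no fix known


def parse_version(text: str) -> Version:
    """'7.0.10' -> (7, 0, 10); tuples compare numerically, strings would not."""
    return tuple(int(part) for part in text.strip().split("."))


def lookup_stream(version: Version, advisory: Dict[str, StreamStatus]) -> Optional[StreamStatus]:
    """Prefer a major.minor entry, fall back to a major-only entry, else None."""
    major = version[0]
    minor = version[1] if len(version) > 1 else 0
    for key in (f"{major}.{minor}", f"{major}"):
        if key in advisory:
            return advisory[key]
    return None


def assess(version_text: str, advisory: Dict[str, StreamStatus]) -> str:
    """Return one of: 'not affected', 'affected', 'fixed', 'unknown'."""
    version = parse_version(version_text)
    status = lookup_stream(version, advisory)
    if status is None:
        return "unknown"        # stream not covered by the advisory: do not assume
    if not status.affected:
        return "not affected"
    if status.fixed_in is None:
        return "affected"       # stream affected, no fix released yet
    return "fixed" if version >= status.fixed_in else "affected"


def triage(inventory: Dict[str, str], advisory: Dict[str, StreamStatus]) -> Dict[str, List[str]]:
    """Group hosts (e.g. versions gathered by Ansible) by their assessment result."""
    groups: Dict[str, List[str]] = {"not affected": [], "affected": [], "fixed": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        groups[assess(version_text, advisory)].append(host)
    return groups


# Data as the question reads the CVE-2017-12629 advisory: EAP 6.x.x not
# affected, fix delivered since 7.0.9. No 7.1 entry on purpose.
ADVISORY_CVE_2017_12629: Dict[str, StreamStatus] = {
    "6": StreamStatus(affected=False, fixed_in=None),
    "7.0": StreamStatus(affected=True, fixed_in=parse_version("7.0.9")),
}

# Constructed inventory (host -> installed EAP version), not real systems.
SAMPLE_INVENTORY = {
    "eap-a": "6.4.20",
    "eap-b": "7.0.8",
    "eap-c": "7.0.10",
    "eap-d": "7.1.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY, ADVISORY_CVE_2017_12629).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

The "unknown" bucket is the useful one here: it lists exactly the hosts for which the advisory you have does not answer the question, so those are the streams to look up separately (or to ask about in a ticket) instead of assuming that a later-numbered release inherited an earlier fix.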




Try this first...

Use the command as follows:

rpm -q --changelog {rpm-name}
rpm -q --changelog {rpm-name} | less
rpm -q --changelog {rpm-name} | grep CVE-2017-12629

For example, to find out whether CVE-2017-12629 has been applied to a given package or not, enter:

# rpm -q --changelog rpm_name | grep CVE-2017-12629

Please examine this link for that specific CVE at Red Hat's CVE site and let us know how it goes. You can submit a ticket with Red Hat if it does not answer your question and to make it faster, submit an sosreport. Change the drop-down from 10 results to 100 for easier viewing.

You can click the "view vulnerable systems" link at that CVE if you are logged into Red Hat with the correct account AND if that system is connected to Red Hat.


That is a nice tip given by RJ.

Adding to that, you could also use the dnf updateinfo command to find out details, as it provides a lot of options. Let's say I need to search for a particular CVE that was installed some time back on the system; then I could use this command to get the details (it is just an example):

[root@AnsibleMaster ~]# dnf updateinfo list security --installed --with-cve | grep CVE-2019-25032
CVE-2019-25032   Moderate/Sec.  python3-unbound-1.7.3-15.el8.x86_64
CVE-2019-25032   Moderate/Sec.  unbound-libs-1.7.3-15.el8.x86_64

Change the CVE name as required. Check out all additional optional arguments that updateinfo supports:

Updateinfo command-specific options:
  --available           advisories about newer versions of installed packages
  --installed           advisories about equal and older versions of installed
  --updates             advisories about newer versions of those installed
                        packages for which a newer version is available
  --all                 advisories about any versions of installed packages
  --summary             show summary of advisories (default)
  --list                show list of advisories
  --info                show info of advisories
  --with-cve            show only advisories with CVE reference
  --with-bz             show only advisories with bugzilla reference

  SPEC                  Package specification

Note: This is just additional information which may not be relevant, but I thought of sharing it.

Hope this helps as well.
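As an added example (not Red Hat's or dnf's code), here is a small parser for the `dnf updateinfo list security --installed --with-cve` output format shown above, so output collected from a fleet can be grouped by CVE instead of grepped line by line. The sample lines are constructed from the two shown in the reply plus one placeholder entry (CVE-0000-0001 is not a real identifier), and the parser assumes the three-column layout those lines show.

```python
"""Parse `dnf updateinfo list security --installed --with-cve` output.

Added example, not part of dnf. Each output line is assumed to be:
    <CVE id>   <severity>/Sec.  <name-version-release.arch>
The sample below is constructed from the two lines shown in the thread
plus one placeholder line; CVE-0000-0001 is not a real identifier.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

SAMPLE_OUTPUT = """\
CVE-2019-25032   Moderate/Sec.  python3-unbound-1.7.3-15.el8.x86_64
CVE-2019-25032   Moderate/Sec.  unbound-libs-1.7.3-15.el8.x86_64
CVE-0000-0001    Important/Sec. example-pkg-2.0.1-3.el8.x86_64
"""

# CVE id, severity word before "/Sec.", and the NEVRA string.
LINE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+([A-Za-z]+)/Sec\.\s+(\S+)\s*$")


class Package(NamedTuple):
    name: str
    version: str
    release: str
    arch: str


class Finding(NamedTuple):
    severity: str
    package: Package


def parse_nevra(nevra: str) -> Package:
    """'python3-unbound-1.7.3-15.el8.x86_64' -> name, version, release, arch.

    Arch is the last dot-separated field; version and release are the last
    two dash-separated fields, so dashes inside the name are preserved.
    """
    rest, arch = nevra.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return Package(name, version, release, arch)


def parse_updateinfo(output: str) -> Dict[str, List[Finding]]:
    """Group findings by CVE id; lines that do not match the layout are skipped."""
    findings: Dict[str, List[Finding]] = defaultdict(list)
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        cve, severity, nevra = match.groups()
        findings[cve].append(Finding(severity, parse_nevra(nevra)))
    return dict(findings)


def packages_for_cve(output: str, cve: str) -> List[str]:
    """Sorted package names that the output associates with one CVE."""
    return sorted(f.package.name for f in parse_updateinfo(output).get(cve, []))


def severity_for_cve(output: str, cve: str) -> str:
    """Severity word reported for a CVE, or 'n/a' if it is not listed."""
    items = parse_updateinfo(output).get(cve)
    return items[0].severity if items else "n/a"


if __name__ == "__main__":
    for cve, items in sorted(parse_updateinfo(SAMPLE_OUTPUT).items()):
        names = ", ".join(f.package.name for f in items)
        print(f"{cve}  {items[0].severity:9s} {names}")
```

Feed it the real command's output with something like `parse_updateinfo(subprocess.run([...], capture_output=True, text=True).stdout)` on each host; the grouping by CVE is what makes a per-host list comparable across a fleet.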


Unfortunately, here there are nearly a thousand JBoss servers and none of them has been installed via RPM package, in order to allow multiple instances per host and to manage everything in a centralized and replicable manner (Ansible). The CVE site unfortunately provides only partial information AFAICS, and the answers I need, if available, aren't easy to trace: that was the reason for my question.

If a vulnerability grid doesn't exist, as you can easily figure out, I'll have lots of tickets/sosreports to open.

I'll try to determine whether the instances are connected to Red Hat and what the correct account is.