Kernel live patching and OVAL known issues


Red Hat provides OVAL definitions for kernel live patch advisories (also known as kpatch).

This document is a guide to provide an understanding of kpatch and kernel advisory OVAL definitions that can appear in your OVAL scan results in several situations.

Kpatch advisory appears in OVAL results even when not using kpatch

If you are currently running a kernel version that has known vulnerabilities that have been fixed in a kpatch advisory, this advisory appears in OVAL scan results. If an ordinary kernel advisory has been released for your kernel, this information appears in your OVAL results as well.
You have several options on how to continue:
- Install the kpatch advisory. The fixes included in the kpatch advisory are applied to the currently running kernel without a need to reboot your system.
- Install the full kernel advisory. This installation usually fixes additional bugs and vulnerabilities but requires a reboot of your system.
- Install both advisories. The kpatch advisory fixes are applied immediately, and the kernel advisory fixes take effect after you reboot into the new kernel.

Kernel advisory still appearing in OVAL results after kpatch installation

Kpatch advisories generally contain only a subset of the fixes included in the corresponding full kernel advisory. After you install a kpatch advisory, your system therefore remains vulnerable to the issues that are fixed only in the kernel advisory, and OVAL scanners keep reporting the full kernel advisory as unapplied. However, kpatch advisories generally fix the higher-impact vulnerabilities, so the remaining unfixed vulnerabilities should limit the impact of the unapplied kernel advisory. For this reason, the real impact of the kernel advisory after the kpatch advisory has been applied is generally lower than the impact stated in the kernel advisory metadata. To get a clear list of the vulnerabilities that remain unfixed after applying the kpatch advisory, compare the list of vulnerabilities fixed in the kpatch advisory with the list fixed in the kernel advisory.
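The comparison described above can be automated by reading the CVE references from the OVAL patch definitions of both advisories and taking the set difference. The following script is an added example, not Red Hat's own tooling: the embedded OVAL snippet is constructed and simplified (real Red Hat OVAL files carry additional metadata and criteria), and every advisory and CVE identifier in it is a placeholder. It assumes the usual OVAL layout in which each patch definition lists its advisory as a `source="RHSA"` reference and its fixed CVEs as `source="CVE"` references.

```python
"""Compute which CVEs a full kernel advisory still fixes after a kpatch advisory
has been applied, using the CVE references of OVAL patch definitions.

Added example; the OVAL snippet below is constructed and simplified, and all
advisory and CVE identifiers are placeholders, not real ids.
"""
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample: one full kernel advisory and one kpatch advisory.
# The kpatch advisory covers only a subset of the kernel advisory's CVEs,
# which is the situation the article describes.
SAMPLE_OVAL = f"""<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition class="patch" id="oval:example:def:kernel">
      <metadata>
        <title>RHSA-EXAMPLE:0001: kernel security update (placeholder)</title>
        <reference source="RHSA" ref_id="RHSA-EXAMPLE:0001"/>
        <reference source="CVE" ref_id="CVE-EXAMPLE-1"/>
        <reference source="CVE" ref_id="CVE-EXAMPLE-2"/>
        <reference source="CVE" ref_id="CVE-EXAMPLE-3"/>
      </metadata>
    </definition>
    <definition class="patch" id="oval:example:def:kpatch">
      <metadata>
        <title>RHSA-EXAMPLE:0002: kpatch-patch security update (placeholder)</title>
        <reference source="RHSA" ref_id="RHSA-EXAMPLE:0002"/>
        <reference source="CVE" ref_id="CVE-EXAMPLE-1"/>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>
"""


def cves_by_advisory(oval_xml):
    """Map each RHSA advisory id to the set of CVE ids its definition references."""
    root = ET.fromstring(oval_xml)
    ns = {"o": OVAL_NS}
    result = {}
    for definition in root.findall(".//o:definition", ns):
        rhsa = None
        cves = set()
        for ref in definition.findall("./o:metadata/o:reference", ns):
            if ref.get("source") == "RHSA":
                rhsa = ref.get("ref_id")
            elif ref.get("source") == "CVE":
                cves.add(ref.get("ref_id"))
        if rhsa is not None:
            result[rhsa] = cves
    return result


def remaining_after_kpatch(oval_xml, kernel_advisory, kpatch_advisory):
    """CVEs fixed by the kernel advisory that the kpatch advisory does not cover.

    These are the vulnerabilities the system is still exposed to once the kpatch
    advisory is installed but the full kernel advisory is not.
    """
    table = cves_by_advisory(oval_xml)
    return sorted(table[kernel_advisory] - table.get(kpatch_advisory, set()))


if __name__ == "__main__":
    # With the constructed sample, CVE-EXAMPLE-2 and CVE-EXAMPLE-3 remain unfixed.
    for cve in remaining_after_kpatch(SAMPLE_OVAL, "RHSA-EXAMPLE:0001", "RHSA-EXAMPLE:0002"):
        print(cve)
```

To run this against real data, replace `SAMPLE_OVAL` with the contents of the OVAL file for your product and pass the actual RHSA ids of the kernel and kpatch advisories reported by your scanner; the output is the list of CVEs that the still-unapplied kernel advisory would fix on your system.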
