What are the risks of leaving older kernels installed?

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8

Issue

Some security scanners flag older kernel packages as security threats due to recognized bugs and security issues. Does leaving these packages installed present an attack vector for a RHEL environment?

Resolution

Just having older kernel packages installed likely doesn't open a direct attack vector against an environment. The primary risk is that an administrator unknowingly boots the older, vulnerable kernel rather than the newer patched one. Doing this would generally require root privileges, console access, or physical access to the machine. Steps to increase the security of this process, such as password protecting the GRUB bootloader, can also be considered.

In many situations, it's advisable to maintain at least one older kernel in the event that an issue occurs with the current running kernel that prevents it from being used. With this in mind, policies surrounding how many and which older kernel packages to keep should be established for your environments to maximize the resilience to failure while limiting possible exposure to security vulnerabilities.

If a particular kernel version has a vulnerability that is completely unacceptable, removing that specific kernel package while leaving older ones that may not be impacted should be considered. Alternatively, if no older unaffected version exists, the decision comes down to how likely the vulnerability is to impact your environment versus reducing the ability to recover from a catastrophic kernel failure in the current running version, until a new kernel update becomes available and the redundancy can be achieved with a safer version.

Managing kernel packages is a critical component of a healthy, resilient RHEL environment. Please see this article for more information on how to safely remove older kernel packages and limit the number retained for resilience. If you have any questions about a specific kernel package, or need assistance with your environment, please reach out to Red Hat Support for assistance!
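As an added example (not part of this Red Hat solution), the following script turns a retention policy of "running kernel plus N newest versions" into a dry-run list of removal candidates, so the policy can be reviewed before any package is removed. It assumes GNU sort (for `-V`) and rpm's `kernel-<version>` package naming; the sample package names in the comments and test are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the Red Hat article. Lists which installed kernel
# packages fall outside a retention policy, never including the running
# kernel, so an admin can review the result before removing anything.
# Assumes GNU sort -V and rpm's "kernel-<version>" naming (constructed
# sample input, e.g. kernel-4.18.0-305.el8.x86_64, is used in the tests).
set -eu

# kernels_to_remove RUNNING_VERSION KEEP_TOTAL PKG... -> prints packages to
# remove, one per line. KEEP_TOTAL includes the running kernel, so a policy
# of "running kernel plus one fallback" is KEEP_TOTAL=2.
kernels_to_remove() {
  local running="$1" keep="$2"
  shift 2
  printf '%s\n' "$@" | sort -rV | {     # newest version first
    kept=1                              # one slot reserved for the running kernel
    while IFS= read -r pkg; do
      ver="${pkg#kernel-}"
      if [ "$ver" = "$running" ]; then
        continue                        # the running kernel is never a candidate
      fi
      if [ "$kept" -lt "$keep" ]; then
        kept=$((kept + 1))              # retain one of the newest versions
        continue
      fi
      printf '%s\n' "$pkg"              # older than the policy allows
    done
  }
}

# Dry run against the local host when rpm is present (RHEL). It only prints
# candidates; removal itself would be `yum remove <pkg>` (RHEL 7 and earlier)
# or `dnf remove <pkg>` (RHEL 8) after the list has been reviewed.
if command -v rpm >/dev/null 2>&1 && installed=$(rpm -q kernel 2>/dev/null); then
  echo "Removal candidates (keeping running kernel + 1 fallback):"
  # shellcheck disable=SC2086  # one package name per line, split on whitespace
  kernels_to_remove "$(uname -r)" 2 $installed
fi
```

The automatic equivalent of this policy is the `installonly_limit` setting in `/etc/yum.conf` (RHEL 7 and earlier) or `/etc/dnf/dnf.conf` (RHEL 8), which caps how many kernel packages an update keeps installed.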

Root Cause

Kernel packages are not removed by default during an update; however, some older kernels are susceptible to unacceptable security vulnerabilities.
