Best practice: always check the Red Hat CVE database. Example: CVE-2024-3094 (or other CVEs)


CVE-2024-3094 is not an issue for RHEL 6 through 9

Hint:

  • Go to https://access.redhat.com
  • Click on "Security" at top
  • Click on "Red Hat CVE Database"
  • Type the entire CVE into the input box such as "CVE-2024-3094" (without the quotes)
  • Hit "Go"

The Red Hat CVE response will come up. In this example, it is:

https://access.redhat.com/security/cve/cve-2024-3094.

IMPORTANT NOTE ON BACKPORTING

Rabidly installing non-Red-Hat editions of an RPM to mitigate a falsely-perceived vulnerability is a very bad practice due to "backporting".

Quote from the Red Hat Backporting article:

Backporting has a number of advantages for customers, but it can create confusion when it is not understood. Customers need to be aware that just looking at the version number of a package will not tell them if they are vulnerable or not. For example, stories in the press may include phrases such as "upgrade to Apache httpd 2.0.43 to fix the issue," which only takes into account the upstream version number. This can cause confusion as even after installing updated packages from a vendor, it is not likely customers will have the latest upstream version. They will instead have an older upstream version with backported patches applied.

Also, some security scanning and auditing tools make decisions about vulnerabilities based solely on the version number of components they find. This results in false positives as the tools do not take into account backported security fixes.

Bottom line: please consult Red Hat CVE responses when making response decisions about vulnerabilities you are researching, to get valid information and to save you and your organization from incurring more vulnerabilities.

Regards,
RJ
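As an added example (not part of RJ's post), the following code shows the two checks the post argues for: reading Red Hat's own verdict for a product from a CVE record, and looking for the CVE in the installed package's changelog rather than comparing upstream version numbers. The JSON field names follow the shape of Red Hat's Security Data API as assumed here; the sample record and changelog are constructed, and CVE-0000-0000 is a placeholder id.

```python
import json
import re

# Constructed sample shaped like the JSON the Red Hat Security Data API returns
# for https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-3094.json.
# Field names are assumed from that API; values are illustrative and mirror the
# post's statement that RHEL 6 through 9 are not affected.
SAMPLE_RESPONSE = json.dumps({
    "name": "CVE-2024-3094",
    "threat_severity": "Critical",
    "affected_release": [],          # advisories that shipped a fix, if any
    "package_state": [               # products with no advisory, and why
        {"product_name": f"Red Hat Enterprise Linux {v}",
         "package_name": "xz", "fix_state": "Not affected"}
        for v in (6, 7, 8, 9)
    ],
})

# Constructed changelog text in the shape printed by `rpm -q --changelog <pkg>`;
# CVE-0000-0000 is a placeholder id, not a real CVE.
SAMPLE_CHANGELOG = """\
* Mon Jan 01 2024 Example Maintainer <maint@example.com> - 2.0.40-3
- Resolves: CVE-0000-0000 (backported fix, upstream version unchanged)
"""


def exposure(api_json: str, product_name: str) -> str:
    """Return Red Hat's verdict for one product: 'fixed:<advisory>' when an
    erratum shipped, the package_state fix_state otherwise, or 'unknown'."""
    data = json.loads(api_json)
    for rel in data.get("affected_release", []):
        if rel.get("product_name") == product_name:
            return f"fixed:{rel.get('advisory')}"
    for state in data.get("package_state", []):
        if state.get("product_name") == product_name:
            return state.get("fix_state", "unknown")
    return "unknown"


def changelog_mentions(changelog: str, cve_id: str) -> bool:
    """True if the installed package's changelog records a fix for cve_id.
    This is the check a version-only scanner skips, so it misses backports."""
    return re.search(rf"\b{re.escape(cve_id)}\b", changelog, re.IGNORECASE) is not None


def naive_version_check(installed: str, fixed_upstream: str) -> bool:
    """What a version-only scanner does: flag anything below the upstream fix
    version regardless of backported patches (the false-positive path)."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(installed) < as_tuple(fixed_upstream)
```

With the sample data, the naive check flags httpd 2.0.40 against the "upgrade to 2.0.43" advice from the quoted article, while the changelog check shows the fix is already present.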
