How do I check if a specific kernel is vulnerable to a specific CVE?


Environment

  • Red Hat Enterprise Linux

Issue

  • Is kernel kernel-3.10.0-862.11.6.el7.x86_64 vulnerable to CVE-2017-12190?

Resolution

There are a few ways that you may check if a specific kernel has been patched for a specific CVE. Here are a few of them:

  • If you have the rpm, you could use the rpm command to check the change log and grep for the CVE name.
    Example:
# rpm -qp kernel-3.10.0-862.11.6.el7.x86_64.rpm --changelog | grep CVE-2017-12190
  • If the kernel package for the kernel in question is in a repo that is configured and enabled on your server, you could use yum as follows:
# yum list --cve CVE-2017-12190 | grep kernel.x86_64
kernel.x86_64                    3.10.0-327.22.2.el7     @rhel-7-server-eus-rpms
kernel.x86_64                    3.10.0-514.2.2.el7      @rhel-7-server-rpms    
kernel.x86_64                    3.10.0-693.2.2.el7      @rhel-7-server-rpms    
kernel.x86_64                    3.10.0-862.14.4.el7     rhel-7-server-rpms 

This shows that the above kernels include patches for CVE-2017-12190.

  • You may also find information on CVEs at https://access.redhat.com/security/security-updates/#/cve. You can search for the CVE of interest and drill down into the errata that provided the fix, and what packages came with that errata. If your kernel version is later than the one shown in the errata, you can assume that your new kernel includes the patch.
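
The changelog grep and the version comparison described above can be scripted as follows. This is an added example, not Red Hat's code: the function names are hypothetical, the changelog excerpt is constructed, and sort -V is assumed to be an acceptable stand-in for RPM's own version ordering.

```shell
#!/bin/sh
# Added example, not Red Hat's code; function names are hypothetical.

# Print the changelog lines (read from stdin) that mention exactly this CVE.
# Returns 0 if found, 1 if not found, 2 if the ID is malformed.
cve_in_changelog() {
    cve=$1
    printf '%s\n' "$cve" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$' || return 2
    # -F: literal string; -w: whole word, so CVE-2017-1219 will not
    # match inside CVE-2017-12190 the way a bare grep would.
    grep -wF -- "$cve"
}

# True if version-release $1 is the same as or newer than $2.
# Assumption: sort -V stands in for RPM's own ordering, and both kernels
# come from the same release stream (for example both from rhel-7-server-rpms).
kernel_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Constructed changelog excerpt (not real package data) so this runs offline.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 2018 Example Builder <builder@example.com> [3.10.0-0.example.el7]
- [block] constructed entry one (Example) [0000001] {CVE-2017-12190}
- [net] constructed entry two (Example) [0000002] {CVE-2017-121900}
EOF
}

# Real use: rpm -q --changelog "kernel-$(uname -r)" | cve_in_changelog CVE-2017-12190
sample_changelog | cve_in_changelog CVE-2017-12190
if kernel_at_least 3.10.0-862.11.6.el7 3.10.0-862.14.4.el7; then
    echo "same as or newer than the build yum listed"
else
    echo "older than the build yum listed"
fi
```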
