How to determine if your Red Hat Enterprise Linux 7 system is vulnerable to a specific CVE

Let’s say we are looking to determine if our system is vulnerable to Heartbleed or LogJam.

# ls /usr/lib64/*
/usr/lib64/ /usr/lib64/
# yum info openssl
Installed Packages
Name : openssl
Arch : x86_64
Epoch : 1
Version : 1.0.1e
Release : 42.el7_1.9
Size : 1.5 M
Repo : installed
From repo : rhel-7-server-rpms
Summary : Utilities from the general purpose cryptography library with TLS implementation
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
 : machines. OpenSSL includes a certificate management tool and shared
 : libraries which provide various cryptographic algorithms and
 : protocols.

Note “Version” is 1.0.1e. But that denotes what version Red Hat based the relesae. Since that release, Red Hat has backported many future bugfixes, security fixes, etc, exposed by the “Release” value 42.el7_1.9.

Using Heartbleed (CVE-2014-0160) as the example (
“Red Hat Enterprise Linux 7 include OpenSSL version openssl-1.0.1e-34.el7 which includes a fix backported from openssl-1.0.1g”

Each specific CVE can be check directly on Red Hat’s site,

You can also check directly on the command line. For example, checking for Heartbleed you would use:

# yum updateinfo list installed --cve CVE-2014-0160

This will show any RPM packages installed that apply to Heartbleed. But note — nothing will return on a RHEL7 system, because the original RPM released with RHEL7 was not vulnerable, so no additiona package needed to be installed to fix it.

Logjam, though, is a little more interesting.

# yum updateinfo list installed --cve CVE-2015-4000
RHSA-2015:1229 Critical/Sec. java-1.7.0-openjdk-1:
RHSA-2015:1229 Critical/Sec. java-1.7.0-openjdk-1:
RHSA-2015:1229 Critical/Sec. java-1.7.0-openjdk-headless-1:
RHSA-2015:1185 Moderate/Sec. nss-3.19.1-3.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-3.19.1-3.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-sysinit-3.19.1-3.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-sysinit-3.19.1-3.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-tools-3.19.1-3.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-tools-3.19.1-3.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-util-3.19.1-1.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-util-3.19.1-1.el7_1.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-1.0.1e-30.el6_6.9.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-1:1.0.1e-42.el7_1.6.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-libs-1:1.0.1e-42.el7_1.6.x86_64

Each of those RHSA’s addressed Logjam. You can get a lot more information by using:

# yum updateinfo info installed --cve CVE-2015-4000

Note the use of “installed” in these commands. This shows information only about packages that are already installed. If you remove “installed”, you will see information only about packages that /could/ be installed.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s