SLES 12 Qualys security scanner detects LZO memory vulnerability



zentz
12-Feb-2016, 22:16
Hello Everyone!

I am in the process of testing SLES 12 SP1 and have found that the network security scanner Qualys (www.qualys.com) detects an older version of the kernel (lower than 3.14.9/3.15.2) and thinks the kernel is vulnerable to the LZO memory Corruption Vulnerability (QID 122360). I have not tested to see if the kernel is actually vulnerable but I am pretty confident it's not and that SUSE has backported the kernel without that vulnerability. The problem is that Qualys, being the sticklers that they are, want a published website from SUSE that states the kernel is not vulnerable. Here's where it gets a bit tricky. The vulnerability was published (July 2014) before the release date of SLES 12 (October 2014) and there's not going to be a website that details that the kernel has been backported. Sigh... That being said, is there someone out there that can reference a doc that states SLES 12 is not vulnerable to this?

Thanks!

malcolmlewis
12-Feb-2016, 22:44
Hi
Do you have a CVE reference? If so you can use the CVE as a search reference at https://bugzilla.suse.com/ or grep for it in the changelogs (rpm -qa --changelog | grep "CVE.....") or have a look at https://www.suse.com/support/update/

zentz
13-Feb-2016, 02:02
That's the problem. There is no CVE since SLES 12 was released months after the CVE was released. Yes, I have checked the support site and can only find references to SLES 11 and the fix.

malcolmlewis
13-Feb-2016, 02:54
Hi
I would imagine it is fixed, however if you can provide the CVE reference I can ask my SUSE contacts ;)

zentz
13-Feb-2016, 04:05
Here is the CVE: CVE-2014-4608. Thanks for the help!!!

malcolmlewis
13-Feb-2016, 06:05
Hi
So the kernel-default SLES 12 SP1 changelog shows


uname -a
Linux big-bird 3.12.51-60.25-default #1 SMP Fri Jan 15 20:10:04 UTC 2016 (0300b66) x86_64 x86_64 x86_64 GNU/Linux

rpm -q kernel-default --changelog |less
/CVE-2014-4608

* Wed Nov 19 2014 jslaby@suse.cz
- Update patches.kernel.org/patch-3.12.12-13 (CVE-2014-8709
bnc#859342 bnc#860346 bnc#865919 bnc#904700 LTC#103575
fate#315482 FATE#315595).
- Update patches.kernel.org/patch-3.12.23-24 (CVE-2014-3940
CVE-2014-4608 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654
CVE-2014-4655 CVE-2014-4656 FATE#315054 FATE#315942 bnc#845378
bnc#856380 bnc#865310 bnc#866937 bnc#867753 bnc#872634
bnc#875242 bnc#875440 bnc#878059 bnc#879957 bnc#881091
bnc#881101 bnc#881939 bnc#882991 bnc#883081 bnc#883795
bnc#883948 LTC#110452).
- Update patches.kernel.org/patch-3.12.28-29 (CVE-2014-3185
bnc#879255 bnc#880892 bnc#887046 bnc#887418 bnc#891619
bnc#892612 bnc#892650 bnc#896391 bnc#897101).
Add some references (CVEs+bncs).
- commit 34c4991

* Wed Nov 19 2014 jslaby@suse.cz
- Update patches.kernel.org/patch-3.12.12-13 (CVE-2014-8709
bnc#859342 bnc#860346 bnc#865919 bnc#904700 LTC#103575
fate#315482 FATE#315595).
- Update patches.kernel.org/patch-3.12.23-24 (CVE-2014-3940
CVE-2014-4608 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654
CVE-2014-4655 CVE-2014-4656 FATE#315054 FATE#315942 bnc#845378
bnc#856380 bnc#865310 bnc#866937 bnc#867753 bnc#872634
bnc#875242 bnc#875440 bnc#878059 bnc#879957 bnc#881091
bnc#881101 bnc#881939 bnc#882991 bnc#883081 bnc#883795
bnc#883948 LTC#110452).
- Update patches.kernel.org/patch-3.12.28-29 (CVE-2014-3185
bnc#879255 bnc#880892 bnc#887046 bnc#887418 bnc#891619
bnc#892612 bnc#892650 bnc#896391 bnc#897101).
Add some references (CVEs+bncs).
- commit 34c4991


So it is there?

It does mention SLE 12 already has the fixes in comment #12;
https://bugzilla.suse.com/show_bug.cgi?id=883948
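
Added example, not part of the original thread: in the output above the CVE sits on a wrapped continuation line, so a plain grep returns the match without the entry date or the patch it belongs to. This sketch reports both for use as scanner-exception evidence; the function names are hypothetical and the sample is a trimmed excerpt of the changelog quoted above.

```shell
#!/bin/sh
# Real use: rpm -q kernel-default --changelog | cve_in_changelog CVE-2014-4608

cve_in_changelog() {
    # $1 = CVE id; rpm changelog text on stdin.
    # Prints "<entry header> | <item>" for each changelog item that
    # references the CVE. Exit status 0 if found, 1 if not.
    awk -v cve="$1" '
        function emit() {
            # Whole-token match so CVE-2014-460 does not hit CVE-2014-4608.
            if (item != "" && body ~ ("(^|[^A-Za-z0-9-])" cve "([^0-9]|$)")) {
                print header " | " item
                found = 1
            }
            item = ""; body = ""
        }
        /^\* / { emit(); header = $0; next }          # new changelog entry
        /^- /  { emit(); item = $0; body = $0         # new item in the entry
                 sub(/ \(.*$/, "", item); next }      # drop the reference list
               { body = body " " $0 }                 # wrapped continuation
        END    { emit(); exit !found }
    '
}

# Trimmed excerpt of the kernel-default changelog shown in the post above.
sample_changelog() {
    cat <<'EOF'
* Wed Nov 19 2014 jslaby@suse.cz
- Update patches.kernel.org/patch-3.12.12-13 (CVE-2014-8709
  bnc#859342 bnc#860346).
- Update patches.kernel.org/patch-3.12.23-24 (CVE-2014-3940
  CVE-2014-4608 CVE-2014-4652 bnc#883948 LTC#110452).
- Update patches.kernel.org/patch-3.12.28-29 (CVE-2014-3185
  bnc#879255 bnc#880892).
  Add some references (CVEs+bncs).
- commit 34c4991
EOF
}

sample_changelog | cve_in_changelog CVE-2014-4608
```

The non-zero exit status when the CVE is absent lets the check run unattended across a fleet and flag hosts whose kernel package lacks the changelog reference.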

zentz
15-Feb-2016, 21:51
Yes! It is there! Now I have to convince Qualys. Thank you very much!