Qualys security scanner detects LZO memory vulnerability

Hello Everyone!

I am in the process of testing SLES 12 SP1 and have found that the network security scanner Qualys (www.qualys.com) detects an older version of the kernel (lower than 3.14.9/3.15.2) and thinks the kernel is vulnerable to the LZO Memory Corruption Vulnerability (QID 122360). I have not tested to see if the kernel is actually vulnerable, but I am pretty confident it’s not and that SUSE has backported the kernel without that vulnerability. The problem is that Qualys, being the sticklers that they are, want a published website from SUSE that states the kernel is not vulnerable. Here’s where it gets a bit tricky. The vulnerability was published (July 2014) before the release date of SLES 12 (October 2014) and there’s not going to be a website that details that the kernel has been backported. Sigh… That being said, is there someone out there that can reference a doc that states SLES 12 is not vulnerable to this?

Thanks!

Hi
Do you have a CVE reference? If so, you can use the CVE as a search reference at https://bugzilla.suse.com/ or grep for it in the changelogs (rpm -qa --changelog | grep "CVE…") or have a look at https://www.suse.com/support/update/

That’s the problem. There is no CVE since SLES 12 was released months after the CVE was released. Yes, I have checked the support site and can only find references to SLES 11 and the fix.

Hi
I would imagine it is fixed; however, if you can provide the CVE reference, I can ask my SUSE contacts :wink:

Here is the CVE: CVE-2014-4608. Thanks for the help!!!

Hi
So the kernel-default SLES 12 SP1 changelog shows

uname -a
Linux big-bird 3.12.51-60.25-default #1 SMP Fri Jan 15 20:10:04 UTC 2016 (0300b66) x86_64 x86_64 x86_64 GNU/Linux

rpm -q kernel-default --changelog |less
/CVE-2014-4608

* Wed Nov 19 2014 jslaby@suse.cz
- Update patches.kernel.org/patch-3.12.12-13 (CVE-2014-8709
  bnc#859342 bnc#860346 bnc#865919 bnc#904700 LTC#103575
  fate#315482 FATE#315595).
- Update patches.kernel.org/patch-3.12.23-24 (CVE-2014-3940
  CVE-2014-4608 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654
  CVE-2014-4655 CVE-2014-4656 FATE#315054 FATE#315942 bnc#845378
  bnc#856380 bnc#865310 bnc#866937 bnc#867753 bnc#872634
  bnc#875242 bnc#875440 bnc#878059 bnc#879957 bnc#881091
  bnc#881101 bnc#881939 bnc#882991 bnc#883081 bnc#883795
  bnc#883948 LTC#110452).
- Update patches.kernel.org/patch-3.12.28-29 (CVE-2014-3185
  bnc#879255 bnc#880892 bnc#887046 bnc#887418 bnc#891619
  bnc#892612 bnc#892650 bnc#896391 bnc#897101).
  Add some references (CVEs+bncs).
- commit 34c4991

* Wed Nov 19 2014 jslaby@suse.cz
- Update patches.kernel.org/patch-3.12.12-13 (CVE-2014-8709
  bnc#859342 bnc#860346 bnc#865919 bnc#904700 LTC#103575
  fate#315482 FATE#315595).
- Update patches.kernel.org/patch-3.12.23-24 (CVE-2014-3940
  CVE-2014-4608 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654
  CVE-2014-4655 CVE-2014-4656 FATE#315054 FATE#315942 bnc#845378
  bnc#856380 bnc#865310 bnc#866937 bnc#867753 bnc#872634
  bnc#875242 bnc#875440 bnc#878059 bnc#879957 bnc#881091
  bnc#881101 bnc#881939 bnc#882991 bnc#883081 bnc#883795
  bnc#883948 LTC#110452).
- Update patches.kernel.org/patch-3.12.28-29 (CVE-2014-3185
  bnc#879255 bnc#880892 bnc#887046 bnc#887418 bnc#891619
  bnc#892612 bnc#892650 bnc#896391 bnc#897101).
  Add some references (CVEs+bncs).
- commit 34c4991

So it is there?

It does mention SLE 12 already has the fixes in comment #12;
https://bugzilla.suse.com/show_bug.cgi?id=883948

Yes! It is there! Now I have to convince Qualys. Thank you very much!
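
The changelog check used in this thread, written as an added example (not part of any post): it pulls out the complete changelog entries that cite a CVE, so they can be attached to a scanner false-positive report alongside the Bugzilla link. The function names are hypothetical, and the sample input is abridged from the changelog quoted above plus one constructed entry with a placeholder CVE id.

```shell
#!/bin/sh
# Added example (not from the thread). Reads rpm changelog text on stdin.

# Print each changelog entry ("* <date> <author>" header plus its body)
# that mentions the CVE id as a whole token.
cve_entries() {
    # Accept only well-formed ids so the value is safe to embed in a regex.
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$' || return 2
    awk -v cve="$1" '
        BEGIN { pat = "(^|[^A-Za-z0-9])" cve "([^0-9]|$)" }
        /^\* / { if (hit) printf "%s", entry; entry = ""; hit = 0 }
        { entry = entry $0 "\n"; if ($0 ~ pat) hit = 1 }
        END { if (hit) printf "%s", entry }
    '
}

# One-word verdict for a ticket. A missing reference is not proof of
# exposure: the fix may be recorded under a bug number only.
backport_status() {
    if [ -n "$(cve_entries "$1")" ]; then
        echo "changelog-references-cve"
    else
        echo "no-changelog-reference"
    fi
}

# Sample input: first entry abridged from the changelog quoted in the thread,
# second entry constructed (placeholder CVE id) to exercise token matching.
sample_changelog() {
    cat <<'EOF'
* Wed Nov 19 2014 jslaby@suse.cz
- Update patches.kernel.org/patch-3.12.23-24 (CVE-2014-3940
  CVE-2014-4608 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654
  CVE-2014-4655 CVE-2014-4656 bnc#883948 LTC#110452).
- commit 34c4991

* Mon Jan 01 2001 packager@example.com
- Constructed entry (CVE-0000-00001 bnc#000000).
EOF
}

# On a live system: rpm -q kernel-default --changelog | cve_entries CVE-2014-4608
sample_changelog | backport_status CVE-2014-4608
```

Pairing the extracted entry with the output of `rpm -q kernel-default` ties the evidence to the exact package build the scanner flagged by version number.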