This is a command line tool that takes a CVE ID on the command line and uses some magic screen scraping to find the URL of Red Hat's RHEL 8 errata posting about patching that CVE.

minektur/rhel8-cve-eratta-checker

RHEL 8 CVE errata checker

This tool will do some magic search/screen-scraping to find Red Hat's release errata URLs for specific vulnerabilities (by CVE ID).

It prints the URL of the RHEL 8 errata and optionally (when run under WSL) opens that URL in a browser so you can read about and double-check the fix.

When we get security scans, dumb scanners often see "old" version numbers for system services, e.g. "old" Apache versions, and then claim we are out of date and insecure. In these cases we have to verify that every CVE they claim we might be vulnerable to is actually patched. Red Hat backports security fixes into the existing package version so that you have a very stable, easy-to-update system, but does not bump the upstream version number: the fix shows up in the package's release tag, its RPM changelog and the errata, not in the version string a banner-grabbing scanner sees.

Since I often have a hyperventilating security team (OK, I'm the security team too...) asking about these vulnerabilities, it's nice to be able to take a list of CVEs and verify that Red Hat has actually patched them, or has in some other way declared that our server is not vulnerable.

I was doing this by hand for 150 CVEs and noticed a nice regular workflow that would get the data I needed. I had to write a 3-line blurb about each issue, so I wrote a script that would do it for me.

Maybe you will want to use this tool, or maybe when you see it you'll know a better, more reliable way to get this info and tell me all about it.

I dropped a list of the CVEs in a file and used a simple bash one-liner to run this tool on every CVE we had reported. There were about 5% that this didn't work on (mostly because Red Hat didn't release a patch for the vulnerability, e.g. it was Windows-only or it required a specific weird build option they don't use). Those ones I had to do by hand.

I do some stuff in the bash one-liner below that I should have just dropped into the Python script; sometime I'll refactor it.

Update: the new script uses the Red Hat Security Data API instead of screen scraping, which is simpler and more reliable. It also handles the 'not vulnerable' case with descriptive data.
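The lookup the updated script does can be reproduced with the public Security Data API alone. The block below is an added example, not the rhel8-cve-eratta-checker script itself; it assumes the JSON layout of the CVE endpoint at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-ID.json, where "affected_release" entries carry an advisory ID plus a product CPE and "package_state" entries carry a fix_state (such as "Not affected") for products that got no errata. The SAMPLE_* documents are constructed for the demo (only the CVE/RHSA pair in SAMPLE_FIXED comes from the example run below); the function names are this example's own.

```python
"""RHEL 8 fix status for a CVE from Red Hat's Security Data API (added example).

Assumed JSON layout of https://access.redhat.com/hydra/rest/securitydata/cve/<ID>.json:
"affected_release": [{"advisory", "cpe", "package", ...}] for shipped errata and
"package_state": [{"cpe", "fix_state", "package_name", ...}] for everything else.
"""
from __future__ import annotations

import json
import re
import sys
import urllib.error
import urllib.request

API = "https://access.redhat.com/hydra/rest/securitydata/cve/{}.json"
ERRATA = "https://access.redhat.com/errata/{}"
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# RHEL 8 base/AppStream plus its EUS/AUS/E4S/TUS streams; (?!\d) keeps ":8" from matching ":80".
RHEL8_CPE = re.compile(r"^cpe:/[oa]:redhat:(enterprise_linux|rhel_(eus|aus|e4s|tus)):8(?!\d)")


def valid_cve(cve_id: str) -> bool:
    """Reject anything that is not a CVE ID before it is interpolated into a URL."""
    return bool(CVE_RE.match(cve_id))


def is_rhel8(cpe: str | None) -> bool:
    return bool(RHEL8_CPE.match(cpe or ""))


def rhel8_advisories(doc: dict) -> list[str]:
    """Errata URLs for every RHEL 8 release that shipped a fix, deduplicated, in API order."""
    advisories: list[str] = []
    for rel in doc.get("affected_release", []):
        adv = rel.get("advisory")
        if adv and is_rhel8(rel.get("cpe")) and adv not in advisories:
            advisories.append(adv)
    return [ERRATA.format(a) for a in advisories]


def rhel8_package_states(doc: dict) -> dict[str, str]:
    """package -> fix_state for RHEL 8 entries without errata (the 'not vulnerable' case)."""
    return {st["package_name"]: st["fix_state"]
            for st in doc.get("package_state", []) if is_rhel8(st.get("cpe"))}


def summarize(doc: dict | None, cve_id: str, message: str = "") -> str:
    """Render the same shape of report as the README's example runs."""
    if doc is None:
        return f"{cve_id}\n\nNo entry in Red Hat security data"
    lines = [message, ""] if message else []
    lines += [doc.get("name", cve_id), ""]
    urls = rhel8_advisories(doc)
    if urls:
        lines += urls
    else:  # no errata: report Red Hat's verdict and statement instead of "No link found"
        lines.append("No RHEL 8 errata found")
        for pkg, state in sorted(rhel8_package_states(doc).items()):
            lines.append(f"  {pkg}: {state}")
        if doc.get("statement"):
            lines.append(f"  statement: {doc['statement']}")
    return "\n".join(lines)


def fetch(cve_id: str, timeout: float = 30) -> dict | None:
    """Live lookup; None when Red Hat has no record of the ID (the API answers 404)."""
    if not valid_cve(cve_id):
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    try:
        with urllib.request.urlopen(API.format(cve_id), timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


# Constructed sample documents, not real API responses. The CVE/advisory pair in
# SAMPLE_FIXED is the one from this README's example run; everything else is placeholder.
SAMPLE_FIXED = {
    "name": "CVE-2024-38474",
    "affected_release": [
        {"advisory": "RHSA-2024:4720", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "httpd"},
        {"advisory": "RHSA-2024:4720", "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream", "package": "httpd"},
        {"advisory": "RHSA-0000:0000", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "httpd"},
    ],
    "package_state": [],
}
SAMPLE_NOT_AFFECTED = {
    "name": "CVE-0000-0000",
    "statement": "Placeholder: the RHEL 8 build does not enable the affected option.",
    "affected_release": [],
    "package_state": [
        {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "httpd"},
        {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "httpd"},
    ],
}

if __name__ == "__main__":
    # CVE IDs on the command line go to the live API; with none, the samples are reported.
    if len(sys.argv) > 1:
        for cve in sys.argv[1:]:
            print(summarize(fetch(cve), cve, "Issue patched by Red Hat"), "\n---")
    else:
        print(summarize(SAMPLE_FIXED, "CVE-2024-38474", "some message"), "\n---")
        print(summarize(SAMPLE_NOT_AFFECTED, "CVE-0000-0000", "some message"))
```

Two things worth keeping from this even if you only use the original script: validate the CVE ID before building the URL (a scanner export is untrusted input), and treat "no RHEL 8 advisory" as a question rather than an answer, because the package_state verdict is what tells you whether the ~5% with no link are "Not affected" or genuinely unfixed.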

Example runs

$ ./rhel-cve -m "Issue patched by Red Hat..... some long message"  CVE-2024-38474
Issue patched by Red Hat..... some long message

CVE-2024-38474

https://access.redhat.com/errata/RHSA-2024:4720
$ for i in $( cat ../cves ); do ./rhel-cve -m 'some message' $i || echo $i; echo "---"; done
some message

CVE-2019-10082

https://access.redhat.com/errata/RHSA-2020:4751
---
some message

CVE-2020-11984

https://access.redhat.com/errata/RHSA-2021:1809
---
some message

CVE-2021-26691

https://access.redhat.com/errata/RHSA-2021:3816
---
No link found
CVE-2021-3711
---
some message

CVE-2021-39275

https://access.redhat.com/errata/RHSA-2022:0891
---
some message

CVE-2021-44790

https://access.redhat.com/errata/RHSA-2022:0258
---
some message

CVE-2022-22720

https://access.redhat.com/errata/RHSA-2022:1049
---
........ <and so forth for 150 CVEs>
