
CentOS Linux (the open, enterprise-class platform upon which Lumeta solutions are built) and third-party packages such as Postgres and Oracle JRE are continuously monitored by industry and community groups to uncover flaws. Upgrade packages that fix these flaws (tracked as CVEs, Common Vulnerabilities and Exposures) are made available by CentOS and by the third parties (Postgres, Oracle JRE) on an ongoing basis.

This page lists the security enhancements on our radar: the CVEs that Lumeta is actively addressing and expects to have fully resolved in upcoming releases of Lumeta Enterprise Edition.

| CVE Identifier | PKG | Reported | 3rd Party Patch Available? | Vulnerable: IPsonar | Vulnerable: Lumeta | Notes on vulnerability | IPsonar Resolved Version (GA Date) | Lumeta Resolved Version (GA Date) |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-10531 | libicu | 2020-03-18 | CentOS yes | yes | | https://access.redhat.com/errata/RHSA-2020:0896 | | TBD |
| CVE-2015-9382, CVE-2015-9381 | freetype | 2019-12-17 | CentOS yes | yes | | https://access.redhat.com/errata/RHSA-2019:4254 | | TBD |
| CVE-2019-17133, CVE-2019-17055 | kernel, kernel-firmware, kernel-headers, perf | 2020-03-11 | CentOS yes | yes | yes | https://access.redhat.com/errata/RHSA-2020:0790 | | 4.0 |
| CVE-2019-18634 | sudo | 2020-03-05 | CentOS yes | yes | yes | https://access.redhat.com/errata/RHSA-2020:0726 | | 4.0 |
| CVE-2019-11745 | nss, nss-softokn, nss-softokn-freebl, nss-sysinit, nss-tools, nss-util | 2019-11-21 | CentOS yes | no | yes | https://access.redhat.com/errata/RHSA-2019:4152 | | 3.3.5 |
| CVE-2019-14821 | kernel, kernel-firmware, kernel-headers, perf | 2019-12-17 | CentOS yes | yes | yes | | | 3.3.5 |
| CVE-2019-0155 | kernel, kernel-firmware, kernel-headers, perf | 2019-11-14 | CentOS yes | yes | yes | | 6.5D | 3.3.4.1 |
| CVE-2018-12207, CVE-2019-11135, CVE-2019-3900, CVE-2019-0154 | kernel, kernel-firmware, kernel-headers, perf | 2019-11-13 | CentOS yes | yes | yes | | 6.5D | 3.3.4.1 |
| CVE-2019-2949, CVE-2019-2975, CVE-2019-2978, CVE-2019-2989, CVE-2019-2945, CVE-2019-2962, CVE-2019-2964, CVE-2019-2973, CVE-2019-2981, CVE-2019-2983, CVE-2019-2987, CVE-2019-2988, CVE-2019-2992, CVE-2019-2999 | java-1.8.0-openjdk-headless | 2019-10-17 | CentOS yes | no | yes | | | 3.3.4 |
| CVE-2019-14287 | sudo | 2019-10-14 | not yet | no | no | Affects sudo configs which use "!root"; we don't. https://access.redhat.com/security/cve/cve-2019-14287 | N/A | N/A |
| CVE-2019-14835 | kernel, kernel-firmware, kernel-headers, perf | 2019-09-23 | CentOS yes | yes | yes | https://access.redhat.com/errata/RHSA-2019:2863 | 6.5D | 3.3.4 |
| CVE-2019-5489, CVE-2017-17805 | kernel, kernel-firmware, kernel-headers, perf | 2019-08-06 | CentOS yes | yes | yes | https://access.redhat.com/errata/RHSA-2019:2029, https://access.redhat.com/errata/RHSA-2018:2948 | 6.5D | 3.3.4 |
| CVE-2019-1125, CVE-2018-9568, CVE-2019-11810, CVE-2018-17972, CVE-2018-18445 | kernel, kernel-firmware, kernel-headers, perf | 2019-03-13 | CentOS yes | yes | yes | https://access.redhat.com/errata/RHSA-2019:0512 ... https://access.redhat.com/errata/RHSA-2019:2736 | 6.5D | 3.3.4 |
| CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118 | libtalloc, libtevent (samba) | 2016-04-12 | CentOS yes | no | yes | N/A as Domain Controller, but still applicable in other roles. | | 3.3.4 |
| CVE-2018-11763 | httpd24-httpd, httpd24-httpd-tools, httpd24-apr-devel, httpd24-mod_ssl, httpd24-runtime, httpd24-libnghttp2 | 2018-09-25 | SCL yes | no | no | Impacts only http/2 connections, which we don't enable. | | 3.3.3.2, 3.3.4 |
| CVE-2019-0211 | httpd24-httpd, httpd24-httpd-tools, httpd24-apr-devel, httpd24-mod_ssl, httpd24-runtime, httpd24-libnghttp2 | 2019-04-11 | SCL yes | no | yes | | N/A | 3.3.3.2, 3.3.4 |
| CVE-2019-12735 | vim-common, vim-enhanced, vim-filesystem, vim-minimal | 2019-07-15 | CentOS yes | yes | yes | | 6.5D | 3.3.3.2, 3.3.4 |
| CVE-2019-12749 | dbus | 2019-07-10 | CentOS yes | yes | yes | | 6.5D | 3.3.4, 3.3.3.2 |
| CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3863 | libssh2 | 2019-07-02 | CentOS yes | yes | yes | | 6.5D | 3.3.4, 3.3.3.2 |
| CVE-2019-12384 | jackson-databind.jar | 2019-05-27 | TBD | no | yes | This is a jar file included in rpms lumeta-api and lumeta-ui, and also needed by x15. Uptick to 2.9.9. | N/A | TBD |
| CVE-2019-9636, CVE-2019-10160 | python, python-libs | 2019-06-13 | CentOS yes | yes | yes | | 6.5D | 3.3.4, 3.3.3.2 |
| CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-3896 | kernel, kernel-firmware, kernel-headers, perf | 2019-06-18 | CentOS yes | yes | yes | Denial of service or crash. | 6.5D | 3.3.4, 3.3.3.2 |
| CVE-2019-0232 | apache-tomcat | 2019-04-10 | N/A | no | no | Impacts Windows OS only. | | |
| CVE-2018-7489 | jackson-databind.jar | 2018-02-26 | yes | no | yes | This is a jar file included in rpms lumeta-api and lumeta-ui, and also needed by x15. Uptick to 2.9.5. | N/A | 3.3.3 |
| CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, CVE-2019-11091 | kernel, kernel-firmware, kernel-headers, microcode_ctl | 2019-05-26 | CentOS yes | yes | yes | MDS/RIDL/ZombieLoad, in the same family as L1TF/Foreshadow and Meltdown. Potential impact on HyperThreading/SMT, TBD. | 6.5B | 3.3.1 |
| CVE-2018-14635 | openstack-neutron | 2018-09-17 | no | no | no | N/A; we don't ship openstack-neutron, which is only for OpenStack Platform OS. | N/A | N/A |
| CVE-2018-15473 | openssh, openssh-clients, openssh-server | 2019-04-09 | CentOS yes | yes | yes | level=low. User enumeration. | 6.5A | TBD |
| CVE-2018-13405 | kernel, kernel-firmware, kernel-headers, perf | 2019-04-09 | CentOS yes | yes | yes | level=important. sgid bit. | 6.5A | TBD |
| CVE-2018-12327 | ntp | 2018-12-19 | CentOS yes | yes | yes | | | 3.3.3, 3.3.2.2 |
| CVE-2018-10897 | yum-utils | 2018-08-09 | CentOS yes | yes no | yes no | Not an external vulnerability. Corrected, not vulnerable, not shipped. -Pat | | 3.3.3, 3.3.2.2 |
| CVE-2018-5391, CVE-2018-14634 | kernel | 2018-10-09 | CentOS yes | yes | yes | Codename SegmentSmack. | | 3.3.3 |
| CVE-2018-12384 | nss | 2018-10-09 | CentOS yes | yes | yes | | | 3.3.3 |
| CVE-2018-3640 | CPU Hardware | 2018-05-21 | Intel NO | yes | yes | Vendor is not providing a fix. Rogue System Register Read (RSRE), Variant 3a. | | |
| CVE-2018-3639 | CPU Hardware | 2018-05-21 | Intel NO | yes | yes | Vendor is not providing a fix. Speculative Store Bypass (SSB), Variant 4. | | |
| CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 | kernel | 2018-08-14 | CentOS yes | yes | yes | Codename L1TF/Foreshadow. | | 3.3.1.1 (8/27/18) |
| CVE-2012-6701, CVE-2015-8830, CVE-2016-8650, CVE-2017-0861, CVE-2017-1000, CVE-2017-1219, CVE-2017-1316, CVE-2017-1512, CVE-2017-1526, CVE-2017-1801, CVE-2017-1820, CVE-2017-2671, CVE-2017-6001, CVE-2017-7308, CVE-2017-7616, CVE-2017-7889, CVE-2017-8824, CVE-2017-8890, CVE-2017-9075, CVE-2017-9076, CVE-2017-9077, CVE-2018-1000, CVE-2018-1030, CVE-2018-1067, CVE-2018-1087, CVE-2018-1090, CVE-2018-1130, CVE-2018-3620, CVE-2018-3639, CVE-2018-3665, CVE-2018-3693, CVE-2018-5390, CVE-2018-5803, CVE-2018-7566 | kernel | | CentOS yes | yes | yes | New kernel branch. | | 3.3.1.1 |
| CVE-2017-9788, CVE-2017-9789 | httpd24-httpd, httpd24-httpd-tools, httpd24-mod_ssl | | CentOS yes | yes | | | | 3.3.2 |
| CVE-2012-6701, CVE-2015-8830, CVE-2016-8650, CVE-2017-1000410, CVE-2017-12190, CVE-2017-13166, CVE-2017-15121, CVE-2017-18017, CVE-2017-18203, CVE-2017-2671, CVE-2017-6001, CVE-2017-7308, CVE-2017-7616, CVE-2017-7889, CVE-2017-8824, CVE-2017-8890, CVE-2017-9075, CVE-2017-9076, CVE-2017-9077, CVE-2018-10675, CVE-2018-10872, CVE-2018-1130, CVE-2018-3639, CVE-2018-3665, CVE-2018-5803 | kernel, kernel-firmware, kernel-headers, perf | | CentOS yes | yes | yes | | ? | 3.3.2 |
| CVE-2018-1000156 | patch | | CentOS yes | yes | | | | 3.3.2 |
| CVE-2018-1124, CVE-2018-1126 | procps | | CentOS yes | yes | | | | 3.3.2 |
| CVE-2018-1273 | N/A | | | no | no | Not installed. | | |
| CVE-2018-3639 | kernel | 2018-05-21 | CentOS yes | yes | yes | | ? | 3.3.2 |
| CVE-2018-1111 | dhcp-common, dhclient | 2018-05-15 | CentOS yes | yes | yes | | 6.5B | 3.3.1 |
| CVE-2018-2783, CVE-2018-2790, CVE-2018-2794, CVE-2018-2795, CVE-2018-2796, CVE-2018-2797, CVE-2018-2798, CVE-2018-2799, CVE-2018-2800, CVE-2018-2811, CVE-2018-2814, CVE-2018-2815, CVE-2018-2825, CVE-2018-2826 | | Q1 2018 | Oracle yes | yes | yes | | 6.5B | 3.3.1 |
| CVE-2017-14106 | kernel | 2017-09-01 | CentOS yes | yes | | tcp divide-by-zero kernel panic | 6.5B | 3.3 |
| CVE-2017-11176 | kernel | 2017-07-09 | CentOS yes | yes | yes | Requires local access to host. | 6.5B | 3.3 |
| CVE-2017-7542 | kernel | 2017-07-19 | CentOS yes | yes | yes | ipv6 packet fragmentation | 6.5B | 3.3 |
| CVE-2017-9074 | kernel | 2017-05-16 | CentOS yes | yes | yes | ipv6 packet fragmentation | 6.5B | 3.3 |
| CVE-2017-1000111 | kernel | 2017-08-10 | CentOS yes | yes | yes | Requires local access to host. | 6.5B | 3.3 |
| CVE-2017-1000112 | kernel | 2017-08-10 | CentOS yes | yes | yes | | 6.5B | 3.3 |
| CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 | kernel, microcode_ctl | 2018-01-16 | CentOS yes | no | no | vmware VMs not vulnerable. "Spectre/Meltdown" | 6.5B | 3.3 |
| CVE-2018-5732, CVE-2018-5733 | dhcp-common, dhclient | 2018-03-09 | CentOS yes | yes | yes | | 6.5B | 3.3 |
| CVE-2017-7541 | kernel | 2017-10-05 | CentOS yes | yes | yes | Unlikely. | 6.5A | 3.2.7 |
| CVE-2017-9798, CVE-2017-12171 | httpd | 2017-10-19 | CentOS yes | yes | yes | | 6.5A | 3.2.7 |
| CVE-2016-9841, CVE-2016-10165, CVE-2017-10274, CVE-2017-10281, CVE-2017-10285, CVE-2017-10293, CVE-2017-10295, CVE-2017-10309, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349, CVE-2017-10350, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357, CVE-2017-10388 | jre | Q3 2017 | Oracle yes | yes | yes | | 6.5A | 3.2.7 |
| CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | ntp | 2017-03-03 | CentOS yes | yes | yes | | 6.5A | 3.2.7, 3.3 |
| CVE-2017-7805 | nss | 2019-09-28 | CentOS yes | no | no | We use openssl instead, but the pkg is present. | 6.5A | 3.2.6 |
| CVE-2017-1000253 | kernel | 2017-09-26 | CentOS yes | yes | yes | name=PIE | 6.5A | 3.2.6, 3.3 |
| CVE-2017-1000250, CVE-2017-1000251 | kernel | 2017-09-12 | CentOS yes | yes | yes | name=bluez | 6.5A | 3.2.6, 3.3 |
| CVE-2016-6210 | openssh | 2017-08-31 | CentOS yes | yes | yes | | 6.5A | 3.2.6, 3.3 |
| CVE-2017-3167, CVE-2017-3169, CVE-2017-7679, CVE-2017-9788 | httpd | 2017-08-15 | CentOS yes | yes | yes | | 6.5A | 3.2.6, 3.3 (GA 2017-09-29) |
| CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10078, CVE-2017-10081, CVE-2017-10086, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10104, CVE-2017-10105, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10111, CVE-2017-10114, CVE-2017-10115, CVE-2017-10116, CVE-2017-10117, CVE-2017-10118, CVE-2017-10121, CVE-2017-10125, CVE-2017-10135, CVE-2017-10145, CVE-2017-10176, CVE-2017-10193, CVE-2017-10198, CVE-2017-10243 | jre | Q2 2017 | Oracle yes | yes | yes | | 6.5A | 3.2.5, 3.3 |
| CVE-2017-1000364, CVE-2017-1000366 | kernel | 2017-06-19 | CentOS yes | yes | yes | Stack Clash | 6.5A | 3.3 |
| CVE-2017-1000366 | glibc | 2017-06-19 | CentOS yes | yes | yes | Stack Clash | 6.5A | 3.2.5 |
| CVE-2017-1000368 | sudo | 2017-06-22 | CentOS yes | yes | yes | | 6.5A | 3.2.5 |
| CVE-2017-9445 | systemd | 2017-06-27 | N/A | no | no | Affects systemd, which we do not use. | N/A | N/A |
| CVE-2017-7502 | nss | 2017-05-30 | CentOS yes | no | no | Affects SSLv2; affects firefox CAs. | 6.5A | 3.3 |
| CVE-2017-6214, CVE-2017-7895 | kernel | 2017-05-30 | CentOS yes | yes | yes | | 6.5A | 3.2.5 |
| CVE-2017-1000367 | sudo | 2017-05-30 | CentOS yes | yes | yes | | 6.5A | 3.3 |
| CVE-2016-8610, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337 | gnutls | 2017-03-21* | CentOS yes | no | N/A | Unused; dependency for cups-lib, ghostscript. | 6.5 | N/A |
| CVE-2015-5203, CVE-2015-5221, CVE-2016-10248, CVE-2016-10249, CVE-2016-10251, CVE-2016-1577, CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8654, CVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693, CVE-2016-8883, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591, CVE-2016-9600 | jasper-libs | 2017-05-09 | CentOS yes | yes | N/A | | 6.5 | N/A |
| CVE-2016-0772, CVE-2016-1000110, CVE-2016-5699 | python | 2016-08-18 | CentOS yes | no | no | python not used in http nor smtp services. | 6.5 | 3.3 |
| CVE-2017-5970 | kernel | 2017-02-04 | no | no | no | net tcp; impacts only RHEL/CentOS-7. | - | - |
| CVE-2017-5897 | kernel | 2017-02-05 | no | no | no | Impacts only RHEL/CentOS-7 IPv6 GRE tunnels. | - | - |
| CVE-2017-7645 | kernel | 2017-04-14 | no | no | no | net NFSd; we don't use NFS/rpc. | - | - |
| CVE-2017-6214 | kernel | 2017-02-07 | no | maybe | maybe | ipv4/tcp | TBD | TBD |
| CVE-2017-5972 | kernel | 2017-02-12 | no | no | no | net syn; RedHat unable to confirm. | - | - |
| CVE-2016-10229 | kernel | 2015-12-30 | no | no | no | net udp bug not in RHEL 6 (thus CentOS 6). | N/A | N/A |
| CVE-2017-8291 | ghostscript | 2017/05/12 | CentOS yes | yes | no | | 6.5 | |
| CVE-2016-9042, CVE-2017-6451, CVE-2017-6452, CVE-2017-6455, CVE-2017-6458, CVE-2017-6459, CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464 | ntp | 2017/03/03 | no | yes | yes | Strikethru only affects Windows. | TBD | TBD |
| CVE-2016-7545 | policycoreutils | 2016/11/14 | CentOS yes | maybe | maybe | Sandbox impacted. | 6.5 | 3.3 |
| CVE-2015-3245, CVE-2015-3246 | libuser | 2015/07/23 | CentOS yes | yes | yes | | 6.5 | 3.3 |
| CVE-2017-3509, CVE-2017-3511, CVE-2017-3512, CVE-2017-3514, CVE-2017-3526, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544 | jre | Q1 2017 | Oracle yes | no | no | Affects only embedded, Web Start, applets. But Nessus flags this High. | 6.5 | 3.3 |
| CVE-2017-5461 | nss | 2017/04/20 | CentOS yes | yes | yes | | 6.5 | 3.3 |
| CVE-2016-7910, CVE-2017-2636 | kernel | 2017/04/11 | CentOS yes | yes | yes | | 6.5 | 3.3 |
| CVE-2017-2616 | coreutils | 2017/03/21 | CentOS yes | yes | yes | | 6.5 | 3.2.7, 3.3 |
| CVE-2014-9761, CVE-2015-8776, CVE-2015-8778, CVE-2015-8779 | glibc | 2017/03/21 | CentOS yes | yes | yes | | 6.5 | 3.3 |
| CVE-2016-0634, CVE-2016-7543, CVE-2016-9401 | bash | 2017/03/21 | CentOS yes | yes | yes | | 6.5 | 3.2.7, 3.3 |
| CVE-2015-8325 | openssh | 2016/04/13 | CentOS yes | possible | possible | No, unless /etc/ssh/sshd_config sets UseLogin=yes. | 6.5 | 3.3 |
| CVE-2016-10088, CVE-2016-10142, CVE-2016-2069, CVE-2016-2384, CVE-2016-6480, CVE-2016-7042, CVE-2016-7097*, CVE-2016-8399*, CVE-2016-9576* | kernel | 2017/03/21* (CentOS 6.9) | CentOS yes | yes | yes | | 6.5 | 3.3 |
| CVE-2016-5139, CVE-2016-5158, CVE-2016-5159, CVE-2016-7163, CVE-2016-9675 | openjpeg | 2017/03/19 | CentOS yes | N/A | N/A | We do not use openjpeg. | - | - |
| CVE-2016-6816 | tomcat6 | 2016/11/22 | CentOS yes | no | N/A | IPsonar uses tomcat7. | - | - |
| CVE-2016-8745 | tomcat6 | 2016/12/12 | CentOS yes | no | N/A | IPsonar uses tomcat7. | - | - |
| CVE-2017-5638 | | 2017/03/06 | CentOS no | no | no | Not using struts. | - | - |
| CVE-2016-6136 | kernel | 2016/07/04 | CentOS yes | yes | yes | Kernel audit logs falsifiable. | 6.5 | 3.3* |
| CVE-2016-9555 | kernel | 2016/10/25 | CentOS yes | no | no | sctp disabled, STIG. | - | - |
| CVE-2016-5423 | postgresql | 2016/08/11 | CentOS yes | yes BUT | yes BUT | Requires login to exercise. | - | - |
| CVE-2016-5424 | postgresql | 2016/08/11 | CentOS yes | yes BUT | yes BUT | Requires login to exercise. | - | - |
| CVE-2016-8610 | openssl | 2016/10/24 | CentOS yes | yes | yes | DOS ALERT - handshake. | 6.5 | 3.2.4 (GA 2017/02/28) |
| CVE-2017-3730 | openssl | 2017/01/26 | OpenSSL yes, CentOS no | no | no | Affects 1.1 branch; we use 1.0.1. | - | - |
| CVE-2017-3731 | openssl | 2017/01/26 | CentOS yes | no | no | 32-bit only. | - | - |
| CVE-2017-3732 | openssl | 2017/01/26 | CentOS no, OpenSSL yes | yes | yes | One vector considered unlikely; one feasible but very difficult and requires login. | unknown | unknown |
| CVE-2017-3733 | openssl | 2017/02/16 | CentOS yes | no | no | Affects 1.1 branch; we use 1.0.1. | - | - |
| CVE-2017-6074 | kernel | 2017/02/17 | CentOS yes | maybe | maybe | UDP DCCP IPV6 protocol impacted. | 6.5 | 3.2.4 (GA 2017/02/28) |
| CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, CVE-2016-9311 | ntp | 2016/11/21 | CentOS yes | yes | yes | | 6.5 | 3.2.4 (GA 2017/02/28) |
| CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540 | libtiff | 2015/01/28, 2016/10/25, 2016/09/24, 2016/09/24, 2016/11/04, 2016/09/24, 2016/09/24, 2016/10/08 (per CVE, in order) | CentOS yes | yes | no | | 6.5* | - |
| CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, CVE-2014-9330, CVE-2014-9655, CVE-2015-1547, CVE-2015-7554, CVE-2015-8665, CVE-2015-8668, CVE-2015-8683, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2015-8784, CVE-2016-3632, CVE-2016-3945, CVE-2016-3990, CVE-2016-3991, CVE-2016-5320 | libtiff | 2016/08/02 | CentOS yes | yes | no | | 6.5 | |
| CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2016-8328, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3260, CVE-2017-3261, CVE-2017-3262, CVE-2017-3272, CVE-2017-3289 | jre | 2016/08/24 (CVE-2016-2183), 2017/01/17 (all others) | Oracle yes | yes | yes | | 6.5 (GA 2017/03/27) | 3.2.4 (GA 2017/02/28) |
| CVE-2016-4998, CVE-2016-6828, CVE-2016-7117 | kernel | 2016/06/24, 2016/08/15, 2016/03/14 (per CVE, in order) | CentOS yes | yes | yes | | 6.5 (GA 2017/03/27) | 3.2.3 (GA 2017/01/23) |
| CVE-2016-1248 | vim | 2016/12/21 | CentOS yes | no | no | We don't use vim in App. | 6.5 | 3.2.3 |
| CVE-2016-0718 | expat | 2016/11/28 | CentOS yes | yes | yes | | 6.5 | 3.2.2 (GA 2016/01/09) |
| CVE-2014-3538, CVE-2014-3587, CVE-2014-3710, CVE-2014-8116, CVE-2014-8117, CVE-2014-9620, CVE-2014-9653 | file | 2016/05/10 | CentOS yes | yes | yes | | 6.5 | 3.2.2 (GA 2016/01/09) |
| CVE-2016-1583, CVE-2016-5195 | kernel | 2016/10/28 | CentOS yes | no | no | Bug is in ecryptfs, which we don't use. | 6.5 | 3.2.2 (GA 2016/01/09) |
| CVE-2016-6313 | libgcrypt | 2016/11/08 | CentOS yes | yes but | yes but | Also had to get the 1st 580 RNG outputs and calc the next 20. | 6.5 | 3.2.2 (GA 2016/01/09) |
| CVE-2016-7032, CVE-2016-7076 | sudo | 2016/12/06 | CentOS yes | yes but | yes but | Intersects with noexec restriction. | | 3.2.2 (GA 2016/01/09) |
| CVE-2011-4327 | OpenSSH | 2011/05/05 | CentOS yes | No | | CVE-2011-4327 doesn't affect RHEL 4, 5, 6 because there is a built-in entropy pool in openssl. This is not an actual vulnerability. | 6.5 | N/A (GA N/A) |


A * means the report is corrected.

 
