I am a long-time Linux system administrator, but new to CentOS. I just need to determine if this CentOS server is vulnerable to CVE-2019-18348. To do that, I have to check if the installed packages are patched or have a way to test the vulnerability on the machine.
I have not found any reliable way to test the vulnerability, so I keep looking at package versions, change logs, etc.
First, some details about the vulnerability:
CVE-2019-18348: An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)
https://nvd.nist.gov/vuln/detail/CVE-2019-18348
https://nvd.nist.gov/vuln/detail/CVE-2016-10739
Here are the details of the version of my system:
OS: centos-release-8.0-0.1905.0.9.el8.x86_64
Python: 3.6.8 - installed package is python36.x86_64 (3.6.8-2.module_el8.0.0+33+0a10c0e1)
glibc: 2.28-42.el8.1
The system is completely updated, but I don't see any security repository or backports enabled. I could not find any information on whether there is a repository of security updates for CentOS and how to enable it.
(root@host)# yum repolist
Last metadata expiration check: 1:37:46 ago on Fri 06 Dec 2019 07:51:08 PM UTC.
repo id      repo name                                          status
AppStream    CentOS-8 - AppStream                               5,089
BaseOS       CentOS-8 - Base                                    2,843
*epel        Extra Packages for Enterprise Linux 8 - x86_64     3,579
extras       CentOS-8 - Extras
The change log for glibc does not specifically list CVE-2019-18348. It may have been fixed in an earlier version, but I haven't found any way to verify that.
(root@host)# rpm -q --changelog glibc | grep -i cve
- Add upstream test case for CVE-2018-19591 (#1654010)
- CVE-2018-19591: File descriptor leak in if_nametoindex (#1654010)
- CVE-2018-11237: Buffer overflow in __mempcpy_avx512_no_vzeroupper (#1581275)
- CVE-2018-11236: realpath: Fix path length overflow (#1581270, swbz#22786)
- CVE-2017-18269: memory corruption in i386 memmove (#1580934)
- CVE-2017-14062, CVE-2016-6261, CVE-2016-6263:
- CVE-2018-1000001: Make getcwd fail if it cannot obtain an absolute path
- CVE-2017-16997: elf: Check for empty tokens before DST expansion (#1526866)
- CVE-2017-1000409: Count in expanded path in _dl_init_path (#1524867)
- CVE-2017-1000408: Compute correct array size in _dl_init_paths (#1524867)
- CVE-2017-17426: malloc: Fix integer overflow in tcache (swbz#22375)
- CVE-2017-15804: glob: Fix buffer overflow during GLOB_TILDE unescaping
- CVE-2017-15670: glob: Fix one-byte overflow (#1504807)
- Use execveat syscall in fexecve (swbz#22134)
The python changelog does not show any CVE, but "rhbz" numbers, which I guess are Red Hat Bugzilla. I have some subscriptions with RH, but apparently it is not enough to see the details of these elements.
(root@host)# rpm -q --changelog python36 | grep -i resolves
- Resolves: rhbz#1695587
- Resolves: rhbz#1658271
- Resolves: rhbz#1654867
- Resolves: rhbz#1633534
- Resolves: rhbz#1633534
- Resolves: rhbz#1633561
- Resolves: rhbz#1633534
- Resolves: rhbz#1632637
- Resolves: rhbz#1633534
- Resolves: rhbz#1615727
This Red Hat advisory corrects CVE-2016-10739 in package glibc-2.28-72.el8.x86_64.rpm
But since this machine is centos and in version 2.28-42.el8.1, and the patch versions between RH and CentOS seem to be different, that does not seem to help me determine if this box is vulnerable.
If anyone can offer an idea of whether this system is vulnerable, or point me in the right direction, I would really appreciate it.
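Because RHEL and CentOS backport fixes without bumping the upstream version number, the most reliable way to answer the question is to probe behaviour rather than version strings. The script below is an added example (not from the original post or from any Red Hat tooling) that checks both layers named in the NVD text, entirely offline: the upstream fix for CVE-2019-18348 makes http.client's HTTPConnection constructor raise InvalidURL for a host containing control characters before any socket is opened, and the CVE-2016-10739 fix makes glibc's getaddrinfo refuse a numeric address with trailing characters. The host string, the address string and the function names are constructed for this example; the glibc check assumes a glibc-based system (other libc implementations may behave differently).

```python
import http.client
import socket
import sys

# Constructed test host: a hostname followed by CRLF and a header-looking
# line. It is never resolved or connected to; HTTPConnection.__init__ only
# parses and validates it.
CRLF_HOST = "example.invalid\r\nX-Injected: 1"

# Constructed numeric address with trailing control characters, for the
# glibc side of the question. AI_NUMERICHOST keeps the lookup offline.
CRLF_ADDRESS = "127.0.0.1\r\n"


def python_rejects_crlf_host(host: str = CRLF_HOST) -> bool:
    """True if this interpreter's http.client refuses a host containing
    control characters. Patched Python raises InvalidURL from the
    HTTPConnection constructor; unpatched 3.6.8 accepts the string."""
    try:
        http.client.HTTPConnection(host)
    except http.client.InvalidURL:
        return True
    return False


def resolver_rejects_trailing_crlf(address: str = CRLF_ADDRESS) -> bool:
    """True if getaddrinfo refuses a numeric address with trailing junk.
    glibc without the CVE-2016-10739 fix parses '127.0.0.1\\r\\n' as
    127.0.0.1; fixed glibc fails with a gaierror. AI_NUMERICHOST means no
    DNS query is sent in either case."""
    try:
        socket.getaddrinfo(address, None, flags=socket.AI_NUMERICHOST)
    except socket.gaierror:
        return True
    return False


def assess() -> dict:
    """Combine both probes: the CRLF injection described in the CVE is
    only reachable when neither http.client nor getaddrinfo rejects the
    input, which is what the NVD note about CVE-2016-10739 means."""
    py_patched = python_rejects_crlf_host()
    libc_patched = resolver_rejects_trailing_crlf()
    return {
        "python": sys.version.split()[0],
        "http_client_patched": py_patched,
        "getaddrinfo_patched": libc_patched,
        "vulnerable": not (py_patched or libc_patched),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

Run it with the system interpreter that the application actually uses (here /usr/bin/python3.6 from the python36 package), since a different Python on the same box may carry a different patch level. A result of http_client_patched False together with getaddrinfo_patched False is the combination that makes the host vulnerable; either probe returning True closes the injection path.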