As a trusted partner for providing maintenance services to the Enterprise Linux industry, our goal is to make system administration more manageable. In this monthly overview, you will find a round-up of the latest CVEs patched by the TuxCare Team. Also, carry on reading for details of the latest TuxCare advice and offerings for our clients.
Our main goal is to help clients overcome security breaches. To achieve this, TuxCare Extended Lifecycle Support Services track and test vulnerabilities across several packages.
- CVE-2021-25217 – DHCP(D) Remotely Exploitable Vulnerability is present in versions 4.1-ESV-R1 up to 4.1-ESV-R16 and 4.4.0 up to 4.4.2. The vulnerability is also present in older unsupported 4.0.x and 4.3.x series. This vulnerability affected DHCP code and can affect the stack for both client-side and server-side communications, allowing an attacker to disrupt services remotely. This attack vector has been proven using internal proof-of-concept testing.
- CVE-2021-30641 is a moderate risk vulnerability for Apache HTTP Server versions 2.4.39 to 2.4.46, where unexpected URL matching when configured with “MergeSlashes OFF” could bypass security controls.
- CVE-2021-26690 is a moderate risk vulnerability for Apache HTTP Server versions 2.4.0 to 2.4.46, where receipt of a particular Cookie header could cause mod_session to crash.
- CVE-2020-35452 is a low-impact vulnerability for Apache HTTP Server versions 2.4.0 to 2.4.46 that could theoretically result in a mod_auth_digest stack overflow, but currently, no practical exploit exists.
- CVE-2021-26691 is a low-impact vulnerability for Apache HTTP Server versions 2.4.0 to 2.4.46, where receipt of a particular SessionHeader could cause a heap overflow. However, testing identified this would be an improbable attack vector.
For all vulnerabilities, TuxCare patches were released on the same day the vulnerability was disclosed.
ROLE-BASED ACCESS CONTROL CONCEPTS
Role-based access control is a feature that simplifies access control configuration in large organisations by replacing individual permissions for each user and resource with shared permissions for groups that have identical access requirements. It’s a feature that many organisations use without realising.
The TuxCare Technical Evangelist João Correia has produced an in-depth guide into role-based access control concepts, how to implement them effectively, and how they affect day-to-day operations.
RHEL 7 TO CENTOS 7 CONVERSION
Following multiple client requests for support when converting RHEL 7 to CentOS 7, the TuxCare Team decided to create a helpful script that all our clients can use whenever they want to make this process straightforward and painless. The script automates the conversion process and makes the complexity of the process transparent to users, making your job significantly simpler. In addition, the team has prepared an overview of the migration process to support the script.
The TuxCare team is not just another OS vendor. We go beyond bug fixes and updates to help solve security, interoperability, and connectivity issues of the open-source software in enterprise solutions.
ENTERPRISE VULNERABILITY DETECTION AND PATCH MANAGEMENT TRENDS
It turns out that the most common method used by sysadmins to find out more about high threat vulnerabilities is by simple manual online research. These were the findings from our preliminary results when we surveyed our enterprise clients on their vulnerability patch management operations.
There is still time to take part in our survey if you want to share your own experiences. Entering will give the chance of winning one of ten Certified Kubernetes Administrator Certifications from The Linux Foundation.
- The 2021 Deep Dive To Linux Kernel Update
- The Risks of Running End-Of-Life OS – And How To Manage Them
- Why improving SecOps Can Save You Money
- Open Source Code is Public, But Are The Right People Looking At It?
Regarding the last article, check out the discussion between Jay from the LearnLinuxTV and TuxCare Evangelist Joao Correia on how the University of Minnesota got the open-source wrong, plus the strengths and weaknesses of open-source in general.