
Resolving System Vulnerabilities by Upgrading to RHEL 8.10

Overview

A customer reported multiple vulnerabilities on systems running MGR version R04.14.10.01. The recommended fix is to upgrade to RHEL 8.10, which carries the relevant security patches. After the upgrade, verify SSH, Log4j, SSL/TLS certificates, TLS protocol support and cipher suites as described below to confirm that the reported findings are closed.

Information

Issue: Multiple vulnerabilities reported on systems running MGR version R04.14.10.01.

Resolution Steps:

  1. Upgrade to RHEL 8.10:
    • Ensure all components (MGR, AMS, FAF, HUB, LGP, PBC, RTR, etc.) are upgraded to the latest versions available.
    • Follow your standard upgrade procedures to install RHEL 8.10.
  2. Post-Upgrade Checks:
    • SSH Version and Key Exchange:
      • Run ssh -V to confirm the OpenSSH version. If the vulnerability report asks for OpenSSH 9.6+, note that RHEL 8.10 ships OpenSSH 8.0p1 with Red Hat's backported security fixes, so a stock host reports 8.0: whether a reported OpenSSH CVE is fixed is decided by the installed openssh package's errata, not by the upstream version number. The 9.6+ check applies only to hosts running an upstream or third-party OpenSSH build.
      • Execute ssh -Q kex | grep sntrup to see whether sntrup761x25519-sha512@openssh.com is supported. The OpenSSH build in RHEL 8.10 does not offer this key exchange, so its absence there is expected and is not a finding on its own.
    • Log4j Library Check:
      • If using the LGR component, run find / -type f -name "log4j*.jar" -exec ls -lh {} \; 2>/dev/null.
      • Replace any Log4j 1.x files found (1.x is end of life and receives no fixes), and upgrade any Log4j 2.x jar older than the version named in your vulnerability report. Log4j is often bundled inside application jars or wars under another name, so a search by filename alone can miss copies; inspect archive contents as well.
    • SSL/TLS Certificate Validation:
      • Use echo | openssl s_client -connect <host>:443 2>/dev/null | openssl x509 -noout -enddate to check certificate expiration.
      • Ensure certificates are valid and issued by a trusted CA: the s_client output reports "Verify return code: 0 (ok)" only when the chain validates against the host's CA bundle. If the server hosts several names, pass the hostname as SNI, or you will be shown the default certificate rather than the one clients receive.
    • TLS Protocol Support:
      • Run the following to check supported protocols (test the exit status: s_client prints a "Protocol" line in its session summary even when the handshake was refused, so grepping for it reports every version as supported):
        for v in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
          printf '%s: ' "$v"
          if openssl s_client -connect <host>:443 -servername <host> -$v </dev/null >/dev/null 2>&1; then echo supported; else echo "not supported"; fi
        done
      • Only TLS 1.2 and TLS 1.3 should be enabled. The RHEL 8 DEFAULT crypto policy disables TLS 1.0 and 1.1 on the client side, and RHEL 8's openssl has no SSLv3 at all, so when the loop is run from the RHEL 8 host itself those three read "not supported" even if the server still accepts them; confirm negative results from a client that can still offer the old protocol.
    • Cipher Suite Validation:
      • Test with echo | openssl s_client -connect <host>:443 -cipher 'RC4-SHA' 2>&1 | head -n20.
      • Ensure connections fail for insecure ciphers, and read the failure carefully: "alert handshake failure" or "Cipher is (NONE)" means the server refused the suite, whereas "no cipher match" means the local openssl (for example under the RHEL 8 DEFAULT crypto policy, which disables RC4) never offered it and the server has not actually been tested.
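A script that turns the Log4j file listing into a verdict per archive, as an added example that is not part of the original article or the product's own tooling. It goes beyond the 1.x case in the step above: it also grades Log4j 2.x jars against a threshold (assumed here to be 2.17.1, the release that closes the Log4Shell family of CVEs; set LOG4J_MIN_OK to whatever your report names) and looks inside every jar, war and ear for the Log4j 2 JndiLookup class, which catches copies bundled under other names. Function names, LOG4J_MIN_OK and the sample manifest text are this example's own; it assumes unzip is installed.

```sh
#!/bin/sh
# Added example, not from the original article: grade every Log4j copy found,
# including copies bundled inside other jars/wars.  Thresholds are assumptions:
# any 1.x is end of life (replace), 2.x below LOG4J_MIN_OK needs an upgrade.
# Requires unzip.

LOG4J_MIN_OK=2.17.1   # assumed: closes CVE-2021-44228/45046/45105/44832; set to your report's value

# version_key "2.14.1" -> 2014001, so versions compare as plain integers.
# A pre-release suffix such as "2.0-beta9" is cut off first.
version_key() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*//' |
        awk -F. '{ printf "%d%03d%03d\n", $1 + 0, $2 + 0, $3 + 0 }'
}

# log4j_verdict VERSION -> replace | upgrade | ok | check
log4j_verdict() {
    case "$1" in
        1.*)     echo replace ;;   # Log4j 1.x: unmaintained, no fix exists
        unknown) echo check ;;     # no version in the manifest: inspect by hand
        *) if [ "$(version_key "$1")" -lt "$(version_key "$LOG4J_MIN_OK")" ]; then
               echo upgrade
           else
               echo ok
           fi ;;
    esac
}

# manifest_version MANIFEST_TEXT: version field from META-INF/MANIFEST.MF
# (Log4j 2 uses Implementation-Version, many 1.x builds only Bundle-Version).
manifest_version() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F': ' '/^(Implementation-Version|Bundle-Version):/ { print $2; exit }'
}

# jar_version JAR: manifest version or "unknown"
jar_version() {
    v=$(manifest_version "$(unzip -p "$1" META-INF/MANIFEST.MF 2>/dev/null)")
    printf '%s\n' "${v:-unknown}"
}

# has_jndi_lookup JAR: true if the Log4j 2 JNDI lookup class is in the archive,
# which is how log4j hidden inside an application jar or war is found.
has_jndi_lookup() {
    unzip -l "$1" 2>/dev/null | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
}

# scan ROOT: one line per suspect archive: verdict, version, path
scan() {
    find "${1:-/}" -type f \( -name '*.jar' -o -name '*.war' -o -name '*.ear' \) 2>/dev/null |
    while IFS= read -r jar; do
        case "${jar##*/}" in
            log4j*) ;;                                 # named like the article's search
            *) has_jndi_lookup "$jar" || continue ;;   # otherwise only if log4j 2 is inside
        esac
        v=$(jar_version "$jar")
        printf '%-8s %-10s %s\n' "$(log4j_verdict "$v")" "$v" "$jar"
    done
}

# Constructed manifest text (not taken from a real jar) for an offline check of the parser.
SAMPLE_MANIFEST='Manifest-Version: 1.0
Bundle-Name: Apache Log4j Core
Implementation-Version: 2.14.1'

if [ "$#" -ge 1 ]; then scan "$1"; fi
```

Run it as `sh log4j-scan.sh /` on the upgraded host; every line whose first column is not `ok` needs action, and `check` lines are archives that contain Log4j but carry no version field in their manifest.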

Note: If compatibility issues arise with the upgrade, consult with management to decide whether to proceed with the upgrade or accept the risk of existing vulnerabilities.
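The protocol, cipher and certificate checks from the resolution steps, rewritten so that they do not misread s_client, as an added example that is not part of the original article. Under OpenSSL 1.1.1 (the RHEL 8 build) s_client prints a Protocol line in its SSL-Session summary even when the handshake was refused, and the RHEL 8 DEFAULT crypto policy stops the local client from offering TLS 1.0/1.1 or RC4, so this script classifies each attempt as server-accepted, server-refused or client-refused from the output markers and reports certificate expiry and chain trust from one connection. Function names are this example's own; the host is the first argument (the article's <host> placeholder), the port defaults to 443, and the embedded s_client fragments are constructed for an offline check of the classifier, not captured traffic.

```sh
#!/bin/sh
# Added example, not from the original article: TLS protocol, cipher and
# certificate probes that classify each attempt from s_client's real signals.
# Why: openssl s_client 1.1.1 (the RHEL 8 build) prints "Protocol : TLSv1.x"
# in its SSL-Session summary even when the handshake was refused, and the
# RHEL 8 DEFAULT crypto policy stops the local client from offering TLS 1.0/1.1
# or RC4 at all, so a plain "not supported" can describe the tester, not the server.
# Assumptions: openssl 1.1.1-style messages; HOST is the article's <host>.

# classify_s_client: read s_client's combined stdout+stderr on stdin, print one of
#   server-accepted  a real protocol and cipher were negotiated
#   server-refused   we offered it and the server rejected it (a pass for hardening)
#   client-refused   our own openssl/crypto policy would not offer it (server untested)
#   unknown          none of the known markers present
classify_s_client() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eiq 'no cipher match|no protocols available|unknown option|error setting cipher list'; then
        echo client-refused
    elif printf '%s\n' "$out" | grep -Eq 'Cipher is \(NONE\)|alert handshake failure|alert protocol version|wrong version number'; then
        echo server-refused
    elif printf '%s\n' "$out" | grep -Eq '^New, (TLSv1(\.[0-9])?|SSLv3), Cipher is [A-Z0-9_-]+'; then
        echo server-accepted
    else
        echo unknown
    fi
}

# verify_status S_CLIENT_OUTPUT: chain trust from "Verify return code"; 0 (ok) = trusted
verify_status() {
    code=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: //p' | head -n 1)
    case "$code" in
        "0 (ok)") echo trusted ;;
        "")       echo unknown ;;
        *)        echo "untrusted: $code" ;;
    esac
}

# probe HOST PORT OPTION...: one s_client attempt with SNI, classified
probe() {
    host=$1 port=$2; shift 2
    openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>&1 | classify_s_client
}

# check_protocols HOST [PORT]: only tls1_2 and tls1_3 should be server-accepted.
# ssl3 is not compiled into RHEL 8 openssl and will always be client-refused there.
check_protocols() {
    for v in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        printf '%-8s %s\n' "$v" "$(probe "$1" "${2:-443}" -"$v")"
    done
}

# check_weak_ciphers HOST [PORT]: every suite must be server-refused;
# client-refused means rerun from a client that can still offer the suite.
check_weak_ciphers() {
    for c in RC4-SHA DES-CBC3-SHA NULL-SHA256; do
        printf '%-14s %s\n' "$c" "$(probe "$1" "${2:-443}" -tls1_2 -cipher "$c")"
    done
}

# check_cert HOST [PORT]: expiry (30-day warning) and chain trust from one connection
check_cert() {
    out=$(openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null)
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate
    if printf '%s\n' "$out" | openssl x509 -noout -checkend 2592000 >/dev/null; then
        echo 'expiry: more than 30 days left'
    else
        echo 'expiry: EXPIRES WITHIN 30 DAYS (or no certificate received)'
    fi
    printf 'trust:  %s\n' "$(verify_status "$out")"
}

# Constructed s_client fragments (not captured traffic) so the classifier can be
# exercised with no network: a TLS 1.3 success, a server rejecting TLS 1.1, and
# the local RHEL 8 DEFAULT policy refusing to offer TLS 1.0.
SAMPLE_ACCEPTED='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol  : TLSv1.3
Verify return code: 0 (ok)'
SAMPLE_SERVER_REFUSED='140: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)
Protocol  : TLSv1.1'
SAMPLE_CLIENT_REFUSED='140: error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available
New, (NONE), Cipher is (NONE)
Protocol  : TLSv1'

if [ "$#" -ge 1 ]; then
    check_protocols "$1" "$2"
    check_weak_ciphers "$1" "$2"
    check_cert "$1" "$2"
fi
```

Run it as `sh tls-check.sh <host> [port]`. A passing server shows `server-accepted` only for tls1_2 and tls1_3, `server-refused` for every weak suite, `trusted` for the chain and more than 30 days of validity. Any `client-refused` line says nothing about the server: repeat that probe from a host whose client policy still offers the protocol or cipher (on RHEL 8, `update-crypto-policies --show` reports the active policy).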

Frequently Asked Questions

How do I know if my system is affected by these vulnerabilities?
Compare the installed RHEL release and the component versions (MGR and the others listed above) with the latest available versions. A system still on a release older than RHEL 8.10 should be treated as exposed until it is upgraded.
What are the post-upgrade checks I need to perform?
After upgrading to RHEL 8.10, perform checks for SSH version, Log4j libraries, SSL/TLS certificates, TLS protocol support, and cipher suite validation as detailed in the resolution steps.
What if there are compatibility issues with the upgrade?
Consult with your management to decide whether to proceed with the upgrade or accept the risk of the current vulnerabilities. If you choose not to upgrade, document the decision and monitor for any security advisories.
Posted by Priyanka Bhotika