OpenVZ Forum


Home » General » Support » centOS vulnerabilities detected by Nessus
centOS vulnerabilities detected by Nessus [message #53346] Thu, 14 June 2018 11:58 Go to next message
fvafva is currently offline  fvafva
Messages: 8
Registered: June 2018
Junior Member
Hello,

We are using different versions of openVZ on top of CentOS 6.

Nessus scanner is detecting for example :
The remote host is running Linux Kernel 2.6.32-042stab128.2 on CentOS release 6.9 (Final)

But is reporting the following :
Remote package installed : kernel-2.6.32-696.el6
Should be : kernel-2.6.32-696.6.3.el6

Because it is checking the CentOS version.

My question (I am not familiar enough with openVZ):
stab128. stab129, stab130 ... are all based on different centOS kernels?
Do we have to consider centOS vulnerabilities, like Nessus is doing?

Thanks for your answers.
Re: centOS vulnerabilities detected by Nessus [message #53347 is a reply to message #53346] Fri, 15 June 2018 08:57 Go to previous messageGo to next message
vaverin is currently offline  vaverin
Messages: 708
Registered: September 2005
Senior Member
Dear fvafva,

Our kernels are based on last released RHEL6 kernels.

We are monitoring public security mailing lists,
timely detect issues critical for containers,
and timely release fixed kernels.

Take a look:
openVZ6 kernel 042stab128.2 was released 26 March 2018 it is based on RHEL6 kernel 2.6.32-696.23.1.el6 released 13 March 2018.
Our next kernel 042stab129.1 was released 15 May 2018 and it is based on RHEL6 kernel 2.6.32-696.28.1.el6 released 8 May 2018.
Our last kernel 042stab130.1 was released 23 May 2018 and it is based on last RHEL6 2.6.32-696.30.1.el6 released 21 May 2018.

Moreover our kernels includes many security fixes not included yet into RHEL kernels.

I do not know what is Nessus and how it works,
however anyway from security point of view our last released kernels at least are not worse than last released RHEL kernels.

Thank you,
Vasily Averin
Re: centOS vulnerabilities detected by Nessus [message #53348 is a reply to message #53347] Fri, 15 June 2018 09:48 Go to previous message
fvafva is currently offline  fvafva
Messages: 8
Registered: June 2018
Junior Member
Thaks for your answer.

I agree you include sometimes security fixes that are not yet in RHEL, bravo!

But as Nessus is detecting the RHEL one, and not openVZ one, it is creating some confusion.
For example, if I am using 042stab128.2, Nessus will tell me about vulnerabilities that are in 2.6.32-696.23.1.el6, even if you already fixed them in openVZ.
I would say it is normal behavior, nothing to discuss about that.


But may I consider 042stab128.2 secure? Probably not, as it is not the last version, and 042stab130.1 contains new security fixes.
So every time Nessus is reporting an issue with CentOS version, that probably means I am not up-to-date on openVZ side.

Anyway, thanks for your answer.
Previous Topic: Kernel Panic after booting to openvz2.6 kernel
Next Topic: Install openvz7 on centos 7.4
Goto Forum:
  


Current Time: Thu Dec 12 20:26:11 GMT 2024

Total time taken to generate the page: 0.02880 seconds