This documentation supports the 21.05 (12.2) version of BMC Discovery.

To view an earlier version of the product, select the version from the Product version menu.

Troubleshooting vulnerability issues

When your security team runs the security tool on the Discovery appliance, if vulnerabilities are reported in its operating system, use this section as troubleshooting steps to either resolve the problem or create a BMC Support case.

Issue symptom

The security tool reports vulnerabilities in the operating system of the Discovery appliance.

Issue scope

  • Several vulnerabilities are reported by Security Tool.
  • The security tool lists CVE IDs of the vulnerabilities with their brief descriptions.
  • No custom packages are installed on the Discovery server.

Resolution

Perform the following steps to troubleshoot and resolve the reported vulnerability:

Step 1: Check the current operating system update on the Discovery appliance.

To check the current operating system update, perform the following steps: 

  1. Ensure that the latest Operating System Update (OSU), which is released every month by BMC, is applied on the Discovery appliance. To do so, in the Discovery UI, click the Help icon  and then click About.
    The latest OS updates are displayed.
  2. Alternatively, you can also check the OSU applied by executing the following command from the command line:

    rpm -q tideway-appliance

    For example, here is the output of the above command:

    tideway-appliance-6.20.06.10-813053.centos6.x86_64

    The number highlighted in bold indicates that the current OSU is of 10 June 2020. To know the latest OSU upgrade on BMC EPD site, see BMC Discovery operating system upgrades

  3. If the current OSU is an old one, apply the latest OSU and then run the Security Tool again.
    This helps to isolate the issue. It may reduce the number of vulnerabilities reported in the previous report as the latest OSU contains updated OS packages.

  4. Based on the latest results, troubleshoot the reported vulnerability.

Step 2: Check the vulnerability details

Perform the following steps to check the vulnerability details:

  1. Check the vulnerability details by searching its CVE ID on the Red Hat portal.
    This provides information about the affected package that is causing the vulnerability.
  2. Click the Red Hat Security Advisory (RHSA) describing the vulnerability.
    This provides information for fixing the vulnerability or the package version in which this vulnerability is fixed.
  3. After you find the updated package version which includes its fix, check if that package or a higher one is included in the latest OSU update. For information on the latest OSU packages , see Latest CentOS 7 operating system upgrade. The links for the other operating system versions are:

Step 3: Determine if the vulnerability is a false positive

Perform the following steps to determine if the detected vulnerability is a false positive:

  1. Check the details on the CVE page. To find this page, check the  MITRE CVE Open link  site and search for the CVE number.
    Alternatively, entering the CVE number (CVE-2009-0688) in a search engine should also find the CVE. The CVE shows that Red Hat has released a statement, a Red Hat Security Advisory (RHSA) describing the vulnerability. The RHSA tells you what version of the package the bug is fixed in.
  2. When you know the version of the package in which Red Hat have fixed the vulnerability, confirm that the package is updated in the latest version of BMC Discovery.
  3. Check if the mentioned package is installed on BMC Discovery.
    As mentioned in the above link, you can find this package, or you can use the command line described in the following step.
  4. Login as a tideway user and run the following command:

    rpm -qa | grep <package name>

If that package does not appear to be installed, it confirms that the issue cannot affect BMC Discovery. This issue can be reported as a false positive. For more information, see Security audits.  

Step 4: The Discovery appliance is affected by a vulnerability in spite of applying the latest OSU

 Perform the following steps if you find that the appliance is affected by a vulnerability in spite of applying the latest OSU:

  1. After you confirm that the package installed on Discovery is affected by a vulnerability, collect its details, which is its CVE ID link.
  2. Collect the output of the following commands:

    rpm -q tideway-appliance
    rpm -qa | grep <package name>
  3. Contact Customer Support and provide the results collected so far.

OS patches

When patches to the OS are released, BMC Software checks whether they are appropriate to the appliance. Some are inappropriate due to the subset of packages used in the appliance. Where a patch is appropriate, it is tested and rolled into the next available OS upgrade, or product release. Urgent updates are released as a hotfix.

BMC provides regular upgrades to the BMC Discovery OS each month. Each upgraded package is checked for appropriateness to the appliance. For more information, see OS upgrades Open link


Was this page helpful? Yes No Submitting... Thank you

Comments