Troubleshooting vulnerability issues
When your security team runs the security tool on the Discovery appliance, if vulnerabilities are reported in its operating system, use this section as troubleshooting steps to either resolve the problem or create a BMC Support case.
Issue symptom
The security tool reports vulnerabilities in the operating system of the Discovery appliance.
Issue scope
- Several vulnerabilities are reported by Security Tool.
- The security tool lists CVE IDs of the vulnerabilities with their brief descriptions.
- No custom packages are installed on the Discovery server.
Resolution
Perform the following steps to troubleshoot and resolve the reported vulnerability:
Step 1: Check the current operating system update on the Discovery appliance.
To check the current operating system update, perform the following steps:
- Ensure that the latest Operating System Update (OSU), which is released every month by BMC, is applied on the Discovery appliance. To do so, in the Discovery UI, click the Help icon
and then click About.
The latest OS updates are displayed. Alternatively, you can also check the OSU applied by executing the following command from the command line:
rpm -q tideway-applianceFor example, here is the output of the above command:
tideway-appliance-6.20.06.10-813053.centos6.x86_64
The number highlighted in bold indicates that the current OSU is of 10 June 2020. To know the latest OSU upgrade on BMC EPD site, see BMC Discovery operating system upgrades.- If the current OSU is an old one, apply the latest OSU and then run the Security Tool again.
This helps to isolate the issue. It may reduce the number of vulnerabilities reported in the previous report as the latest OSU contains updated OS packages. - Based on the latest results, troubleshoot the reported vulnerability.
Step 2: Check the vulnerability details
- Extract the CVE number from the the report of the penetration test tool. For example: CVE-2023-20867
- Search for the CVE details in the support page of the OS used by your Discovery version.
For Discovery 23.3 and higher: Open Oracle Linux Security page, click on "Security Errata" > "Search CVE". In the CVE page, section "Errata", click on the related ELSA release. For example: ELSA-2022-8400
For versions older versions: Open the Red Hat CVE database, search for the CVE. In the "Errata" column of the CVE page, click on the related RHSA release. For example: RHSA-2023:3944 - In the ELSA (or RHSA page), find the name and version of the updated package. For example: libtirpc-1.3.3-0.el9.src.rpm
Step 3: Determine if the vulnerability is a false positive
- In the CVE page, check if the description suggests that Discovery could be impacted.
- Compare the version of the impacted package with the one included in the OS upgrade version of Discovery.
The list of included package is in the Latest Oracle Linux 9 operating system upgrade. The links for the other operating system versions are: - If the impacted package is not included in Discovery, the CVE is a false true.
- If the impacted package included in Discovery but Discovery has a version that contains the fix, the CVE is a false true.
Alternative method: Upgrade to the latest OSU, Login as a tideway user, run the following command and check if the impacted package is reported with a version that includes the fix.
Step 4: The Discovery appliance is affected by a vulnerability in spite of applying the latest OSU
Perform the following steps if you find that the appliance is affected by a vulnerability in spite of applying the latest OSU:
- After you confirm that the package installed on Discovery is affected by a vulnerability, collect its details, which is its CVE ID link.
Collect the output of the following commands:
rpm -q tideway-appliance
rpm -qa | grep <package name>- Contact Customer Support and provide the results collected so far.
BMC provides regular upgrades to the BMC Discovery OS each month. Each upgraded package is checked for appropriateness to the appliance. For more information, see OS upgrades.