
I have a number of Oracle Linux 8.8 machines and CrowdStrike is flagging all of them for vulnerabilities associated with the Python packages installed with Python 3.6. Oracle says Python 3.6 is required for the system, but I can't find updates that address the CrowdStrike-identified issues. For example, babel 2.5.1-7.el8 is flagged as vulnerable, and dnf only finds python3-babel 2.5.1-7.el8 from the ol8_appstream repo to install. Oracle states they're keeping 3.6 up-to-date, so there must surely be updates to address years-old CVEs? I tried installing Python 3.9 and 3.11, but that left the vulnerable packages in place and didn't really accomplish anything as far as CrowdStrike was concerned. How can I update these Python packages?

1 Answer

> How can I update these Python packages?

That might be the wrong thing to focus on.

For starters: there is the issue with how some/many vulnerability scanners determine exposure to vulnerabilities only by looking at the version number a piece of software identifies itself with, and that approach is flawed in the face of distributions that back-port security updates (as explained a bit more here and for example here and on RedHat.com).

Second: most vendors maintain a system where you can look up CVEs, and they might have determined that, despite their version possibly being vulnerable, their packaged version is actually NOT vulnerable/exploitable because of reasons (e.g. the vendor already overrode insecure defaults (set by the developer in the source tree) with more secure default settings in the RPM package they shipped for tool X version Y).

Third: your system might actually be vulnerable and the enterprise Linux vendor won't fix.

You can of course try to get what you pay for and escalate with your account manager.

And/or then also your normal risk management procedures and options apply:

  • assess
  • take mitigating measures
  • accept the risk
HBruijn
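An added example to go with the answer's first point, not part of HBruijn's post: on enterprise Linux distributions the usual way to tell whether a vendor has back-ported a fix without changing the upstream version string is to look for the CVE ID in the package's RPM changelog (`rpm -q --changelog PACKAGE`). The helper functions below are hypothetical names chosen for this illustration; the changelog text they parse is constructed inline and the CVE ID in it is a placeholder, not a real identifier. An absent changelog entry is not proof of exposure (the vendor's CVE page is the authoritative source), and a present entry is what you would show the scanner owner when disputing a version-only finding.

```shell
#!/bin/sh
# Added example (not from the original post). Looks up a CVE ID in an RPM
# changelog to see whether a back-ported fix is recorded for the installed
# release. Works offline on the constructed sample below; the last function
# runs the same check against a real installed package via rpm(8).

# Constructed sample changelog; CVE-0000-0001 and rhbz#0000000 are placeholders.
SAMPLE_CHANGELOG='* Tue Mar 05 2024 Example Packager <packager@example.invalid> - 2.5.1-7
- Backport upstream fix for CVE-0000-0001 (placeholder ID, constructed sample)
- Resolves: rhbz#0000000 (placeholder)

* Mon Jan 10 2022 Example Packager <packager@example.invalid> - 2.5.1-6
- Rebuild'

# changelog_mentions_cve CHANGELOG_TEXT CVE_ID
# Exit 0 if the CVE ID appears anywhere in the changelog, 1 otherwise.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q -i -w -- "$2"
}

# fixed_in_release CHANGELOG_TEXT CVE_ID
# Prints the version-release (last field of the "* ..." header) of the first
# changelog entry that mentions the CVE ID; prints nothing if none does.
fixed_in_release() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        BEGIN { needle = tolower(cve) }
        /^\* / { rel = $NF }                      # remember current entry header
        index(tolower($0), needle) { print rel; exit }
    '
}

# check_installed_package PACKAGE CVE_ID
# Real-system usage: reads the changelog of an installed RPM and reports
# whether the CVE is referenced. Returns 0 if found, 1 if not, 2 if rpm fails.
check_installed_package() {
    pkg=$1
    cve=$2
    changelog=$(rpm -q --changelog -- "$pkg") || return 2
    rel=$(fixed_in_release "$changelog" "$cve")
    if [ -n "$rel" ]; then
        printf '%s: %s referenced in changelog of release %s\n' "$pkg" "$cve" "$rel"
        return 0
    fi
    printf '%s: no changelog entry mentions %s (check the vendor CVE page)\n' "$pkg" "$cve"
    return 1
}

# Demo on the constructed sample (no rpm needed).
printf 'sample: fix for CVE-0000-0001 recorded in release %s\n' \
    "$(fixed_in_release "$SAMPLE_CHANGELOG" CVE-0000-0001)"
```

On a real host you would run `check_installed_package python3-babel CVE-YYYY-NNNN` with the ID the scanner reported; a hit gives you the release that carries the back-port, a miss means you still have to consult the vendor's CVE database before deciding to accept, mitigate or escalate.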