
I have a number of Oracle Linux 8.8 machines and CrowdStrike is flagging all of them for vulnerabilities associated with the Python packages installed with Python 3.6. Oracle says Python 3.6 is required for the system, but I can't find updates that address the CrowdStrike-identified issues. For example, babel 2.5.1-7.el8 is flagged as vulnerable, and dnf only finds python3-babel 2.5.1-7.el8 from the ol8_appstream repo to install. Oracle states they're keeping 3.6 up to date, so there must surely be updates to address years-old CVEs? I tried installing Python 3.9 and 3.11, but that left the vulnerable packages in place and didn't really accomplish anything as far as CrowdStrike was concerned. How can I update these Python packages?

1 Answer


How can I update these Python packages?

That might be the wrong thing to focus on.

For starters: there is the issue with how some/many vulnerability scanners determine exposure to vulnerabilities only by looking at the version number a piece of software identifies itself with, and that approach is flawed in the face of distributions that back-port security updates (as explained a bit more here and, for example, here and on RedHat.com).

Second: most vendors maintain a system where you can look up CVEs, and they might have determined that, even though that version could be vulnerable, their packaged version is actually NOT vulnerable/exploitable for various reasons (e.g. the vendor already overrode insecure defaults (set by the developer in the source tree) with more secure default settings in the RPM package they shipped for tool X version Y).

Third: your system might actually be vulnerable and the enterprise Linux vendor won't fix.

You can of course try to get what you pay for and escalate with your account manager.

And/or your normal risk management procedures and options then also apply:

  • assess
  • take mitigating measures
  • accept the risk
HBruijn
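The answer's first two points (a scanner that compares only the upstream version string, versus the back-port record a distribution keeps) can be turned into a concrete check. The script below is an added example and is not code from the question, the answer, Oracle or CrowdStrike. It contrasts the naive "installed version is older than the upstream fix" logic with a look at the RPM changelog, which is where an enterprise distro records a back-ported fix even though the upstream version (the `2.5.1` in `2.5.1-7.el8`) never changes; only the release part (`-7`) moves. The changelog text, the `CVE-0000-000x` ids and the "2.9.1" upstream fix version are all placeholders constructed for the example, not real advisory data.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# It demonstrates the two checks the answer talks about:
#   1. the naive scanner logic ("installed version < upstream fixed version
#      => vulnerable"), which produces false positives on distributions
#      that back-port fixes without bumping the upstream version number;
#   2. the check a practitioner does instead: look in the package changelog
#      (rpm -q --changelog <pkg>) for the CVE id, because an enterprise
#      distro records back-ported fixes there.
# Assumptions: the changelog below is constructed for this example, the
# CVE ids in it are placeholders (CVE-0000-000x), and "2.9.1" is used as a
# hypothetical upstream fixed version; none of these come from Oracle or
# CrowdStrike data.

# Constructed stand-in for `rpm -q --changelog python3-babel` output.
SAMPLE_CHANGELOG='* Tue Nov 09 2021 Example Maintainer <maint@example.invalid> - 2.5.1-7
- Backport upstream patch for CVE-0000-0001 (placeholder id)
- Resolves: rhbz#0000000 (placeholder)

* Mon Feb 26 2018 Example Maintainer <maint@example.invalid> - 2.5.1-6
- Rebuild for new Python stack'

# version_lt A B: exit 0 when dotted numeric version A sorts before B.
# This is the naive comparison a version-string-only scanner performs.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a='' || a=${a#*.}
        [ "$b" = "$bi" ] && b='' || b=${b#*.}
        : "${ai:=0}" "${bi:=0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# extract_cves CHANGELOG: print the distinct CVE ids mentioned, space-separated.
extract_cves() {
    printf '%s\n' "$1" | grep -o -E 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# cve_in_changelog CHANGELOG CVE-ID: exit 0 when the changelog names the CVE.
cve_in_changelog() {
    printf '%s\n' "$1" | grep -q -i -F -- "$2"
}

# assess_cve INSTALLED UPSTREAM_FIXED CHANGELOG CVE-ID
# Prints one of:
#   not-affected-by-version  installed version is already >= the upstream fix
#   fixed-by-backport        version looks old, but the changelog records the CVE
#   needs-review             version looks old and no back-port is recorded:
#                            check the vendor errata/CVE database, then treat it
#                            as a real finding (assess / mitigate / accept)
assess_cve() {
    installed=$1; fixed=$2; changelog=$3; cve=$4
    if ! version_lt "$installed" "$fixed"; then
        echo "not-affected-by-version"
    elif cve_in_changelog "$changelog" "$cve"; then
        echo "fixed-by-backport"
    else
        echo "needs-review"
    fi
}

# Stand-alone demo: the scanner's view versus the changelog's view.
if version_lt 2.5.1 2.9.1; then
    echo "scanner view: 2.5.1 < 2.9.1, so the package is flagged as vulnerable"
fi
echo "CVEs recorded in the changelog: $(extract_cves "$SAMPLE_CHANGELOG")"
echo "CVE-0000-0001: $(assess_cve 2.5.1 2.9.1 "$SAMPLE_CHANGELOG" CVE-0000-0001)"
echo "CVE-0000-0002: $(assess_cve 2.5.1 2.9.1 "$SAMPLE_CHANGELOG" CVE-0000-0002)"
```

On a real host, replace the constructed changelog with `rpm -q --changelog python3-babel` and the placeholder ids with the CVE ids CrowdStrike actually reports; `dnf updateinfo info --cve <CVE-ID>` against the enabled Oracle repos is the corresponding query of the vendor's advisory data (the "system where you can look up CVEs" in the answer). A `needs-review` result is exactly the third case the answer describes: the finding may be real and the vendor may not fix it, so escalate and fall back on assess / mitigate / accept.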
  • This Oracle distro has two Pythons. 3.6 is used by the 8.8 OS for DNF/Yum. I think they installed the "other" non-system Python for the 3.9/3.11 packages. The OS should be updating the 3.6 stuff. Could be a stale VM template. https://yum.oracle.com/oracle-linux-python.html – Greg Askew Nov 13 '23 at 22:29
  • Indeed, the system Python version should be updated / back-ported for known vulnerabilities (except when not applicable), but for your own or third-party software the story is different. I missed that distinction in my answer. – HBruijn Nov 14 '23 at 08:51
  • And so, the question remains. How do I update the system Python 3.6 components? It's not clear to me from the Oracle CVE tracking that there's been any backporting, yet there are hundreds of logged vulnerabilities that apply, so it doesn't seem likely that they're just ignoring them.... It's possible that CrowdStrike is generating false positives, but if so it seems to be pretty focused on just this set of applications - it's not complaining about a lot of other stuff. – bangheadhere Nov 14 '23 at 20:16
  • @bangheadhere You don't specify a specific CVE, so no one can direct you to whether or not your operating system provides errata. Looking in the errata repository, the python-babel package you list is the latest security release. (https://linux.oracle.com/errata/ELSA-2021-4201.html) Two CVEs are referenced. Are these the CVEs that CrowdStrike is referencing? Looking upstream, I see no additional CVEs for babel's Python bindings. (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python-babel) Searching more broadly for babel seems to find implementations in other products such as emacs. – Aaron Copley Nov 18 '23 at 00:16