cesa_2019_2091

pdk
tasks
remediates CVE-2018-15686, CVE-2018-16866, and CVE-2018-16888 as described in CESA-2019:2091 and similar bulletins

Paul Anderson

hpcprofessional

1,639 downloads

873 latest version

5.0 quality score

Version information

  • 0.2.0 (latest)
  • 0.1.0
released Dec 9th 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 7.0.0
  • CentOS
    ,
    OracleLinux
    ,
    RedHat
    ,
    Scientific
Tasks:
  • remediate

Start using this module

Documentation

hpcprofessional/cesa_2019_2091 — version 0.2.0 Dec 9th 2019

cesa_2019_2091

This module contains a Bolt Task that will remediate CVEs described in CESA-2019:2091 and parallel issues present on other Enterprise Linux 7 (EL7) platforms.

Table of Contents

  1. Description
  2. Setup - The basics of getting started with cesa_2019_2091
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module

Description

This remediation addresses the following CVEs:

Remediation is performed by using yum to updating key systemd packages to newer versions. Affected systemd RPM packages include:

  • systemd
  • systemd-libs
  • systemd-sysv

Setup

Beginning with cesa_2019_2091

Using a Puppet file or other method, install in an appropriate place such that the task is visible to your task runner.

EXAMPLE

$ bolt task show

cesa_2019_2091::remediate   remediates CVE-2018-15686, CVE-2018-16866, and CVE-2018-16888

Usage

Using your prefered method of running bolt tasks, run the task.

EXAMPLE

$ bolt task run cesa_2019_2091::remediate -n cent7-1,cent7-2,cent7-3

Limitations

This remediation relies on yum, yum repositories, and related technologies to update RPM packages.

This remediation updates the relevant RPM packages to the latest available version without additional version checks. If your system remains vulnerable to these CVEs, it is likely sufficiently updated RPMs are not available in your yum repository as presntly configured.

This remediation targets the standard systemd packages most likely to be affected by these CVEs. Additional packages which may require attention are described in the relevant CentOS-CR-announce mailing list announcement

Development

Pull requests welcome

Release Notes

Version Notes
0.1.0 Initial release