Product Security

CentOS Security Enhancements/Kernel Upgrade

Feature Summary and Revision History

Table 1. Summary Data

Applicable Product(s) or Functional Area | CPS
Applicable Platform(s) | Not Applicable
Default Setting | Not Applicable
Related Changes in This Release | Not Applicable
Related Documentation | Not Applicable

Table 2. Revision History

Revision Details | Release
Kernel upgraded to 4.18.0-193.14.2.el8_2 | 21.1.0
CentOS upgraded to 8.1; Kernel upgraded to 4.18.0-147.5.1.el8_1; Grafana upgraded to 6.7.1-1 | 20.2.0
Kernel upgraded to 3.10.0-957.21.3.el7 | 19.5.0
Kernel upgraded to 3.10.0-957.12.2.el7; Grafana upgraded to 6.2.2-1 | 19.4.0
CentOS upgraded to 7.6 (1810); Kernel upgraded to 3.10.0-957.10.1.el7 | 19.3.0
Kernel upgraded to 3.10.0-957.5.1.el7 | 19.2.0
Kernel upgraded to 3.10.0-957.el7 | 19.1.0
First introduced: kernel upgraded to 3.10.0-862.14.4.el7.x86_64 | 18.5.0

Feature Description

In this release, the kernel is upgraded from 4.18.0-147.5.1.el8_1 to 4.18.0-193.14.2.el8_2 to fix the vulnerabilities listed below.

The following command output shows the new kernel version:

# rpm -qa | grep kernel-[0-9]
kernel-4.18.0-193.14.2.el8_2.x86_64
# cat /etc/redhat-release
CentOS Linux release 8.1.1911 (Core)
# uname -a
Linux lab 4.18.0-193.14.2.el8_2.x86_64 #1 SMP Sun Jul 26 03:54:29 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

For service-related issues, you can use journalctl to retrieve the logs of systemd services.

The following tables list the vulnerabilities that have been fixed as a part of this release:

Table 3. Cisco Internal Alert Manager (CIAM) CVEs

CVE | Name | RPM Upgraded to
CVE-2019-5481 | CentOS 8 : curl (RHSA-2020:1792) | 7.61.1-12.el8
CVE-2020-12049 | CentOS 8 : dbus (RHSA-2020:3014) | 1.12.8-10.el8_2
CVE-2020-11501 | CentOS 8 : gnutls (RHSA-2020:1998) | 3.6.8-11.el8_2
CVE-2020-13777 | CentOS 8 : gnutls (RHSA-2020:2637) | 3.6.8-11.el8_2
CVE-2019-10166 | CentOS 8 : virt:rhel (RHSA-2019:1580) | 4.5.0-42.module_el8.2.0
CVE-2019-10167 | CentOS 8 : virt:rhel (RHSA-2019:1580) | 4.5.0-42.module_el8.2.0
CVE-2019-10168 | CentOS 8 : virt:rhel (RHSA-2019:1580) | 4.5.0-42.module_el8.2.0
CVE-2020-10757 | CentOS 8 : kernel (RHSA-2020:3010) | 4.18.0-193.14.2.el8_2
CVE-2019-3882 | CentOS 8 : kernel (RHSA-2019:3517) | 4.18.0-193.14.2.el8_2
CVE-2019-3887 | CentOS 8 : kernel (RHSA-2019:2703) | 4.18.0-193.14.2.el8_2
CVE-2019-10639 | CentOS 8 : kernel (RHSA-2020:1769) | 4.18.0-193.14.2.el8_2
CVE-2019-18282 | CentOS 8 : kernel (RHSA-2020:1769) | 4.18.0-193.14.2.el8_2
CVE-2019-3016 | CentOS 8 : kernel (RHSA-2020:3010) | 4.18.0-193.14.2.el8_2
CVE-2020-10754 | CentOS 8 : NetworkManager (RHSA-2020:3011) | 1.22.8-5.el8_2
CVE-2020-11080 | CentOS 8 : nghttp2 (RHSA-2020:2755) | 1.33.0-3.el8_2.1
CVE-2019-1549 | CentOS 8 : openssl (RHSA-2020:1840) | 1.1.1g-11.el8
CVE-2019-11034 | CentOS 8 : php:7.2 (RHSA-2020:1624) | 7.2.24-1.module_el8.2.0
CVE-2019-11035 | CentOS 8 : php:7.2 (RHSA-2020:1624) | 7.2.24-1.module_el8.2.0
CVE-2019-11036 | CentOS 8 : php:7.2 (RHSA-2020:1624) | 7.2.24-1.module_el8.2.0
CVE-2019-11039 | CentOS 8 : php:7.2 (RHSA-2020:1624) | 7.2.24-1.module_el8.2.0
CVE-2019-11040 | CentOS 8 : php:7.2 (RHSA-2020:1624) | 7.2.24-1.module_el8.2.0
CVE-2019-9640 | CentOS 8 : php:7.2 (RHSA-2020:1624) | 7.2.24-1.module_el8.2.0
CVE-2019-11041 | CentOS 8 : php:7.2 (RHSA-2020:1624) | 7.2.24-1.module_el8.2.0
CVE-2019-11042 | CentOS 8 : php:7.2 (RHSA-2020:1624) | 7.2.24-1.module_el8.2.0
CVE-2019-11043 | CentOS 8 : php:7.2 (RHSA-2019:3735) | 7.2.24-1.module_el8.2.0
CVE-2019-9022 | CentOS 8 : php:7.2 (RHSA-2020:1624) | 7.2.24-1.module_el8.2.0
CVE-2019-18934 | CentOS 8 : unbound (RHSA-2020:1716) | 1.7.3-11.el8_2
CVE-2020-12663 | CentOS 8 : unbound (RHSA-2020:2416) | 1.7.3-11.el8_2
CVE-2020-12662 | CentOS 8 : unbound (RHSA-2020:2416) | 1.7.3-11.el8_2
CVE-2020-10713 | CentOS 8 : grub2 (RHSA-2020:3216) | 2.02-87.el8_2
CVE-2020-14308 | CentOS 8 : grub2 (RHSA-2020:3216) | 2.02-87.el8_2
CVE-2020-14309 | CentOS 8 : grub2 (RHSA-2020:3216) | 2.02-87.el8_2
CVE-2020-14310 | CentOS 8 : grub2 (RHSA-2020:3216) | 2.02-87.el8_2
CVE-2020-14311 | CentOS 8 : grub2 (RHSA-2020:3216) | 2.02-87.el8_2
CVE-2020-15705 | CentOS 8 : grub2 (RHSA-2020:3216) | 2.02-87.el8_2
CVE-2020-15706 | CentOS 8 : grub2 (RHSA-2020:3216) | 2.02-87.el8_2
CVE-2020-15707 | CentOS 8 : grub2 (RHSA-2020:3216) | 2.02-87.el8_2
CVE-2019-8457 | CentOS 8 : sqlite (RHSA-2020:1810) | 3.26.0-11.el8
CVE-2020-8616 | CentOS 8 : bind (RHSA-2020:2338) | 9.11.20-5.el8
CVE-2020-8617 | CentOS 8 : bind (RHSA-2020:2338) | 9.11.20-5.el8
CVE-2020-11008 | CentOS 8 : git (RHSA-2020:1980) | 2.27.0-1.el8
CVE-2020-5260 | CentOS 8 : git (RHSA-2020:1513) | 2.27.0-1.el8
CVE-2019-19330 | CentOS 8 : haproxy (RHSA-2020:1725) | 1.8.23-5.el8
CVE-2019-18277 | CentOS 8 : haproxy (RHSA-2020:1725) | 1.8.23-5.el8
CVE-2020-11100 | CentOS 8 : haproxy (RHSA-2020:1288) | 1.8.23-5.el8
CVE-2018-14404 | CentOS 8 : libxml2 (RHSA-2020:1827) | 2.9.7-8.el8
CVE-2019-11596 | CentOS 8 : memcached (RHSA-2020:1576) | 1.5.22-2.el8
CVE-2019-10164 | CentOS 8 : postgresql:10 (RHSA-2020:3669) | postgresql-0:10.14-1.module_el8.2.0
CVE-2019-10208 | CentOS 8 : postgresql:10 (RHSA-2020:3669) | postgresql-0:10.14-1.module_el8.2.0
CVE-2020-14349 | CentOS 8 : postgresql:10 (RHSA-2020:3669) | postgresql-0:10.14-1.module_el8.2.0
CVE-2020-14350 | CentOS 8 : postgresql:10 (RHSA-2020:3669) | postgresql-0:10.14-1.module_el8.2.0
CVE-2019-10192 | CentOS 8 : redis:5 (RHSA-2019:2002) | 0:5.0.3-2.module_el8.2.0
CVE-2019-10193 | CentOS 8 : redis:5 (RHSA-2019:2002) | 0:5.0.3-2.module_el8.2.0
CVE-2019-10197 | CentOS 8 : samba (RHSA-2020:1878) | 4.12.3-12.el8.3
CVE-2019-14907 | CentOS 8 : samba (RHSA-2020:1878) | 4.12.3-12.el8.3
CVE-2019-18634 | CentOS 8 : sudo (RHSA-2020:0487) | 1.8.29-6.el8_3.1
CVE-2019-3843 | CentOS 8 : systemd (RHSA-2020:1794) | 239-41.el8_3
CVE-2019-3844 | CentOS 8 : systemd (RHSA-2020:1794) | 239-41.el8_3
CVE-2019-13232 | CentOS 8 : unzip (RHSA-2020:1787) | 6.0-43.el8
CVE-2020-8631 | CentOS 8 : cloud-init (RHSA-2020:4650) | 19.4-11.el8
CVE-2020-8632 | CentOS 8 : cloud-init (RHSA-2020:4650) | 19.4-11.el8
CVE-2021-3156 | CentOS 8 : sudo (RHSA-2021:0218) | 1.8.29-6.el8_3.1
CVE-2019-17006 | CentOS 8 : nss, nspr (RHSA-2020:3280) | nspr:4.25.0-2.el8_2; nss:3.53.1-11.el8_2
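A practical way to use Table 3 is to check that every package on a running node is at or above the "RPM Upgraded to" build. The script below is an added example, not Cisco's or the CPS project's own tooling; it takes a handful of rows from Table 3 written in "CVE | Name | RPM Upgraded to" form, compares them against a constructed sample inventory in the format printed by `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'`, and reports packages that are installed but older than the fixed build. The version comparison reimplements the core of rpm's version ordering (digit runs compared numerically, letter runs lexically, digit runs newer than letter runs, the longer string winning on a tie); rpm's `~` and `^` special cases are left out, as noted in the code.

```python
"""Check installed RPM versions against the fixed versions listed in Table 3 (added example)."""
import re

# Rows taken from Table 3 of this release note, in 'CVE | Name | RPM Upgraded to' form.
FIXED_TABLE = """\
CVE-2019-5481 | CentOS 8 : curl (RHSA-2020:1792) | 7.61.1-12.el8
CVE-2020-12049 | CentOS 8 : dbus (RHSA-2020:3014) | 1.12.8-10.el8_2
CVE-2020-13777 | CentOS 8 : gnutls (RHSA-2020:2637) | 3.6.8-11.el8_2
CVE-2019-18934 | CentOS 8 : unbound (RHSA-2020:1716) | 1.7.3-11.el8_2
CVE-2021-3156 | CentOS 8 : sudo (RHSA-2021:0218) | 1.8.29-6.el8_3.1
CVE-2020-10757 | CentOS 8 : kernel (RHSA-2020:3010) | 4.18.0-193.14.2.el8_2
"""

# Constructed sample inventory (not from a real host) in the form printed by
#   rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
# rpm prints "(none)" when a package has no epoch.
INSTALLED_SAMPLE = """\
curl (none):7.61.1-12.el8
dbus (none):1.12.8-9.el8
gnutls (none):3.6.8-11.el8_2
sudo (none):1.8.29-5.el8
kernel (none):4.18.0-193.14.2.el8_2
"""

_SEG = re.compile(r"\d+|[A-Za-z]+")
_NAME = re.compile(r"CentOS 8 : (\S+) \((RHSA-[\d:]+)\)")


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does: split into digit and
    letter runs, compare digit runs numerically and letter runs lexically, treat a digit
    run as newer than a letter run, and let the string with more segments win on a tie.
    rpm's '~' and '^' special cases are not implemented here."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release); a missing or
    '(none)' epoch counts as 0."""
    epoch = 0
    if ":" in evr:
        head, evr = evr.split(":", 1)
        if head not in ("", "(none)"):
            epoch = int(head)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a, b):
    """Return -1, 0 or 1 comparing two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_fixed_table(text):
    """Return (cve, package, advisory, fixed_evr) tuples from pipe-separated table rows."""
    rows = []
    for line in text.strip().splitlines():
        cve, name, evr = (cell.strip() for cell in line.split("|"))
        m = _NAME.search(name)
        rows.append((cve, m.group(1), m.group(2), evr))
    return rows


def parse_installed(text):
    """Return {package: evr} from 'NAME EPOCH:VERSION-RELEASE' lines."""
    return dict(line.split() for line in text.strip().splitlines())


def find_unpatched(fixed_text, installed_text):
    """Return (unpatched, not_installed): unpatched holds (cve, package, installed_evr,
    fixed_evr) for packages older than the fixed build; not_installed lists table packages
    absent from the inventory, which cannot carry the CVE but are worth confirming."""
    inventory = parse_installed(installed_text)
    unpatched, not_installed = [], []
    for cve, pkg, _advisory, fixed in parse_fixed_table(fixed_text):
        have = inventory.get(pkg)
        if have is None:
            not_installed.append(pkg)
        elif evrcmp(have, fixed) < 0:
            unpatched.append((cve, pkg, have, fixed))
    return unpatched, not_installed


if __name__ == "__main__":
    old, missing = find_unpatched(FIXED_TABLE, INSTALLED_SAMPLE)
    for cve, pkg, have, fixed in old:
        print(f"{cve}: {pkg} installed {have}, fixed in {fixed}")
    print("not installed:", ", ".join(missing))
```

On a real node, replace INSTALLED_SAMPLE with the output of the `rpm -qa --qf` command shown in the comment; note that `rpm -qa` lists every installed kernel package, so the running kernel should be confirmed with `uname -r` as shown earlier in this section.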

Support to Restrict NTP and Grafana Service Ports

Feature Summary and Revision History

Table 4. Summary Data

Applicable Product(s) or Functional Area | CPS
Applicable Platform(s) | Not Applicable
Default Setting | Enabled - Always-on
Related Changes in This Release | Not Applicable
Related Documentation | Not Applicable

Table 5. Revision History

Revision Details | Release
First introduced | 21.1.0

Feature Description

CPS now restricts the NTP and Grafana service ports so that they can be reached only through the internal network.

Previous Behavior:

  • Policy Director (LB) VMs accepted NTP time synchronization requests on both the internal and the external interface (port 123).

  • The Grafana server's default port 3000 was listening on all interfaces, which exposed the service to attacks from external networks.

New Behavior: In this release:

  • Incoming time synchronization requests from external sources are blocked, that is, Policy Director (LB) VMs cannot act as an NTP server for external clients. Policy Director (LB) VMs continue to synchronize their time from external NTP servers, as in previous releases.

  • The Grafana service is bound to the internal interface, which restricts external access.

  • Chronyd allows only one bind address.
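To confirm on a Policy Director (LB) VM that the change has taken effect, the listening sockets can be audited directly. The script below is an added example, not part of the release note or of CPS; it parses the output of `ss -tulnp` and flags any socket on port 123 or 3000 that is not bound to an internal address. The two samples of `ss` output and the internal address 10.0.0.5 are constructed for illustration; the "before" sample shows chronyd and grafana-server on the wildcard addresses, the "after" sample shows them bound to the single internal address, as the bullets above describe.

```python
"""Audit listening sockets so NTP (123) and Grafana (3000) are bound only to internal addresses (added example)."""
import re

# Constructed sample of `ss -tulnp` output for a Policy Director (LB) VM before the change.
SS_BEFORE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*         users:(("chronyd",pid=812,fd=5))
udp   UNCONN 0      0      [::]:123            [::]:*            users:(("chronyd",pid=812,fd=6))
tcp   LISTEN 0      128    0.0.0.0:3000        0.0.0.0:*         users:(("grafana-server",pid=1201,fd=8))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""

# Constructed sample after the change: both services bound to the (hypothetical) internal
# address 10.0.0.5 only; sshd is outside the scope of the restriction.
SS_AFTER = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      10.0.0.5:123        0.0.0.0:*         users:(("chronyd",pid=812,fd=5))
tcp   LISTEN 0      128    10.0.0.5:3000       0.0.0.0:*         users:(("grafana-server",pid=1201,fd=8))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""

RESTRICTED_PORTS = {123, 3000}          # NTP and Grafana, per the feature description
_PROC = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(text):
    """Yield (proto, local_addr, port, process) for each socket line of `ss -tulnp` output."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] == "Netid":   # skip blank lines and the header
            continue
        addr, _, port = cols[4].rpartition(":")   # rpartition keeps IPv6 addresses intact
        m = _PROC.search(line)
        yield cols[0], addr.strip("[]"), int(port), (m.group(1) if m else "?")


def audit_listeners(text, internal_addrs, restricted_ports=RESTRICTED_PORTS):
    """Return sockets on restricted ports whose bind address is not an internal address.
    Wildcards (0.0.0.0, ::) and any external address are reported."""
    findings = []
    for proto, addr, port, proc in parse_ss(text):
        if port in restricted_ports and addr not in internal_addrs:
            findings.append((proto, addr, port, proc))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SS_BEFORE), ("after", SS_AFTER)):
        hits = audit_listeners(sample, {"10.0.0.5"})
        print(label, "exposed sockets:", hits or "none")
```

Run it against live output with `ss -tulnp | python3 audit.py` after reading stdin instead of the sample strings; the set of internal addresses should come from the VM's internal interface configuration, since the script cannot tell internal from external addresses on its own.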