Linux distributions support the parallel installation of multiple kernel versions. When installing a new kernel, a boot entry and an 'initrd' are automatically created, so no further manual configuration is needed.
Now, what about the vulnerabilities detected on non-running kernels?

Argument from Linux support teams:
A non-running kernel with vulnerabilities does not pose a threat to your system; the kernel must be booted for those vulnerabilities to become an issue. So if you truly never boot the older kernels, you are not exposed to the vulnerabilities.
Argument from VM vendors:
We cannot know if the machine is rebooted into a vulnerable kernel at times, we simply know that it is possible. And so we assume the worst and include those vulnerabilities.
Please refer to the URLs below for more details:
https://success.qualys.com/discussions/s/question/0D52L00004Tnxc8SAB/linux-authenticated-scans-non-running-kernels
https://security.stackexchange.com/questions/243688/vulnerabilities-for-multiple-kernel-versions-that-are-installed-on-a-given-serve#:~:text=As%20per%20Exclude%20or%20display%20vulnerabilities%20for%20non-running%20Linux%20kernels
So, Qualys has an option to exclude non-running kernel vulnerabilities from the report, but other VM vendors have not caught up on this.
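Whichever side of the argument you take, the first thing to establish on a host is which installed kernels are not the running one. The script below is an added example, not from the original post or from any VM vendor: it compares `uname -r` with the kernel packages reported by dpkg or rpm (the package name patterns are assumptions and may differ per distribution), and exposes the comparison as a pure function so it can be exercised offline against a constructed sample list.

```shell
#!/bin/sh
# Added example: list installed kernel versions that are not currently booted,
# so a "non-running kernel" finding can be checked against the host.
# Assumes Debian/Ubuntu (dpkg) or RHEL/Fedora (rpm) package naming.

# installed_kernels: print one installed kernel version per line.
installed_kernels() {
    if command -v dpkg-query >/dev/null 2>&1; then
        # e.g. "linux-image-5.15.0-91-generic install ok installed"
        dpkg-query -W -f='${Package} ${Status}\n' 'linux-image-[0-9]*' 2>/dev/null \
            | awk '$4 == "installed" { sub(/^linux-image-/, "", $1); print $1 }'
    elif command -v rpm >/dev/null 2>&1; then
        # VERSION-RELEASE.ARCH matches the format of `uname -r` on RPM systems
        rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel kernel-core 2>/dev/null \
            | grep -v 'not installed'
    fi
}

# non_running_kernels RUNNING LIST: print every version in LIST (newline
# separated) that differs from RUNNING. Pure function, no host access.
non_running_kernels() {
    running="$1"
    printf '%s\n' "$2" | awk -v r="$running" 'NF && $1 != r'
}

# report: compare the booted kernel with the installed ones on this host.
# Returns 1 when there is at least one non-running kernel installed.
report() {
    running=$(uname -r)
    others=$(non_running_kernels "$running" "$(installed_kernels)")
    if [ -z "$others" ]; then
        echo "Only the running kernel ($running) is installed."
        return 0
    fi
    echo "Running kernel: $running"
    echo "Installed but not running (remove, or exclude from the VM report):"
    printf '%s\n' "$others"
    return 1
}

# Constructed sample (not real package output) used for the offline demo.
SAMPLE_INSTALLED='5.15.0-91-generic
5.15.0-88-generic
5.15.0-84-generic'

case "${1:-}" in
    --check) report ;;                       # inspect the live host
    *) non_running_kernels "5.15.0-91-generic" "$SAMPLE_INSTALLED" ;;
esac
```

Run it with `--check` on a real host; without arguments it only evaluates the constructed sample and prints the two older versions. Removing the versions it lists (with the distribution's package manager) makes the VM finding go away for good, while keeping them means the report exclusion is the only thing standing between the finding and a reboot into the older kernel.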
In terms of the CIA triad, I see this as a fight between 'Confidentiality' and 'Availability': VM vendors want non-running kernels removed in the name of 'Confidentiality', while platform teams are more concerned about 'Availability'.
No verdict from my end; I will leave this debate open-ended.
Happy Learning !!
VulnerabilityManagement Cybersecurity