Are there plans to upgrade the following packages in Foreman install to address a vulnerability with the currently installed version of the noted packages? I am currently running Foreman 3.9.1
CVE-2022-29599
Package | Installed Version | Required Version
slf4j | 1.7.25-4.module_el8.6.0+2752+f1f3449e.noarch | 1.7.28-3.module_el8.6.0+2786+d7c38b21
apache-commons-lang3 | 3.7-3.module_el8.6.0+2752+f1f3449e.noarch | 3.9-4.module_el8.6.0+2786+d7c38b21
These package dependencies report that these packages are required for candlepin.
From what I can see, this was fixed in https://access.redhat.com/errata/RHSA-2022:4797 and https://access.redhat.com/errata/RHSA-2022:4798 back in 2022.
The packages you mention come from your OS repos, not from Foreman (they come from the appstream repo), so why exactly are you asking for an update from Foreman?
With current OS repos, you should be able to simply update them via dnf update.
I think I have a clearer picture of what is going on here. The package triggering the CVE finding is apache-commons-lang3. This package belongs to the maven module and the default enabled version is 3.5. To access the versions required to address the finding, I need to enable module version 3.6.
I’m going to enable it in my QA testing environment to see if this allows the updated package to apply and that Foreman services are not affected.
The slf4j package targeted by the finding may be a false positive based on the version I currently have installed.
Not sure what kind of “finding” you are referring to, but it sounds like some vulnerability scanner or something similar flagged that.
In that case, as a general rule of thumb: If these scanners just compare version numbers, they are generally useless on RHEL and its derivatives. RHEL always keeps the version number for the package that was used when the RHEL version or the stream was released, but there will be backports of fixes for security flaws or other bugs. If your scanner does not account for how Red Hat-based OSes (or I guess, most Linux distros) work, it won’t do a lot for you.
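An added example, not from this thread or from the Foreman project, covering both points raised above: the module-stream switch needed to reach the newer maven packages, and the fact that a version-number comparison alone cannot tell you whether a fix was backported. The `dnf module` and `rpm -q --changelog` commands in the comments are real commands that would be run on the host; the changelog text embedded in the script is constructed sample data so the check itself runs offline, and the "3.7-4" entry in it is a placeholder, not a claim about the real package.

```shell
#!/bin/sh
# Added example (not from the thread). On a real EL8 host the procedure is:
#   dnf module list maven                 # see which maven streams exist and which is enabled
#   dnf module enable maven:3.6           # switch to the stream that carries the newer packages
#   dnf update apache-commons-lang3 slf4j # pull the updated builds
# And to check whether an *installed* build already carries a backported fix
# regardless of its version number:
#   rpm -q --changelog apache-commons-lang3 | cve_in_changelog CVE-2022-29599

# Returns 0 if the given CVE id appears in changelog text read from stdin.
# Matching is case-insensitive and the id is passed after -- so it is never
# mistaken for a grep option.
cve_in_changelog() {
    cve="$1"
    grep -qi -- "$cve"
}

# Constructed sample changelog: the version still reads 3.7, but an entry
# records a backported fix. Placeholder data, not the real package changelog.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Example Maintainer <maint@example.com> - 3.7-4
- Backport fix for CVE-2022-29599 (constructed placeholder entry)
* Tue Mar 01 2022 Example Maintainer <maint@example.com> - 3.7-3
- Initial module build'

# Runs the check against the constructed sample so it works without rpm.
sample_has_cve() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog "$1"
}

# Prints the verdict a reviewer of a scanner finding would want to see.
report() {
    if sample_has_cve "$1"; then
        echo "$1: fix recorded in changelog (backport); version comparison alone would miss it"
    else
        echo "$1: not mentioned in changelog; confirm against the vendor errata"
    fi
}

report CVE-2022-29599
report CVE-0000-0000
```

Substituting `rpm -q --changelog <package>` for the embedded sample gives the same verdict for a real installed package; the vendor errata (the RHSA pages linked earlier in the thread) remain the authoritative cross-check when the changelog does not name the CVE.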