  1. Red Hat Insights Engineering
  2. RHINENG-15100

Every Satellite 6 version is showing falsely affected by CVE-2014-0241 in Vulnerability service


    • Important
    • 5

      ** Note that this is a public ticket, please refrain from adding any sensitive data. **

      Description of Problem

      Before opening this JIRA, the CVE https://access.redhat.com/security/cve/CVE-2014-0241 used to show "Red Hat Satellite 6" as affected and "Red Hat Satellite 6.0" as fixed.

      After reaching out to secalert@redhat.com about this and a few other CVEs, the SR INC3253909 was opened and much of the CVE information was corrected, including this one.

      Now if we open the CVE, it shows a list of two "Red Hat Satellite 6.0" entries and the status is Fixed. But if I register a Satellite 6.11 or 6.14 or 6.15 with Red Hat Insights, then the Satellite still shows up as affected by the CVE CVE-2014-0241, and that is very much misleading.

      How reproducible

      Always

      Steps to Reproduce

      1. Install a Satellite 6.X version
      2. Register it with Insights
      3. Check the system profile in Insights Inventory and then navigate to the list of CVEs.

      Actual Behavior

      If we clear the "Available" filter, then among many, CVE-2014-0241 is also showing up as affecting the system, which it should not.

      Expected Behavior

      No such false-positives

      Business Impact / Additional info

      End-users cannot trust the data provided by Red Hat on CVEs due to many false-positives reported by the Vulnerability service.

              psegedy Patrik Segedy
              rhn-support-saydas Sayan Das