Hi,
Recently I upgraded my VyOS VM (hosted on VMware) to version 1.3.0-epa3 to eliminate the previously reported security vulnerabilities. But today OpenVAS reports a higher level of risk for upgraded VyOS (when scanning from inside of the system) as previous.
The following vulnerabilities were found:
Debian: Security Advisory for strongswan (DSA-4989-1) - 7.5 (High)
Debian: Security Advisory for postgresql-11 (DSA-5006-1) - 5.0 (Medium)
Missing Linux Kernel mitigations for ‘iTLB multihit’ hardware vulnerabilities - 6.5 (Medium)
Missing Linux Kernel mitigations for ‘MDS - Microarchitectural Data Sampling’ hardware vulnerabilities - 5.6 (Medium)
Missing Linux Kernel mitigations for ‘SSB - Speculative Store Bypass’ hardware vulnerabilities - 5.5 (Medium)
The first two vulnerabilities concern outdated packages in the system. Is it possible to install newer versions of these packages in VyOS or uninstall them completely?
Hello @Dmitry,
Yes, i’m pretty sure that scanner checked VyOS internally via SSH session. I haven’t installed any additional packages on this VyOS, especially postgresql-11. It’s a clean system with no manually installed additions.
Dave
Hi @Dave , check please installed packages sudo dpkg -l | grep postgre
In the next EPA release or LTS, packets should be updated automatically, but you always can find the required packet on the Debian repo and update it manually, like dpkg -i package_file
I have updated all the Debian packages indicated in the report and the vulnerability rating has dropped significantly. Only hardware or hypervisor-related vulnerabilities remain:
