Changes to Oracle Linux Ksplice Logic

Plugin

All kernel plugins for Oracle Linux

Target Release Date

Tuesday, September 7th, 2021

Change

We currently check CVEs from a security advisory against a list of Ksplice patches installed on the machine. When a Ksplice patch name contains a CVE, we are able to verify that the CVE was patched on the host. 

Unfortunately, not all Ksplice patch names contain the CVE they patch, and this was found to generate false positives. Rather than relying on CVEs to be found in Ksplice patch names, we now compare the effective kernel version against the kernel version supplied by Oracle Linux in their OVAL Advisory. 

Impact

All Oracle Linux kernel plugins will be affected by this improvement. Customers should see more accurate kernel checks against the effective kernel version since we will no longer rely on the CVE in the Ksplice patch name.