Current (Feb 2024) High-Severity unfixed Linux Kernel CVEs
[Originally posted on ServerFault, was told it would fit better here]
Our vulnerability scanner (AWS Inspector V2) in the last couple of weeks started reporting ~10 High severity CVEs with the Linux kernel in our version of Debian (Bookworm, upgraded to latest available kernel version - 6.1.76) used by our app's Docker image, along with dozens more Medium severity CVEs. All of these are unfixed / unpatched. There are also a couple affecting nss and expat packages, but most are Linux itself.
We've actually never seen multiple High severity CVEs go unpatched for this long before - not sure if in the past similar ones were just not yet triaged or reported by our scanner.
These vulnerabilities, as far as I can tell, seem to:
- Mostly affect essentially every version of the Linux kernel up to ones not available in any Debian version (or other major distro versions, like RHEL)
- Go back multiple years - most are from 2023/2024, but there's one High severity one from 2021, and multiple Medium severity ones from 2020
Here is the list of High severity Linux vulnerabilities we see (Debian CVE links included, but these are Linux kernel):
- CVE-2023-6535 - linux
- CVE-2024-0841 - linux
- CVE-2023-6270 - linux
- CVE-2023-6356 - linux
- CVE-2021-3847 - linux
- CVE-2024-21803 - linux
- CVE-2021-3864 - linux
- CVE-2023-2176 - linux (can't add link due to reputation requirement)
- CVE-2024-23307 - linux (can't add link due to reputation requirement)
- CVE-2023-6536 - linux (can't add link due to reputation requirement)
- CVE-2023-3640 - linux (can't add link due to reputation requirement)
You can see one of these CVEs affecting all of the newer RHEL versions, for example (although they classify it as a Moderate severity rather than high): https://access.redhat.com/security/cve/CVE-2023-3640
We're getting closer to our internal SLAs for resolving High severity CVEs, and with no OS patch fixes in sight, and seemingly many other Linux distros similarly affected, are not quite sure what to do. So... my questions are:
- Is our vulnerability scanner just being overly sensitive with these? Should we "suppress" them until fixes are available? Reading through a couple, I'm guessing exploits for most, given how our app works, are unlikely, but it's hard to really know if they are impossible
- Is there some other course we should take here? Should we be trying to port our app to a different Linux distro? AWS was happy to tell us that Amazon Linux is mostly unaffected, but given they use the same Linux kernels as everyone else, they may just be ignoring the same CVEs rather than truly unaffected.
