Is Rocky Linux 8 affected by CVE-2022-23491?

Hi Team,
Our scanners are complaining about CVE-2022-23491.
Path: /opt/python-3.7.3/lib/python3.7/site-packages/certifi-2021.10.8.dist-info has this CVE, and the fixed version is said to be 2022.12.07 for the certifi package in Python.
I could not find any related information in the Rocky Linux documentation. Can someone educate me on this? I also did not find anything in the RHEL documentation for RHEL 8.

It’s enough to google "rhel8 CVE-2022-23491", and the very first result is: False positive in RHACS for CVE-2022-23491 - Red Hat Customer Portal

Whilst that particular result applies to RHEL-based containers, it would be enough to assume that the package has been fixed and the problem is your vulnerability scanner reporting a false positive.

The other problem here is that the python under /opt doesn’t look like an officially supplied package from RHEL/Rocky, which would therefore mean you or someone has installed a package outside of the RHEL/Rocky repositories, in which case the problem is for you to resolve by updating what was installed outside of dnf/yum, etc. If you do not wish to do that, then remove it and only use official packages from the RHEL/Rocky repositories.
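A check for what the reply above describes, added here as an example rather than code from the thread: it scans a site-packages directory for certifi dist-info entries and reports whether each one predates the fixed 2022.12.07 release, which is the comparison the scanner is making. The temporary site-packages tree it builds is a constructed sample, and `audit_site_packages` and the other names are my own.

```python
"""Audit a non-RPM Python tree for a certifi release older than the CVE-2022-23491 fix."""
import os
import re
import tempfile

# Fixed release named in the thread: CVE-2022-23491 is fixed in certifi 2022.12.07.
CERTIFI_FIXED = "2022.12.07"

# Matches dist-info directories such as "certifi-2021.10.8.dist-info".
DIST_INFO_RE = re.compile(r"^certifi-(?P<ver>[0-9][0-9.]*)\.dist-info$", re.IGNORECASE)


def version_key(version):
    """Turn a dotted release string such as '2021.10.8' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version):
    """True when the installed certifi release predates the fixed release."""
    return version_key(version) < version_key(CERTIFI_FIXED)


def audit_site_packages(site_packages):
    """Return [(dist_info_path, version, vulnerable)] for every certifi found."""
    findings = []
    for name in sorted(os.listdir(site_packages)):
        match = DIST_INFO_RE.match(name)
        if match is None:
            continue
        version = match.group("ver")
        findings.append((os.path.join(site_packages, name), version, is_vulnerable(version)))
    return findings


def build_constructed_fixture():
    """Create a throwaway site-packages tree mimicking the scanner finding (constructed sample)."""
    root = tempfile.mkdtemp(prefix="site-packages-")
    for dist in ("certifi-2021.10.8.dist-info", "urllib3-1.26.8.dist-info"):
        os.mkdir(os.path.join(root, dist))
    return root


if __name__ == "__main__":
    for path, version, vulnerable in audit_site_packages(build_constructed_fixture()):
        status = "UPDATE NEEDED (< %s)" % CERTIFI_FIXED if vulnerable else "ok"
        print("%s  certifi %s  %s" % (path, version, status))
```

On the host, `rpm -qf /opt/python-3.7.3/bin/python3` tells you whether that tree is RPM-managed at all; a "not owned by any package" answer confirms the reply's point that dnf will never update it and certifi has to be upgraded in that installation directly.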

Thanks @iwalker, the actual issue was that I did not see RHEL 8 in the CVE document from RHEL cve-details, which means the python shipped with RHEL 8 does not have this service as a separate one. So the explanation you provided about it being installed separately by a developer seems to be correct, and we might have to upgrade it independently. Thanks for the explanation. We have recently switched to Rocky OS, so we are a little new and might ask some silly questions, but thanks for answering.
