SQLite on RockyLinux 8.7

I currently have a RockyLinux 8.7 host running SQLite 3.26.0.

We are currently undergoing an audit, and this version of SQLite has been flagged as a security vulnerability. However, when I run DNF it tells me that there are no updates for it.

How can I update the package in such a case?

Also we do not use SQLite for anything in our workloads. All this server needs running from my point of view is: SAMBA, SFTP, SSH and NTP.

Hi there,

What tool is reporting the vulnerability, and does it say what CVE it is supposedly vulnerable to? RHEL (and Rocky) have a policy of backporting security fixes into older versions of software, which can often cause false positives from security tools which are simply matching on a version string and not understanding the backport policy which may have fixed a vuln.

In this case, I am not seeing any vulnerabilities in sqlite since November of 2022, which released version 3.26.0-16.

@neil Thanks for the quick reply!

The vulnerability has been notified by Qualys. Here are the details:

  • OS: Rocky Linux 8.7
  • Title: SQLite resetAccumulator and Heap Buffer Overflow Vulnerability
  • CVSS2: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  • CVSS3: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • ResultStatus: CE+ Failure V 7.0-8.9 - high
  • Impact: Successful exploitation allows a remote attacker to execute arbitrary code on the targeted system.
  • Solution: The vendor has released fix to address this vulnerability. Please update to latest version of sqlite3.

I’m very unsure why it’s reporting that. As near as I can tell, it is referring to CVE-2020-13871 [1], which is not applicable [2] to any version of RHEL. That vulnerability is only existing in SQLite 3.32.2, which is not available in any RHEL/Rocky version at this time. It is possible that you have other software which bundles this SQLite version, and that is what Qualys is detecting.

[1] NVD - CVE-2020-13871
[2] Red Hat Customer Portal - Access to 24x7 support and knowledge

I don’t understand.

According to:
https://rockylinux.pkgs.org/8/rockylinux-baseos-aarch64/

I have 3.26.0-16, and this is the latest version reported here:
https://rockylinux.pkgs.org/8/rockylinux-baseos-aarch64/sqlite-3.26.0-16.el8_6.aarch64.rpm.html

And this is the version that Qualys is reporting the vulnerability for.

I did not install SQLite for any of my needs. Can I uninstall? How can I know if it is safe to uninstall?

Chances are Qualys is reporting it wrong. So to explain, if Qualys thinks that the CVE was fixed in version 3.32.3, then Qualys most likely sees any version earlier than 3.32.3 as being vulnerable, without actually checking properly.

For example, with Nessus, if I do not allow Nessus SSH access to my server to actually check/verify, it just reports that Apache is vulnerable to something, and yet it’s not. Once it obtained SSH access and could scan what was actually installed, etc, it then reported correctly.

This unfortunately is a little annoying with security scanners, when they go by the version number, rather than actually checking, was that vulnerability for just version 3.32.2 or was it for earlier versions as well. Going by the CVE, the only version vulnerable is 3.32.2. And since your version is not 3.32.2 then you are not vulnerable, and Qualys is reporting a false positive.

Incidentally, I scanned my Rocky8 with sqlite installed, and it doesn’t report any problems/vulnerabilities. Which means it has scanned it properly, unlike Qualys.

You can do:

dnf remove sqlite

but if you see a load of other packages being removed as well, you need to check/verify and ensure they are not a package you need. Sometimes sqlite can be pulled in as a dependency.
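
An added example, not part of any post in this thread: one way to triage a version-string finding like this one is to look for the CVE id in the package's own changelog (`rpm -q --changelog`) and to dry-run the removal (`dnf remove --assumeno`) before deciding anything. The function names, the sample changelog and the CVE ids in it are constructed placeholders, not the real sqlite changelog.

```shell
#!/bin/sh
# Added example (not from the thread): triage a version-string scanner finding.

# Constructed sample in the layout printed by `rpm -q --changelog <pkg>`.
# Entries and CVE ids are placeholders, NOT the real sqlite changelog.
SAMPLE_CHANGELOG='* Tue Nov 01 2022 Example Maintainer <maint@example.invalid> - 3.26.0-16
- Fixes CVE-0000-0001

* Mon Jan 10 2022 Example Maintainer <maint@example.invalid> - 3.26.0-15
- Fixes CVE-0000-0002 and CVE-0000-0003'

# Read a changelog on stdin; print the version-release of every entry whose
# body names CVE id $1. Exit 0 if any entry matched, 1 otherwise.
backported_in() {
    awk -v cve="$1" '
        BEGIN  { pat = toupper(cve) "([^0-9]|$)" }   # do not match a longer id
        /^\* / { rel = $NF; next }                    # header: last field is version-release
        toupper($0) ~ pat { print rel; found = 1 }
        END    { exit found ? 0 : 1 }
    '
}

# Classify one finding: $1 = package, $2 = CVE id, changelog on stdin.
triage() {
    rel=$(backported_in "$2" | head -n 1) || true
    if [ -n "$rel" ]; then
        echo "FIXED-BY-BACKPORT $1 $2 in $rel"
    else
        # Absence proves nothing: the vendor may rate the build as not affected.
        echo "NOT-IN-CHANGELOG $1 $2"
    fi
}

# On a real host (hypothetical helper, never called here): same check against
# the installed package, then a dry run of the removal to see dependents.
triage_installed() {
    rpm -q --changelog "$1" | triage "$1" "$2"
    dnf remove --assumeno "$1" || true   # --assumeno prints the transaction and aborts
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | triage sqlite CVE-0000-0002
printf '%s\n' "$SAMPLE_CHANGELOG" | triage sqlite CVE-0000-0009
```

A `NOT-IN-CHANGELOG` result means the finding still has to be checked against the vendor's page for that CVE, since a CVE that never affected the packaged version will not appear in the changelog either.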

@iwalker thanks so much for the reply. It turns out that our auditor has seen the light on this, and you are right on the money. Here is what he said (about the SQLite report), after reading this thread:

This was reported as an issue on Linux 8 [sic]. However, it has been re-assessed at the beginning of December as CVSS 5.4 therefore it doesn’t need to be patched [for the certification being pursued]. I will mark it as a False Positive.

Well… That was emotional!!! Thank you guys so much for your help. :hugs: