**POTENTIAL FALSE POSITIVE** RHSA-2021:0339 - Linux-Firmware Security Update - Red Hat Enterprise Linux 7 (x86_64)

This update is specific to Bluetooth, and is reporting relevant on both VM and physical servers without BT components installed?
If BT is not enabled/detected, should this not be relevant?
https://bugzilla.redhat.com/show_bug.cgi?id=1893914

Can you take the 3 relevance statements from the RHSA-2021:0339 fixlet (ID#21033901 in my lab) and run them against the RHEL endpoints in question in order to determine which one is causing the fixlet to provide the false positive in question? This can be done via the integrated QNA utility installed with the BESClient (on Linux /opt/BESClient/bin/qna) or the Query feature/utility within the WebUI.

Assuming that it’s the 1st or 2nd statement, then we’ll have to determine which of the packages being queried is causing this condition within your environment.

@cmcannady @bma have received this statement from Red Hat -

"The issue/vulnerability requires that the system have a Bluetooth device to be exploited.

The upstream Intel bulletin lists the specific devices which are impacted:

As you note, server hardware (nor VMs) would typically have any of this so shouldn’t be impacted."

The relevance in the Fixlet is just detecting whether this firmware version has been installed; the scope (with relevance) needs to limit the Fixlet to installed/active BT in the firmware versions listed per Intel’s article.

Well, sure, it’s a patch’s applicability, not a vulnerability assessment.

1 Like

Agree but according to Intel -

Affected Products:
Intel® Wireless Bluetooth® products:

Intel® Wi-Fi 6 AX201
Intel® Wi-Fi 6 AX200
Intel® Wireless-AC 9560
Intel® Wireless-AC 9462
Intel® Wireless-AC 9461
Intel® Wireless-AC 9260
Intel® Dual Band Wireless-AC 8265
Intel® Dual Band Wireless-AC 8260
Intel® Dual Band Wireless-AC 3168
Intel® Wireless 7265 (Rev D) Family
Intel® Dual Band Wireless-AC 3165

1 Like

I haven’t actually dug into their repo yet, but I think Red Hat published updated RPM packages to their Server repos.
Of course each customer makes their own determination on risk posture, but I think if Red Hat published an update, tagged it as an RHSA, I’d want the Fixlet to detect and apply it.

I don’t argue it’s unnecessary on (most) Server hardware, but I also wouldn’t necessarily regard it as a false-positive. Bluetooth could be disabled now and turned back on later (and become vulnerable), and it’s not unusual to run Server operating systems on Workstation-class machines (or even some of the laptops on my shelf); and I could also consider that what I thought was a fully-patched Server image could suddenly become vulnerable when cloned to one of these devices if we excluded the fixlet based on the current hardware.

1 Like
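
The distinction argued in this thread, patch applicability versus current exposure, can be reported as two separate facts per endpoint. The following is an added example, not part of the thread, not BigFix relevance and not taken from the Fixlet; the function names and the three result labels are hypothetical, and it assumes the kernel exposes Bluetooth controllers as `hciN` entries under `/sys/class/bluetooth`.

```shell
#!/bin/sh
# Added example: separate "patch applicable" (linux-firmware RPM installed)
# from "Bluetooth controller currently registered with the kernel".
# Function names and result labels are hypothetical.

# bt_controllers [SYSFS_ROOT] -> prints controller names (hci0, hci1, ...)
bt_controllers() {
    root=${1:-/sys}
    for d in "$root"/class/bluetooth/hci[0-9]*; do
        [ -e "$d" ] || continue          # glob did not match anything
        name=${d##*/}
        case $name in *:*) continue ;; esac   # skip per-connection entries
        echo "$name"
    done
    return 0
}

# pkg_installed -> yes|no, based on the RPM database
pkg_installed() {
    if command -v rpm >/dev/null 2>&1 && rpm -q linux-firmware >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# classify PKG_INSTALLED(yes|no) [SYSFS_ROOT]
classify() {
    pkg=$1
    root=${2:-/sys}
    if [ "$pkg" != yes ]; then
        echo "not-applicable"            # package absent: nothing to patch
    elif [ -n "$(bt_controllers "$root")" ]; then
        echo "applicable-bt-present"     # patch applies and BT hardware is live
    else
        echo "applicable-no-bt"          # patch applies, no controller right now
    fi
}

# Report for the local host
classify "$(pkg_installed)" /sys
```

An `applicable-no-bt` result reflects only the current state: a controller whose driver is not loaded, or hardware added later (for example after cloning the image to another machine), will not appear under sysfs at the time of the check.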