First, go to RedHat CVE database and search for CVE-2024-1086. It will lead you to this page, which lists the errata that fixed the CVE in each RHEL release.
For basic RHEL 8.x (i.e. the latest patch level), that'll be RHSA-2024-1607, and for RHEL 8.8 Extended Update Support, that'll be RHSA-2024-1404.
Since you are apparently running RHEL 8.8 by your kernel version number, look at the Updated Packages tab on RHSA-2024-1404 page.
It tells you that the kernel package that first contained the patch for your release is kernel-4.18.0-477.51.1.el8_8.x86_64.rpm
.
You are running kernel release 4.18.0-477.55.1.el8_8.x86_64
. The patch level 477.55.1.el8_8
is greater than 477.51.1.el8_8
, so yes, your kernel is patched and you are not vulnerable.
The client's scanner might be unaware of RHEL 8.8 Extended Support, and so would "want" to see kernel version 4.18.0-513.24.1.el8_9.x86_64
or greater, which would be the answer if you had updated to RHEL 8.9 or greater. But if you are using RHEL 8.8 Extended Support, the most common reason for that is that there is an expensive application that either doesn't support RHEL 8.9 yet, or simply the app is not certified for it and the client wants/needs the application in a certified state.
A kernel version should not be considered a single incrementing line, but a tree graph, as there can be several special-purpose kernel sub-series. As you can see in the RedHat CVE database page linked above, RHEL 8.x series includes at least:
- the RHEL 8.x "main" kernel series
- -rt (real-time enhanced) kernels
- 8.2 Advanced Update Support kernels
- 8.4 Advanced Mission Critical kernels
- 8.4 Telecommunications kernels
- 8.4 and 8.6 for SAP kernels
- 8.6 and 8.8 Extended Update kernels
All of these have their own kernel RPMs, with their own patch level numbers. If you use any of the special-purpose kernel series, your client should verify that their vulnerability scanner also knows about that particular kernel series, or you will get false positives.
If there is doubt whether a vulnerability is patched or not, it is important to check the latest applicable patch level information in the vendor's CVE database.
Checking just the RPM changelog may indicate that a vulnerability has been patched, but it won't tell you if the security researchers later realized "oops, it turned out the initial patch won't provide complete protection, here's a better patch". In situations like that, the vendor's CVE database should point you straight to the later patch.
And so, you can be confident that if your RPM patch level is equal or greater than the level reported as fixed in the CVE database, and that version is actually running, then the vulnerability is well and truly fixed according to the best available information.
rpm
command strongly suggests the patch has been installed; the next step is to rununame -r
and verify that the kernel version that is actually running matches or exceeds the version of the kernel package that brought the patch.4.18.0-477.55.1.el8_8.x86_64
but not sure if this kernel version is vulnerable or not, or how to check that.5.0.2
was older than the required4.7
.