Patching CentOS: What You Need to Know
CentOS patches are in high demand — with CentOS 6 and CentOS 8 end-of-life and no longer supported by the community, many systems are vulnerable to attacks. But it's not enough to just install a security patch and call it day. Knowing when to patch CentOS vs. up/downgrade to a supported version (or migrate to a CentOS alternative) can be tricky to determine, but it's an essential part of CentOS security.
In this blog, our expert offers tips on how and when to patch CentOS and patch management best practices to keep CentOS protected from vulnerabilities.
Why Patching CentOS Is Important
Software updates, which often come in the form of patches, provide improved features and functionality, while repairing defects and eliminating exploitable security problems. For operating systems like CentOS, updates are essential to keeping organizational infrastructure available, stable, and safe. At the same time, updates increase end-user satisfaction by improving performance and fixing other known productivity problems that have been discovered since the original software release.
Ongoing maintenance of software like CentOS can also reduce costs by avoiding the heavy burden of accumulated technical debt and avoiding the productivity consequences and reputation damage that can result from unplanned outages and/or data leaks.
Back to topWhen to Update vs. When to Upgrade CentOS
Updates should be driven primarily by external forces to avoid immediate negative consequences. Upgrades should be driven primarily by internal forces to leverage emerging improvements.
Updates protect systems from attacks by applying security patches that minimize or eliminate an attack vector, and they help keep a system stable and performant by fixing defects in existing features or functionality. Upgrades, on the other hand, lay a new foundation that consolidates all previous fixes into a new install and adds new features and functionality to improve the overall system performance and user experience.
Updates guarantee backward compatibility, which introduces less risk to applications. Upgrades do not always guarantee backward compatibility, so they are released to make more dramatic underlying changes (sometimes compatibility breaking changes) that require more rigorous testing and changes to downstream applications before adopting.
With CentOS and any business-critical software, it is advisable to diligently keep up with both updates and upgrades; however, that doesn't mean apply all updates, much less upgrades, immediately.
Updating and upgrading are equally important activities, but they differ in motivation and procedure. Updates require a patch management strategy that is tuned toward a reactionary posture, whereas upgrades follow a roadmap with proactive horizon planning in stages.
Need Long-Term Support for EOL CentOS?
OpenLogic offers both technical and long-term support for CentOS 6, 7, and 8, with patches for high-severity CVEs. We can also help you with your CentOS migration strategy.
You should continuously patch as protection from bad actors and to stay closer to mainline changes coming in future upgrades or, in the case of CentOS, behaviorally compatible alternatives (i.e. Rocky Linux, AlmaLinux). To be clear, continuously doesn't equate to immediately. A solid CentOS patch management strategy will categorize and prioritize patches based on the risks and needs of your systems.
It is desirable to defer patches for a short period of time to allow any negative consequences or side effects of a patch to surface; however, this is not always an option due to the immediate threat of the defect outweighing the risk of potential side effects. This is especially true for security patches, as malware authors monitor security defects and actively seek out un-patched systems.
You should upgrade CentOS on a planned timeline that fits best with your roadmap for new feature additions and your staff's capacity to handle the change with the professional rigor required. However, it is also essential to be aware of the planned software end-of-life (EOL) timeline. Once a CentOS version reaches EOL, CVEs may go unpatched. Therefore, organizations should have a plan that ensures that upgrades occur before the software reaches EOL or secure a source of patches from a reputable commercial LTS vendor.
Which Versions of CentOS Are End-of-Life?
Back to topCentOS 6 and CentOS 8 are both EOL. Currently, CentOS 7 is the only version that is still supported by the community, but it will become end-of-life in June 2024.
Known CentOS Vulnerabilities
As a testament to the ongoing sense of urgency, here are some current and/or recent CVEs that impact various CentOS versions. These are top of mind, as they are recent; however, keep in mind, malware authors never stop patrolling for systems that are vulnerable to patched defects. They are only deterred by systems that have actually been patched.
CentOS 8.x
CVE-2022-37434 is a critical vulnerability in the zlib
and rsync
packages on CentOS8. Successful exploitation could lead to things like disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).
CentOS 7.x
CVE-2022-41903 is a critical vulnerability in the git
package on CentOS7 that was recently patched. Failing to apply this patch can ultimately open the door to arbitrary code execution via misaligned heap writes due to an integer overflow.
CentOS 6.x
CVE-2023-22809 is a high vulnerability in the sudo
package on both CentOS6 and CentOS8. Successful exploitation can allow a local bad actor to append arbitrary entries to the list of files to process, which can lead to privilege escalation.
How to Get and Install CentOS Patches
The happy path for updating is simple:
- Open a command prompt (locally or remote via
ssh
) - Run
yum check-update
to display information about available updates (sudo
maybe required) - Run
yum update
to pull and apply all the available updates listed
There are of course many permutations of this sequence to tailor an update to specific needs. For example, run yum update <package-name>
to pull and apply an update related to a particular package.
The real complications arise in coordinating required outages, preparing to validate the success, and planning to recover from any failures. This requires communication and engagement with stakeholders across the organization. Attention to these details upfront can minimize disruption and avoid negative attention.
Related video >>How OpenLogic Builds CentOS Patches
Back to topCentOS Patch Management: Best Practices
Depending on the scale of operations, maintaining and managing the CentOS lifecycle can be full-time work for an individual or divided up among a team. Here are the basic tenants of good CentOS patch management:
1. Inventory and Attribute Assets
It is imperative to know the environment as a foundation for discovery, prioritization, and remediation. Maintain key attributes of all existing installs, including hardware details, connectivity, software versions, system class (i.e. dev/test/prod), owner point-of-contact, business purpose, etc.
2. Actively Discover Threats
There are tools available and subscriptions to services that will assist in scanning systems and identifying potential threats. Every organization should frequently and consistently review the results of one or more of these scans to stay aware of threats to the known inventory of systems.
It is also important to establish real-time monitoring of systems in the inventory to watch for anomalies or unusual activity that may indicate a compromised or malfunctioning system.
It is critical to understand that this step in the lifecycle is quite complicated. It can create an abundance of information. It can become noise even to a trained eye; therefore, it is highly advised to use automated alerts that apply filtering or artificial intelligence based on business policies to highlight significant events or alarming trends.
3. Analyze Risk and Impact of Vulnerabilities
Defects can and will arise without warning. Some are more critical, some have a higher likelihood of occurring on your systems, and some have a more immediate or costly impact than others. It is wise to have a preconceived and thoughtful methodology for curating defects and determining an appropriate response. This will save time, energy, money, and reputation.
Some of the curation methodology will be based on asking questions about the system inventory:
- Which systems are vulnerable?
- Which systems are critical?
- Which systems are customer-facing?
Some of the curation methodology will be based on business factors, or the answers to questions such as:
- Does the defect compromise regulatory compliance?
- Will patching outages effect revenue streams?
- Can complacency result in a data breach?
Something as simple as a checklist can go a long way toward categorizing and prioritizing systems to receive updates. However, this should evolve into guiding principles and policies that drive sound and ethical business decisions.
4. Engage Stakeholders
It is important to provide information, gather feedback, and request assistance from the owners and users of systems that are impacted. Adequate communication and interaction with these individuals will help set expectations, avoid surprises, and hopefully solidify success.
5. Test Installation and Rollback Procedures
Patches can fail, resulting in unusable or corrupted systems. They can also apply properly, yet have unexpected downstream side effects on applications. It is always wise to install the patches in a controlled lab environment to build procedural competence, as well as confidence in the result.
Organizations should strive to establish and maintain rapid and thorough testing procedures, as this is a telltale sign of organizational maturity and a contributor to ongoing success. At a minimum, run the tests provided with the patch.
This is another area that greatly benefits from automation. For large enterprises, it is critical to use a toolkit like Puppet or Ansible to make these tasks repeatable and self-reporting. Otherwise, human error is inevitable and key failure indicators can slip through the cracks.
6. Execute Installation and Validate the Outcome
This is the step most organizations remember. Some because it is the only step they took, and luckily it worked fine; others because this is the only step they took, and unfortunately it failed, and everyone is now asking them why.
All kidding aside, installing the patch is the moment of truth, where the rubber hits the road. It is where all the hard preparation work pays off. Whether a patch applies correctly or not, the outcome of the change event should be a success, as there is validation in place to determine the result and a follow-through plan based on pass or failure.
7. Communicate and Document Results
Always be prepared to send a summary communication that outlines the successes and failures of the change event. This is an opportunity to celebrate a win or reset and provide details of next steps. In any case, documentation on the systems should be updated to reflect the current state, including the asset inventory, to set a new baseline for future changes.
Back to topFinal Thoughts
Anyone tasked with making decisions about patching CentOS and establishing patch management protocols will benefit from having a clear prioritization and assessment process in place. The steps outlined above are a good starting point for improving your CentOS security posture, and hopefully this blog has made a solid case for why patching CentOS is important, especially if you are running an EOL version.
Do You Have a Plan for CentOS 7 EOL?
Watch this on-demand webinar to learn about CentOS LTS from OpenLogic which allows you to stay on CentOS 7 until 2029.
Additional Resources
- Video - How OpenLogic Builds CentOS Patches
- Datasheet - CentOS LTS and Technical Support
- Blog - Best Practices for Keeping Your Linux Server Secure
- White Paper - Decision Maker's Guide to Enterprise Linux
- Blog - Setting a CentOS Migration Strategy
- Blog - CentOS Commands Cheat Sheet
- Blog - Top Linux Distributions of 2024
- Blog - CentOS Stream 9
- Blog - The Long-Term Outlook for CentOS 7 Support