CVE vulnerability status in WHM > Security Advisor
As a web-hosting provider, with all the recent urgent CVEs, we have received many tickets from clients simply asking if their server is vulnerable to CVE-XXXX-XXX. cPanel provides knowledgebase articles for urgent CVEs; however, clients may not
- Be aware of these CKB articles
- Have SSH access
- Feel comfortable with the command
- Fully understand the command output
Additionally, sometimes the cPanel-provided package patch version may not match the upstream patch version. For example, CVE-2019-16928 is patched in upstream 4.92.3; however, in cPanel's exim package, it's patched in 4.92.4 on cP82 and 4.92.6 in cP78. A client running cP82 and exim 4.92.3 may falsely believe they are secure if they follow the upstream information on the CVE.
These types of CVE warnings should be available directly in WHM. Providing these warnings in WHM will offload tickets for web-hosting providers while also giving the client greater confidence in the security of their cPanel server.
The feature should:
- Be dynamic, in order to pull recent CVE warnings without the need of an update
- Provide a clear indication of whether the server is vulnerable to the CVE, or even if the patch is pending in development/QA/upstream
- Link to external info about the CVE, NVD/MITRE/Red Hat
- Provide a notification toggle in WHM > Contact Manager, perhaps one for vulnerability alert and one for a successful patch alert
- Provide a whmapi1 call indicating whether a specific CVE is patched, vulnerable, or not tracked by this feature
- Provide a whmapi1 call that lists all tracked CVEs that the server is vulnerable to
- Avoid false positives on corrupt RPM databases
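
The status logic requested above, as an added sketch (not cPanel code and not an existing whmapi1 call): it checks the installed exim version against the fix version for the server's cPanel branch rather than the upstream one. The table layout, the function names, and the extra `unknown` result for an unreadable package database are assumptions; versions are treated as plain dotted strings as written in the post, so RPM epoch and release fields are not handled.

```python
import re

# Constructed advisory table. Only the exim numbers for CVE-2019-16928 come
# from the post; the layout and field names are assumptions.
ADVISORIES = {
    "CVE-2019-16928": {
        "package": "exim",
        "upstream_fixed": "4.92.3",
        "fixed_in": {"82": "4.92.4", "78": "4.92.6"},  # keyed by cPanel branch
    },
}

def parse_version(text):
    """Dotted version -> tuple of ints, or None if missing or unparseable."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def cve_status(cve_id, branch, installed):
    """Return 'patched', 'vulnerable', 'not_tracked' or 'unknown'."""
    adv = ADVISORIES.get(cve_id)
    if adv is None:
        return "not_tracked"
    fixed = parse_version(adv["fixed_in"].get(branch))
    have = parse_version(installed)
    if fixed is None or have is None:
        # No fix recorded for this branch, or the package query returned
        # nothing usable (e.g. corrupt RPM database): report it, do not guess.
        return "unknown"
    return "patched" if have >= fixed else "vulnerable"

def upstream_only_status(cve_id, installed):
    """The misleading check: compare against the upstream fix version only."""
    fixed = parse_version(ADVISORIES[cve_id]["upstream_fixed"])
    return "patched" if parse_version(installed) >= fixed else "vulnerable"

def vulnerable_cves(branch, installed_packages):
    """List tracked CVEs the server is vulnerable to (name -> version map)."""
    return sorted(
        cve for cve, adv in ADVISORIES.items()
        if cve_status(cve, branch, installed_packages.get(adv["package"])) == "vulnerable"
    )

if __name__ == "__main__":
    print(upstream_only_status("CVE-2019-16928", "4.92.3"))  # upstream view
    print(cve_status("CVE-2019-16928", "82", "4.92.3"))      # cP82 view
```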