This has been driving me nuts for a few weeks. GCE is reporting vulnerabilities on my CentOS machines that they are vulnerable to bpftool:
Vulnerable package: kernel
Installed version: kernel-3.10.0-957.10.1.el7
Fixed version: kernel-3.10.0-957.27.2.el7
Thing is my version IS the Fixed version. No matter - it keeps returning that I have the wrong installed version. What am I doing wrong?
[admin@dbs-01 ~]$ uname -r
This means that you still have a vulnerable but not active kernel installed side-by-side with the currently active kernel.
See Setting: Report vulnerabilities of inactive Linux kernel(s) separately for some more background information. If you want to accept the risk of having an inactive but vulnerable kernel installed some more information about this is given there as well.
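A quick way to see exactly what the scanner is complaining about is to compare the running kernel (`uname -r`) against every kernel package rpm knows about. The script below is an added example, not part of this thread or of the scanner's own checks; it assumes CentOS/RHEL package naming, where `rpm -q kernel` prints lines such as `kernel-3.10.0-957.27.2.el7.x86_64` and `uname -r` prints the same version-release.arch string without the `kernel-` prefix. The sample package list is constructed to match the situation in the question: the fixed kernel is booted, but the older vulnerable build is still installed next to it.

```shell
#!/bin/sh
# Added example (not from the original thread): list installed kernel packages
# that are NOT the currently booted kernel, i.e. the "inactive but vulnerable"
# kernels that the scanner reports. Assumes CentOS/RHEL naming, where
# `rpm -q kernel` prints "kernel-<version-release>.<arch>" and `uname -r`
# prints "<version-release>.<arch>".

# inactive_kernels RUNNING_VERSION INSTALLED_LIST
#   RUNNING_VERSION: output of `uname -r`, e.g. 3.10.0-957.27.2.el7.x86_64
#   INSTALLED_LIST:  newline-separated output of `rpm -q kernel`
# Prints each installed kernel package whose version does not match the
# running kernel. Lines that do not look like a kernel package (for example
# "package kernel is not installed") are ignored.
inactive_kernels() {
    running="$1"
    installed="$2"
    printf '%s\n' "$installed" | while IFS= read -r pkg; do
        case "$pkg" in
            kernel-*) ;;
            *) continue ;;
        esac
        # Strip the leading "kernel-" to get the version-release.arch string.
        ver="${pkg#kernel-}"
        [ "$ver" = "$running" ] || printf '%s\n' "$pkg"
    done
}

# Constructed sample mirroring the question: the fixed 957.27.2 kernel is
# booted, the vulnerable 957.10.1 kernel is still installed alongside it.
SAMPLE_RUNNING='3.10.0-957.27.2.el7.x86_64'
SAMPLE_INSTALLED='kernel-3.10.0-957.10.1.el7.x86_64
kernel-3.10.0-957.27.2.el7.x86_64'

# On a real CentOS host, check the live package database; elsewhere (or where
# rpm is missing) fall back to the constructed sample so the script still runs.
if command -v rpm >/dev/null 2>&1; then
    echo "Inactive kernel packages on this host:"
    inactive_kernels "$(uname -r)" "$(rpm -q kernel 2>/dev/null)"
else
    echo "Inactive kernel packages in the constructed sample:"
    inactive_kernels "$SAMPLE_RUNNING" "$SAMPLE_INSTALLED"
fi
# Each package printed can be removed with `yum remove <package>`; on CentOS 7
# `package-cleanup --oldkernels --count=1` (from yum-utils) does the same in bulk.
```

Anything the script prints is an installed-but-not-running kernel, which is precisely what the scanner flags when it reports vulnerabilities for inactive kernels separately; once those packages are removed, the finding should clear on the next scan.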
Thanks @cfi. I should have gone with my gut and removed the old kernels. Makes perfect sense in hindsight why this is recommended. Much appreciated!
Just as additional info:
It seems that a few auto-generated local security checks for CentOS related to bpftool should have been generated to mention the kernel packages instead, because bpftool is just a "subpackage" of the kernel packages. This has been corrected as of today.