1. To check if a backported fix is already applied:

•    Open the VAPT sheet and look for the "Vulnerability CVE IDs" column.

•    SSH into the gateway system.

•    For each CVE ID, run the command:

rpm -qa --changelog | grep <CVE ID>

Example:

•    If the command returns any output, the backported fix is already applied and the vulnerability is addressed.

•    Note, however, that the changelog does not always mention CVE IDs explicitly. It may instead reference internal Red Hat bug or advisory IDs (e.g., RHEL-xxxxx), since developers often document fixes that way.

•    So if grep <CVE ID> returns nothing, that does not necessarily mean the fix is missing; the fix may be recorded under a RHEL advisory ID instead. Check those advisory mappings if further confirmation is needed.

2. To find out when the fix was released:

•    In the same VAPT sheet, refer to the "Vulnerability Reference IDs" column.

•    Copy the Reference ID and search it on Google.

•    You should find an Oracle ELSA (Enterprise Linux Security Advisory) link, which is how Oracle announces security updates for its Linux distribution.

     An Oracle ELSA advisory includes:

          •    A unique advisory ID (e.g., ELSA-2025-7422)

          •    Affected packages/components

          •    CVE mappings

          •    Patch details and severity

          •    Release date and links to updated RPMs

•    Within the ELSA advisory you'll find the Release Date, which states when Oracle made the patch available.

•    If that release date is later than the "Fixes Up To" date in the Release Notes (e.g., "This hotfix includes package updates and fixes up to May 10, 2025"), the vulnerability is expected to appear as open; it will be addressed in the next OLOS hotfix.

Example:



3. To verify the fixed version of the package:

•    Each Oracle ELSA advisory clearly specifies the minimum fixed version required to address the CVE.

•    Cross-check this version against the currently installed package version on the HySecure gateway.

•    If the installed version is equal to or higher than the version recommended by Oracle, the CVE is considered resolved.

Example:
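The changelog check from step 1 (including the RHEL-xxxxx caveat) and the fixed-version comparison from step 3, as one added shell example that is not part of the original note. It assumes the package name, CVE ID and minimum fixed EVR (epoch:version-release) are taken from the ELSA advisory, and it uses a constructed changelog sample in place of the gateway's real rpm output; the version comparison follows rpm's segment rules rather than a plain string comparison, which is the caveat a "higher than" check needs.

```sh
#!/bin/sh
# Added example, not from the original note. Assumes the package name, CVE ID and
# minimum fixed EVR (epoch:version-release) come from the Oracle ELSA advisory.
# Step 1: does the changelog on stdin cite the CVE ID as a whole token?
# On the gateway: rpm -q --changelog <package> | changelog_mentions_cve CVE-...
changelog_mentions_cve() { grep -qFw -- "$1"; }
changelog_tracker_ids() { grep -oE 'RHEL-[0-9]+' | sort -u; }  # Step 1 caveat: RHEL-xxxxx IDs cited instead of CVEs
# Split a version into segments at non-alphanumerics and digit/letter boundaries ("4.el9" -> "4 el 9").
segments() { printf '%s' "$1" | sed 's/[^[:alnum:]][^[:alnum:]]*/ /g; s/\([0-9]\)\([[:alpha:]]\)/\1 \2/g; s/\([[:alpha:]]\)\([0-9]\)/\1 \2/g'; }
is_num() { case $1 in ''|*[!0-9]*) return 1;; esac; }
# Step 3: compare version strings like rpmvercmp: numeric segments compare as numbers (10 > 9),
# numbers beat letters, the longer string wins a tie. Prints -1, 0 or 1. Tilde/caret markers not handled.
vercmp() {
    local a b x y
    a=$(segments "$1"); b=$(segments "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; a=${a#"$x"}; a=${a# }
        y=${b%% *}; b=${b#"$y"}; b=${b# }
        if is_num "$x" && is_num "$y"; then
            [ "$x" -eq "$y" ] && continue
            [ "$x" -lt "$y" ] && echo -1 || echo 1
        elif [ "$x" = "$y" ]; then continue
        elif [ -z "$x" ] || { ! is_num "$x" && { is_num "$y" || [ "$(expr "$x" \< "$y")" = 1 ]; }; }; then echo -1
        else echo 1
        fi
        return
    done
    echo 0
}
evr_parts() {  # prints "epoch version release"; epoch defaults to 0, release is "-" if absent
    local s="$1" e=0 v r
    case $s in *:*) e=${s%%:*}; s=${s#*:};; esac
    v=${s%%-*}; r=${s#*-}; [ "$r" = "$s" ] && r=-
    printf '%s %s %s\n' "$e" "$v" "$r"
}
evrcmp() {
    local c
    set -- $(evr_parts "$1") $(evr_parts "$2")
    c=$(vercmp "$1" "$4"); [ "$c" != 0 ] && { echo "$c"; return; }
    c=$(vercmp "$2" "$5"); [ "$c" != 0 ] && { echo "$c"; return; }
    if [ "$3" = - ] || [ "$6" = - ]; then echo 0; else vercmp "$3" "$6"; fi  # rpm skips a missing release
}
# Installed EVR (rpm -q --qf '%|EPOCH?{%{EPOCH}:}:{}|%{VERSION}-%{RELEASE}\n' <package>) at or above the ELSA minimum = resolved.
fix_present() { [ "$(evrcmp "$1" "$2")" -ge 0 ]; }
# Constructed sample; CVE-2025-0000 and RHEL-12345 are placeholders, not real IDs.
SAMPLE_CHANGELOG='* Tue May 06 2025 Example Maintainer <maint@example.com> - 1.2.3-4.el9
- fix out-of-bounds read in request parser (Resolves: RHEL-12345, CVE-2025-0000)'
printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve CVE-2025-0000 && echo "changelog cites the CVE: fix applied"
fix_present 1.2.3-4.el9 1.2.3-10.el9 || echo "installed 1.2.3-4.el9 is below fixed 1.2.3-10.el9: still open"
```

Note that grep -w keeps a partial CVE ID (a shorter prefix) from matching a longer one, and that the release field is compared numerically, so 1.2.3-10.el9 correctly ranks above 1.2.3-4.el9.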