[DigitalToday reporter Chi-gyu Hwang] “As concerns grow that security threats will become more sophisticated and spread further with the expansion of AI, it has become more important to keep OS infrastructure up to date.”
Choi Won-young (최원영), an executive director at Red Hat Korea, said preventing exposure to vulnerabilities starting with the OS is the beginning of stronger security. He repeatedly stressed the need to reduce vulnerabilities in the OS, saying many companies surprisingly do not keep OS patches up to date for various reasons.
The number of CVEs (Common Vulnerabilities and Exposures) is increasing every year.
According to the company, CVEs grew to 40,297 in 2024 from 894 when first counted in 1999. It is not only the number that has grown. The rate at which attackers actually exploit them is also rising. Still, companies’ responses to vulnerability management remain insufficient in some areas.
Identifying and fixing vulnerabilities can be a demanding task for corporate IT staff, and the response often falls short, it said. That is why many vulnerabilities are left unpatched. Patch management is reported to be inadequate not only at sites using free versions of Linux, but also at companies using Linux through paid subscriptions that include technical support services.
Choi said obstacles blocking security patches are often not technical issues. He cited a combination of factors, including a field practice of avoiding changes to servers in operation, workers avoiding patch tasks for fear it will become their responsibility, and executives preferring the status quo because they would be held accountable if a service outage occurs. He said Red Hat is also speeding up company-level support to help enterprises apply OS patches more easily.
He pointed to kpatch, the kernel live patching framework. Choi said kpatch lets users apply security patches without rebooting. He said it allows immediate action without stopping services when an emergency vulnerability occurs, and provides patches within three days when possible even for zero-day vulnerabilities for which no patch has been released.
According to the company, Red Hat responds to patch-related issues through a four-step process: investigating the issue, identifying affected products, assessing severity, and deciding measures. Customers can immediately check detailed explanations on the Red Hat site whenever a vulnerability occurs.
Choi explained that users register hosts in Red Hat Satellite, a solution for managing servers based on Red Hat Linux, analyse vulnerabilities with Lightspeed, a systems management tool, create playbooks for response, execute patches and leave the results as reports. He said security levels are raised by repeating the process.
OS version management supports step-by-step upgrades with the Leapp tool. Choi said companies can move in order from CentOS 7.9 to RHEL 7.9, 8.10, 9.7 and 10.1.
RHEL image mode, a technology to build, deploy and manage an operating system like a container image, also warrants attention.
Choi said it creates a system as a fixed image to block unauthorised changes at the source, and even users with root privileges cannot change the image arbitrarily. He said updates run in the background in an A/B method, so a new version is applied when rebooting, and if problems arise the system can immediately return to the previous version.
In RHEL 10, a soft reboot function has also been newly added. The company said physical server downtime is cut to within a few seconds because it switches only user space, skipping hardware initialisation and the kernel boot stage.
Choi said image mode and soft reboot help keep the OS in a verified, up-to-date state without service interruptions. He said a hard reboot is still needed when updating the kernel or drivers.
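The kpatch and reboot points above (live patches apply without a reboot; a kernel update still needs one) translate into a routine check an administrator can run on a host. The following is an added example, not code from the article or from Red Hat: given the running kernel as printed by `uname -r` and the installed package list from `rpm -qa`, it reports whether a kpatch live patch for that exact kernel build is installed and whether a newer kernel package is installed that has not yet been booted. It assumes the RPM naming convention `kpatch-patch-<kernel version>-<release>-<patch version>-<patch release>` with dots replaced by underscores, and uses a simplified numeric version compare rather than rpm's full label comparison; the host data is constructed inline.

```python
"""
Added example (not the article's or Red Hat's code): decide whether a RHEL
host's running kernel is covered by an installed kpatch live patch and
whether a newer kernel is installed that still requires a hard reboot.

Assumed, not stated in the article: live patches ship as RPMs named
kpatch-patch-<ver>-<rel>-<patchver>-<patchrel>, with the dots of the kernel
version and release replaced by underscores. Version comparison below is a
simplified numeric compare, not rpm's full label comparison.
"""
import re
from typing import NamedTuple


class KernelId(NamedTuple):
    version: tuple      # (5, 14, 0)
    release: tuple      # (427, 13, 1): numeric part before the dist tag
    dist_arch: str      # "el9_4.x86_64"


# "5.14.0-427.13.1.el9_4.x86_64" -> version, numeric release, dist tag + arch
_KVR_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)\.(.+)$")


def parse_kernel(kvr: str) -> KernelId:
    """Split a kernel version-release-arch string as printed by `uname -r`."""
    m = _KVR_RE.match(kvr)
    if not m:
        raise ValueError(f"unrecognised kernel string: {kvr}")
    ver, rel, rest = m.groups()
    return KernelId(
        tuple(int(x) for x in ver.split(".")),
        tuple(int(x) for x in rel.split(".")),
        rest,
    )


def kpatch_prefix(k: KernelId) -> str:
    """RPM name prefix a live patch for this exact kernel build carries (assumed convention)."""
    ver = "_".join(str(x) for x in k.version)
    rel = "_".join(str(x) for x in k.release)
    return f"kpatch-patch-{ver}-{rel}-"


def assess(running: str, installed: list) -> dict:
    """Report live-patch coverage and pending-reboot state for one host."""
    run = parse_kernel(running)
    prefix = kpatch_prefix(run)
    live = sorted(p for p in installed if p.startswith(prefix))

    # Look only at "kernel-<kvr>" packages, skipping kernel-core/-tools/-modules.
    newest, newest_name = run, None
    for pkg in installed:
        m = re.match(r"^kernel-(\d.*)$", pkg)
        if not m:
            continue
        cand = parse_kernel(m.group(1))
        if (cand.version, cand.release) > (newest.version, newest.release):
            newest, newest_name = cand, m.group(1)

    return {
        "running_kernel": running,
        "live_patched": bool(live),
        "live_patch_packages": live,
        "newer_kernel_installed": newest_name,
        "hard_reboot_required": newest_name is not None,
    }


# Constructed sample input; not taken from a real host.
RUNNING = "5.14.0-427.13.1.el9_4.x86_64"
INSTALLED = [
    "kernel-5.14.0-427.13.1.el9_4.x86_64",
    "kernel-core-5.14.0-427.13.1.el9_4.x86_64",
    "kernel-5.14.0-427.20.1.el9_4.x86_64",              # installed, not yet booted
    "kernel-tools-5.14.0-427.20.1.el9_4.x86_64",
    "kpatch-patch-5_14_0-427_13_1-1-3.el9_4.x86_64",    # live patch for the running build
    "bash-5.1.8-9.el9.x86_64",
]

if __name__ == "__main__":
    for key, val in assess(RUNNING, INSTALLED).items():
        print(f"{key}: {val}")
```

An installed kpatch-patch package only shows that a live patch is available for the running build; whether its module is actually loaded is a separate check (`kpatch list` on the host), and a fleet-wide version of this check is the sort of report the Satellite-to-playbook loop described earlier would produce.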