Adjustment of vulnerability descriptions #26557

Open
wants to merge 9 commits into
base: master

@sebasfalcone (Member) commented Oct 25, 2024

Related issue
#26130

Description

This PR takes the following changes to master (5.x)

The UTs were adapted and, in some cases, the changes were omitted because not all functionalities/classes have their counterpart in the master branch.

Testing

QA efficacy tests

I generated the tools and ran the test workflow. The tests pass.

Manual tests

Input for all the tests:

curl -vsS --unix-socket test.sock --header "Content-Type: application/json"   --request POST   --data '{
  "type": "packagelist",
  "agent": {
    "id": "001"
  },
  "packages": [
    {
      "architecture": "amd64",
      "checksum": "1e6ce14f97f57d1bbd46ff8e5d3e133171a1bbce",
      "description": "NSS",
      "format": "rpm",
      "groups": "libs",
      "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
      "multiarch": "same",
      "name": "nss",
      "priority": "optional",
      "scan_time": "2023/08/04 19:56:11",
      "size": 72,
      "source": "nss",
      "vendor": "Red Hat, Inc.",
      "version": "3.53.1-3.el7_9"
    }
  ],
  "hotfixes": [],
  "os": {
    "architecture": "x86_64",
    "checksum": "1691178971959743855",
    "hostname": "redhat",
    "codename": "7",
    "major_version": "7",
    "minor_version": "9",
    "name": "Redhat",
    "patch": "6",
    "platform": "rhel",
    "version": "7.9",
    "scan_time": "2023/08/04 19:56:11",
    "kernel_release": "5.4.0-155-generic",
    "kernel_name": "Linux",
    "kernel_version": "#172-Ubuntu SMP Fri Jul 7 16:10:02 UTC 2023"
  }
}' http://localhost/vulnerability/scan | jq

Porting: #25480

  • Output
  {
    "assigner": "mozilla",
    "category": "Packages",
    "classification": "",
    "condition": "Package default status",
    "cwe_reference": "",
    "description": "NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.",
    "detected_at": "2024-10-25T22:59:16.965Z",
    "enumeration": "CVE",
    "id": "CVE-2023-5388",
    "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
    "published_at": "2024-03-19T12:15:07Z",
    "reference": "https://bugzilla.mozilla.org/show_bug.cgi?id=1780432, https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html, https://lists.debian.org/debian-lts-announce/2024/03/msg00028.html, https://www.mozilla.org/security/advisories/mfsa2024-12/, https://www.mozilla.org/security/advisories/mfsa2024-13/, https://www.mozilla.org/security/advisories/mfsa2024-14/",
    "score": {
      "base": 0.0,
      "version": ""
    },
    "severity": "",
    "source": "Red Hat CVE Database",
    "updated": "2024-03-25T17:15:51Z"
  },
    "source": "Red Hat CVE Database",

Porting: #25482

  • Under evaluation CVE:
  {
    "assigner": "mozilla",
    "category": "Packages",
    "classification": "",
    "condition": "Package default status",
    "cwe_reference": "",
    "description": "NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.",
    "detected_at": "2024-10-28T12:15:44.509Z",
    "enumeration": "CVE",
    "id": "CVE-2023-5388",
    "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
    "published_at": "2024-03-19T12:15:07Z",
    "reference": "https://bugzilla.mozilla.org/show_bug.cgi?id=1780432, https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html, https://lists.debian.org/debian-lts-announce/2024/03/msg00028.html, https://www.mozilla.org/security/advisories/mfsa2024-12/, https://www.mozilla.org/security/advisories/mfsa2024-13/, https://www.mozilla.org/security/advisories/mfsa2024-14/",
    "score": {
      "base": 0.0,
      "version": ""
    },
    "severity": "",
    "source": "Red Hat CVE Database",
    "under_evaluation": true,
    "updated": "2024-03-25T17:15:51Z"
  }
  • Evaluated CVE:
  {
    "assigner": "mozilla",
    "category": "Packages",
    "classification": "CVSS",
    "condition": "Package default status",
    "cvss": {
      "cvss3": {
        "vector": {
          "attack_vector": "",
          "availability": "NONE",
          "confidentiality_impact": "LOW",
          "integrity_impact": "NONE",
          "privileges_required": "NONE",
          "scope": "UNCHANGED",
          "user_interaction": "REQUIRED"
        }
      }
    },
    "cwe_reference": "CWE-203",
    "description": "Multiple NSS NIST curves were susceptible to a side-channel attack known as \"Minerva\". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.",
    "detected_at": "2024-10-28T12:15:44.510Z",
    "enumeration": "CVE",
    "id": "CVE-2023-6135",
    "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
    "published_at": "2023-12-19T14:15:07Z",
    "reference": "https://bugzilla.mozilla.org/show_bug.cgi?id=1853908, https://www.mozilla.org/security/advisories/mfsa2023-56/, https://security.gentoo.org/glsa/202401-10",
    "score": {
      "base": 4.3,
      "version": "3.1"
    },
    "severity": "Medium",
    "source": "Red Hat CVE Database",
    "under_evaluation": false,
    "updated": "2024-01-07T11:15:14Z"
  }

Porting #25681

To verify this feature, I'll take a package from a Debian agent because this OS has different CVSS and description sources.

"debian": {
      "adp": "Debian Security Tracker",
      "description": "debian",
      "cvss": "nvd"
    }

Selected package

curl -vsS --unix-socket test.sock --header "Content-Type: application/json"   --request POST   --data '{
  "type": "packagelist",
  "agent": {
    "id": "001"
  },
  "packages": [
    {
      "architecture": "amd64",
      "description": "Vi IMproved - enhanced vi editor",
      "format": "deb",
      "groups": "editors",
      "install_time": " ",
      "location": " ",
      "multiarch": "",
      "name": "vim",
      "priority": "optional",
      "size": 3364864,
      "source": " ",
      "vendor": "Debian Vim Maintainers <[email protected]>",
      "version": "2:8.2.2434-3+deb11u1",
      "checksum": "1e6ce14f97f57d1bbd46ff8e5d3e133171a1bbce",
      "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53"
    }
  ],
  "hotfixes": [],
  "os": {
    "architecture": "x86_64",
    "checksum": "1691178971959743855",
    "hostname": "a51c01971248",
    "codename": "bullseye",
    "major_version": "11",
    "name": "Debian GNU/Linux",
    "platform": "debian",
    "version": "11 (bullseye)",
    "scan_time": "2023/08/04 19:56:11",
    "kernel_release": "6.6.54-2-MANJARO",
    "kernel_name": "Linux",
    "kernel_version": "#1 SMP PREEMPT_DYNAMIC Tue Oct  8 03:11:08 UTC 2024"
  }
}' http://localhost/vulnerability/scan | jq

Results

  {
    "assigner": "GitHub_M",
    "category": "Packages",
    "classification": "CVSS",
    "condition": "Package default status",
    "cvss": {
      "cvss3": {
        "vector": {
          "attack_vector": "",
          "availability": "HIGH",
          "confidentiality_impact": "NONE",
          "integrity_impact": "NONE",
          "privileges_required": "NONE",
          "scope": "UNCHANGED",
          "user_interaction": "REQUIRED"
        }
      }
    },
    "cwe_reference": "CWE-416",
    "description": "Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.",
    "detected_at": "2024-11-23T03:47:03.144Z",
    "enumeration": "CVE",
    "id": "CVE-2023-48706",
    "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
    "published_at": "2023-11-22T22:15:08Z",
    "reference": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf, https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q, https://github.com/vim/vim/pull/13552, http://www.openwall.com/lists/oss-security/2023/11/22/3, https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb, https://lists.fedoraproject.org/archives/list/[email protected]/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/, https://lists.fedoraproject.org/archives/list/[email protected]/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/, https://security.netapp.com/advisory/ntap-20240105-0001/",
    "score": {
      "base": 4.7,
      "version": "3.1"
    },
    "severity": "Medium",
    "source": "Debian Security Tracker",
    "under_evaluation": false,
    "updated": "2024-01-05T18:15:29Z"
  }

Related logs

2024-11-23 03:54:37.250 157343:157381 databaseFeedManager.cpp:346 at getVulnerabilityDescriptiveInformation(): debug: Vulnerability description not found for CVE-2023-48706 in descriptions_debian.
2024-11-23 03:54:37.250 157343:157381 descriptionsHelper.hpp:206 at vulnerabilityDescription(): debug: Description information could not be obtained for 'CVE-2023-48706' from 'debian' source.
2024-11-23 03:54:37.250 157343:157381 descriptionsHelper.hpp:194 at operator()(): debug: Unreliable description information for 'CVE-2023-48706' from 'debian' source.

DB query

# ./rocksdb_tool -d /var/lib/wazuh-server/vd/feed/ -f /workspaces/5.x/wazuh/src/engine/source/feedmanager/schemas/vulnerabilityDescription.fbs -c descriptions_nvd -k CVE-2023-48706
{"CVE-2023-48706":{"accessComplexity":"","assignerShortName":"GitHub_M","attackVector":"","authentication":"","availabilityImpact":"HIGH","classification":"CVSS","confidentialityImpact":"NONE","cweId":"CWE-416","datePublished":"2023-11-22T22:15:08Z","dateUpdated":"2024-01-05T18:15:29Z","description":"Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.","integrityImpact":"NONE","privilegesRequired":"NONE","reference":"https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf, https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q, https://github.com/vim/vim/pull/13552, http://www.openwall.com/lists/oss-security/2023/11/22/3, https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb, https://lists.fedoraproject.org/archives/list/[email protected]/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/, https://lists.fedoraproject.org/archives/list/[email protected]/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/, https://security.netapp.com/advisory/ntap-20240105-0001/","scope":"UNCHANGED","scoreBase":4.7,"scoreVersion":"3.1","severity":"MEDIUM","userInteraction":"REQUIRED"}}

# ./rocksdb_tool -d /var/lib/wazuh-server/vd/feed/ -f /workspaces/5.x/wazuh/src/engine/source/feedmanager/schemas/vulnerabilityDescription.fbs -c descriptions_debian -k CVE-2023-48706
Unable to find resource.

Another example with ALAS

  "adp_descriptions": {
    "alas": {
      "adp": "Amazon Linux Security Center",
      "description": "nvd",
      "cvss": "alas"
    }
  }

Input

    curl -vsS --unix-socket test.sock --header "Content-Type: application/json"   --request POST   --data '{
      "type": "packagelist",
      "agent": {
        "id": "001"
      },
      "packages": [
        {
          "architecture": "x86_64",
          "description": "Network Security Services Softoken Module",
          "format": "rpm",
          "groups": "System Environment/Libraries",
          "install_time": "1702931526",
          "location": " ",
          "name": "nss-softokn",
          "priority": " ",
          "size": 1294014,
          "source": " ",
          "vendor": "Amazon.com",
          "version": "3.53.1-6.48.amzn1",
          "checksum": "1e6ce14f97f57d1bbd46ff8e5d3e133171a1bbce",
          "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53"
        }
      ],
      "hotfixes": [],
      "os": {
        "architecture": "x86_64",
        "checksum": "1691178971959743855",
        "hostname": "a51c01971248",
        "codename": "bullseye",
        "major_version": "2018",
        "minor_version" : "03",
        "name": "Amazon Linux AMI",
        "platform": "amzn",
        "version": "2018.03",
        "scan_time": "2023/08/04 19:56:11",
        "kernel_release": "6.6.54-2-MANJARO",
        "kernel_name": "Linux",
        "kernel_version": "#1 SMP PREEMPT_DYNAMIC Tue Oct  8 03:11:08 UTC 2024"
      }
    }' http://localhost/vulnerability/scan | jq

Result

[
  {
    "assigner": "mozilla",
    "category": "Packages",
    "classification": "CVSS",
    "condition": "Package less than 3.53.1-6.49.amzn1",
    "cvss": {
      "cvss3": {
        "vector": {
          "attack_vector": "",
          "availability": "LOW",
          "confidentiality_impact": "LOW",
          "integrity_impact": "NONE",
          "privileges_required": "NONE",
          "scope": "UNCHANGED",
          "user_interaction": "NONE"
        }
      }
    },
    "cwe_reference": "",
    "description": "NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.",
    "detected_at": "2024-11-23T04:23:15.555Z",
    "enumeration": "CVE",
    "id": "CVE-2023-5388",
    "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
    "published_at": "2024-03-19T12:15:07Z",
    "reference": "https://bugzilla.mozilla.org/show_bug.cgi?id=1780432, https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html, https://lists.debian.org/debian-lts-announce/2024/03/msg00028.html, https://www.mozilla.org/security/advisories/mfsa2024-12/, https://www.mozilla.org/security/advisories/mfsa2024-13/, https://www.mozilla.org/security/advisories/mfsa2024-14/",
    "score": {
      "base": 6.5,
      "version": "3.1"
    },
    "severity": "Medium",
    "source": "Amazon Linux Security Center",
    "under_evaluation": false,
    "updated": "2024-11-14T22:35:01Z"
  }
]

Related logs

2024-11-23 04:41:16.542 168614:168655 descriptionsHelper.hpp:230 at operator()(): debug: Unreliable information for 'CVE-2023-5388' from alas_1 source.

DB query

# ./rocksdb_tool -d /var/lib/wazuh-server/vd/feed/ -f /workspaces/5.x/wazuh/src/engine/source/feedmanager/schemas/vulnerabilityDescription.fbs -c descriptions_alas_1 -k CVE-2023-5388
{"CVE-2023-5388":{"accessComplexity":"","assignerShortName":"mozilla","attackVector":"","authentication":"","availabilityImpact":"","classification":"","confidentialityImpact":"","cweId":"","datePublished":"2024-03-19T12:15:07Z","dateUpdated":"2024-11-14T22:35:01Z","description":"It was discovered that the numerical library used in NSS for RSA cryptography leaks information whether high order bits of the RSA decryption result are zero. This information can be used to mount a Bleichenbacher or Manger like attack against all RSA decryption operations. As the leak happens before any padding operations, it affects all padding modes: PKCS#1 v1.5, OAEP, and RSASVP. Both API level calls and TLS server operation are affected.","integrityImpact":"","privilegesRequired":"","reference":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388","scope":"","scoreVersion":"","severity":"","userInteraction":""}}

# ./rocksdb_tool -d /var/lib/wazuh-server/vd/feed/ -f /workspaces/5.x/wazuh/src/engine/source/feedmanager/schemas/vulnerabilityDescription.fbs -c descriptions_nvd -k CVE-2023-5388
{"CVE-2023-5388":{"accessComplexity":"","assignerShortName":"mozilla","attackVector":"","authentication":"","availabilityImpact":"LOW","classification":"CVSS","confidentialityImpact":"LOW","cweId":"","datePublished":"2024-03-19T12:15:07Z","dateUpdated":"2024-11-14T22:35:01Z","description":"NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.","integrityImpact":"NONE","privilegesRequired":"NONE","reference":"https://bugzilla.mozilla.org/show_bug.cgi?id=1780432, https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html, https://lists.debian.org/debian-lts-announce/2024/03/msg00028.html, https://www.mozilla.org/security/advisories/mfsa2024-12/, https://www.mozilla.org/security/advisories/mfsa2024-13/, https://www.mozilla.org/security/advisories/mfsa2024-14/","scope":"UNCHANGED","scoreBase":6.5,"scoreVersion":"3.1","severity":"MEDIUM","userInteraction":"NONE"}}

Porting #25711 and #26842

Both PRs define the default values and one extends the other one, so the evidence verifies both developments.

If we repeat the first input, we find that the classification field now has a hyphen as its value.

  {
    "assigner": "mozilla",
    "category": "Packages",
    "classification": "-",
    "condition": "Package default status",
    "cvss": {
      "cvss3": {
        "vector": {
          "attack_vector": "",
          "availability": "NONE",
          "confidentiality_impact": "HIGH",
          "integrity_impact": "NONE",
          "privileges_required": "LOW",
          "scope": "UNCHANGED",
          "user_interaction": "NONE"
        }
      }
    },
    "cwe_reference": "",
    "description": "DOCUMENTATION: It was discovered that the numerical library used in NSS for RSA cryptography leaks information whether high order bits of the RSA decryption result are zero. This information can be used to mount a Bleichenbacher or Manger like attack against all RSA decryption operations. As the leak happens before any padding operations, it affects all padding modes: PKCS#1 v1.5, OAEP, and RSASVP. Both API level calls and TLS server operation are affected.",
    "detected_at": "2024-11-23T04:45:41.092Z",
    "enumeration": "CVE",
    "id": "CVE-2023-5388",
    "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
    "published_at": "2024-03-19T12:15:07Z",
    "reference": "https://access.redhat.com/security/cve/CVE-2023-5388",
    "score": {
      "base": 6.5,
      "version": "3.1"
    },
    "severity": "Medium",
    "source": "Red Hat CVE Database",
    "under_evaluation": true,
    "updated": "2024-11-14T22:35:01Z"
  }

@sebasfalcone sebasfalcone self-assigned this Oct 25, 2024
@sebasfalcone sebasfalcone changed the title Port Adjustment of vulnerability descriptions Oct 28, 2024
@pereyra-m pereyra-m marked this pull request as ready for review November 22, 2024 02:38
Coverage reports

The coverage report can be downloaded from here

| Module | Line coverage | Function coverage |
|---|---|---|
| vdscanner | 87.7% ✅ | 79.7% ❌ |

🔴 Some modules have failed the coverage check

@pereyra-m pereyra-m force-pushed the enhancement/26130-vulnerability-detector-port-adjustment-of-vulnerability-descriptions branch 3 times, most recently from d47e1c7 to 244c02b Compare November 26, 2024 20:13
@pereyra-m (Member)

Update

The functions coverage is a technical debt, and there is a problem with the templatized classes.
It'll be solved here

sebasfalcone and others added 9 commits November 26, 2024 21:10
- Added ADP source field into the vulnerability state
- Updated UTs
- Updated mocks
- Added ADP source field into the vulnerability state
- Updated UTs
- Updated mocks
- Added under_evaluation field and analysis into the vulnerability state
- Updated UTs
Co-authored-by: Sebastian Falcone <[email protected]>
Co-authored-by: Gabriel Valenzuela <[email protected]>
Co-authored-by: Octavio Valle <[email protected]>
Co-authored-by: Sebastian Falcone <[email protected]>
    Co-authored-by: Gabriel Valenzuela <[email protected]>
    Co-authored-by: Octavio Valle <[email protected]>
Co-authored-by: Sebastian Falcone <[email protected]>
    Co-authored-by: Miguel Cazajous <[email protected]>
@sebasfalcone sebasfalcone force-pushed the enhancement/26130-vulnerability-detector-port-adjustment-of-vulnerability-descriptions branch 2 times, most recently from 3d5645b to 31dea83 Compare November 26, 2024 21:27
@sebasfalcone (Member, Author) left a comment

Testing 🟢

Command used:

curl -vsS --unix-socket test.sock --header "Content-Type: application/json" --request POST --data @input.json  http://localhost/vulnerability/scan | jq

ADP detection - ADP description - ADP scoring

The vulnerability is detected using the NVD feed and the description and CVSS scoring are obtained from there as well

  • Input
{
  "type": "packagelist",
  "agent": {
    "id": "041"
  },
  "packages": [
    {
      "format": "win",
      "name": "Postman x86_64 6.3.0",
      "vendor": "Postman",
      "install_time": "2024-08-27T20:15:18+00:00",
      "version": "6.3.0",
      "architecture": " ",
      "description": " ",
      "size": 0,
      "location": "C:\\Users\\Administrator\\AppData\\Local\\Postman",
      "priority": " ",
      "checksum": "c4b71764ef99e7002f3132852a84a5c1e1b25fcc",
      "item_id": "61e71c9fe4bab8cd4a5eb2a10ec16c99f8326c7b"
    }
  ],
  "hotfixes": [],
  "os": {
    "architecture": "x86_64",
    "checksum": "1691178971959743855",
    "hostname": "fd9b83c25f30",
    "major_version": "10",
    "minor_version": "0",
    "build": "19045",
    "name": "Microsoft Windows 10 Pro",
    "display_version": "22H2",
    "platform": "windows",
    "version": "10.0.19045",
    "scan_time": "2023/08/04 19:56:11"
  }
}
  • Output
[
  {
    "assigner": "mitre",
    "category": "Packages",
    "classification": "CVSS",
    "condition": "Package less than or equal to 6.3.0",
    "cvss": {
      "cvss2": {
        "vector": {
          "access_complexity": "MEDIUM",
          "authentication": "NONE",
          "availability": "NONE",
          "confidentiality_impact": "PARTIAL",
          "integrity_impact": "NONE"
        }
      }
    },
    "cwe_reference": "CWE-295",
    "description": "An information-disclosure issue was discovered in Postman through 6.3.0. It validates a server's X.509 certificate and presents an error if the certificate is not valid. Unfortunately, the associated HTTPS request data is sent anyway. Only the response is not displayed. Thus, all contained information of the HTTPS request is disclosed to a man-in-the-middle attacker (for example, user credentials).",
    "detected_at": "2024-11-26T22:25:01.949Z",
    "enumeration": "CVE",
    "id": "CVE-2018-17215",
    "item_id": "61e71c9fe4bab8cd4a5eb2a10ec16c99f8326c7b",
    "published_at": "2018-09-26T21:29:01Z",
    "reference": "https://seclists.org/bugtraq/2018/Sep/56, https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-016.txt",
    "score": {
      "base": 4.3,
      "version": "2.0"
    },
    "severity": "Medium",
    "source": "National Vulnerability Database",
    "under_evaluation": false,
    "updated": "2024-02-01T19:55:49Z"
  }
]

ADP detection - ADP description - CNA scoring

The vulnerability is detected using the alas feed and the description is obtained from there as well, but the CVSS scoring is obtained from the NVD

  • Input
{
    "type": "packagelist",
    "agent":
    {
        "id": "001"
    },
    "packages":
    [
        {
            "architecture": "x86_64",
            "description": "Network Security Services Softoken Module",
            "format": "rpm",
            "groups": "System Environment/Libraries",
            "install_time": "1702931526",
            "location": " ",
            "name": "nss-softokn",
            "priority": " ",
            "size": 1294014,
            "source": " ",
            "vendor": "Amazon.com",
            "version": "3.53.1-6.48.amzn1",
            "checksum": "1e6ce14f97f57d1bbd46ff8e5d3e133171a1bbce",
            "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53"
        }
    ],
    "hotfixes":
    [],
    "os":
    {
        "architecture": "x86_64",
        "checksum": "1691178971959743855",
        "hostname": "a51c01971248",
        "codename": "bullseye",
        "major_version": "2018",
        "minor_version": "03",
        "name": "Amazon Linux AMI",
        "platform": "amzn",
        "version": "2018.03",
        "scan_time": "2023/08/04 19:56:11",
        "kernel_release": "6.6.54-2-MANJARO",
        "kernel_name": "Linux",
        "kernel_version": "#1 SMP PREEMPT_DYNAMIC Tue Oct  8 03:11:08 UTC 2024"
    }
}
  • Output
[
  {
    "assigner": "mozilla",
    "category": "Packages",
    "classification": "CVSS",
    "condition": "Package less than 3.53.1-6.49.amzn1",
    "cvss": {
      "cvss3": {
        "vector": {
          "attack_vector": "",
          "availability": "LOW",
          "confidentiality_impact": "LOW",
          "integrity_impact": "NONE",
          "privileges_required": "NONE",
          "scope": "UNCHANGED",
          "user_interaction": "NONE"
        }
      }
    },
    "cwe_reference": "",
    "description": "NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.",
    "detected_at": "2024-11-26T21:20:57.279Z",
    "enumeration": "CVE",
    "id": "CVE-2023-5388",
    "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
    "published_at": "2024-03-19T12:15:07Z",
    "reference": "https://bugzilla.mozilla.org/show_bug.cgi?id=1780432, https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html, https://lists.debian.org/debian-lts-announce/2024/03/msg00028.html, https://www.mozilla.org/security/advisories/mfsa2024-12/, https://www.mozilla.org/security/advisories/mfsa2024-13/, https://www.mozilla.org/security/advisories/mfsa2024-14/",
    "score": {
      "base": 6.5,
      "version": "3.1"
    },
    "severity": "Medium",
    "source": "Amazon Linux Security Center",
    "under_evaluation": false,
    "updated": "2024-11-14T22:35:01Z"
  }
]

ADP detection - CNA description - ADP scoring

The vulnerability is detected using the debian feed and the CVSS scoring is obtained from there as well, but the description is obtained from the NVD

  • Input
{
  "type": "packagelist",
  "agent": {
    "id": "001"
  },
  "packages": [
    {
      "architecture": "amd64",
      "checksum": "1e6ce14f97f57d1bbd46ff8e5d3e133171a1bbce",
      "description": "system and service manager",
      "format": "deb",
      "groups": "libs",
      "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
      "multiarch": "same",
      "name": "systemd",
      "priority": "optional",
      "scan_time": "2023/08/04 19:56:11",
      "size": 72,
      "source": "systemd",
      "vendor": "Debian vendor",
      "version": "247.3-7+deb11u4"
    }
  ],
  "hotfixes": [],
  "os": {
    "architecture": "x86_64",
    "checksum": "1691178971959743855",
    "hostname": "debian",
    "codename": "bullseye",
    "major_version": "11",
    "minor_version": "0",
    "name": "Debian",
    "patch": "6",
    "platform": "debian",
    "version": "Bullseye",
    "scan_time": "2023/08/04 19:56:11",
    "kernel_release": "5.4.0-155-generic",
    "kernel_name": "Linux",
    "kernel_version": "#172-Ubuntu SMP Fri Jul 7 16:10:02 UTC 2023"
  }
}
  • Output
[
  {
    "assigner": "redhat",
    "category": "Packages",
    "classification": "CVSS",
    "condition": "Package less than 247.3-7+deb11u6",
    "cvss": {
      "cvss3": {
        "vector": {
          "attack_vector": "",
          "availability": "NONE",
          "confidentiality_impact": "NONE",
          "integrity_impact": "HIGH",
          "privileges_required": "NONE",
          "scope": "UNCHANGED",
          "user_interaction": "NONE"
        }
      }
    },
    "cwe_reference": "CWE-300",
    "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.",
    "detected_at": "2024-11-26T22:27:35.213Z",
    "enumeration": "CVE",
    "id": "CVE-2023-7008",
    "item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
    "published_at": "2023-12-23T13:15:07Z",
    "reference": "https://bugzilla.redhat.com/show_bug.cgi?id=2222261, https://bugzilla.redhat.com/show_bug.cgi?id=2222672, https://github.com/systemd/systemd/issues/25676, https://access.redhat.com/security/cve/CVE-2023-7008, https://access.redhat.com/errata/RHSA-2024:2463, https://access.redhat.com/errata/RHSA-2024:3203",
    "score": {
      "base": 5.9,
      "version": "3.1"
    },
    "severity": "Medium",
    "source": "Debian Security Tracker",
    "under_evaluation": false,
    "updated": "2024-09-16T17:16:02Z"
  }
]

Default values used

No CVSS information in adp or NVD, therefore severity information is set using default values

  • Input
{
  "type": "packagelist",
  "agent": {
      "id": "001"
  },
  "packages": [
      {
          "architecture": "amd64",
          "description": "Secure Sockets Layer toolkit - cryptographic utility",
          "format": "deb",
          "groups": "utils",
          "install_time": " ",
          "location": " ",
          "multiarch": "foreign",
          "name": "openssl",
          "priority": "important",
          "size": 2053,
          "vendor": "Ubuntu Developers <[email protected]>",
          "version": "3.0.2-0ubuntu1.15",
          "item_id": "openssl302"
      }
  ],
  "hotfixes": [],
  "os": {
      "architecture": "x86_64",
      "hostname": "jammy",
      "codename": "jammy",
      "major_version": "22",
      "minor_version": "04",
      "name": "Ubuntu",
      "patch": "1",
      "platform": "ubuntu",
      "version": "22.04.1 LTS (Jammy Jellyfish)",
      "kernel_release": "5.15.0-107-generic",
      "kernel_name": "Linux",
      "kernel_version": "#117-Ubuntu SMP Fri Apr 26 12:26:49 UTC 2024"
  }
}
  • Output
  {
   "assigner": "openssl",
   "category": "Packages",
   "classification": "-",
   "condition": "Package less than 3.0.2-0ubuntu1.17",
   "cwe_reference": "",
   "description": "Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.",
   "detected_at": "2024-11-26T22:36:46.465Z",
   "enumeration": "CVE",
   "id": "CVE-2024-2511",
   "item_id": "openssl302",
   "published_at": "2024-04-08T14:15:07Z",
   "reference": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068658, https://ubuntu.com/security/notices/USN-6937-1, https://www.cve.org/CVERecord?id=CVE-2024-2511, https://www.openssl.org/news/secadv/20240408.txt",
   "score": {
     "base": -1.0,
     "version": "-"
   },
   "severity": "-",
   "source": "Canonical Security Tracker",
   "under_evaluation": true,
   "updated": "2024-10-14T15:15:13Z"
 }
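
The source selection exercised by the tests on this page (a configured description source and CVSS source per feed, fallback to NVD when the preferred record is missing or empty, default values when nothing is available), as a simplified Python model. This is an added example, not code from the PR or from the project; `resolve`, the reliability checks, the `description_from`/`cvss_from` fields, the `alas_1` config key and the abbreviated sample feed are assumptions built from the outputs, logs and DB queries shown above.

```python
"""Simplified model of per-field source selection for vulnerability metadata.

Assumption: a record is "unreliable" for a field when it is missing or the
field is empty. The real criteria are not shown on the page.
"""

FALLBACK = "nvd"

# Default CVSS values as they appear in the "Default values used" output.
DEFAULT_CVSS = {
    "classification": "-",
    "score": {"base": -1.0, "version": "-"},
    "severity": "-",
}
# Assumption: the page never shows a defaulted description, "-" is a placeholder.
DEFAULT_DESCRIPTION = "-"

# Per-feed configuration in the shape shown on the page. The page's config key
# is "alas"; the column queried in the logs is descriptions_alas_1, so this
# sample uses that column suffix directly (the mapping is not shown).
ADP_CONFIG = {
    "debian": {"adp": "Debian Security Tracker",
               "description": "debian", "cvss": "nvd"},
    "alas_1": {"adp": "Amazon Linux Security Center",
               "description": "nvd", "cvss": "alas_1"},
}

# Constructed sample feed, abbreviated from the rocksdb_tool output above.
FEED = {
    "descriptions_nvd": {
        "CVE-2023-48706": {
            "description": "Vim ... heap-use-after-free ... (abbreviated)",
            "classification": "CVSS", "scoreBase": 4.7,
            "scoreVersion": "3.1", "severity": "MEDIUM"},
        "CVE-2023-5388": {
            "description": "NSS was susceptible to a timing side-channel "
                           "attack ... (abbreviated)",
            "classification": "CVSS", "scoreBase": 6.5,
            "scoreVersion": "3.1", "severity": "MEDIUM"},
    },
    "descriptions_debian": {},  # no entry: "Unable to find resource."
    "descriptions_alas_1": {
        "CVE-2023-5388": {
            "description": "It was discovered that the numerical library "
                           "... (abbreviated)",
            "classification": "", "scoreVersion": "", "severity": ""},
    },
}


def _has_description(rec):
    return bool(rec and rec.get("description", "").strip())


def _has_cvss(rec):
    return bool(rec and rec.get("severity")
                and rec.get("scoreBase") is not None)


def _pick(feed, cve_id, preferred, is_reliable):
    """Try the preferred source, then FALLBACK; return (record, source)."""
    for source in dict.fromkeys((preferred, FALLBACK)):  # ordered, de-duplicated
        rec = feed.get(f"descriptions_{source}", {}).get(cve_id)
        if is_reliable(rec):
            return rec, source
    return None, None


def resolve(feed, config, vendor, cve_id):
    """Build the description/CVSS part of a finding and record where each
    field came from (the *_from fields are added here for auditing)."""
    cfg = config[vendor]
    desc_rec, desc_src = _pick(feed, cve_id, cfg["description"],
                               _has_description)
    cvss_rec, cvss_src = _pick(feed, cve_id, cfg["cvss"], _has_cvss)

    result = {
        "id": cve_id,
        "source": cfg["adp"],
        "description": desc_rec["description"] if desc_rec
        else DEFAULT_DESCRIPTION,
        "description_from": desc_src,
        "cvss_from": cvss_src,
    }
    if cvss_rec:
        result["classification"] = cvss_rec.get("classification") or "-"
        result["score"] = {"base": cvss_rec["scoreBase"],
                           "version": cvss_rec.get("scoreVersion") or "-"}
        # The feed stores "MEDIUM"; the scan output shows "Medium".
        result["severity"] = cvss_rec["severity"].capitalize()
    else:
        result["classification"] = DEFAULT_CVSS["classification"]
        result["score"] = dict(DEFAULT_CVSS["score"])
        result["severity"] = DEFAULT_CVSS["severity"]
    return result


if __name__ == "__main__":
    import json
    for vendor, cve in (("debian", "CVE-2023-48706"),
                        ("alas_1", "CVE-2023-5388"),
                        ("debian", "CVE-EXAMPLE-0001")):  # constructed id
        print(json.dumps(resolve(FEED, ADP_CONFIG, vendor, cve), indent=2))
```

Consumers that sort or filter findings by `score.base` should treat `-1.0` and `"-"` as "not scored" rather than as a low score.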

Development

Successfully merging this pull request may close these issues.

Vulnerability Detector - Port "Adjustment of vulnerability descriptions" from 4.10.0
2 participants