Why Trivy rates CVE-2023-22081 as high?

[d-mankowski-synerise]

Question

We have a minimal SBOM that contains only Amazon Corretto 17.0.8.7.1 installed on Amazon Linux 2 Docker image:

SBOM

{
    "bomFormat" : "CycloneDX",
    "specVersion" : "1.6",
    "serialNumber" : "urn:uuid:20976c1c-2d3e-4785-a4bd-0dda2e2804e0",
    "version" : 1,
    "metadata" : {},
    "components" : [
      {
        "type" : "operating-system",
        "bom-ref" : "457a2baa-344a-4b8f-a69b-bea1c2231a98",
        "name" : "amazon",
        "version" : "2 (Karoo)",
        "properties" : [
          {
            "name" : "aquasecurity:trivy:Class",
            "value" : "os-pkgs"
          },
          {
            "name" : "aquasecurity:trivy:Type",
            "value" : "amazon"
          }
        ]
      },
      {
        "type" : "library",
        "bom-ref" : "57a9c8be-e6a4-498b-bc39-b8bc47123081",
        "supplier" : {
          "name" : "Amazon"
        },
        "name" : "java-17-amazon-corretto-devel",
        "version" : "1:17.0.8.7.1-1",
        "hashes" : [],
        "licenses" : [],
        "purl" : "pkg:rpm/amazon/[email protected]?arch=x86_64&distro=amazon-2%2B%28Karoo%29&epoch=1",
        "properties" : [
          {
            "name" : "aquasecurity:trivy:LayerDiffID",
            "value" : "sha256:cefb6a56b2e94e962e365e4a0c4e6674ff477e700a2e46fa508bf327864ed1e4"
          },
          {
            "name" : "aquasecurity:trivy:PkgID",
            "value" : "[email protected]_64"
          },
          {
            "name" : "aquasecurity:trivy:PkgType",
            "value" : "amazon"
          },
          {
            "name" : "aquasecurity:trivy:SrcEpoch",
            "value" : "1"
          },
          {
            "name" : "aquasecurity:trivy:SrcName",
            "value" : "java-17-amazon-corretto-devel"
          },
          {
            "name" : "aquasecurity:trivy:SrcRelease",
            "value" : "1"
          },
          {
            "name" : "aquasecurity:trivy:SrcVersion",
            "value" : "17.0.8.7.1"
          }
        ]
      }
    ],
    "dependencies" : []
  }

We generate vulnerability report for it: trivy sbom --scanners vuln --ignore-unfixed --severity HIGH,CRITICAL --format json sbom_jdk_17.0.8.7.1.json and CVE-2023-22081 is rated as HIGH:

Vulnerability report

        {
          "VulnerabilityID": "CVE-2023-22081",
          "PkgID": "[email protected]_64",
          "PkgName": "java-17-amazon-corretto-devel",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/amazon/[email protected]?arch=x86_64\u0026distro=amazon-2%2B%28Karoo%29\u0026epoch=1",
            "UID": "f1a588d62b27b478",
            "BOMRef": "57a9c8be-e6a4-498b-bc39-b8bc47123081"
          },
          "InstalledVersion": "1:17.0.8.7.1-1",
          "FixedVersion": "1:17.0.9+8-1.amzn2.1",
          "Status": "fixed",
          "Layer": {},
          "SeveritySource": "amazon",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-22081",
          "DataSource": {
            "ID": "amazon",
            "Name": "Amazon Linux Security Center",
            "URL": "https://alas.aws.amazon.com/"
          },
          "Title": "OpenJDK: certificate path validation issue during client authentication (8309966)",
          "Description": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and  22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).",
          "Severity": "HIGH",
          "VendorSeverity": {
            "alma": 2,
            "amazon": 3,
            "oracle-oval": 2,
            "redhat": 2,
            "rocky": 2,
            "ubuntu": 2
          },
          "CVSS": {
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "V3Score": 5.3
            }
          },
          "References": [
            "https://access.redhat.com/errata/RHSA-2023:6738",
            "https://access.redhat.com/security/cve/CVE-2023-22081",
            "https://bugzilla.redhat.com/2243627",
            "https://bugzilla.redhat.com/2243805",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2237170",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2243627",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22081",
            "https://errata.almalinux.org/9/ALSA-2023-6738.html",
            "https://errata.rockylinux.org/RLSA-2023:5742",
            "https://linux.oracle.com/cve/CVE-2023-22081.html",
            "https://linux.oracle.com/errata/ELSA-2023-6887.html",
            "https://lists.debian.org/debian-lts-announce/2023/10/msg00041.html",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-22081",
            "https://security.netapp.com/advisory/ntap-20231027-0006/",
            "https://ubuntu.com/security/notices/USN-6527-1",
            "https://ubuntu.com/security/notices/USN-6528-1",
            "https://www.cve.org/CVERecord?id=CVE-2023-22081",
            "https://www.debian.org/security/2023/dsa-5537",
            "https://www.debian.org/security/2023/dsa-5548",
            "https://www.oracle.com/security-alerts/cpuoct2023.html"
          ],
          "PublishedDate": "2023-10-17T22:15:13.573Z",
          "LastModifiedDate": "2024-02-16T15:55:30.903Z"
        }

According to the documentation, severity is taken from the vendor - which is Amazon in this case. This can be seen in the vulnerability report:

"SeveritySource": "amazon",

but what I don't understand is, why Trivy reports that vendor severity in case of amazon is 3:

          "VendorSeverity": {
            "alma": 2,
            "amazon": 3,
            "oracle-oval": 2,
            "redhat": 2,
            "rocky": 2,
            "ubuntu": 2
          }

while Amazon itself reports this severity as Medium (like literally every other vendor): https://explore.alas.aws.amazon.com/CVE-2023-22081.html

Is there something that I am missing, or is it just a bug?

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Operating System

macOS 15.3

Version

❯ trivy --version
Version: 0.58.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-01-29 06:16:23.360498445 +0000 UTC
  NextUpdate: 2025-01-30 06:16:23.360498274 +0000 UTC
  DownloadedAt: 2025-01-29 10:00:51.754919 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-01-26 02:19:56.659115848 +0000 UTC
  NextUpdate: 2025-01-29 02:19:56.659115688 +0000 UTC
  DownloadedAt: 2025-01-26 13:03:34.031354 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-09-11 14:04:32.945679 +0000 UTC

[knqyf263]

Thanks for your detailed report.
It looks like the database accidentally takes the severity from ALAS-2023-427, rated as Important (= HIGH in Trivy). This advisory also fixes CVE-2023-22081, but this is for Amazon Linux 2023. We need to take it from ALAS-2023-2314 since your package is installed in Amazon Linux 2.

At first glance, it seems like a bug, but we need to investigate it.

[d-mankowski-synerise]

The other problem is, that not only OS doesn't match, but the package as well (the advisory rated as important is for package java-11-amazon-corretto, while it should be java-17-amazon-corretto)

[knqyf263]

Yes, to optimize the database size, CVE-ID is used as a key for vendors except for Red Hat and Debian in our database. This is because most vendors used to rate the same severity for the same CVE-ID regardless of product streams.