
False ksplice vulnerabilities reported #1205

Closed
bpfoster opened this issue Sep 1, 2021 · 2 comments · Fixed by #1209
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@bpfoster
Contributor

bpfoster commented Sep 1, 2021

Description

Scanning the latest oraclelinux:8 image reports a number of vulnerabilities:

$ trivy -d i oraclelinux:8
2021-09-01T08:37:25.994-0400	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2021-09-01T08:37:26.004-0400	DEBUG	cache dir:  /home/dev/.cache/trivy
2021-09-01T08:37:26.004-0400	DEBUG	DB update was skipped because DB is the latest
2021-09-01T08:37:26.004-0400	DEBUG	DB Schema: 1, Type: 1, UpdatedAt: 2021-09-01 08:54:41.313293891 +0000 UTC, NextUpdate: 2021-09-01 14:54:41.313293691 +0000 UTC, DownloadedAt: 2021-09-01 11:03:07.172661178 +0000 UTC
2021-09-01T08:37:26.004-0400	DEBUG	Vulnerability type:  [os library]
2021-09-01T08:37:26.008-0400	DEBUG	Image ID: sha256:fcf3cbfc22ac02e416b686870463a6d0611ffa8f6ec9d24a04121d9c204e0c0a
2021-09-01T08:37:26.008-0400	DEBUG	Diff IDs: [sha256:89ca13798c53c8b13fdcb56109bc25677e22b99d4137c8a7af99d7583c1ecc28]
2021-09-01T08:37:26.009-0400	INFO	Detected OS: oracle
2021-09-01T08:37:26.009-0400	INFO	Detecting Oracle Linux vulnerabilities...
2021-09-01T08:37:26.009-0400	DEBUG	Oracle Linux: os version: 8
2021-09-01T08:37:26.009-0400	DEBUG	Oracle Linux: the number of packages: 190
2021-09-01T08:37:26.012-0400	INFO	Number of language-specific files: 0


oraclelinux:8 (oracle 8.4)
==========================
Total: 15 (UNKNOWN: 0, LOW: 0, MEDIUM: 9, HIGH: 3, CRITICAL: 3)

+-------------------+------------------+----------+-------------------+-----------------------------+---------------------------------------+
|      LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |        FIXED VERSION        |                 TITLE                 |
+-------------------+------------------+----------+-------------------+-----------------------------+---------------------------------------+
| glibc             | CVE-2019-9169    | CRITICAL | 2.28-151.0.1.el8  | 2:2.28-151.0.1.ksplice2.el8 | glibc: regular-expression             |
|                   |                  |          |                   |                             | match via proceed_next_node           |
|                   |                  |          |                   |                             | in posix/regexec.c leads to           |
|                   |                  |          |                   |                             | heap-based buffer over-read...        |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-9169  |
+                   +------------------+----------+                   +                             +---------------------------------------+
|                   | CVE-2021-3326    | HIGH     |                   |                             | glibc: Assertion failure in           |
|                   |                  |          |                   |                             | ISO-2022-JP-3 gconv module            |
|                   |                  |          |                   |                             | related to combining characters       |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-3326  |
+                   +------------------+----------+                   +                             +---------------------------------------+
|                   | CVE-2016-10228   | MEDIUM   |                   |                             | glibc: iconv program can hang         |
|                   |                  |          |                   |                             | when invoked with the -c option       |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2016-10228 |
+                   +------------------+          +                   +                             +---------------------------------------+
|                   | CVE-2019-25013   |          |                   |                             | glibc: buffer over-read in            |
|                   |                  |          |                   |                             | iconv when processing invalid         |
|                   |                  |          |                   |                             | multi-byte input sequences in...      |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-25013 |
+                   +------------------+          +                   +                             +---------------------------------------+
|                   | CVE-2020-27618   |          |                   |                             | glibc: iconv when processing          |
|                   |                  |          |                   |                             | invalid multi-byte input              |
|                   |                  |          |                   |                             | sequences fails to advance the...     |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-27618 |
+-------------------+------------------+----------+                   +                             +---------------------------------------+
| glibc-common      | CVE-2019-9169    | CRITICAL |                   |                             | glibc: regular-expression             |
|                   |                  |          |                   |                             | match via proceed_next_node           |
|                   |                  |          |                   |                             | in posix/regexec.c leads to           |
|                   |                  |          |                   |                             | heap-based buffer over-read...        |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-9169  |
+                   +------------------+----------+                   +                             +---------------------------------------+
|                   | CVE-2021-3326    | HIGH     |                   |                             | glibc: Assertion failure in           |
|                   |                  |          |                   |                             | ISO-2022-JP-3 gconv module            |
|                   |                  |          |                   |                             | related to combining characters       |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-3326  |
+                   +------------------+----------+                   +                             +---------------------------------------+
|                   | CVE-2016-10228   | MEDIUM   |                   |                             | glibc: iconv program can hang         |
|                   |                  |          |                   |                             | when invoked with the -c option       |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2016-10228 |
+                   +------------------+          +                   +                             +---------------------------------------+
|                   | CVE-2019-25013   |          |                   |                             | glibc: buffer over-read in            |
|                   |                  |          |                   |                             | iconv when processing invalid         |
|                   |                  |          |                   |                             | multi-byte input sequences in...      |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-25013 |
+                   +------------------+          +                   +                             +---------------------------------------+
|                   | CVE-2020-27618   |          |                   |                             | glibc: iconv when processing          |
|                   |                  |          |                   |                             | invalid multi-byte input              |
|                   |                  |          |                   |                             | sequences fails to advance the...     |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-27618 |
+-------------------+------------------+----------+                   +                             +---------------------------------------+
| glibc-langpack-en | CVE-2019-9169    | CRITICAL |                   |                             | glibc: regular-expression             |
|                   |                  |          |                   |                             | match via proceed_next_node           |
|                   |                  |          |                   |                             | in posix/regexec.c leads to           |
|                   |                  |          |                   |                             | heap-based buffer over-read...        |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-9169  |
+                   +------------------+----------+                   +                             +---------------------------------------+
|                   | CVE-2021-3326    | HIGH     |                   |                             | glibc: Assertion failure in           |
|                   |                  |          |                   |                             | ISO-2022-JP-3 gconv module            |
|                   |                  |          |                   |                             | related to combining characters       |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-3326  |
+                   +------------------+----------+                   +                             +---------------------------------------+
|                   | CVE-2016-10228   | MEDIUM   |                   |                             | glibc: iconv program can hang         |
|                   |                  |          |                   |                             | when invoked with the -c option       |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2016-10228 |
+                   +------------------+          +                   +                             +---------------------------------------+
|                   | CVE-2019-25013   |          |                   |                             | glibc: buffer over-read in            |
|                   |                  |          |                   |                             | iconv when processing invalid         |
|                   |                  |          |                   |                             | multi-byte input sequences in...      |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-25013 |
+                   +------------------+          +                   +                             +---------------------------------------+
|                   | CVE-2020-27618   |          |                   |                             | glibc: iconv when processing          |
|                   |                  |          |                   |                             | invalid multi-byte input              |
|                   |                  |          |                   |                             | sequences fails to advance the...     |
|                   |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-27618 |
+-------------------+------------------+----------+-------------------+-----------------------------+---------------------------------------+

All have a reported fix version of 2:2.28-151.0.1.ksplice2.el8.

CVE-2019-9169 has 3 separate errata reports from Oracle:

I do not know anything about ksplice, but my guess is this ksplice2 packaging should be ignored the same as ksplice1.

What did you expect to happen?

No vulnerabilities to be reported

What happened instead?

Vulnerabilities reported that were fixed according to 1 errata, with a ksplice2 fix version.

Output of run with -debug:

See above

Output of trivy -v:

Version: 0.19.2
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2021-09-01 08:54:41.313293891 +0000 UTC
  NextUpdate: 2021-09-01 14:54:41.313293691 +0000 UTC
  DownloadedAt: 2021-09-01 11:03:07.172661178 +0000 UTC

Additional details (base image name, container registry info...):

N/A

@bpfoster bpfoster added the kind/bug Categorizes issue or PR as related to a bug. label Sep 1, 2021
@knqyf263
Collaborator

knqyf263 commented Sep 1, 2021

@afdesk Would you mind looking into it?

afdesk added a commit to afdesk/trivy that referenced this issue Sep 2, 2021
Improve handling of advisories that contain ksplice versions:
* when one of them doesn't have ksplice, we'll also skip it
* extract kspliceX and compare it with kspliceY in advisories
* if kspliceX and kspliceY are different, we will skip the advisory.

Fixes aquasecurity#1205
afdesk added a commit to afdesk/trivy that referenced this issue Sep 3, 2021
simplify code and remove duplicated tests

Fixes aquasecurity#1205
knqyf263 pushed a commit that referenced this issue Sep 5, 2021
* fix(oracle): handle advisories that contain ksplice versions

Improve handling of advisories that contain ksplice versions:
* when one of them doesn't have ksplice, we'll also skip it
* extract kspliceX and compare it with kspliceY in advisories
* if kspliceX and kspliceY are different, we will skip the advisory.

Fixes #1205

* fix(oracle): handle advisories that contain ksplice versions

simplify code and remove duplicated tests

Fixes #1205

* run go fmt
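An added example (not Trivy's own code) of the skip rule the commit message above describes: pull the kspliceN marker out of the installed and fixed versions, and drop the advisory when only one side has a marker or the two markers differ. Function names are mine; the version strings come from the scan output in the report.

```go
package main

import (
	"fmt"
	"regexp"
)

// kspliceRe captures the N in a "kspliceN" marker inside an RPM version/release
// string such as "2:2.28-151.0.1.ksplice2.el8".
var kspliceRe = regexp.MustCompile(`\.ksplice(\d+)\.`)

// kspliceID returns the ksplice number found in version ("2" for ...ksplice2.el8),
// or "" when the version carries no ksplice marker at all.
func kspliceID(version string) string {
	m := kspliceRe.FindStringSubmatch(version)
	if m == nil {
		return ""
	}
	return m[1]
}

// shouldSkipAdvisory applies the rule from the fix commit: an advisory is only
// comparable when both versions are plain, or both carry the same kspliceN.
// Exactly one side having a marker, or different markers, means skip.
func shouldSkipAdvisory(installed, fixed string) bool {
	inst, fix := kspliceID(installed), kspliceID(fixed)
	if (inst == "") != (fix == "") {
		return true // one side is a ksplice build, the other is not
	}
	return inst != fix // both ksplice, but different streams (ksplice1 vs ksplice2)
}

// comparableAdvisories keeps only the fixed versions that may be compared
// against installed; the others would otherwise produce false positives.
func comparableAdvisories(installed string, fixedVersions []string) []string {
	var keep []string
	for _, fv := range fixedVersions {
		if !shouldSkipAdvisory(installed, fv) {
			keep = append(keep, fv)
		}
	}
	return keep
}

func main() {
	// Constructed from the scan above: the installed glibc is a plain el8 build,
	// while the advisory's fixed version is a ksplice2 build.
	installed := "2.28-151.0.1.el8"
	candidates := []string{"2:2.28-151.0.1.ksplice2.el8", "2:2.28-151.0.1.el8", "2:2.28-151.0.1.ksplice1.el8"}
	fmt.Println(comparableAdvisories(installed, candidates)) // prints [2:2.28-151.0.1.el8]
}
```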
@knqyf263
Collaborator

knqyf263 commented Sep 5, 2021

This fix will be included in the next release.

liamg pushed a commit that referenced this issue Jun 7, 2022
* fix(oracle): handle advisories that contain ksplice versions

Improve handling of advisories that contain ksplice versions:
* when one of them doesn't have ksplice, we'll also skip it
* extract kspliceX and compare it with kspliceY in advisories
* if kspliceX and kspliceY are different, we will skip the advisory.

Fixes #1205

* fix(oracle): handle advisories that contain ksplice versions

simplify code and remove duplicated tests

Fixes #1205

* run go fmt