OVAL shows vulnerabilities when software is not installed

OVAL shows vulnerabilities when software is not installed

Jesus Linares
Hi all,

I'm running the OVAL files found in https://people.canonical.com/~ubuntu-security/oval/. When I run com.ubuntu.xenial.cve.oval.xml, openscap shows that I have a lot of vulnerabilities in my system, but the software related to the vulnerabilities is not installed on my system. So, what is happening?

Example:
CVE-2013-2071 on Ubuntu 16.04 LTS (xenial) - medium

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

If we see the oval file:
-----
<criteria>
 <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100" comment="Ubuntu 16.04 LTS (xenial) is installed." applicability_check="true" />
 <criteria operator="OR">
 <criterion test_ref="oval:com.ubuntu.xenial:tst:20132071000" comment="While related to the CVE in some way, the 'tomcat6' package in xenial is not affected." />
 <criterion test_ref="oval:com.ubuntu.xenial:tst:20132071010" comment="While related to the CVE in some way, the 'tomcat7' package in xenial is not affected (note: '7.0.40-1')." />
 </criteria>
</criteria>

<linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20132071000" version="1" check_existence="any_exist" check="all" comment="Returns true whether or not the 'tomcat6' package exists.">
<linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20123544000"/>
</linux-def:dpkginfo_test>

<linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20123544000" version="1" comment="The 'tomcat6' package.">
<linux-def:name>tomcat6</linux-def:name>
</linux-def:dpkginfo_object>
----

The OVAL is checking whether I have tomcat 6 or 7 installed. Neither is installed on my system, but the check always returns true. It is due to the attribute check_existence="any_exist" (http://oval.mitre.org/language/version5.4/ovaldefinition/documentation/oval-common-schema.html).

Is it a bug?

Thanks.


--
Jesus Linares
IT Security Engineer


--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
Re: OVAL shows vulnerabilities when software is not installed

Seth Arnold
On Thu, Oct 20, 2016 at 12:48:04PM +0200, Jesus Linares wrote:
> The oval is checking if I have installed tomcat 6 or 7. It is not installed
> in my system, but the check returns always *true*. It is due to the
> attribute *check_existence="any_exist" (*

> Is it a bug?

I don't know the OVAL format well, but this does look like a bug:

http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py

Search for 'negate' in the code base and I think you'll agree that the
only use of 'check_existence="any_exist"' is also supposed to add
'negate = "True"' to the conditions but that string doesn't appear in any
of the precise, trusty, or xenial oval files.

Any advice is appreciated.

Thanks

Re: OVAL shows vulnerabilities when software is not installed

Jesus Linares
Hi,

You are right: if the test had "negate", it would be false, so openscap will not show it as a vulnerability. I do not understand why the py script does not print the "negate" string.

Also, why create a test that always returns false?

Is this list the proper place to talk about the OVAL files of Ubuntu?

Right now, these OVAL files are totally useless due to this issue.

Thanks.
Regards.


Re: OVAL shows vulnerabilities when software is not installed

Steve Beattie
On Thu, Oct 20, 2016 at 05:38:01PM +0200, Jesus Linares wrote:
> you are right, if the test had "negate", it would be false. So, openscap
> will not show it as a vulnerability. I do not understand why the py script
> does not print the "negate" string.
>
> Also, why create a test that always return false?.

This was due to a bug in the OVAL data generator script that caused
negate attribute to never show up. Thanks to a suggested fix by David
Ries, these should now be emitted properly.

> is this list the proper site to talk about the oval files of Ubuntu?.
> Right now, these oval files are totally useless due to this issue.

Yes, this list is the proper place to discuss the OVAL files.
Thanks for the interest in them.

--
Steve Beattie
<[hidden email]>
http://NxNW.org/~steve/

Re: OVAL shows vulnerabilities when software is not installed

Jesus Linares
Thanks! I'm glad to help.

Regards.

Re: OVAL shows vulnerabilities when software is not installed

Jesus Linares
Hi, 

The OVAL files are failing again. It is due to the following error:
File 'com.ubuntu.xenial.cve.oval.xml' line 65535: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}criterion', attribute 'negate': 'True' is not a valid value of the atomic type 'xs:boolean'.

I think it could be fixed by changing "True" to "true".

Regards.
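The two defects discussed so far (a dpkginfo_test with check_existence="any_exist" is true whether or not the package is installed, so a not-affected criterion without negate="true" reports a vulnerability on every host; and negate="True" is not a legal xs:boolean, so the fixed feed failed validation) can be reproduced with a few lines of Python. The following is an added example, not openscap code and not the Ubuntu generator: a minimal evaluator for the subset of OVAL these definitions use. The XML fragment, the installed-package set and the oval:example:* ids are constructed for the example; the semantics of check_existence follow the OVAL existence enumeration.

```python
import xml.etree.ElementTree as ET

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
NS = {"d": OVAL_DEF_NS, "l": LINUX_DEF_NS}

# Constructed fragment (not copied from the Ubuntu feed), shaped like the thread's
# CVE-2014-8111 snippet. {negate} is where negate="true" should have been written.
OVAL_TEMPLATE = """<oval_definitions xmlns="{d}" xmlns:linux-def="{l}">
<definitions>
<definition class="vulnerability" id="oval:example:def:1" version="1">
<criteria>
<extend_definition definition_ref="oval:example:def:100" comment="platform is installed" applicability_check="true"/>
<criterion test_ref="oval:example:tst:1" {negate}comment="package is not affected"/>
</criteria>
</definition>
</definitions>
<tests>
<linux-def:dpkginfo_test id="oval:example:tst:1" version="1" check_existence="any_exist" check="all" comment="Returns true whether or not the package exists.">
<linux-def:object object_ref="oval:example:obj:1"/>
</linux-def:dpkginfo_test>
</tests>
<objects>
<linux-def:dpkginfo_object id="oval:example:obj:1" version="1" comment="The package.">
<linux-def:name>libapache-mod-jk</linux-def:name>
</linux-def:dpkginfo_object>
</objects>
</oval_definitions>"""

INSTALLED = {"xfsprogs", "openssl"}  # constructed dpkg inventory: libapache-mod-jk is absent


def not_affected_definition(negate_attr=""):
    """Fragment with the given negate attribute ('' reproduces the buggy feed)."""
    return OVAL_TEMPLATE.format(d=OVAL_DEF_NS, l=LINUX_DEF_NS, negate=negate_attr)


def xs_boolean(text):
    """Parse xs:boolean like a validating parser: only true/false/1/0 are legal.
    'True' is exactly the value 'oscap oval validate' rejected in the thread."""
    if text in ("true", "1"):
        return True
    if text in ("false", "0"):
        return False
    raise ValueError("'%s' is not a valid value of the atomic type 'xs:boolean'" % text)


def existence_result(check_existence, item_count):
    """OVAL ExistenceEnumeration applied to the number of collected items."""
    return {
        "all_exist": item_count >= 1,        # false when nothing was collected
        "any_exist": True,                   # zero or more items: always true
        "at_least_one_exists": item_count >= 1,
        "none_exist": item_count == 0,
        "only_one_exists": item_count == 1,
    }[check_existence]


def evaluate_definition(oval_xml, installed, definition_id):
    """Evaluate one definition against a set of installed package names.
    Modelled: dpkginfo objects carrying only a <name> (no state, so the test
    result is the existence check), negate, AND/OR, extend_definition assumed true."""
    root = ET.fromstring(oval_xml)
    objects = {o.get("id"): o.findtext("l:name", namespaces=NS)
               for o in root.iterfind(".//l:dpkginfo_object", NS)}
    tests = {t.get("id"): (t.find("l:object", NS).get("object_ref"),
                           t.get("check_existence", "at_least_one_exists"))
             for t in root.iterfind(".//l:dpkginfo_test", NS)}

    def run_test(test_ref):
        object_ref, check_existence = tests[test_ref]
        item_count = 1 if objects[object_ref] in installed else 0
        return existence_result(check_existence, item_count)

    def run_criteria(node):
        results = []
        for child in node:
            tag = child.tag.rsplit("}", 1)[-1]
            if tag == "criteria":
                r = run_criteria(child)
            elif tag == "criterion":
                r = run_test(child.get("test_ref"))
            elif tag == "extend_definition":
                r = True
            else:
                continue
            if xs_boolean(child.get("negate", "false")):
                r = not r
            results.append(r)
        return any(results) if node.get("operator", "AND") == "OR" else all(results)

    criteria = root.find(".//d:definition[@id='%s']/d:criteria" % definition_id, NS)
    result = run_criteria(criteria)
    return (not result) if xs_boolean(criteria.get("negate", "false")) else result


def false_positive_demo():
    """Same inventory, same test: only the negate attribute changes the verdict."""
    buggy = evaluate_definition(not_affected_definition(), INSTALLED, "oval:example:def:1")
    fixed = evaluate_definition(not_affected_definition('negate="true" '), INSTALLED, "oval:example:def:1")
    return buggy, fixed  # (True, False)
```

With the package absent, the un-negated definition still evaluates true (the false positive of the first message); the same definition with negate="true" evaluates false whether or not the package is installed, which is the intended meaning of "not affected"; and feeding negate="True" raises the same xs:boolean complaint the validator produced.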

Re: OVAL shows vulnerabilities when software is not installed

Steve Beattie
On Tue, Oct 25, 2016 at 01:12:15PM +0200, Jesus Linares wrote:
> OVAL files are failing again. It is due to the following error:
>
> > File 'com.ubuntu.xenial.cve.oval.xml' line 65535: Element '{
> > http://oval.mitre.org/XMLSchema/oval-definitions-5}criterion', attribute
> > 'negate': 'True' is not a valid value of the atomic type 'xs:boolean'.
>
>
> I think it could be fixed by changing "*T*rue" for "*t*rue".

Ah nice catch. I've fixed it and caused the OVAL files to be
regenerated, and verified them with "oscap oval validate".

Thanks!

--
Steve Beattie
<[hidden email]>
http://NxNW.org/~steve/

Re: OVAL shows vulnerabilities when software is not installed

Jesus Linares
Hi all,

The files have the correct syntax, but I am still getting "vulnerabilities" related to software that I do not have installed.

Example:
-----------
<definition class="vulnerability" id="oval:com.ubuntu.xenial:def:20148111000" version="1">
<metadata>
<title>CVE-2014-8111 on Ubuntu 16.04 LTS (xenial) - medium.</title>
<description>Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.</description>
<affected family="unix">
<platform>Ubuntu 16.04 LTS</platform>
</affected>
<reference source="CVE" ref_id="CVE-2014-8111" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111" />
<advisory>
<severity>Medium</severity>
<rights>Copyright (C) 2015 Canonical Ltd.</rights>
<public_date>2015-04-21</public_date>
</advisory>
</metadata>
<criteria>
<extend_definition definition_ref="oval:com.ubuntu.xenial:def:100" comment="Ubuntu 16.04 LTS (xenial) is installed." applicability_check="true" />
<criterion test_ref="oval:com.ubuntu.xenial:tst:20148111000" comment="While related to the CVE in some way, the 'libapache-mod-jk' package in xenial is not affected (note: '1:1.2.40+svn150520-1')." />
</criteria>
</definition>

<linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20148111000" version="1" check_existence="any_exist" check="all" comment="Returns true whether or not the 'libapache-mod-jk' package exists.">
<linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20148111000"/>
</linux-def:dpkginfo_test>

<linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20148111000" version="1" comment="The 'libapache-mod-jk' package.">
<linux-def:name>libapache-mod-jk</linux-def:name>
</linux-def:dpkginfo_object>
---------------

OpenSCAP shows that my system has that vulnerability, but I do not have "libapache-mod-jk" installed (I checked with dpkg -l | grep -i apache).

I think this test should have the "negate" due to the comment "While related to the CVE in some way, the 'libapache-mod-jk' package in xenial is not affected". So, maybe the input of the script is wrong? Where is the input?

Thanks.

Re: OVAL shows vulnerabilities when software is not installed

Seth Arnold
On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares wrote:
> I think this test should have the "negate" due to the comment "While
> related to the CVE in some way, the 'libapache-mod-jk' package in* xenial
> is not affected*". So, maybe the input of the script is wrong?. Where is
> the input?.

The input is from the ubuntu-cve-tracker bzr tree;

https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master

In the case of this specific CVE:

http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111

Thanks

Re: OVAL shows vulnerabilities when software is not installed

Jesus Linares
Hi,

this is from the specific CVE: xenial_libapache-mod-jk: not-affected (1:1.2.40+svn150520-1)

So, if it is not affected for xenial, the check should include the "negate" in order to report that it is not a vulnerability, right?

Regards.


Re: OVAL shows vulnerabilities when software is not installed

Jesus Linares
Hi,

I'm testing the OVAL files for Xenial 16.04 (updated) again and OpenSCAP reports 1750 fails... Something weird is happening. I will check out this issue again, but I would appreciate any help.

Here is an example:
<linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20176919000" version="1" check_existence="any_exist" check="all" comment="Returns true whether or not the 'drupal7' package exists.">
<linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20076752000"/>
</linux-def:dpkginfo_test>
<linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20076752000" version="1" comment="The 'drupal7' package.">
<linux-def:name>drupal7</linux-def:name>
</linux-def:dpkginfo_object>

If the check always returns true, it doesn't make sense...

Thanks.
Regards.



Re: OVAL shows vulnerabilities when software is not installed

Jesus Linares
Hi,

finally I found the issue: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110

In that line there is an if-else. The else has the logic to add the "negate" attribute, but the if doesn't have it.

It is necessary to replace lines 111 to 113 with:

negation_attribute = 'negate = "true" ' if 'negate' in test_refs[0] and test_refs[0]['negate'] else ''
mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}" {2}/>'.format(test_refs[0]['id'], escape(test_refs[0]['comment']), negation_attribute)

In this way, the scan reports 109 fails instead of 1750. Now, I'm going to review these 109 fails.

Please, update the script ASAP.

Thanks.
Regards.


Re: OVAL shows vulnerabilities when software is not installed

Jesus Linares
Hi,

it seems there are more errors. For example, I get a "fail" for the check: CVE-2012-2150.

If we review the oval file for that check:

<definition class="vulnerability" id="oval:com.ubuntu.xenial:def:20122150000" version="1">
    ...
<criteria>
<extend_definition definition_ref="oval:com.ubuntu.xenial:def:100" comment="Ubuntu 16.04 LTS (xenial) is installed." applicability_check="true" />
<criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000" comment="The 'xfsprogs' package in xenial is affected and needs fixing." />
</criteria>
</definition>
<linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20122150000" version="1" check_existence="at_least_one_exists" check="all" comment="Does the 'xfsprogs' package exist?">
<linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20122150000"/>
</linux-def:dpkginfo_test>
<linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20122150000" version="1" comment="The 'xfsprogs' package.">
<linux-def:name>xfsprogs</linux-def:name>
</linux-def:dpkginfo_object>

It is checking if the xfsprogs package exists. On my machine I have xfsprogs 4.3.0+nmu1ubuntu1 installed. So, oscap is working properly. The point is: is my xfsprogs vulnerable? If we take a look at the input file used to generate the OVAL: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150

xfs_metadump in xfsprogs before 3.2.4 does not properly obfuscate file data, which allows remote attackers to obtain sensitive information by reading a generated image.

The description says: xfsprogs before 3.2.4, and I have version 4. OVAL is only checking if the package exists, but not its version. The reason is:

The function parse_package_status (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117) parses the line:

  * "xenial_xfsprogs: needed" of http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150 to
  * "{'note': "The 'xfsprogs' package in trusty is affected and needs fixing.", 'status': 'vulnerable'}".
  * That means check only the package, not the version, because there is no version (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220)

If we take a look at other checks:

  * "xenial_git: released (1:2.7.4-0ubuntu1.1)" of http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386 is parsed to
  * {'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' package in xenial was vulnerable but has been fixed (note: '1:2.7.4-0ubuntu1.1').", 'status': 'fixed'}
  * Here the version is checked.

So, my final questions are:

  * Who generates this file http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150?
  * Why is there no specific version?

There are 109 fails after fixing the issue that I commented on in the previous email and my OS is updated, so I suspect the same is happening in the rest of the checks.

Thanks.
Regards.




Re: OVAL shows vulnerabilities when software is not installed

Tyler Hicks
On 07/05/2017 09:57 AM, Jesus Linares wrote:

> Hi,
>
> it seems there are more errors. For example, I get a "fail" for the
> check: CVE-2012-2150.
>
> If we review the oval file for that check:
>
>     <definition class="vulnerability"
>     id="oval:com.ubuntu.xenial:def:20122150000" version="1">
>         ...
>     <criteria>
>     <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
>     comment="Ubuntu 16.04 LTS (xenial) is installed."
>     applicability_check="true" />
>     <criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000"
>     comment="The 'xfsprogs' package in xenial is affected and needs
>     fixing." />
>     </criteria>
>     </definition>
>     <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20122150000"
>     version="1" check_existence="at_least_one_exists" check="all"
>     comment="Does the 'xfsprogs' package exist?">
>     <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20122150000"/>
>     </linux-def:dpkginfo_test>
>     <linux-def:dpkginfo_object
>     id="oval:com.ubuntu.xenial:obj:20122150000" version="1" comment="The
>     'xfsprogs' package.">
>     <linux-def:name>xfsprogs</linux-def:name>
>     </linux-def:dpkginfo_object>
>
>
> It is checking if the /xfsprogs /package exists. In my machine I have
> /xfsprogs 4.3.0+nmu1ubuntu1/ installed. So, the oscap is working
> properly. The point is: is my xfsprogs vulnerable?. If we take a look at
> the input file to generate the
> oval: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
>
>     xfs_metadump in *xfsprogs before 3.2.4* does not properly obfuscate
>     file data, which allows remote attackers to obtain sensitive
>     information by reading a generated image.
>
>
> The description says: xfsprogs before 3.2.4 and I have the version 4.
> Oval is only checking if the package exists, but not its version. The
> reason is:
>
> The function /parse_package_status
> (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117) /parses
> the line:
>
>   * "xenial_xfsprogs: needed"
>     of http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
>     to
>   * "{'note': "The 'xfsprogs' package in trusty is affected and needs
>     fixing.", 'status': 'vulnerable'}".
>   * That means check only the package, not the version, because there is
>     no version
>     (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220)
>
> If we take a look at other checks:
>
>   * "xenial_git: released (1:2.7.4-0ubuntu1.1)" of
>     http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386
>     is parsed to
>   * {'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' package in
>     xenial was vulnerable but has been fixed (note:
>     '1:2.7.4-0ubuntu1.1').", 'status': 'fixed'}
>   * Here the version is checked.
>
> So, my final questions are:
>
>   * Who generates this
>     file http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150?
The Ubuntu Security Team generates that file during CVE triage of newly
assigned CVEs.

>   * Why there is no a specific version?

Because all versions are affected. If the status is 'needed', it means
that the Ubuntu Security team has not produced security updates that fix
the CVE. Therefore, all systems with the xfsprogs deb package installed
are affected.

Do you know how that can be conveyed in the OVAL file?

>
> There are 109 fails after fix the issue that I commented in the previous
> email and my OS is updated, so I suspect it is happening the same in the
> rest of checks.

Thanks for tracking down the issue you described in your previous email.
I'll hold off on committing that change until you're able to get to the
bottom of the issue you describe in this email.

Tyler
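The mapping the thread reverse-engineers (a tracker status line such as "xenial_xfsprogs: needed" deciding which OVAL test shape is emitted) is worth seeing end to end, including the two generator defects found above: the negate attribute dropped from the single-criterion branch of oval_lib.py and the capitalised "True". The following is an added example, not the ubuntu-cve-tracker's generate-oval or oval_lib.py code: a small Python model that parses the three statuses discussed (not-affected, needed, released) and renders the criterion and test. Treating every other status as producing no criterion, the dict keys, the comment wording for a versioned test and the use of a <state> reference for the version comparison are assumptions of this model, not facts about the real generator.

```python
import re
from xml.sax.saxutils import escape

# Status lines as they appear in a ubuntu-cve-tracker CVE file, for example:
#   xenial_libapache-mod-jk: not-affected (1:1.2.40+svn150520-1)
#   xenial_xfsprogs: needed
#   xenial_git: released (1:2.7.4-0ubuntu1.1)
STATUS_LINE = re.compile(
    r"^(?P<release>[a-z]+)_(?P<package>[a-z0-9][a-z0-9.+-]*):\s*"
    r"(?P<status>[A-Za-z-]+)(?:\s*\((?P<version>[^)]*)\))?\s*$")


def parse_package_status(line):
    """Map one status line to the shape of OVAL test it needs.

    Returns None for every other status (DNE, ignored, needs-triage ...);
    that is an assumption of this model, not the tracker's actual rule.
    """
    m = STATUS_LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised status line: %r" % line)
    release, package, status, version = m.group("release", "package", "status", "version")
    if status == "not-affected":
        # any_exist is true whether or not the package is installed, so the
        # criterion MUST be negated or every host is reported vulnerable.
        note = "While related to the CVE in some way, the '%s' package in %s is not affected" % (package, release)
        note += (" (note: '%s')." % version) if version else "."
        return dict(package=package, status="not-affected", check_existence="any_exist",
                    negate=True, fix_version=None, note=note)
    if status == "needed":
        # No fixed version exists, so every installed version is affected:
        # presence of the package is the whole check (Tyler's point above).
        return dict(package=package, status="vulnerable", check_existence="at_least_one_exists",
                    negate=False, fix_version=None,
                    note="The '%s' package in %s is affected and needs fixing." % (package, release))
    if status == "released":
        return dict(package=package, status="fixed", check_existence="at_least_one_exists",
                    negate=False, fix_version=version,
                    note="The '%s' package in %s was vulnerable but has been fixed (note: '%s')." % (package, release, version))
    return None


def render_criterion(test_id, parsed):
    """Emit the <criterion/>. The negate attribute is written in this
    single-criterion path too, and in lower case as xs:boolean requires."""
    negate = ' negate="true"' if parsed["negate"] else ""
    return '<criterion test_ref="%s" comment="%s"%s/>' % (
        test_id, escape(parsed["note"], {'"': "&quot;"}), negate)


def render_test(test_id, object_id, state_id, parsed):
    """Emit the dpkginfo_test. A <state> (holding the version comparison) is
    referenced only when there is a fixed version; the wording of the
    versioned comment is this model's, not the generator's."""
    if parsed["check_existence"] == "any_exist":
        comment = "Returns true whether or not the '%s' package exists." % parsed["package"]
    elif parsed["fix_version"]:
        comment = "Does the '%s' package exist with a version below '%s'?" % (parsed["package"], parsed["fix_version"])
    else:
        comment = "Does the '%s' package exist?" % parsed["package"]
    state = ('\n<linux-def:state state_ref="%s"/>' % state_id) if parsed["fix_version"] else ""
    return ('<linux-def:dpkginfo_test id="%s" version="1" check_existence="%s" check="all" comment="%s">'
            '\n<linux-def:object object_ref="%s"/>%s\n</linux-def:dpkginfo_test>'
            % (test_id, parsed["check_existence"], escape(comment, {'"': "&quot;"}), object_id, state))
```

Run over the three lines from the thread, "not-affected" yields an any_exist test whose criterion carries negate="true"; "needed" yields an at_least_one_exists test with no version at all, which is why an up-to-date xfsprogs 4.x still fails CVE-2012-2150 while the status stays needed; and "released" is the only shape that carries a fix version for a state to compare against.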

>
> Thanks.
> Regards.
>
>
>
>
> On Wed, Jul 5, 2017 at 3:19 PM, Jesus Linares <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Hi,
>
>     finally I found the
>     issue: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110
>     <http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110>
>
>     In that line there is an if-else. The /else /has the logic to add
>     the "negate" attribute, but the /if/ doesn't have it.
>
>     It is neccesary to replace the lines 111 to 113, for:
>
>         negation_attribute = 'negate = "true" ' if 'negate' in
>         test_refs[0] and test_refs[0]['negate'] else ''
>         mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}"
>         {2}/>'.format(test_refs[0]['id'],
>         escape(test_refs[0]['comment']), negation_attribute)
>
>
>     In this way, the scan reports 109 fails instead of 1750. Now, I'm
>     going to review these 109 fails.
>
>     Please, update the script ASAP.
>
>     Thanks.
>     Regards.
>
>
>     On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <[hidden email]
>     <mailto:[hidden email]>> wrote:
>
>         Hi,
>
>         I'm testing again the oval files for Xenial 16.04 (updated) and
>         OpenSCAP reports 1750 /fails/... Something weird is happening. I
>         will check out this issue again, but I would appreciate any help.
>
>         Here an example:
>
>             <linux-def:dpkginfo_test
>             id="oval:com.ubuntu.xenial:tst:20176919000" version="1"
>             check_existence="any_exist" check="all" comment="*Returns
>             true whether or not the 'drupal7' package exists.*">
>             <linux-def:object
>             object_ref="oval:com.ubuntu.xenial:obj:20076752000"/>
>             </linux-def:dpkginfo_test>
>             <linux-def:dpkginfo_object
>             id="oval:com.ubuntu.xenial:obj:20076752000" version="1"
>             comment="The 'drupal7' package.">
>             <linux-def:name>drupal7</linux-def:name>
>             </linux-def:dpkginfo_object>
>
>
>         If the check always returns true, it doesn't make sense...
>
>         Thanks.
>         Regards.
>
>
>
>         On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <[hidden email]
>         <mailto:[hidden email]>> wrote:
>
>             Hi,
>
>             this is from the specific
>             CVE: xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1)
>
>             So, if it is not affected for xenial, the check should
>             include the "negate" in order to return that it is not a
>             vulnerability, right?
>
>             Regards.
>
>
>             On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold
>             <[hidden email]
>             <mailto:[hidden email]>> wrote:
>
>                 On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares
>                 wrote:
>                 > I think this test should have the "negate" due to the comment "While
>                 > related to the CVE in some way, the 'libapache-mod-jk' package in xenial
>                 > is not affected". So, maybe the input of the script is wrong? Where is
>                 > the input?
>
>                 The input is from the ubuntu-cve-tracker bzr tree;
>
>                 https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
>                 <https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master>
>
>                 In the case of this specific CVE:
>
>                 http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111
>                 <http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111>
>
>                 Thanks
>
>                 --
>                 ubuntu-hardened mailing list
>                 [hidden email]
>                 <mailto:[hidden email]>
>                 https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened <https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened>
>
>
>
>
>             --
>             Jesus Linares
>             IT Security Engineer
>
>
>
>
>         --
>         Jesus Linares
>         IT Security Engineer
>
>
>
>
>     --
>     Jesus Linares
>     IT Security Engineer
>
>
>
>
> --
> Jesus Linares
> IT Security Engineer
>
>




Re: OVAL shows vulnerabilities when software is not installed

Jesus Linares
Hi Tyler,

> The Ubuntu Security Team generates that file during CVE triage of newly assigned CVEs.

That is a manual process, right?

> Because all versions are affected. If the status is 'needed', it means
> that the Ubuntu Security team has not produced security updates that fix
> the CVE. Therefore, all systems with the xfsprogs deb package installed
> are affected.

So, right now, all systems with xfsprogs are vulnerable? The CVE was in 2012; it is not possible...

The description says that it only affects versions before 3.2.4. I think you just need to update the file: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150 changing the line:

xenial_xfsprogs: needed
to
xenial_xfsprogs: released (version?)


If that line has the version, the python script will generate the proper oval file.


I think I can't help more here, because the error is in the input files, not in the scripts.

What do you think?
Thanks.
Regards.



On Wed, Jul 5, 2017 at 5:12 PM, Tyler Hicks <[hidden email]> wrote:
On 07/05/2017 09:57 AM, Jesus Linares wrote:
> Hi,
>
> it seems there are more errors. For example, I get a "fail" for the
> check: CVE-2012-2150.
>
> If we review the oval file for that check:
>
>     <definition class="vulnerability"
>     id="oval:com.ubuntu.xenial:def:20122150000" version="1">
>         ...
>     <criteria>
>     <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
>     comment="Ubuntu 16.04 LTS (xenial) is installed."
>     applicability_check="true" />
>     <criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000"
>     comment="The 'xfsprogs' package in xenial is affected and needs
>     fixing." />
>     </criteria>
>     </definition>
>     <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20122150000"
>     version="1" check_existence="at_least_one_exists" check="all"
>     comment="Does the 'xfsprogs' package exist?">
>     <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20122150000"/>
>     </linux-def:dpkginfo_test>
>     <linux-def:dpkginfo_object
>     id="oval:com.ubuntu.xenial:obj:20122150000" version="1" comment="The
>     'xfsprogs' package.">
>     <linux-def:name>xfsprogs</linux-def:name>
>     </linux-def:dpkginfo_object>
>
>
> It is checking if the xfsprogs package exists. In my machine I have
> xfsprogs 4.3.0+nmu1ubuntu1 installed. So, the oscap is working
> properly. The point is: is my xfsprogs vulnerable? If we take a look at
> the input file to generate the
> oval: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
>
>     xfs_metadump in *xfsprogs before 3.2.4* does not properly obfuscate
>     file data, which allows remote attackers to obtain sensitive
>     information by reading a generated image.
>
>
> The description says: xfsprogs before 3.2.4 and I have the version 4.
> Oval is only checking if the package exists, but not its version. The
> reason is:
>
> The function parse_package_status
> (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117) parses
> the line:
>
>   * "xenial_xfsprogs: needed"
>     of http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
>     to
>   * "{'note': "The 'xfsprogs' package in trusty is affected and needs
>     fixing.", 'status': 'vulnerable'}".
>   * That means check only the package, not the version, because there is
>     no version
>     (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220)
>
> If we take a look at other checks:
>
>   * "xenial_git: released (1:2.7.4-0ubuntu1.1)" of
>     http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386
>     is parsed to
>   * {'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' package in
>     xenial was vulnerable but has been fixed (note:
>     '1:2.7.4-0ubuntu1.1').", 'status': 'fixed'}
>   * Here the version is checked.
>
> So, my final questions are:
>
>   * Who generates this
>     file http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150?

The Ubuntu Security Team generates that file during CVE triage of newly
assigned CVEs.

>   * Why is there no specific version?

Because all versions are affected. If the status is 'needed', it means
that the Ubuntu Security team has not produced security updates that fix
the CVE. Therefore, all systems with the xfsprogs deb package installed
are affected.

Do you know how that can be conveyed in the OVAL file?

>
> There are 109 fails after fixing the issue that I commented on in the previous
> email, and my OS is updated, so I suspect the same is happening in the
> rest of the checks.

Thanks for tracking down the issue you described in your previous email.
I'll hold off on committing that change until you're able to get to the
bottom of the issue you describe in this email.

Tyler

>
> Thanks.
> Regards.
>





--
Jesus Linares
IT Security Engineer


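A worked model of the generate-and-evaluate path this thread is debugging, added here as an example; it is not code from ubuntu-cve-tracker, from OpenSCAP or from any of the posters. It parses the three kinds of tracker status line quoted in the messages ('needed', 'released (version)', 'not-affected(version)') into the dict shape Jesus quotes, renders the <criterion> with and without the negate attribute (the if/else bug), and evaluates each criterion the way a scanner would against a constructed host inventory, with a dpkg-style version comparison so the 'released' case is a real version check rather than an existence check. Assumptions: the function names (parse_package_status here is a re-implementation, not the tracker's), the dict keys, the host inventory and the test IDs are mine; the other statuses mapped to 'vulnerable' (ignored, deferred, pending) follow what the thread lists; and modelling the 'fixed' test as at_least_one_exists plus a 'version older than the fix' state is an assumption, since the thread says the version is checked but does not show that test.

```python
import re
from xml.sax.saxutils import escape

# Tracker statuses that, per the thread, become a plain "package exists" check.
VULNERABLE_STATUSES = {"needed", "ignored", "deferred", "pending"}

def parse_package_status(line):
    """Parse 'xenial_xfsprogs: needed' / 'xenial_git: released (1:2.7.4-0ubuntu1.1)' /
    'xenial_foo:not-affected(1.2)' into the dict shape the thread quotes.
    Hypothetical re-implementation, not the tracker's own parse_package_status."""
    key, _, value = line.partition(":")            # first ':' only; versions may contain ':'
    release, _, package = key.strip().partition("_")
    m = re.match(r"^\s*([A-Za-z-]+)\s*(?:\(([^)]*)\))?", value)
    status, version = m.group(1), m.group(2)
    if status == "released":
        return {"status": "fixed", "fix-version": version, "note": f"The '{package}' package "
                f"in {release} was vulnerable but has been fixed (note: '{version}')."}
    if status == "not-affected":
        return {"status": "not-affected", "negate": True, "note": f"While related to the CVE "
                f"in some way, the '{package}' package in {release} is not affected."}
    if status in VULNERABLE_STATUSES:
        return {"status": "vulnerable",
                "note": f"The '{package}' package in {release} is affected and needs fixing."}
    raise ValueError(f"unhandled status {status!r} in {line!r}")

def criterion_xml(test_ref, entry, emit_negate=True):
    """Render the <criterion>; emit_negate=False reproduces the bug found in the
    thread (negate attribute dropped on one branch of the generator's if/else)."""
    negate = ' negate="true"' if emit_negate and entry.get("negate") else ""
    comment = escape(entry["note"], {'"': "&quot;"})
    return f'<criterion test_ref="{test_ref}" comment="{comment}"{negate}/>'

def _order(c):
    """Character weight of dpkg's version ordering ('~' sorts before everything)."""
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg-style compare of an upstream or revision part: alternating non-digit
    runs (weighted by _order) and digit runs (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1        # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1                                     # longer digit run wins
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def dpkg_compare(v1, v2):
    """Debian version ordering of '[epoch:]upstream[-revision]': <0, 0 or >0."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-")
        return int(epoch), (upstream or rest), (revision if upstream else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def dpkginfo_test_result(entry, installed_version):
    """Model of the dpkginfo_test emitted per status (installed_version=None: package
    absent). not-affected uses check_existence="any_exist" with no state, so it is
    true on every host; vulnerable uses at_least_one_exists (true iff installed);
    fixed is assumed to add a 'version < fix-version' state."""
    if entry["status"] == "not-affected":
        return True
    if installed_version is None:
        return False
    if entry["status"] == "fixed":
        return dpkg_compare(installed_version, entry["fix-version"]) < 0
    return True

def reports_vulnerable(entry, installed_version, emit_negate=True):
    """Criterion value as the scanner computes it: the test result, inverted when
    negate="true" was emitted. Without negate every not-affected criterion is true,
    which is how the thread's scan came to report 1750 'fails'."""
    result = dpkginfo_test_result(entry, installed_version)
    return (not result) if (emit_negate and entry.get("negate")) else result

if __name__ == "__main__":
    # Constructed host inventory: package -> installed version, None = absent.
    host = {"xfsprogs": "4.3.0+nmu1ubuntu1", "git": "1:2.7.4-0ubuntu1", "libapache-mod-jk": None}
    for n, line in enumerate(["xenial_xfsprogs: needed", "xenial_git: released (1:2.7.4-0ubuntu1.1)",
                              "xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1)"]):
        entry, pkg = parse_package_status(line), line.partition(":")[0].partition("_")[2]
        print(criterion_xml(f"oval:example:tst:{n}", entry))
        print("  vulnerable:", reports_vulnerable(entry, host[pkg]),
              "| with the negate bug:", reports_vulnerable(entry, host[pkg], False))
```

Run as a script, it prints the three criteria and, beside each, the verdict with and without negate: xfsprogs 4.3.0+nmu1ubuntu1 is still flagged under 'needed' because that status yields an existence-only test (the point Jesus raises about CVE-2012-2150), git is flagged only while it is older than the fix version, and the not-affected package is flagged on every host, installed or not, exactly when the negate attribute is dropped, which is why the any_exist tests produced so many 'fails'.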

Re: OVAL shows vulnerabilities when software is not installed

Tyler Hicks-2
On 07/05/2017 10:30 AM, Jesus Linares wrote:
> Hi Tyler,
>
>     The Ubuntu Security Team generates that file during CVE triage of
>     newly assigned CVEs.
>
>
> That is a manual process, right?

Yes, it is manual.

>
>     Because all versions are affected. If the status is 'needed', it means
>     that the Ubuntu Security team has not produced security updates that fix
>     the CVE. Therefore, all systems with the xfsprogs deb package installed
>     are affected.
>
>
> So, right now, all systems with xfsprogs are vulnerable? The CVE was
> in 2012; it is not possible...
>
> The description says that it only affects versions before 3.2.4. I think
> you just need to update the
> file: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> changing the line:
>
>     xenial_xfsprogs: needed
>
> to
>
>     xenial_xfsprogs: released (version?)
>
>
> parse_package_status function for needed
> status: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L149
>
> If that line has the version, the python script will generate the proper
> oval file.

I thought that you were saying that, in general, a 'needed' status
without a version number would generate problematic OVAL data. Now I
understand that you were saying that CVE-2012-2150 needed to be
retriaged. I've done that here:

 http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12855

I've also committed the oval_lib.py change that you suggested:

 http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12856

Thanks for debugging the issue and providing a fix! Let us know if you
find any other issues in the generation of OVAL data.

Tyler

>
>
> I think I can't help more here, because the error is in the input files,
> not in the scripts.
>
> What do you think?
> Thanks.
> Regards.



Re: OVAL shows vulnerabilities when software is not installed

Jesus Linares
Hi Tyler,

thanks for the changes. Now, I have around 109 fails.

According to the scripts, if a CVE has one of the following statuses:
  • needed
  • ignored
  • deferred
  • pending
it is parsed as "vulnerable". The OVAL generated for "vulnerable" CVEs is "check if the package exists"; it doesn't check any version. This may make sense for some packages, but I think it is not possible to have 109 fails on an updated host.

What do those statuses mean?

I attached a file with the list of cve files that the Ubuntu Security Team should review.

OVAL is a great tool and the Ubuntu process to generate the OVAL checks is almost ready. I think it just needs a little review, and great care when assigning a status to the CVE file. This will be very useful for the community.

Thanks.
Regards.



On Wed, Jul 5, 2017 at 6:02 PM, Tyler Hicks <[hidden email]> wrote:
On 07/05/2017 10:30 AM, Jesus Linares wrote:
> Hi Tyler,
>
>     The Ubuntu Security Team generates that file during CVE triage of
>     newly assigned CVEs.
>
>
> That is a manual process, right?

Yes, it is manual.

>
>     Because all versions are affected. If the status is 'needed', it means
>     that the Ubuntu Security team has not produced security updates that fix
>     the CVE. Therefore, all systems with the xfsprogs deb package installed
>     are affected.
>
>
> So, right now, all systems with xfsprogs are vulnerable? The CVE was
> in 2012; it is not possible...
>
> The description says that it only affects versions before 3.2.4. I think
> you just need to update the
> file: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> changing the line:
>
>     xenial_xfsprogs: needed
>
> to
>
>     xenial_xfsprogs: released (version?)
>
>
> parse_package_status function for needed
> status: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L149
>
> If that line has the version, the python script will generate the proper
> oval file.

I thought that you were saying that, in general, a 'needed' status
without a version number would generate problematic OVAL data. Now I
understand that you were saying that CVE-2012-2150 needed to be
retriaged. I've done that here:

 http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12855

I've also committed the oval_lib.py change that you suggested:

 http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12856

Thanks for debugging the issue and providing a fix! Let us know if you
find any other issues in the generation of OVAL data.

Tyler

>
>     The Ubuntu Security Team generates that file during CVE triage of newly
>     assigned CVEs.
>
>     >   * Why there is no a specific version?
>
>     Because all versions are affected. If the status is 'needed', it means
>     that the Ubuntu Security team has not produced security updates that fix
>     the CVE. Therefore, all systems with the xfsprogs deb package installed
>     are affected.
>
>     Do you know how that can be conveyed in the OVAL file?
>
>     >
>     > There are 109 fails after fix the issue that I commented in the previous
>     > email and my OS is updated, so I suspect it is happening the same in the
>     > rest of checks.
>
>     Thanks for tracking down the issue you described in your previous email.
>     I'll hold off on committing that change until you're able to get to the
>     bottom of the issue you describe in this email.
>
>     Tyler
>
>     >
>     > Thanks.
>     > Regards.
>     >
>     >
>     >
>     >
>     > On Wed, Jul 5, 2017 at 3:19 PM, Jesus Linares <[hidden email] <mailto:[hidden email]>
>     > <mailto:[hidden email] <mailto:[hidden email]>>> wrote:
>     >
>     >     Hi,
>     >
>     >     finally I found the
>     >     issue: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110
>     <http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110>
>     >     <http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110
>     <http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110>>
>     >
>     >     In that line there is an if-else. The /else /has the logic to add
>     >     the "negate" attribute, but the /if/ doesn't have it.
>     >
>     >     It is neccesary to replace the lines 111 to 113, for:
>     >
>     >         negation_attribute = 'negate = "true" ' if 'negate' in
>     >         test_refs[0] and test_refs[0]['negate'] else ''
>     >         mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}"
>     >         {2}/>'.format(test_refs[0]['id'],
>     >         escape(test_refs[0]['comment']), negation_attribute)
>     >
>     >
>     >     In this way, the scan reports 109 fails instead of 1750. Now, I'm
>     >     going to review these 109 fails.
>     >
>     >     Please, update the script ASAP.
>     >
>     >     Thanks.
>     >     Regards.
>     >
>     >
>     >     On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <[hidden email] <mailto:[hidden email]>
>     >     <mailto:[hidden email] <mailto:[hidden email]>>> wrote:
>     >
>     >         Hi,
>     >
>     >         I'm testing again the oval files for Xenial 16.04 (updated) and
>     >         OpenSCAP reports 1750 /fails/... Something weird is
>     happening. I
>     >         will check out this issue again, but I would appreciate any help.
>     >
>     >         Here an example:
>     >
>     >             <linux-def:dpkginfo_test
>     >             id="oval:com.ubuntu.xenial:tst:20176919000" version="1"
>     >             check_existence="any_exist" check="all" comment="*Returns
>     >             true whether or not the 'drupal7' package exists.*">
>     >             <linux-def:object
>     >             object_ref="oval:com.ubuntu.xenial:obj:20076752000"/>
>     >             </linux-def:dpkginfo_test>
>     >             <linux-def:dpkginfo_object
>     >             id="oval:com.ubuntu.xenial:obj:20076752000" version="1"
>     >             comment="The 'drupal7' package.">
>     >             <linux-def:name>drupal7</linux-def:name>
>     >             </linux-def:dpkginfo_object>
>     >
>     >
>     >         If the check return always true, it doesn't make sense...
>     >
>     >         Thanks.
>     >         Regards.
>     >
>     >
>     >
>     >         On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <[hidden email] <mailto:[hidden email]>
>     >         <mailto:[hidden email] <mailto:[hidden email]>>> wrote:
>     >
>     >             Hi,
>     >
>     >             this is from the specific
>     >             CVE:
>     xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1)
>     >
>     >             So, if it is not affected for xenial, the check should
>     >             include the "negate" in order to return that is not a
>     >             vulnerability, right?.
>     >
>     >             Regards.
>     >
>     >
>     >             On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold
>     >             <[hidden email] <mailto:[hidden email]>
>     >             <mailto:[hidden email] <mailto:[hidden email]>>> wrote:
>     >
>     >                 On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares
>     >                 wrote:
>     >                 > I think this test should have the "negate" due to the comment "While
>     >                 > related to the CVE in some way, the 'libapache-mod-jk'
>     >                 package in* xenial
>     >                 > is not affected*". So, maybe the input of the script
>     >                 is wrong?. Where is
>     >                 > the input?.
>     >
>     >                 The input is from the ubuntu-cve-tracker bzr tree;
>     >
>     >                 https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master <https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master>
>     >                 <https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master <https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master>>
>     >
>     >                 In the case of this specific CVE:
>     >
>     >                 http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111
>     <http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111>
>     >                 <http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111
>     <http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111>>
>     >
>     >                 Thanks
>     >
>     >                 --
>     >                 ubuntu-hardened mailing list
>     >                 [hidden email]
>     <mailto:[hidden email]>
>     >                 <mailto:[hidden email]
>     <mailto:[hidden email]>>
>     >
>      https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>     <https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened>
>     <https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>     <https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened>>
>     >
>     >
>     >
>     >
>     >             --
>     >             *Jesus Linares*
>     >             /IT Security Engineer/
>     >             /
>     >             /
>     >
>     >
>     >
>     >
>     >         --
>     >         *Jesus Linares*
>     >         /IT Security Engineer/
>     >         /
>     >         /
>     >
>     >
>     >
>     >
>     >     --
>     >     *Jesus Linares*
>     >     /IT Security Engineer/
>     >     /
>     >     /
>     >
>     >
>     >
>     >
>     > --
>     > *Jesus Linares*
>     > /IT Security Engineer/
>     > /
>     > /
>     >
>     >
>
>
>
>
>
> --
> *Jesus Linares*
> /IT Security Engineer/
> /
> /





--
Jesus Linares
IT Security Engineer


--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

Attachment: xenial_cve_review.txt (18K)

Re: OVAL shows vulnerabilities when software is not installed

Tyler Hicks-2
On 07/06/2017 06:24 AM, Jesus Linares wrote:

> Hi Tyler,
>
> thanks for the changes. Now, I have around 109 fails.
>
> According to the scripts, if a CVE has one of the following statuses:
>
>   * needed
>   * ignored
>   * deferred
>   * pending
>
> it is parsed as "vulnerable" status. The oval generated for "vulnerable"
> CVEs is: "check if the package exists". *It doesn't check any version*.
> This may make sense for some packages, but I think it is not possible to
> have 109 fails in an updated host.
>
> What do those statuses mean?

Package statuses are documented here:

 http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/README#L224

> I attached a file with the list of cve files that the Ubuntu Security
> Team should review.

Thanks but that's non-trivial to do.

This highlights a potential problem with the OVAL data. The Ubuntu CVE
Tracker is not always up-to-date so the OVAL data will always have some
number of false positives. It is simply not possible for us to keep
every CVE up-to-date in the tracker at all times.

You're more than welcome to contribute pull requests to the Ubuntu CVE
Tracker project as you triage CVEs:

  https://launchpad.net/ubuntu-cve-tracker

We'd love to see you update any CVEs that you feel are out of date. Thanks!

Tyler

>
> OVAL is a great tool and the Ubuntu process to generate the oval checks
> is almost ready. I think it just needs a little review, and being very
> careful during the process of assigning a status to the cve file. This will
> be very useful for the community.
>
> Thanks.
> Regards.
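Both the analysis in Jesus's earlier message (a 'needed' line becoming an existence-only dpkginfo_test while 'released (version)' gets a version comparison, plus the missing negate attribute in oval_lib.py) and the status list quoted at the top of this reply are easier to reason about with a small runnable model. The following is an added example written for this thread, not code from ubuntu-cve-tracker's generate-oval or oval_lib.py: the regex, the status-to-check mapping, the 'oval:com.example.<release>' ids, the installed-package table and the 'released (4.0.0)' line used for xfsprogs are all constructed assumptions, and dpkg_compare is a port of dpkg's version-ordering algorithm so that the version-aware check can be evaluated offline.

```python
# Toy OVAL generator/evaluator for ubuntu-cve-tracker style lines; constructed for this thread, not the project's scripts.
import re
from xml.sax.saxutils import escape

# "<release>_<package>: <status> (<detail>)", e.g. "xenial_git: released (1:2.7.4-0ubuntu1.1)"
STATUS_RE = re.compile(r'^(?P<release>[a-z]+)_(?P<pkg>[a-z0-9][a-z0-9.+-]*):\s*'
                       r'(?P<status>[A-Za-z-]+)\s*(?:\((?P<detail>[^)]*)\))?\s*$')
VULNERABLE_STATUSES = {'needed', 'ignored', 'deferred', 'pending'}  # all collapse to 'vulnerable'

def parse_package_status(line):
    """Map one tracker line to {'status': vulnerable|fixed|not-affected, 'fix-version', 'note', ...}.
    Returns None for statuses this toy emits no check for (DNE, needs-triage, ...)."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError('unrecognised status line: %r' % line)
    release, pkg, status, detail = m.group('release', 'pkg', 'status', 'detail')
    entry = {'release': release, 'package': pkg, 'fix-version': None}
    if status == 'released' and detail:
        entry['status'], entry['fix-version'] = 'fixed', detail.strip()
        entry['note'] = "The '%s' package in %s was vulnerable but has been fixed (note: '%s')." % (pkg, release, detail.strip())
    elif status == 'not-affected':
        entry['status'] = 'not-affected'
        entry['note'] = "While related to the CVE in some way, the '%s' package in %s is not affected." % (pkg, release)
    elif status in VULNERABLE_STATUSES:
        entry['status'] = 'vulnerable'
        entry['note'] = "The '%s' package in %s is affected and needs fixing." % (pkg, release)
    else:
        return None
    return entry

def oval_fragments(entry, num):
    """Return (criterion, test, object, state) XML strings; state is None without a fix version.
    Ids use a made-up 'oval:com.example.<release>' namespace, not the real feed's numbering."""
    ns = 'oval:com.example.%s' % entry['release']
    tst, obj, ste = ['%s:%s:%d' % (ns, kind, num) for kind in ('tst', 'obj', 'ste')]
    note = escape(entry['note'], {'"': '&quot;'})
    # negate="true" is what the thread's oval_lib.py fix adds; with an any_exist test the
    # criterion is then false whether or not the package is installed.
    negate = ' negate="true"' if entry['status'] == 'not-affected' else ''
    criterion = '<criterion test_ref="%s" comment="%s"%s/>' % (tst, note, negate)
    obj_xml = '<linux-def:dpkginfo_object id="%s" version="1"><linux-def:name>%s</linux-def:name></linux-def:dpkginfo_object>' % (obj, entry['package'])
    existence, state_ref, state = 'at_least_one_exists', '', None
    if entry['status'] == 'fixed':  # version-aware: only an installed version older than the fix matches
        state_ref = '<linux-def:state state_ref="%s"/>' % ste
        state = ('<linux-def:dpkginfo_state id="%s" version="1"><linux-def:evr datatype="debian_evr_string" '
                 'operation="less than">%s</linux-def:evr></linux-def:dpkginfo_state>' % (ste, entry['fix-version']))
    elif entry['status'] == 'not-affected':
        existence = 'any_exist'
    # 'vulnerable' keeps the existence-only test the thread complains about: installed means fail
    test = ('<linux-def:dpkginfo_test id="%s" version="1" check_existence="%s" check="all" comment="%s">'
            '<linux-def:object object_ref="%s"/>%s</linux-def:dpkginfo_test>' % (tst, existence, note, obj, state_ref))
    return criterion, test, obj_xml, state

def _order(ch):  # dpkg's weighting: '~' < end-of-string or digit < letters < other punctuation
    return -1 if ch == '~' else 0 if ch == '' or ch.isdigit() else ord(ch) if ch.isalpha() else ord(ch) + 256

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp: alternate non-digit runs (by _order) and digit runs (numerically)."""
    at = lambda s, k: s[k] if k < len(s) else ''
    i = j = 0
    while at(a, i) or at(b, j):
        first_diff = 0
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            diff = _order(at(a, i)) - _order(at(b, j))
            if diff:
                return diff
            i, j = i + 1, j + 1
        while at(a, i) == '0':
            i += 1
        while at(b, j) == '0':
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if at(a, i).isdigit() or at(b, j).isdigit():  # the longer digit run is the bigger number
            return 1 if at(a, i).isdigit() else -1
        if first_diff:
            return first_diff
    return 0

def dpkg_compare(v1, v2):
    """Compare Debian versions ([epoch:]upstream[-revision]); returns -1, 0 or 1."""
    def split(v):
        epoch, sep, rest = v.partition(':')
        epoch, rest = (epoch, rest) if sep else ('0', v)
        upstream, sep, rev = rest.rpartition('-')
        return int(epoch), (upstream if sep else rest), (rev if sep else '')
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def is_vulnerable(entry, installed):
    """Resolve the generated criterion the way a scanner would; True means the check fails."""
    version = installed.get(entry['package'])
    if version is None or entry['status'] == 'not-affected':
        return False
    if entry['status'] == 'vulnerable':
        return True  # nothing to compare against, so any installed version is reported
    return dpkg_compare(version, entry['fix-version']) < 0
```

Running is_vulnerable over the three tracker lines from the thread reproduces the behaviour under discussion: 'xenial_xfsprogs: needed' fails on a host with xfsprogs 4.3.0+nmu1ubuntu1 installed because there is nothing to compare against, 'xenial_git: released (1:2.7.4-0ubuntu1.1)' passes on that version and fails only on an older one, and the not-affected libapache-mod-jk entry never fails once its criterion carries negate="true". Retriaging the xfsprogs entry to a released status with a version is what turns the first case into a version check.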

Re: OVAL shows vulnerabilities when software is not installed

Seth Arnold
In reply to this post by Jesus Linares
On Thu, Jul 06, 2017 at 01:24:12PM +0200, Jesus Linares wrote:
> it is parsed as "vulnerable" status. The oval generated for "vulnerable"
> CVEs is: "check if the package exists". *It doesn't check any version*. This
> may make sense for some packages, but I think it is not possible to have
> 109 fails in an updated host.

Strictly speaking, 109 fails in an updated host may make perfect sense:

- The Ubuntu security team provides security support for packages in
  main. The security team triages CVEs into different priorities and
  may not get around to fixing 'low' or 'negligible' CVEs quickly.

- The Ubuntu community provides security support for packages in universe.
  The community may update some packages frequently (mariadb comes to
  mind) while others never get updated.

- As Tyler mentioned, it's possible for individual CVE entries to
  incorrectly mark that an update is still needed for an issue even
  though a fix has filtered in through Debian, perhaps years ago. We
  fix these as we find them but probably the majority of fixes in this
  category comes from Ubuntu community members researching the open CVEs
  on their systems.

This is one of my hopes of having a good OVAL tool: no one can inspect
4000 open CVEs to see which ones still need to be closed. But 109 is an
approachable problem. If everyone with more open CVEs than they expect
investigates a few we'll have this list knocked down in no time!

Thanks
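
A triage helper for the investigation Seth suggests, as an added example (not code from the thread or from Ubuntu's OVAL tooling): given an OVAL document, it lists the vulnerability definitions whose criteria rest on dpkginfo tests that carry no state element and therefore pass on package presence alone, the pattern shown for tomcat6 at the top of the thread. The OVAL fragment inside is constructed and modeled on that tomcat6 test; ids ending in `:0` and the CVE-0000-0000 title are placeholders.

```python
# Added example (not from the thread or Ubuntu's OVAL tooling): find definitions
# whose criteria rest on dpkginfo tests that check existence only, no version.
import xml.etree.ElementTree as ET

NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "l": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}

# Constructed OVAL fragment modeled on the thread's tomcat6 case plus one
# version-checked test for contrast; ids ending in :0 are placeholders.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
 xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<definitions>
 <definition id="oval:com.ubuntu.xenial:def:20132071000" class="vulnerability">
  <metadata><title>CVE-2013-2071 on Ubuntu 16.04 LTS (xenial) - medium</title></metadata>
  <criteria operator="OR"><criterion test_ref="oval:com.ubuntu.xenial:tst:20132071000"/></criteria>
 </definition>
 <definition id="oval:com.ubuntu.xenial:def:0" class="vulnerability">
  <metadata><title>CVE-0000-0000 (placeholder) on Ubuntu 16.04 LTS (xenial) - low</title></metadata>
  <criteria><criterion test_ref="oval:com.ubuntu.xenial:tst:0"/></criteria>
 </definition>
</definitions>
<tests>
 <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20132071000" version="1"
  check_existence="any_exist" check="all" comment="Returns true whether or not the 'tomcat6' package exists.">
  <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20123544000"/>
 </linux-def:dpkginfo_test>
 <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:0" version="1" check="all"
  check_existence="at_least_one_exists" comment="constructed version-checked test">
  <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:0"/>
  <linux-def:state state_ref="oval:com.ubuntu.xenial:ste:0"/>
 </linux-def:dpkginfo_test>
</tests>
</oval_definitions>"""


def existence_only_tests(root):
    """Ids of dpkginfo tests with no <state>: they pass whenever the package
    is installed, so a fully updated host still 'fails' them."""
    return {t.get("id") for t in root.iterfind(".//l:dpkginfo_test", NS)
            if t.find("l:state", NS) is None}


def flag_definitions(xml_text):
    """Map definition title -> existence-only test ids its criteria rely on."""
    root = ET.fromstring(xml_text)
    weak = existence_only_tests(root)
    report = {}
    for d in root.iterfind(".//d:definition", NS):
        title = d.findtext("d:metadata/d:title", "", NS)
        hits = [c.get("test_ref") for c in d.iterfind(".//d:criterion", NS)
                if c.get("test_ref") in weak]
        if hits:
            report[title] = hits
    return report
```

Run against the real com.ubuntu.xenial.cve.oval.xml by passing its contents to `flag_definitions`; definitions it reports are the ones whose "vulnerable" verdict says nothing about the installed version and are worth checking first.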


Re: OVAL shows vulnerabilities when software is not installed

Jesus Linares
Thanks for the explanation. I understand that it is not trivial. It may be a good idea to review the Red Hat OVAL process because it works very well: https://www.redhat.com/security/data/oval/.

> But 109 is an approachable problem

I don't agree. If I have 100 Ubuntu servers and I run oscap every day... I will get 10900 useless alerts. Of course, I can ignore them, but it is also a hard task. On the other hand, will 109 fails be 200 in one year? I think the Ubuntu OVAL feed must be a feed with 0 false positives to be useful. I mean, false positives must be fixed when you are aware of them.

Do not misunderstand, I appreciate all the work done, but I think this process still needs a revision.

Thanks a lot!


On Fri, Jul 7, 2017 at 2:13 AM, Seth Arnold <[hidden email]> wrote:
--
Jesus Linares
IT Security Engineer

