TheHive-Project / Cortex-Analyzers

Cortex Analyzers Repository
https://TheHive-Project.github.io/Cortex-Analyzers/
GNU Affero General Public License v3.0

[Bug] Unknown type "X509V3ExtensionsType" Python Error in OpenCTI Analyzers #1104

Open cwrw404 opened 2 years ago

cwrw404 commented 2 years ago

Description

I have a docker instance running TheHive's Cortex and OpenCTI all within the same docker-compose stack (so connected).

When attempting to run an analyzer against OpenCTI, I get the error below.

This seems to be related to an outdated version of OpenCTI Python library - is there a way to update it?

Environment

Docker container setup using Portainer stack (docker-compose) Cortex v3.1.4-1 OpenCTI v5.3.5

Reproducible Steps

Submit any IoC (in this instance it's a known indicator ending in .xyz which has been redacted from the log) for analysis using OpenCTI_SearchObservables_2_0 or OpenCTI_SearchExactObservable_2_0 in Cortex

Expected Output

Query the OpenCTI db and retrieve known results

Actual Output

Cortex Error

ERROR:root:Unknown type "X509V3ExtensionsType".
Traceback (most recent call last):
  File "/worker/OpenCTI/opencti.py", line 111, in <module>
    OpenCTIAnalyzer().run()
  File "/worker/OpenCTI/opencti.py", line 65, in run
    observables = opencti["api_client"].stix_cyber_observable.list(search=data)
  File "/usr/local/lib/python3.10/site-packages/pycti/entities/opencti_stix_cyber_observable.py", line 370, in list
    result = self.opencti.query(
  File "/usr/local/lib/python3.10/site-packages/pycti/api/opencti_api_client.py", line 314, in query
    raise ValueError(
ValueError: {'name': 'Unknown type "X509V3ExtensionsType".', 'message': 'Unknown type "X509V3ExtensionsType".'}

OpenCTI log:

{"category":"APP","error":{"stacktrace":["GraphQLError: Unknown type \"X509V3ExtensionsType\".","at Object.NamedType (/opt/opencti/build/node_modules/graphql/validation/rules/KnownTypeNamesRule.js:65:11)","at Object.enter (/opt/opencti/build/node_modules/graphql/language/visitor.js:301:32)","at Object.enter (/opt/opencti/build/node_modules/graphql/utilities/TypeInfo.js:391:27)","at visit (/opt/opencti/build/node_modules/graphql/language/visitor.js:197:21)","at validate (/opt/opencti/build/node_modules/graphql/validation/validate.js:91:18)","at v (/opt/opencti/build/node_modules/apollo-server-core/src/requestPipeline.ts:470:12)","at processGraphQLRequest (/opt/opencti/build/node_modules/apollo-server-core/src/requestPipeline.ts:261:30)","at runMicrotasks (<anonymous>)","at processTicksAndRejections (node:internal/process/task_queues:96:5)","at processHTTPRequest (/opt/opencti/build/node_modules/apollo-server-core/src/runHttpQuery.ts:433:24)"]},"inner_relation_creation":0,"level":"error","message":"API Call","operation":"Unspecified","operation_query":"query StixCyberObservables($types:[String]$filters:[StixCyberObservablesFiltering]$search:String$first:Int$after:ID$orderBy:StixCyberObservablesOrdering$orderMode:OrderingMode){stixCyberObservables(types:$types filters:$filters search:$search first:$first after:$after orderBy:$orderBy orderMode:$orderMode){edges{node{id standard_id entity_type parent_types spec_version created_at updated_at createdBy{...on Identity{id standard_id entity_type parent_types spec_version identity_class name description roles contact_information x_opencti_aliases created modified objectLabel{edges{node{id value color}}}}...on Organization{x_opencti_organization_type x_opencti_reliability}...on Individual{x_opencti_firstname x_opencti_lastname}}objectMarking{edges{node{id standard_id entity_type definition_type definition created modified x_opencti_order x_opencti_color}}}objectLabel{edges{node{id value 
color}}}externalReferences{edges{node{id standard_id entity_type source_name description url hash external_id created modified importFiles{edges{node{id name size metaData{mimetype version}}}}}}}observable_value x_opencti_description x_opencti_score indicators{edges{node{id pattern pattern_type}}}...on AutonomousSystem{number name rir}...on Directory{path path_enc ctime mtime atime}...on DomainName{value}...on EmailAddr{value display_name}...on EmailMessage{is_multipart attribute_date content_type message_id subject received_lines body}...on Artifact{mime_type payload_bin url encryption_algorithm decryption_key hashes{algorithm hash}importFiles{edges{node{id name size}}}}...on StixFile{extensions size name name_enc magic_number_hex mime_type ctime mtime atime x_opencti_additional_names hashes{algorithm hash}}...on X509Certificate{is_self_signed version serial_number signature_algorithm issuer subject subject_public_key_algorithm subject_public_key_modulus subject_public_key_exponent validity_not_before validity_not_after hashes{algorithm hash}}...on IPv4Addr{value}...on IPv6Addr{value}...on MacAddr{value}...on Mutex{name}...on NetworkTraffic{extensions start end is_active src_port dst_port protocols src_byte_count dst_byte_count src_packets dst_packets}...on Process{extensions is_hidden pid created_time cwd command_line environment_variables}...on Software{name cpe swid languages vendor version}...on Url{value}...on UserAccount{extensions user_id credential account_login account_type display_name is_service_account is_privileged can_escalate_privs is_disabled account_created account_expires credential_last_changed account_first_login account_last_login}...on WindowsRegistryKey{attribute_key modified_time number_of_subkeys}...on WindowsRegistryValueType{name data data_type}...on X509V3ExtensionsType{basic_constraints name_constraints policy_constraints key_usage extended_key_usage subject_key_identifier authority_key_identifier subject_alternative_name 
issuer_alternative_name subject_directory_attributes crl_distribution_points inhibit_any_policy private_key_usage_period_not_before private_key_usage_period_not_after certificate_policies policy_mappings}...on XOpenCTICryptographicKey{value}...on XOpenCTICryptocurrencyWallet{value}...on XOpenCTIText{value}...on XOpenCTIUserAgent{value}importFiles{edges{node{id name size metaData{mimetype version}}}}}}pageInfo{startCursor endCursor hasNextPage hasPreviousPage globalCount}}}","size":112,"time":95,"timestamp":"2022-06-13T20:33:15.379Z","type":"READ_ERROR","user":{"ip":"::ffff:10.0.0.2","user_id":"redacted-the-admin-api"},"variables":{"after":null,"filters":null,"first":100,"orderBy":null,"orderMode":null,"search":"badwebsite.xyz","types":null},"version":"5.3.5"}
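A quick way to confirm the diagnosis in the opening post, as an added example that is not part of the Cortex-Analyzers project or the pycti library: pull every `...on Type` inline fragment out of the query the client sends and compare those names against the list of types the server reports. Inputs are constructed: CLIENT_QUERY is a cut-down excerpt of the query from the OpenCTI log above, SERVER_TYPES stands in for an introspection result from an OpenCTI 5.3.5 server (assumed to lack X509V3ExtensionsType), and fetch_server_types is a hypothetical helper for running the same check against a live instance.

```python
import re
from typing import Iterable

# Constructed excerpt of the query the pycti 5.0.3 client sends (cut down from the
# OpenCTI log above); only the inline fragments matter for this check.
CLIENT_QUERY = """query StixCyberObservables($search:String){
  stixCyberObservables(search:$search){edges{node{id standard_id entity_type
    ...on DomainName{value}...on Url{value}...on IPv4Addr{value}
    ...on X509Certificate{is_self_signed version serial_number}
    ...on X509V3ExtensionsType{basic_constraints key_usage subject_alternative_name}
  }}}}"""

# Constructed stand-in for the `__schema{types{name}}` introspection result of an
# OpenCTI 5.3.5 server (assumption: X509V3ExtensionsType is absent from its schema).
SERVER_TYPES = [{"name": n} for n in (
    "Query", "StixCyberObservable", "DomainName", "Url", "IPv4Addr", "X509Certificate",
)]

FRAGMENT_RE = re.compile(r"\.\.\.\s*on\s+([A-Za-z_][A-Za-z0-9_]*)")


def referenced_types(query: str) -> set:
    """Type names used in inline fragments (`...on Foo{...}`) of a GraphQL query."""
    return set(FRAGMENT_RE.findall(query))


def unknown_types(query: str, schema_types: Iterable[dict]) -> list:
    """Fragment types the server does not know. GraphQL validation rejects the whole
    query when this is non-empty, which is the 'Unknown type' error in the log."""
    known = {t["name"] for t in schema_types}
    return sorted(referenced_types(query) - known)


def fetch_server_types(url: str, token: str) -> list:
    """Hypothetical live variant: run the introspection query against a real OpenCTI
    /graphql endpoint (not exercised here; assumes a bearer API token)."""
    import requests  # third-party; only needed for the live check
    resp = requests.post(url, json={"query": "{__schema{types{name}}}"},
                         headers={"Authorization": f"Bearer {token}"}, timeout=30)
    resp.raise_for_status()
    return resp.json()["data"]["__schema"]["types"]


if __name__ == "__main__":
    missing = unknown_types(CLIENT_QUERY, SERVER_TYPES)
    if missing:
        print("client query references types unknown to the server:", ", ".join(missing))
    else:
        print("all fragment types are present in the server schema")
```

If the live check reports the same missing type, the client library (pycti) is the side that needs updating, not the server.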

alfwazi commented 2 years ago

I have the same issue, Could someone tell me how to access the file opencti.py on Portainer environment?

sercuz commented 2 years ago

Hello all, I have the exact same issue. Can anyone help us in this bug?

cwrw404 commented 2 years ago

The version in the current cortexneurons/opencti_searchobservables:2 docker image is pycti v5.0.3. The actual current version is pycti v5.3.5

One option is to go into the cortexneurons/opencti_searchobservables:2 docker image (remember to override the entrypoint to a bash shell), update pycti, create a new local image and add the updated analyzer as a custom analyzer (this will help - https://thehive-project.github.io/Cortex-Analyzers/dev_guides/dockerize-your-custom-analyzers-responders/)

You'll need to drop into Cortex container and update the various files. I found it easier to move files from /opt/cortex/jobs as that is mapped to the host by the default settings.

I was so nearly there but struggled with getting Cortex to see my updated local image... which might be another bug?

robben-ar commented 2 years ago

I have the same problem. I ran the upgrade "pip3 install pycti==5.3.7" ok. This resolves the hashes analysis from TheHive to OpenCTI via Cortex, but with the domain/url/hostname/IP analysis it returns the following error in Cortex:

{ "errorMessage": "", "input": null, "success": false }

bakhtawarw commented 2 years ago

@cwrw404 I installed an older version of OpenCTI, i.e. 5.0.3, which uses pycti 5.0.3. But the OpenCTI Cortex analyzer still isn't working. I am experiencing the error of unknown cryptographic key.

igcoser commented 2 years ago

Hi! Any solution found for this bug?

igcoser commented 2 years ago

I have the same problem. I ran the upgrade "pip3 install pycti==5.3.7" ok. This resolves the hashes analysis from TheHive to OpenCTI via Cortex, but with the domain/url/hostname/IP analysis it returns the following error in Cortex:

{ "errorMessage": "", "input": null, "success": false }

Hi. I have the same problem. Could you resolve it?

SamuelHassine commented 2 years ago

Just need a new tag here to take into account the new version of the Python library in the analyzer.