Closed gh-greg closed 2 years ago
Hi @gh-greg -- we are already using Canonical's vulnerability feeds when matching Ubuntu packages! Is there a specific reason to use OVAL otherwise?
If you'd like to see the data source for each vulnerability, you could run something like:
```shell
grype -o json ubuntu:latest | jq '.matches[].vulnerability.dataSource'
```
This is what we see, which is from Canonical:
```text
"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-29458"
"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219"
"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3358"
"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-37434"
```
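An added helper, not the grype project's code and not from this thread, that does what the jq one-liner above does on a constructed sample of grype's JSON report, and additionally groups matches per package and pulls out the deb matches whose record did not come from Canonical's tracker (the ones worth cross-checking against ubuntu.com/security/cves). The field names (`matches[].vulnerability.dataSource`, `.fix`, `matches[].artifact`) are grype's JSON report fields; all sample values are made up, including the NVD-sourced bind9 record.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of grype's JSON report (grype -o json), cut down to the
# fields read below. Not real scan results; the NVD-sourced bind9 record is
# included only to exercise the "not from Canonical" filter.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2022-3116", "severity": "Medium",
                       "dataSource": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3116",
                       "fix": {"versions": ["7.5.0+dfsg-1ubuntu0.1"], "state": "fixed"}},
     "artifact": {"name": "libkrb5-26-heimdal", "version": "7.5.0+dfsg-1", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2019-12098", "severity": "Low",
                       "dataSource": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12098",
                       "fix": {"versions": ["7.5.0+dfsg-1ubuntu0.1"], "state": "fixed"}},
     "artifact": {"name": "libkrb5-26-heimdal", "version": "7.5.0+dfsg-1", "type": "deb"}},
    {"vulnerability": {"id": "CVE-2021-25216", "severity": "Medium",
                       "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-25216",
                       "fix": {"versions": [], "state": "unknown"}},
     "artifact": {"name": "bind9", "version": "9.16.1-0ubuntu2", "type": "deb"}},
]})

# Hosts that Canonical's tracker links resolve to (assumption based on the
# dataSource URLs quoted in this thread).
CANONICAL_HOSTS = {"people.ubuntu.com", "ubuntu.com"}

def source_host(match: dict) -> str:
    """Host part of the match's vulnerability.dataSource URL ('unknown' if absent)."""
    return urlsplit(match["vulnerability"].get("dataSource", "")).netloc or "unknown"

def summarize(grype_json: str) -> dict:
    """Tally matches per data-source host and list, per package@version, each CVE
    with its severity, fix state and fixed-in versions."""
    by_source = defaultdict(int)
    by_package = defaultdict(list)
    for m in json.loads(grype_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        by_source[source_host(m)] += 1
        fix = vuln.get("fix", {})
        by_package[f"{art['name']}@{art['version']}"].append(
            (vuln["id"], vuln.get("severity", "Unknown"),
             fix.get("state", "unknown"), fix.get("versions", [])))
    return {"by_source": dict(by_source), "by_package": dict(by_package)}

def non_canonical_deb_matches(grype_json: str) -> list:
    """deb matches whose record did not come from Canonical's tracker: on an
    Ubuntu image these are the ones to cross-check at ubuntu.com/security/cves."""
    return [(m["artifact"]["name"], m["vulnerability"]["id"], source_host(m))
            for m in json.loads(grype_json).get("matches", [])
            if m["artifact"].get("type") == "deb"
            and source_host(m) not in CANONICAL_HOSTS]
```

Feed it a real report with `summarize(open("grype.json").read())` after running `grype -o json <image> > grype.json`.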
@kzantow: Let's close this. I must have gone off "half-cocked", and today cannot fully reproduce what I was talking about when I filed this.
PRISMACLOUD:
```text
| CVE            | SEV | CVSS | PACKAGE | VERSION               | STATUS | DESCRIPTION                  |
+----------------+-----+------+---------+-----------------------+--------+------------------------------+
| CVE-2019-12098 | low | 7.40 | heimdal | 7.5.0+dfsg-1ubuntu0.1 | needed | In the client side of Heimd  |
|                |     |      |         |                       |        | failure to verify anonymous  |
|                |     |      |         |                       |        | key exchange permits a man-i |
|                |     |      |         |                       |        | This issu...                 |
+----------------+-----+------+---------+-----------------------+--------+------------------------------+
| CVE-2021-3671  | low | 6.50 | heimdal | 7.5.0+dfsg-1ubuntu0.1 | needed | A null pointer de-reference  |
|                |     |      |         |                       |        | samba kerberos server handle |
|                |     |      |         |                       |        | TGS-REQ (Ticket Granting Ser |
|                |     |      |         |                       |        | authent...                   |
+----------------+-----+------+---------+-----------------------+--------+------------------------------+
```
GRYPE:
```text
NAME                   INSTALLED     FIXED-IN               VULNERABILITY      SEVERITY
libgssapi3-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2022-3116      Medium
libgssapi3-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  a->CVE-2021-3671   Low
libgssapi3-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  b->CVE-2019-12098  Low
libgssapi3-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2018-16860     Medium
libhcrypto4-heimdal    7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2022-3116      Medium
libhcrypto4-heimdal    7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  a->CVE-2021-3671   Low
libhcrypto4-heimdal    7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  b->CVE-2019-12098  Low
libhcrypto4-heimdal    7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2018-16860     Medium
libheimbase1-heimdal   7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2022-3116      Medium
libheimbase1-heimdal   7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  a->CVE-2021-3671   Low
libheimbase1-heimdal   7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  b->CVE-2019-12098  Low
libheimbase1-heimdal   7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2018-16860     Medium
libheimntlm0-heimdal   7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2022-3116      Medium
libheimntlm0-heimdal   7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  a->CVE-2021-3671   Low
libheimntlm0-heimdal   7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  b->CVE-2019-12098  Low
libheimntlm0-heimdal   7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2018-16860     Medium
libhx509-5-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2022-3116      Medium
libhx509-5-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  a->CVE-2021-3671   Low
libhx509-5-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  b->CVE-2019-12098  Low
libhx509-5-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2018-16860     Medium
libkrb5-26-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2022-3116      Medium
libkrb5-26-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  a->CVE-2021-3671   Low
libkrb5-26-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  b->CVE-2019-12098  Low
libkrb5-26-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2018-16860     Medium
libroken18-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2022-3116      Medium
libroken18-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  a->CVE-2021-3671   Low
libroken18-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  b->CVE-2019-12098  Low
libroken18-heimdal     7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2018-16860     Medium
libwind0-heimdal       7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2022-3116      Medium
libwind0-heimdal       7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  a->CVE-2021-3671   Low
libwind0-heimdal       7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  b->CVE-2019-12098  Low
libwind0-heimdal       7.5.0+dfsg-1  7.5.0+dfsg-1ubuntu0.1  CVE-2018-16860     Medium
```
UBUNTU:
https://ubuntu.com/security/cves?q=Heimdal&package=&priority=&version=&status=
https://ubuntu.com/security/notices?order=newest&release=xenial&details=Heimdal+

| ID | PRI | PKG | 14.04 ESM | 16.04 ESM | 18.04 LTS | 20.04 LTS | 22.04 LTS | 22.10 |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-25216 | Medium | bind9 | Needs triage | Released | Released | Released | Released | — |
| b->CVE-2019-12098 | Low | heimdal | Released | Released | Released | Not vulnerable | Not vulnerable | — |
| CVE-2018-16860 | Medium | samba | Released | Released | Released | Released | Released | — |
| CVE-2018-16860 | | heimdal | Released | Released | Released | Not vulnerable | Not vulnerable | — |
| CVE-2017-17439 | Medium | heimdal | Not vulnerable | Not vulnerable | Not vulnerable | — | — | — |
| CVE-2017-6594 | Low | heimdal | Ignored | Ignored | Not vulnerable | Not vulnerable | Not vulnerable | — |
| CVE-2017-11103 | Medium | samba | Released | Released | — | — | — | — |
| CVE-2017-11103 | Medium | heimdal | Released | Released | — | — | — | — |
| CVE-2015-5913 | Medium | heimdal | Not vulnerable | Not vulnerable | — | — | — | — |
| CVE-2011-4862 | Medium | inetutils | Not vulnerable | Not vulnerable | — | — | — | — |
| CVE-2011-4862 | | heimdal | Not vulnerable | Not vulnerable | — | — | — | — |
| CVE-2011-4862 | | krb5 | Not vulnerable | Not vulnerable | — | — | — | — |
| CVE-2011-4862 | | krb5-appl | Does not exist | Does not exist | — | — | — | — |
| CVE-2009-0361 | Low | libpam-heimdal | — | — | — | — | — | — |
Thanks for following up @gh-greg!
Ubuntu: Add as a Vulnerability Specification Source:
As Ubuntu seems to have the largest Linux market share, it is proposed to directly include Canonical "OVAL/Security-Notices" as a Grype vulnerability source.
In 2022, Ubuntu seemed to have the largest Linux market share: https://www.enterpriseappstoday.com/stats/linux-statistics.html
Thus, Ubuntu-based Docker containers are deployed in lots of microservices. Once working, long-term Ubuntu releases may stay in product deployment for an extended period, gathering discovered defects.
Today, Ubuntu issues "Security Notices" through a service known as OVAL.
https://ubuntu.com/security/oval
```shell
# oscap oval eval --report report.html oci.com.ubuntu.focal.usn.oval.xml
```
https://ubuntu.com/security/notices
https://ubuntu.com/security/notices/USN-5675-1
Why is this needed:
Tenable, Grype's competition, seems to be using Ubuntu's security feed as a data source. What are other vendors besides Tenable doing?
https://www.tenable.com/
(1) Example: Is Ubuntu publishing vulns that Mitre is not listing?
(1.a) Ubuntu flags "Heimdal vulnerabilities":
https://ubuntu.com/security/notices?order=newest&release=xenial&details=Heimdal+
(1.b) Mitre CVE: by way of contrast, these Ubuntu "Heimdal vulnerabilities" do not seem to be clearly noted, or even found, here in the CVE/Mitre vulnerability feed:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=heimdal+ubuntu
Additional context:
(a) Possibly related issues:
(b) Is there already a Grype enhancement to suggest using Canonical Ubuntu as a vulnerability source?
https://github.com/anchore/grype/issues?page=1&q=is%3Aissue+is%3Aopen++ubuntu
(c) What are the existing data sources of Grype vulnerability specifications?
Using this source file, Grype seems to use these things as vulnerability data sources:
https://github.com/anchore/grype/blob/a000a69b84211b9d928aff676d0b44b9ae83f7dc/schema/cyclonedx/vulnerability.xsd