Scanning this manifest with cvescan, no vulnerability is shown for CVE-2021-3444:
$ cvescan --priority all --manifest ./bionic-20210309-minimal-bionic-minimal-cloudimg-amd64-gke-on-prem-1.7.manifest
✅ Ubuntu vulnerability database successfully downloaded!
✅ Scan complete!
CVE ID           PRIORITY  PACKAGE          FIXED VERSION                        REPOSITORY
CVE-2019-16884   medium    runc             1.0.0~rc10-0ubuntu1~18.04.2          Ubuntu Archive
CVE-2019-19921   medium    runc             1.0.0~rc10-0ubuntu1~18.04.2          Ubuntu Archive
CVE-2020-15157   medium    docker.io        19.03.6-0ubuntu1~18.04.2             Ubuntu Archive
CVE-2021-3429    medium    cloud-init       21.1-19-gbad84ad4-0ubuntu1~18.04.1   Ubuntu Archive
CVE-2021-3449    high      libssl1.1        1.1.1-1ubuntu2.1~18.04.9             Ubuntu Archive
CVE-2021-3449    high      openssl          1.1.1-1ubuntu2.1~18.04.9             Ubuntu Archive
CVE-2021-21300   medium    git              1:2.17.1-1ubuntu0.8                  Ubuntu Archive
CVE-2021-21300   medium    git-man          1:2.17.1-1ubuntu0.8                  Ubuntu Archive
CVE-2021-28153   medium    libglib2.0-0     2.56.4-0ubuntu0.18.04.8              Ubuntu Archive
CVE-2021-28153   medium    libglib2.0-data  2.56.4-0ubuntu0.18.04.8              Ubuntu Archive

Summary
------------------------------------  ------
Ubuntu Release                        bionic
Installed Packages                    417
CVE Priority                          All
Unique Packages Fixable by Patching   9
Unique CVEs Fixable by Patching       7
Vulnerabilities Fixable by Patching   10
Fixes Available by `apt-get upgrade`  10
------------------------------------  ------
This is not accurate and can be proven using oscap:
# Install oscap
sudo apt install libopenscap8
# Download the up-to-date OVAL data for the bionic release of Ubuntu
wget https://security-metadata.canonical.com/oval/oci.com.ubuntu.bionic.usn.oval.xml.bz2
# Extract this data
bunzip2 oci.com.ubuntu.bionic.usn.oval.xml.bz2
# Copy the downloaded manifest to "manifest" in the current directory (the oci OVAL data reads the package list from a file with that name)
cp -v bionic-20210309-minimal-bionic-minimal-cloudimg-amd64-gke-on-prem-1.7.manifest.txt manifest
# Run oscap eval against your local manifest and the OVAL data you downloaded - this will generate the HTML report cloud-report-vulnerable.html in the same directory.
oscap oval eval --report cloud-report-vulnerable.html oci.com.ubuntu.bionic.usn.oval.xml
This produces cloud-report-vulnerable.html (cloud-report-vulnerable.html.tar.gz attached), which lists the kernel as vulnerable to CVE-2021-3444.
After speaking with mdeslaur on the Canonical security team, it appears that the OVAL generation script adds the meta source package and the signed source package, which the JSON used by cvescan does not appear to contain.
Is it possible to bring both data sources in sync so that using cvescan will result in the same output as oscap?
In the attached json we can see that the section for CVE-2021-3444 lists the following:
We have encountered an issue with a GKE image which cvescan is showing as not vulnerable but which did have kernel packages installed that were vulnerable. This was confirmed by scanning using oscap and the oci OVAL data instead.
The CVE was https://ubuntu.com/security/CVE-2021-3444 and the manifest was bionic-20210309-minimal-bionic-minimal-cloudimg-amd64-gke-on-prem-1.7.manifest.txt
I have attached the OVAL data used by oscap oval eval as com.ubuntu.bionic.cve.oval.xml.tar.gz and the JSON data used by cvescan as ubuntu-vuln-db-bionic.json.tar.gz.
But the OVAL data for CVE-2021-3444 does appear to include packages present in the manifest.
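To make the comparison between the two data sources concrete, the following is an added Python example (not code from the bug report, from cvescan or from oscap) of what oscap oval eval does with a manifest: it resolves each OVAL definition through its dpkginfo tests to a package name and a fixed version, then compares the installed version from the manifest using Debian version ordering, in which a tilde sorts before anything, including the end of the string, so 1.1.1-1ubuntu2.1~18.04.8 is older than 1.1.1-1ubuntu2.1~18.04.9. The OVAL fixture and the manifest are constructed and simplified (one package name per object; Canonical's real files list several binary names per object through OVAL variables). The libssl1.1 and openssl entries reuse the fixed version shown in the cvescan output above; the oval:example ids, the name linux-image-placeholder-gke and the id CVE-0000-00000 are placeholders, not real data. The point it illustrates is that an evaluation like this can only match the binary package names a data source lists for a CVE, so a feed that omits the meta or signed packages cannot flag a kernel installed through them.

```python
# Added example, not code from the bug report, cvescan or oscap: evaluate OVAL dpkginfo
# tests against a "package<TAB>version" manifest the way oscap oval eval does.  The XML and
# manifest are constructed and simplified (no OVAL variables); the oval:example ids,
# linux-image-placeholder-gke and CVE-0000-00000 are placeholders, not real data.
import xml.etree.ElementTree as ET

NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "linux": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}
OVAL_XML = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
 xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 <definitions>
  <definition class="vulnerability" id="oval:example:def:1" version="1">
   <metadata><title>CVE-2021-3449</title><reference source="CVE" ref_id="CVE-2021-3449"/></metadata>
   <criteria><criterion test_ref="oval:example:tst:1" comment="libssl1.1 older than the fixed version"/></criteria>
  </definition>
  <definition class="vulnerability" id="oval:example:def:2" version="1">
   <metadata><title>placeholder</title><reference source="CVE" ref_id="CVE-0000-00000"/></metadata>
   <criteria><criterion test_ref="oval:example:tst:2" comment="placeholder kernel image older than the fixed version"/></criteria>
  </definition>
 </definitions>
 <tests>
  <linux-def:dpkginfo_test id="oval:example:tst:1" version="1" check="at least one"><linux-def:object object_ref="oval:example:obj:1"/><linux-def:state state_ref="oval:example:ste:1"/></linux-def:dpkginfo_test>
  <linux-def:dpkginfo_test id="oval:example:tst:2" version="1" check="at least one"><linux-def:object object_ref="oval:example:obj:2"/><linux-def:state state_ref="oval:example:ste:2"/></linux-def:dpkginfo_test>
 </tests>
 <objects>
  <linux-def:dpkginfo_object id="oval:example:obj:1" version="1"><linux-def:name>libssl1.1</linux-def:name></linux-def:dpkginfo_object>
  <linux-def:dpkginfo_object id="oval:example:obj:2" version="1"><linux-def:name>linux-image-placeholder-gke</linux-def:name></linux-def:dpkginfo_object>
 </objects>
 <states>
  <linux-def:dpkginfo_state id="oval:example:ste:1" version="1"><linux-def:evr datatype="debian_evr_string" operation="less than">0:1.1.1-1ubuntu2.1~18.04.9</linux-def:evr></linux-def:dpkginfo_state>
  <linux-def:dpkginfo_state id="oval:example:ste:2" version="1"><linux-def:evr datatype="debian_evr_string" operation="less than">0:5.4.0-1038.41~18.04.1</linux-def:evr></linux-def:dpkginfo_state>
 </states>
</oval_definitions>"""

# Constructed manifest: libssl1.1 one revision behind the fix, openssl already at it, kernel behind.
MANIFEST = ("libssl1.1\t1.1.1-1ubuntu2.1~18.04.8\nopenssl\t1.1.1-1ubuntu2.1~18.04.9\n"
            "linux-image-placeholder-gke\t5.4.0-1036.38~18.04.1\n")

def _order(c):  # dpkg ordering: '~' sorts before everything, letters before other symbols
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's fragment comparison: alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0  # end of string orders as 0, so "1.0~rc1" < "1.0"
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1  # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1  # the longer numeric run is larger
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def dpkg_compare(a, b):
    """Full Debian version comparison of [epoch:]upstream[-revision]; returns -1, 0 or 1."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def parse_manifest(text):
    """name -> version from 'package<TAB>version' lines (an :amd64 arch suffix is dropped)."""
    rows = (line.split() for line in text.splitlines())
    return {p[0].split(":")[0]: p[1] for p in rows if len(p) >= 2}

def parse_oval(xml_text):
    """CVE -> [(package, operation, fixed evr)], resolved through test -> object/state."""
    root = ET.fromstring(xml_text)
    names = {o.get("id"): o.findtext("linux:name", namespaces=NS)
             for o in root.iterfind(".//linux:dpkginfo_object", NS)}
    evrs = {s.get("id"): s.find("linux:evr", NS) for s in root.iterfind(".//linux:dpkginfo_state", NS)}
    tests = {}
    for t in root.iterfind(".//linux:dpkginfo_test", NS):
        evr = evrs[t.find("linux:state", NS).get("state_ref")]
        tests[t.get("id")] = (names[t.find("linux:object", NS).get("object_ref")], evr.get("operation"), evr.text)
    return {d.find("oval:metadata/oval:reference[@source='CVE']", NS).get("ref_id"):
            [tests[c.get("test_ref")] for c in d.iterfind(".//oval:criterion", NS)]
            for d in root.iterfind(".//oval:definition", NS)}

def evaluate(defs, installed):
    """CVE -> [(package, installed, fixed)] for installed packages older than the fix."""
    hits = {cve: [(p, installed[p], fixed) for p, op, fixed in crit
                  if p in installed and op == "less than" and dpkg_compare(installed[p], fixed) < 0]
            for cve, crit in defs.items()}
    return {cve: h for cve, h in hits.items() if h}

def scan(oval_xml=OVAL_XML, manifest=MANIFEST):
    return evaluate(parse_oval(oval_xml), parse_manifest(manifest))
```

Run scan() to get the findings keyed by CVE; openssl produces nothing because the fixture has no test naming it, and libssl1.1 at the fixed version would produce nothing either because "less than" is false when the versions are equal. Against Canonical's real OCI OVAL the same walk goes through one more hop (object name → variable → list of binary names), which is exactly the place where meta and signed package names either are or are not present.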