fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com
Other

CVEs incorrectly applied to EAP versions of IntelliJ IDEA #22723

Open ddribeiro opened 3 weeks ago

ddribeiro commented 3 weeks ago

Fleet version: 4.57.2


💥  Actual behavior

CVEs are being incorrectly applied to EAP versions of IntelliJ IDEA. For example, CVE-2017-8316 is listed on NVD as affecting up to (excluding) 2017.2.2.

Fleet is returning EAP versions of IntelliJ as affected by this CVE when they shouldn't apply.


🕯️ More info (optional)

N/A

JoStableford commented 3 weeks ago

Linked to Unthread ticket:

Incorrect CVE Applicability for IntelliJ IDEA EAP Versions #2968

sharon-fdm commented 3 weeks ago

@mostlikelee, is this a duplicate?

mostlikelee commented 3 weeks ago

@sharon-fdm I don't believe so

mostlikelee commented 1 day ago

After further investigation, JetBrains EAP products are only providing build numbers instead of the common version string (i.e. `2024.3`). We will attempt to reach out to JetBrains, but other options to consider:

iansltx commented 3 hours ago

Confirmed with JetBrains that EAP versions can reliably be correlated with published versions by e.g.

243.xx.yy -> EAP for 2024.3

(prepend 20, split 3rd digit of major version to minor version, truncate)

We'll want to ensure we're dealing with a three-digit major version prior to doing this munging since if you go back far enough there are some two-digit versions.

Since EAP versions are prereleases, an EAP should be considered as an earlier version than the release; if a vuln was fixed in 2024.3 then EAP 243.xx.yy would be vulnerable, but EAP 244.xx.yy wouldn't be.
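As an added illustration of the build-number mapping and the prerelease ordering rule described in the comment above (example code, not Fleet's own implementation; the build numbers and the `fixed_in` values below are constructed for the example):

```python
import re
from typing import Optional, Tuple

# Build numbers that look like JetBrains EAP builds; constructed for this example.
SAMPLE_BUILDS = ["243.12345.67", "244.1.2", "172.100.1", "17.1.2"]


def eap_build_to_version(build: str) -> Optional[Tuple[int, int]]:
    """Map an EAP build number such as '243.12345.67' to (year, minor), e.g. (2024, 3).

    Rule from the comment: prepend '20' to the first two digits of the major
    component, and use the third digit as the minor version. Only a three-digit
    major follows this scheme, so anything else returns None rather than guessing.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", build.strip())
    if not m:
        return None
    major = m.group(1)
    if len(major) != 3:
        return None  # two-digit majors from older releases are out of scope
    return (2000 + int(major[:2]), int(major[2]))


def version_string(mapped: Tuple[int, int]) -> str:
    """Render (2024, 3) as the familiar '2024.3' version string."""
    return f"{mapped[0]}.{mapped[1]}"


def parse_release(version: str) -> Tuple[int, ...]:
    """Parse a dotted release version like '2017.2.2' into an integer tuple."""
    return tuple(int(p) for p in version.strip().split("."))


def eap_is_vulnerable(build: str, fixed_in: str) -> Optional[bool]:
    """Decide whether an EAP build is below the version that fixed a vuln.

    An EAP for X.Y is a prerelease, so it is ordered before release X.Y itself.
    We model that by giving the EAP a third component of -1, which sorts before
    any real patch level (0, 1, 2, ...) of the same X.Y.  `fixed_in` is treated
    as an exclusive upper bound ("affected up to (excluding) fixed_in").
    Returns None when the build number cannot be mapped.
    """
    mapped = eap_build_to_version(build)
    if mapped is None:
        return None
    year, minor = mapped
    eap_key = (year, minor, -1)
    fixed = parse_release(fixed_in)
    # Pad the release to at least three components so (2024, 3) compares as
    # (2024, 3, 0); otherwise Python would rank the shorter tuple first.
    fixed_key = fixed + (0,) * max(0, 3 - len(fixed))
    return eap_key < fixed_key


if __name__ == "__main__":
    for b in SAMPLE_BUILDS:
        mapped = eap_build_to_version(b)
        label = version_string(mapped) if mapped else "unmappable"
        print(f"{b:>14} -> {label:>10}  vulnerable if fixed in 2024.3: "
              f"{eap_is_vulnerable(b, '2024.3')}")
```

With a vulnerability fixed in 2024.3, build `243.12345.67` maps to the 2024.3 EAP and is reported vulnerable, while `244.1.2` maps to 2024.4 and is not; a two-digit major such as `17.1.2` is deliberately left unmapped instead of being mangled.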