wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Manual testing - Fix CPE Helper to find vulnerabilities in unversioned packages #3147

Closed MarcelKemp closed 2 years ago

MarcelKemp commented 2 years ago
| Target version | Related issue | Related PR |
|---|---|---|
| master | https://github.com/wazuh/wazuh/issues/13434 | https://github.com/wazuh/wazuh/pull/14356 |

Description

This issue aims to run manual testing on the Vulnerability Detector fix to detect and scan packages that don't have the version field, such as the one shown in the issue (Tomcat 7). For this purpose, several changes have been added to the CPE Helper, which are mentioned in the PR.

Proposed checks

For the following test cases, verify that no issue (memory leaks, service down...) appears during the feed parsing, and the vulnerability database (cve.db) is properly filled with the vulnerabilities from the feeds.

Configuration and considerations

  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

Note that by default the fix is not tested (as it was producing false positives), so it is necessary to add the PoC or similar input to test it.
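As an added illustration (example code written for this page, not Wazuh's CPE Helper implementation and not part of this issue), the following Python models what the test cases in this thread exercise: a custom CPE translation with `source`, `translation` and `action` entries, extraction of the version from the package name through the `version` regex when syscollector reported none, the resulting CPE in the `a:vendor:product:version::::::x64:` form the detector logs, and evaluation of the range conditions the detector reports (`greater than or equal ... and less than or equal ...`). The Tomcat translation regexes, the `x86_64` to `x64` mapping, the assumption that `set_version_if_product_matches` only fills in a missing version, and the three-entry feed excerpt are assumptions of this example; the `MOCK PACKAGE` translation, the package rows, the debug message text and the condition strings are taken from the thread.

```python
import re

# Assumed mapping from the syscollector architecture to the CPE target_hw
# field (the thread's rows show x86_64 in the DB and x64 in the indexed CPE).
ARCH_TO_CPE = {"x86_64": "x64"}

# Constructed Tomcat translation: the thread only shows the resulting CPE
# 'a:apache:tomcat:7.0::::::x64:', so these regexes are an assumption.
TOMCAT_RULE = {
    "target": "windows",
    "source": {"vendor": [], "product": [r"^Apache Tomcat.*"],
               "version": [r"^Apache Tomcat ([0-9]+(?:\.[0-9]+)*)"]},
    "translation": {"vendor": ["apache"], "product": ["tomcat"], "version": []},
    "action": ["replace_product", "set_version_if_product_matches", "replace_vendor"],
}

# Translation taken from the thread's "MOCK PACKAGE" test case.
MOCK_RULE = {
    "target": "windows",
    "source": {"vendor": [], "product": [r"^MOCK PACKAGE.*"],
               "version": [r"^MOCK PACKAGE ([0-9]+\.*[0-9]*\.*[0-9]*-*[0-9]*)"]},
    "translation": {"vendor": ["MOCK_VENDOR"], "product": ["MOCK_PACKAGE"], "version": []},
    "action": ["replace_product", "set_version_if_product_matches", "replace_vendor"],
}


def translate(pkg, rules):
    """Apply the first rule whose product regex matches the package name.
    Returns (cpe, debug_message); cpe is None when no rule applies or no
    version could be determined (the (5593) debug case in the thread)."""
    for rule in rules:
        if not any(re.search(p, pkg["name"]) for p in rule["source"]["product"]):
            continue
        actions = rule["action"]
        vendor = pkg.get("vendor") or ""
        product = pkg["name"]
        version = pkg.get("version") or ""
        if "replace_product" in actions:
            product = rule["translation"]["product"][0]
        if "replace_vendor" in actions:
            vendor = rule["translation"]["vendor"][0]
        # Assumption: the version regexes are consulted only when syscollector
        # reported no version, which is exactly the case the fix targets.
        if "set_version_if_product_matches" in actions and not version:
            for pattern in rule["source"]["version"]:
                m = re.search(pattern, pkg["name"])
                if m:
                    version = m.group(1)
                    break
        if not version:
            return None, f"Couldn't get the version of the CPE for the {product} package."
        arch = pkg.get("architecture", "")
        return f"a:{vendor}:{product}:{version}::::::{ARCH_TO_CPE.get(arch, arch)}:", None
    return None, None


def compare_versions(a, b):
    """-1/0/1 for dotted or hyphenated numeric versions; missing trailing
    parts count as 0, so 7.0 == 7.0.0 and 7.0 < 7.0.27 < 7.0.103."""
    ka = [int(x) for x in re.findall(r"\d+", a)]
    kb = [int(x) for x in re.findall(r"\d+", b)]
    n = max(len(ka), len(kb))
    ka += [0] * (n - len(ka))
    kb += [0] * (n - len(kb))
    return (ka > kb) - (ka < kb)


_OPS = {"greater than or equal": lambda c: c >= 0, "greater than": lambda c: c > 0,
        "less than or equal": lambda c: c <= 0, "less than": lambda c: c < 0}
_CLAUSE = re.compile(r"^(greater than or equal|greater than|less than or equal|less than) (\S+)$")


def condition_matches(version, condition):
    """Evaluate a range condition in the wording the detector logs, e.g.
    'greater than or equal 7.0.27 and less than or equal 7.0.104'."""
    for clause in condition.split(" and "):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported condition clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](compare_versions(version, bound)):
            return False
    return True


# Constructed feed excerpt: CVE ids and conditions as reported in the thread's logs.
FEED = [
    {"cve": "CVE-2016-5388", "condition": "greater than or equal 7.0 and less than or equal 7.0.70"},
    {"cve": "CVE-2013-4444", "condition": "less than or equal 7.0.39"},
    {"cve": "CVE-2020-13935", "condition": "greater than or equal 7.0.27 and less than or equal 7.0.104"},
]


def scan(pkg, rules=(TOMCAT_RULE, MOCK_RULE), feed=FEED):
    """Translate one sys_programs row and return (cpe, matching CVE ids, debug message)."""
    cpe, msg = translate(pkg, rules)
    if cpe is None:
        return None, [], msg
    version = cpe.split(":")[3]
    return cpe, [e["cve"] for e in feed if condition_matches(version, e["condition"])], msg


if __name__ == "__main__":
    # Rows as they appear in the thread: the old installer leaves vendor and version NULL.
    for row in ({"name": "Apache Tomcat 7.0 Tomcat7 (remove only)", "vendor": None, "version": None, "architecture": "x86_64"},
                {"name": "Apache Tomcat 7.0 Tomcat72 (remove only)", "vendor": "The Apache Software Foundation", "version": "7.0.103", "architecture": "x86_64"},
                {"name": "MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)", "vendor": None, "version": None, "architecture": "x86_64"}):
        print(scan(row))
```

With the old installer's row (vendor and version NULL) the version `7.0` is recovered from the name, the CPE becomes `a:apache:tomcat:7.0::::::x64:`, and only the conditions whose range includes 7.0 match; a rule with an empty `version` list reproduces the "Couldn't get the version of the CPE" debug path instead of indexing a CPE with an empty version. Padding shorter versions with zeros is this example's choice so that `7.0` and `7.0.0` compare equal.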

Deblintrake09 commented 2 years ago

Review data

| Tester | PR commit |
|---|---|
| @Deblintrake09 | 369876c |

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| Centos | 8 | LOCAL \| Vagrant | qactl/centos_8 | |
| Windows | Server 2019 | LOCAL \| Vagrant | qactl/windows_server2019 | |

Tested packages

| wazuh-manager | wazuh-agent |
|---|---|
| master .rpm Manager | --- |
| dev branch .rpm Manager | [.rpm agent]() |

Conclusion

Status

Deblintrake09 commented 2 years ago

Task Results on 4.5 branch

Run vulnerability detector with old package (no vendor or version) :red_circle:

- Install Tomcat package on Windows agent
- Wait for syscollector on Agent

```
2022/08/08 05:34:27 wazuh-modulesd:syscollector[740] wm_syscollector.c:105 at wm_sys_log(): DEBUG: Sync sent: {"component":"syscollector_packages","data":{"attributes":{"architecture":"x86_64","checksum":"bdeef860661a7f5b5f8f4113c37a2dd0ea902a3e","format":"win","install_time":null,"item_id":"68385a2c7db756658f3186f0ae5dea79f202f928","location":null,"name":"Apache Tomcat 7.0 Tomcat72 (remove only)","scan_time":"2022/08/08 12:34:27","vendor":"The Apache Software
```

- Check agent's database in the manager for the package

```
scan_id|scan_time|format|name|priority|section|size|vendor|install_time|version|architecture|multiarch|source|description|location|triaged|cpe|msu_name|checksum|item_id
0|2022/08/08 12:34:20|win|Apache Tomcat 7.0 Tomcat7 (remove only)|||0||||x86_64|||||1|||a6edbf9d208476487d8260fa197a79d236318d41|e2067b0a1eb18c1cb55de6fab5b192e8044556e9
```

- Wait for Vulnerability Detector scan

```
2022/08/08 12:34:37 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:1822 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5451): Analyzing NVD vulnerabilities for agent '001'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:1834 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '1' seconds to 'find NVD' vulnerabilities in agent '001'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:1836 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5466): Sending vulnerabilities report for agent '001'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Python 3.9.7 (64-bit)' package (3.9.7150.0) from agent '001' is vulnerable to 'CVE-2015-20107'. Condition: 'less than or equal 3.10.4'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Java(TM) SE Development Kit 6 Update 45 (64-bit)' package (1.6.0.450) from agent '001' is vulnerable to 'CVE-2013-4578'. Condition: 'less than or equal 1.7.0'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Java(TM) SE Development Kit 6 Update 45 (64-bit)' package (1.6.0.450) from agent '001' is vulnerable to 'CVE-2012-5373'. Condition: 'less than or equal 1.7.0'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:1846 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'report' vulnerabilities in agent '001'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:2750 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '001'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:2751 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '1' seconds to 'scan' vulnerabilities in agent '001'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:8236 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:8283 at wm_vuldet_run_sleep(): DEBUG: Sleeping for 60 seconds...
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:8221 at wm_vuldet_run_scan(): INFO: (5431): Starting vulnerability scan.
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:5890 at wm_vuldet_collect_agents_to_scan(): INFO: (5700): Unable to get the OS information for agent '000'. Inventory data may not yet be synchronized.
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:2712 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5439): A partial scan will be run on agent '001'
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:5427 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '001' software.
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:5542 at wm_vuldet_collect_agent_software(): WARNING: (5483): No MSU data found, so the Windows hotfixes scan will be disabled for agent '001'
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:2731 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:2750 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '001'
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:2751 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'scan' vulnerabilities in agent '001'
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:8236 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.
```

- Check alerts generated

```
# cat /var/ossec/logs/alerts/alerts.json | grep apache
```
Run vulnerability detector with new package (no vendor or version) :red_circle:

- Install Tomcat package on Windows agent

![imagen](https://user-images.githubusercontent.com/14501079/183150334-ac87c30e-925c-4383-8395-037f188a01e7.png)

- Wait for syscollector on Agent

```
2022/08/08 05:34:20 wazuh-modulesd:syscollector[740] wm_syscollector.c:105 at wm_sys_log(): DEBUG: Sync sent: {"component":"syscollector_packages","data":{"attributes":{"architecture":"x86_64","checksum":"a6edbf9d208476487d8260fa197a79d236318d41","format":"win","install_time":null,"item_id":"e2067b0a1eb18c1cb55de6fab5b192e8044556e9","location":null,"name":"Apache Tomcat 7.0 Tomcat7 (remove only)","scan_time":"2022/08/08 12:34:20","vendor":null,"version":null},"index":"e2067b0a1eb18c1cb55de6fab5b192e8044556e9","timestamp":""},"type":"state"}
```

- Check agent's database in the manager for the package

```
scan_id|scan_time|format|name|priority|section|size|vendor|install_time|version|architecture|multiarch|source|description|location|triaged|cpe|msu_name|checksum|item_id
0|2022/08/08 12:34:27|win|Apache Tomcat 7.0 Tomcat72 (remove only)|||0|The Apache Software Foundation||7.0.103|x86_64|||||1|||bdeef860661a7f5b5f8f4113c37a2dd0ea902a3e|68385a2c7db756658f3186f0ae5dea79f202f928
```

- Wait for Vulnerability Detector scan

```
2022/08/08 12:34:37 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:1822 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5451): Analyzing NVD vulnerabilities for agent '001'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:1834 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '1' seconds to 'find NVD' vulnerabilities in agent '001'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:1836 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5466): Sending vulnerabilities report for agent '001'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Python 3.9.7 (64-bit)' package (3.9.7150.0) from agent '001' is vulnerable to 'CVE-2015-20107'. Condition: 'less than or equal 3.10.4'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Java(TM) SE Development Kit 6 Update 45 (64-bit)' package (1.6.0.450) from agent '001' is vulnerable to 'CVE-2013-4578'. Condition: 'less than or equal 1.7.0'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Java(TM) SE Development Kit 6 Update 45 (64-bit)' package (1.6.0.450) from agent '001' is vulnerable to 'CVE-2012-5373'. Condition: 'less than or equal 1.7.0'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector_nvd.c:1846 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'report' vulnerabilities in agent '001'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:2750 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '001'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:2751 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '1' seconds to 'scan' vulnerabilities in agent '001'
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:8236 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.
2022/08/08 12:34:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:8283 at wm_vuldet_run_sleep(): DEBUG: Sleeping for 60 seconds...
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:8221 at wm_vuldet_run_scan(): INFO: (5431): Starting vulnerability scan.
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:5890 at wm_vuldet_collect_agents_to_scan(): INFO: (5700): Unable to get the OS information for agent '000'. Inventory data may not yet be synchronized.
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:2712 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5439): A partial scan will be run on agent '001'
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:5427 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '001' software.
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:5542 at wm_vuldet_collect_agent_software(): WARNING: (5483): No MSU data found, so the Windows hotfixes scan will be disabled for agent '001'
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:2731 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:2750 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '001'
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:2751 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'scan' vulnerabilities in agent '001'
2022/08/08 12:35:38 wazuh-modulesd:vulnerability-detector[5981] wm_vuln_detector.c:8236 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.
```

- Check alerts generated

```
# cat /var/ossec/logs/alerts/alerts.json | grep apache
```
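As an added check (example code written for this page, not part of the thread and not Wazuh's tooling): the "Check alerts generated" step greps `alerts.json` for the string `apache`, which matches any line that contains the word, including alerts for other packages whose reference URLs point at apache.org and non vulnerability-detector events. The Python below filters on the alert fields instead (`rule.groups`, `agent.id`, `data.vulnerability.package.name`) and summarizes the reported CVEs per package and version, which is the question the test case actually asks. The sample alert lines are constructed to the structure of the alerts quoted in this thread, trimmed to the fields the check reads; the apache.org reference on the Java alert and the last syslog line are made up to show the difference from a plain grep.

```python
import json
from collections import defaultdict

# Constructed alerts.json lines (one JSON object per line, as Wazuh writes
# them), shaped like the vulnerability-detector alerts quoted in this thread.
SAMPLE_ALERTS = "\n".join([
    json.dumps({"rule": {"id": "23505", "groups": ["vulnerability-detector"]}, "agent": {"id": "001"},
                "data": {"vulnerability": {"cve": "CVE-2016-5388", "severity": "High",
                         "package": {"name": "Apache Tomcat 7.0 Tomcat7 (remove only)", "version": "0",
                                     "condition": "greater than or equal 7.0 and less than or equal 7.0.70"}}}}),
    json.dumps({"rule": {"id": "23504", "groups": ["vulnerability-detector"]}, "agent": {"id": "001"},
                "data": {"vulnerability": {"cve": "CVE-2013-4444", "severity": "Medium",
                         "package": {"name": "Apache Tomcat 7.0 Tomcat7 (remove only)", "version": "0",
                                     "condition": "less than or equal 7.0.39"}}}}),
    # Constructed: a Java alert whose reference list mentions apache.org.
    json.dumps({"rule": {"id": "23504", "groups": ["vulnerability-detector"]}, "agent": {"id": "001"},
                "data": {"vulnerability": {"cve": "CVE-2012-5373", "severity": "Medium",
                         "references": ["https://lists.apache.org/thread.html/constructed-example"],
                         "package": {"name": "Java(TM) SE Development Kit 6 Update 45 (64-bit)",
                                     "version": "1.6.0.450", "condition": "less than or equal 1.7.0"}}}}),
    # Constructed: not a vulnerability-detector alert at all.
    json.dumps({"rule": {"id": "5501", "groups": ["pam", "syslog"]}, "agent": {"id": "000"},
                "full_log": "apache session opened"}),
])


def grep_count(lines, needle):
    """What 'grep -i <needle> alerts.json' measures: lines containing the word anywhere."""
    return sum(1 for line in lines.splitlines() if needle.lower() in line.lower())


def package_alerts(lines, name_substring, agent_id=None):
    """Return {(package name, version): [(cve, severity, condition), ...]} for
    vulnerability-detector alerts whose package name contains name_substring
    (case-insensitive), optionally restricted to one agent id."""
    found = defaultdict(list)
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # alerts.json is line-delimited; skip a half-written line
        if "vulnerability-detector" not in alert.get("rule", {}).get("groups", []):
            continue
        if agent_id is not None and alert.get("agent", {}).get("id") != agent_id:
            continue
        vuln = alert.get("data", {}).get("vulnerability", {})
        pkg = vuln.get("package", {})
        if name_substring.lower() not in pkg.get("name", "").lower():
            continue
        found[(pkg["name"], pkg.get("version"))].append(
            (vuln.get("cve"), vuln.get("severity"), pkg.get("condition")))
    return dict(found)


if __name__ == "__main__":
    print("grep -i apache would report", grep_count(SAMPLE_ALERTS, "apache"), "lines")
    for (name, version), hits in package_alerts(SAMPLE_ALERTS, "apache").items():
        print(f"{name} ({version}):")
        for cve, severity, condition in hits:
            print(f"  {cve} [{severity}] condition: {condition}")
```

On the sample input the grep matches all four lines while only two are Tomcat alerts; an empty result from `package_alerts` for the Tomcat name is the precise form of the 4.5-branch observation above (no alert for the unversioned package), and the `version` key in the result shows whether the alert carried a real version or `0`.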
Deblintrake09 commented 2 years ago

Task Results on dev branch

Upgrade install

Run vulnerability detector with old package (no vendor or version) :green_circle:

- Upgrade 4.5 package with dev branch package.
- Install Tomcat package on Windows agent

![imagen](https://user-images.githubusercontent.com/14501079/183693127-223fdc74-8743-4569-9871-c9da87f3d3ad.png)

- Wait for syscollector on Agent
- Check agent's database in the manager for the package

```
SELECT * FROM sys_programs where name like '%apache%';
0|2022/08/09 15:05:15|win|Apache Tomcat 7.0 Tomcat7 (remove only)|||0||||x86_64|||||0|||a6edbf9d208476487d8260fa197a79d236318d41|e2067b0a1eb18c1cb55de6fab5b192e8044556e9
```

- Wait for Vulnerability Detector scan

```
2022/08/09 15:10:08 wazuh-modulesd:vulnerability-detector[5537] wm_vuln_detector.c:6708 at wm_vuldet_insert_agent_data(): DEBUG: (5446): The CPE 'a' from the agent '001' was indexed.
2022/08/09 15:10:08 wazuh-modulesd:vulnerability-detector[5537] wm_vuln_detector_nvd.c:3195 at wm_vuldet_add_dic_cpe(): DEBUG: (5446): The CPE 'a:apache:tomcat:7.0::::::x64:' from the agent '001' was indexed.
2022/08/09 15:10:08 wazuh-modulesd:vulnerability-detector[5537] wm_vuln_detector.c:2731 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
2022/08/09 15:10:08 wazuh-modulesd:vulnerability-detector[5537] wm_vuln_detector_nvd.c:1822 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5451): Analyzing NVD vulnerabilities for agent '001'
2022/08/09 15:10:08 wazuh-modulesd:vulnerability-detector[5537] wm_vuln_detector_nvd.c:1834 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'find NVD' vulnerabilities in agent '001'
2022/08/09 15:10:08 wazuh-modulesd:vulnerability-detector[5537] wm_vuln_detector_nvd.c:1836 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5466): Sending vulnerabilities report for agent '001'
2022/08/09 15:10:08 wazuh-modulesd:vulnerability-detector[5537] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat7 (remove only)' package (0) from agent '001' is vulnerable to 'CVE-2016-9775'. Condition: 'Version match'
2022/08/09 15:10:08 wazuh-modulesd:vulnerability-detector[5537] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat7 (remove only)' package (0) from agent '001' is vulnerable to 'CVE-2016-9774'. Condition: 'Version match'
2022/08/09 15:10:08 wazuh-modulesd:vulnerability-detector[5537] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat7 (remove only)' package (0) from agent '001' is vulnerable to 'CVE-2016-5388'. Condition: 'greater than or equal 7.0 and less than or equal 7.0.70'
2022/08/09 15:10:08 wazuh-modulesd:vulnerability-detector[5537] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat7 (remove only)' package (0) from agent '001' is vulnerable to 'CVE-2013-4444'. Condition: 'less than or equal 7.0.39'
2022/08/09 15:10:08 wazuh-modulesd:vulnerability-detector[5537] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat7 (remove only)' package (0) from agent '001' is vulnerable to 'CVE-2013-2185'. Condition: 'less than or equal 7.0.39'
```

- Check alerts generated

```
{"timestamp":"2022-08-09T15:10:08.405+0000","rule":{"level":10,"description":"CVE-2016-5388 affects Apache Tomcat 7.0 Tomcat7 (remove only)","id":"23505","firedtimes":3,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"WIN-JLGVA4CR4VI","ip":"FE80:0000:0000:0000:B1E6:42AF:E199:1398"},"manager":{"name":"c3"},"id":"1660057808.6990024","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"Apache Tomcat 7.0 Tomcat7 (remove only)","version":"0","architecture":"x64","condition":"greater than or equal 7.0 and less than or equal 7.0.70"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"5.100000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"8.100000"}},"cve":"CVE-2016-5388","title":"CVE-2016-5388 affects Apache Tomcat 7.0 Tomcat7 (remove only)","rationale":"Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue. NOTE: the vendor states \"A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388\"; in other words, this is not a CVE ID for a vulnerability.","severity":"High","published":"2016-07-19","updated":"2020-08-14","cwe_reference":"CWE-284","status":"Active","type":"PACKAGE","references":["http://www.kb.cert.org/vuls/id/797896","https://httpoxy.org/","https://www.apache.org/security/asf-httpoxy-response.txt","http://www.securitytracker.com/id/1036331","http://rhn.redhat.com/errata/RHSA-2016-2045.html","http://rhn.redhat.com/errata/RHSA-2016-2046.html","http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html","https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149","https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759","http://www.securityfocus.com/bid/91818","https://access.redhat.com/errata/RHSA-2016:1635","http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html","http://rhn.redhat.com/errata/RHSA-2016-1624.html","https://access.redhat.com/errata/RHSA-2016:1636","https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722","http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html","https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us","https://tomcat.apache.org/tomcat-7.0-doc/changelog.html","https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html","https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E","https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E","https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d@%3Cissues.activemq.apache.org%3E","https://lists.apache.org/thread.html/rc6b2147532416cc736e68a32678d3947b7053c3085cf43a9874fd102@%3Cusers.tomcat.apache.org%3E","https://lists.apache.org/thread.html/r2853582063cfd9e7fbae1e029ae004e6a83482ae9b70a698996353dd@%3Cusers.tomcat.apache.org%3E","https://lists.apache.org/thread.html/rf21b368769ae70de4dee840a3228721ae442f1d51ad8742003aefe39@%3Cusers.tomcat.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2016-5388"],"assigner":"secalert@redhat.com","cve_version":"4.0"}},"location":"vulnerability-detector"}
{"timestamp":"2022-08-09T15:10:08.418+0000","rule":{"level":7,"description":"CVE-2013-4444 affects Apache Tomcat 7.0 Tomcat7 (remove only)","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"WIN-JLGVA4CR4VI","ip":"FE80:0000:0000:0000:B1E6:42AF:E199:1398"},"manager":{"name":"c3"},"id":"1660057808.6998034","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"Apache Tomcat 7.0 Tomcat7 (remove only)","version":"0","architecture":"x64","condition":"less than or equal 7.0.39"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2013-4444","title":"CVE-2013-4444 affects Apache Tomcat 7.0 Tomcat7 (remove only)","rationale":"Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.","severity":"Medium","published":"2014-09-12","updated":"2021-01-07","cwe_reference":"CWE-94","status":"Active","type":"PACKAGE","references":["http://archives.neohapsis.com/archives/bugtraq/2014-09/0075.html","http://tomcat.apache.org/security-7.html","http://openwall.com/lists/oss-security/2014/10/24/12","http://marc.info/?l=bugtraq&m=144498216801440&w=2","http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html","http://www.securityfocus.com/bid/69728","http://www.debian.org/security/2016/dsa-3447","https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013","http://www.securitytracker.com/id/1030834","http://seclists.org/fulldisclosure/2021/Jan/23","https://nvd.nist.gov/vuln/detail/CVE-2013-4444"],"assigner":"secalert@redhat.com","cve_version":"4.0"}},"location":"vulnerability-detector"}
```
Run vulnerability detector with new package :green_circle:

- Install Tomcat package on Windows agent

![imagen](https://user-images.githubusercontent.com/14501079/183150334-ac87c30e-925c-4383-8395-037f188a01e7.png)

- Wait for syscollector on Agent
- Check agent's database in the manager for the package

```
scan_id|scan_time|format|name|priority|section|size|vendor|install_time|version|architecture|multiarch|source|description|location|triaged|cpe|msu_name|checksum|item_id
0|2022/08/10 15:54:58|win|Apache Tomcat 7.0 Tomcat72 (remove only)|||0|The Apache Software Foundation||7.0.103|x86_64|||||1|||bdeef860661a7f5b5f8f4113c37a2dd0ea902a3e|68385a2c7db756658f3186f0ae5dea79f202f928
```

- Wait for Vulnerability Detector scan

```
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector.c:5421 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '001' software.
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector_nvd.c:3195 at wm_vuldet_add_dic_cpe(): DEBUG: (5446): The CPE 'a:apache:tomcat:7.0.103::::::x64:' from the agent '001' was indexed.
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector.c:2731 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector_nvd.c:1822 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5451): Analyzing NVD vulnerabilities for agent '001'
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector_nvd.c:1834 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'find NVD' vulnerabilities in agent '001'
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector_nvd.c:1836 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5466): Sending vulnerabilities report for agent '001'
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat72 (remove only)' package (7.0.103) from agent '001' is vulnerable to 'CVE-2021-30640'. Condition: 'greater than or equal 7.0.0 and less than 7.0.109'
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat72 (remove only)' package (7.0.103) from agent '001' is vulnerable to 'CVE-2021-25329'. Condition: 'greater than or equal 7.0.0 and less than or equal 7.0.107'
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat72 (remove only)' package (7.0.103) from agent '001' is vulnerable to 'CVE-2021-24122'. Condition: 'greater than or equal 7.0.0 and less than or equal 7.0.106'
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat72 (remove only)' package (7.0.103) from agent '001' is vulnerable to 'CVE-2020-9484'. Condition: 'greater than or equal 7.0.0 and less than 7.0.108'
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat72 (remove only)' package (7.0.103) from agent '001' is vulnerable to 'CVE-2020-13935'. Condition: 'greater than or equal 7.0.27 and less than or equal 7.0.104'
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat72 (remove only)' package (7.0.103) from agent '001' is vulnerable to 'CVE-2012-5568'. Condition: 'greater than or equal 7.0.0 and less than or equal 7.0.105'
2022/08/05 19:40:48 wazuh-modulesd:vulnerability-detector[9059] wm_vuln_detector_nvd.c:1846 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'report' vulnerabilities in agent '001'
```

- Check alerts generated

```
{"timestamp":"2022-08-05T19:40:48.146+0000","rule":{"level":10,"description":"CVE-2020-13935 affects Apache Tomcat 7.0 Tomcat72 (remove only)","id":"23505","firedtimes":3,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"WIN-JLGVA4CR4VI","ip":"FE80:0000:0000:0000:B1E6:42AF:E199:1398"},"manager":{"name":"c3"},"id":"1659728448.7696509","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"Apache Tomcat 7.0 Tomcat72 (remove only)","version":"7.0.103","architecture":"x64","condition":"greater than or equal 7.0.27 and less than or equal 7.0.104"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2020-13935","title":"CVE-2020-13935 affects Apache Tomcat 7.0 Tomcat72 (remove only)","rationale":"The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.","severity":"High","published":"2020-07-14","updated":"2022-05-12","cwe_reference":"CWE-835","status":"Active","type":"PACKAGE","references":["https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E","https://www.debian.org/security/2020/dsa-4727","https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html","https://security.netapp.com/advisory/ntap-20200724-0003/","http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html","http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html","https://usn.ubuntu.com/4448-1/","https://kc.mcafee.com/corporate/index?page=content&id=SB10332","https://www.oracle.com/security-alerts/cpuoct2020.html","https://usn.ubuntu.com/4596-1/","https://lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50@%3Cusers.tomcat.apache.org%3E","https://www.oracle.com/security-alerts/cpujan2021.html","https://www.oracle.com/security-alerts/cpuApr2021.html","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://nvd.nist.gov/vuln/detail/CVE-2020-13935"],"assigner":"security@apache.org","cve_version":"4.0"}},"location":"vulnerability-detector"}
{"timestamp":"2022-08-05T19:40:48.158+0000","rule":{"level":7,"description":"CVE-2012-5568 affects Apache Tomcat 7.0 Tomcat72 (remove only)","id":"23504","firedtimes":3,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"WIN-JLGVA4CR4VI","ip":"FE80:0000:0000:0000:B1E6:42AF:E199:1398"},"manager":{"name":"c3"},"id":"1659728448.7702246","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"Apache Tomcat 7.0 Tomcat72 (remove only)","version":"7.0.103","architecture":"x64","condition":"greater than or equal 7.0.0 and less than or equal 7.0.105"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"}},"cve":"CVE-2012-5568","title":"CVE-2012-5568 affects Apache Tomcat 7.0 Tomcat72 (remove only)","rationale":"Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.","severity":"Medium","published":"2012-11-30","updated":"2021-01-11","cwe_reference":"NVD-CWE-noinfo","status":"Active","type":"PACKAGE","references":["http://openwall.com/lists/oss-security/2012/11/26/2","http://captainholly.wordpress.com/2009/06/19/slowloris-vs-tomcat/","http://tomcat.10.n6.nabble.com/How-does-Tomcat-handle-a-slow-HTTP-DoS-tc2147776.html","http://tomcat.10.n6.nabble.com/How-does-Tomcat-handle-a-slow-HTTP-DoS-tc2147779.html","https://bugzilla.redhat.com/show_bug.cgi?id=880011","http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html","http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html","http://www.securityfocus.com/bid/56686","http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html","https://exchange.xforce.ibmcloud.com/vulnerabilities/80317","https://nvd.nist.gov/vuln/detail/CVE-2012-5568"],"assigner":"secalert@redhat.com","cve_version":"4.0"}},"location":"vulnerability-detector"}
```
Check that a package with no version and no vendor is correctly indexed :green_circle:

- Create custom CPE translation

```json
{
  "target": "windows",
  "source": {
    "vendor": [],
    "product": [ "^MOCK PACKAGE.*" ],
    "version": [ "^MOCK PACKAGE ([0-9]+\\.*[0-9]*\\.*[0-9]*-*[0-9]*)" ]
  },
  "translation": {
    "vendor": [ "MOCK_VENDOR" ],
    "product": [ "MOCK_PACKAGE" ],
    "version": []
  },
  "action": [ "replace_product", "set_version_if_product_matches", "replace_vendor" ]
}
```

- Insert custom package (with no vendor and no version)

```
INSERT into sys_programs(scan_id, scan_time, format, name, architecture, location, triaged, checksum, item_id) VALUES ("1655979708", "2022/08/09 12:15:52", "win", "MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)", "x86_64", "C:\Program Files\Apache\Tomcat\", 0, "legacy", "e19cab0360ed7a0ca629ace0888bcee89a321500");
```

- Check agent's database in the manager for the package

```
SELECT * FROM sys_programs where name like '%MOCK%';
scan_id|scan_time|format|name|priority|section|size|vendor|install_time|version|architecture|multiarch|source|description|location|triaged|cpe|msu_name|checksum|item_id
1655979708|2022/08/09 12:15:52|win|MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)|||||||x86_64||||C:\Program Files\Apache\Tomcat\|0|||legacy|e19cab0360ed7a0ca629ace0888bcee89a321500
```

- Wait for Vulnerability Detector scan and check it is indexed

```
2022/08/09 17:28:18 wazuh-modulesd:vulnerability-detector[9298] wm_vuln_detector_nvd.c:3195 at wm_vuldet_add_dic_cpe(): DEBUG: (5446): The CPE 'a:MOCK_VENDOR:MOCK_PACKAGE:8.9-22::::::x64:' from the agent '001' was indexed
```
Check that with no version in package or CPE translation a debug message is shown :green_circle:

- Create custom CPE translation

```json
{
  "target": "windows",
  "source": {
    "vendor": [],
    "product": [ "^MOCK PACKAGE.*" ],
    "version": []
  },
  "translation": {
    "vendor": [ "MOCK_VENDOR" ],
    "product": [ "MOCK_PACKAGE" ],
    "version": []
  },
  "action": [ "replace_product", "replace_vendor" ]
}
```

- Insert custom package (with no vendor and no version)

```sql
INSERT INTO sys_programs(scan_id, scan_time, format, name, architecture, location, triaged, checksum, item_id)
VALUES ("1655979708", "2022/08/09 12:15:52", "win", "MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)", "x86_64", "C:\Program Files\Apache\Tomcat\", 0, "legacy", "e19cab0360ed7a0ca629ace0888bcee89a321500");
```

- Check agent's database in the manager for the package

```
SELECT * FROM sys_programs where name like '%MOCK%';
scan_id|scan_time|format|name|priority|section|size|vendor|install_time|version|architecture|multiarch|source|description|location|triaged|cpe|msu_name|checksum|item_id
1655979708|2022/08/09 12:15:52|win|MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)|||||||x86_64||||C:\Program Files\Apache\Tomcat\|0|||legacy|e19cab0360ed7a0ca629ace0888bcee89a321500
```

- Wait for Vulnerability Detector scan and check for the expected message

```
2022/08/09 18:14:49 wazuh-modulesd:vulnerability-detector[13679] wm_vuln_detector_nvd.c:3198 at wm_vuldet_add_dic_cpe(): DEBUG: (5593): Couldn't get the version of the CPE for the MOCK_PACKAGE package.
```

Fresh install

Run vulnerability detector with old package (no vendor or version) :green_circle:

- Install dev branch package.
- Install Tomcat package on Windows agent

![imagen](https://user-images.githubusercontent.com/14501079/183945112-49de5b9d-6ee9-4470-890c-874b84fcb27d.png)

- Wait for syscollector on Agent
- Check agent's database in the manager for the package

```
SELECT * FROM sys_programs where name like '%apache%';
0|2022/08/10 15:35:28|win|Apache Tomcat 7.0 Tomcat7 (remove only)|||0||||x86_64|||||0|||a6edbf9d208476487d8260fa197a79d236318d41|e2067b0a1eb18c1cb55de6fab5b192e8044556e9
```

- Wait for Vulnerability Detector scan

```
2022/08/10 15:46:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector.c:2712 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5439): A partial scan will be run on agent '001'
2022/08/10 15:46:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector.c:5421 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '001' software.
2022/08/10 15:46:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:3195 at wm_vuldet_add_dic_cpe(): DEBUG: (5446): The CPE 'a:apache:tomcat:7.0::::::x64:' from the agent '001' was indexed.
2022/08/10 15:46:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector.c:2731 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
2022/08/10 15:46:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:1822 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5451): Analyzing NVD vulnerabilities for agent '001'
2022/08/10 15:46:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:1834 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'find NVD' vulnerabilities in agent '001'
2022/08/10 15:46:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:1836 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5466): Sending vulnerabilities report for agent '001'
2022/08/10 15:46:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat7 (remove only)' package (0) from agent '001' is vulnerable to 'CVE-2016-9775'. Condition: 'Version match'
2022/08/10 15:46:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat7 (remove only)' package (0) from agent '001' is vulnerable to 'CVE-2016-9774'. Condition: 'Version match'
2022/08/10 15:46:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat7 (remove only)' package (0) from agent '001' is vulnerable to 'CVE-2016-5388'. Condition: 'greater than or equal 7.0 and less than or equal 7.0.70'
2022/08/10 15:46:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat7 (remove only)' package (0) from agent '001' is vulnerable to 'CVE-2013-4444'. Condition: 'less than or equal 7.0.39'
2022/08/10 15:46:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat7 (remove only)' package (0) from agent '001' is vulnerable to 'CVE-2013-2185'. Condition: 'less than or equal 7.0.39'
```

- Check alerts generated

```
{"timestamp":"2022-08-10T15:43:10.964+0000","rule":{"level":10,"description":"CVE-2016-9774 affects Apache Tomcat 7.0 Tomcat7 (remove only)","id":"23505","firedtimes":34,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:6924:5C71:F0FD:0336"},"manager":{"name":"ip-172-31-10-193.ec2.internal"},"id":"1660146190.1790899","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"Apache Tomcat 7.0 Tomcat7 (remove only)","version":"0","architecture":"x64","condition":"Version match"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2016-9774","title":"CVE-2016-9774 affects Apache Tomcat 7.0 Tomcat7 (remove only)","rationale":"The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u8 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on 
Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to obtain sensitive information or gain root privileges via a symlink attack on the Catalina localhost directory.","severity":"High","published":"2017-03-23","updated":"2018-08-02","cwe_reference":"CWE-59","status":"Active","type":"PACKAGE","references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845393","http://www.ubuntu.com/usn/USN-3177-2","http://www.ubuntu.com/usn/USN-3177-1","http://www.securityfocus.com/bid/94643","http://www.openwall.com/lists/oss-security/2016/12/02/5","http://www.openwall.com/lists/oss-security/2016/12/02/10","http://www.debian.org/security/2016/dsa-3739","http://www.debian.org/security/2016/dsa-3738","https://security.netapp.com/advisory/ntap-20180731-0002/","https://nvd.nist.gov/vuln/detail/CVE-2016-9774"],"assigner":"secalert@redhat.com","cve_version":"4.0"}},"location":"vulnerability-detector"} {"timestamp":"2022-08-10T15:43:10.979+0000","rule":{"level":10,"description":"CVE-2016-5388 affects Apache Tomcat 7.0 Tomcat7 (remove only)","id":"23505","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:6924:5C71:F0FD:0336"},"manager":{"name":"ip-172-31-10-193.ec2.internal"},"id":"1660146190.1796017","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"Apache Tomcat 7.0 Tomcat7 (remove only)","version":"0","architecture":"x64","condition":"greater than or equal 7.0 and less than or equal 
7.0.70"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"5.100000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"8.100000"}},"cve":"CVE-2016-5388","title":"CVE-2016-5388 affects Apache Tomcat 7.0 Tomcat7 (remove only)","rationale":"Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue. 
NOTE: the vendor states \"A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388\"; in other words, this is not a CVE ID for a vulnerability.","severity":"High","published":"2016-07-19","updated":"2020-08-14","cwe_reference":"CWE-284","status":"Active","type":"PACKAGE","references":["http://www.kb.cert.org/vuls/id/797896","https://httpoxy.org/","https://www.apache.org/security/asf-httpoxy-response.txt","http://www.securitytracker.com/id/1036331","http://rhn.redhat.com/errata/RHSA-2016-2045.html","http://rhn.redhat.com/errata/RHSA-2016-2046.html","http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html","https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149","https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759","http://www.securityfocus.com/bid/91818","https://access.redhat.com/errata/RHSA-2016:1635","http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html","http://rhn.redhat.com/errata/RHSA-2016-1624.html","https://access.redhat.com/errata/RHSA-2016:1636","https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722","http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html","https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us","https://tomcat.apache.org/tomcat-7.0-doc/changelog.html","https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html","https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E","https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E","https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d@%3Cissues.activemq.apache.org%3E","https://lists.apache.org/thread.html/rc6b2147532416cc736e68a32678d3947b7053c3085cf43a9874fd102@%3Cusers.tomcat.
apache.org%3E","https://lists.apache.org/thread.html/r2853582063cfd9e7fbae1e029ae004e6a83482ae9b70a698996353dd@%3Cusers.tomcat.apache.org%3E","https://lists.apache.org/thread.html/rf21b368769ae70de4dee840a3228721ae442f1d51ad8742003aefe39@%3Cusers.tomcat.apache.org%3E","https://nvd.nist.gov/vuln/detail/CVE-2016-5388"],"assigner":"secalert@redhat.com","cve_version":"4.0"}},"location":"vulnerability-detector"} {"timestamp":"2022-08-10T15:43:10.995+0000","rule":{"level":7,"description":"CVE-2013-4444 affects Apache Tomcat 7.0 Tomcat7 (remove only)","id":"23504","firedtimes":13,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:6924:5C71:F0FD:0336"},"manager":{"name":"ip-172-31-10-193.ec2.internal"},"id":"1660146190.1804027","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"Apache Tomcat 7.0 Tomcat7 (remove only)","version":"0","architecture":"x64","condition":"less than or equal 7.0.39"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2013-4444","title":"CVE-2013-4444 affects Apache Tomcat 7.0 Tomcat7 (remove only)","rationale":"Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP 
file.","severity":"Medium","published":"2014-09-12","updated":"2021-01-07","cwe_reference":"CWE-94","status":"Active","type":"PACKAGE","references":["http://archives.neohapsis.com/archives/bugtraq/2014-09/0075.html","http://tomcat.apache.org/security-7.html","http://openwall.com/lists/oss-security/2014/10/24/12","http://marc.info/?l=bugtraq&m=144498216801440&w=2","http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html","http://www.securityfocus.com/bid/69728","http://www.debian.org/security/2016/dsa-3447","https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013","http://www.securitytracker.com/id/1030834","http://seclists.org/fulldisclosure/2021/Jan/23","https://nvd.nist.gov/vuln/detail/CVE-2013-4444"],"assigner":"secalert@redhat.com","cve_version":"4.0"}},"location":"vulnerability-detector"}
```
Run vulnerability detector with new package :green_circle:

- Install Tomcat package on Windows agent

![imagen](https://user-images.githubusercontent.com/14501079/183953646-16b09f0f-eb0d-4a9f-a171-6e8642838643.png)

- Wait for syscollector on Agent
- Check agent's database in the manager for the package

```
scan_id|scan_time|format|name|priority|section|size|vendor|install_time|version|architecture|multiarch|source|description|location|triaged|cpe|msu_name|checksum|item_id
0|2022/08/05 19:40:08|win|Apache Tomcat 7.0 Tomcat72 (remove only)|||0|The Apache Software Foundation||7.0.103|x86_64|||||1|||bdeef860661a7f5b5f8f4113c37a2dd0ea902a3e|68385a2c7db756658f3186f0ae5dea79f202f928
```

- Wait for Vulnerability Detector scan

```
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector.c:5421 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '001' software.
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:3195 at wm_vuldet_add_dic_cpe(): DEBUG: (5446): The CPE 'a:apache:tomcat:7.0.103::::::x64:' from the agent '001' was indexed.
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector.c:2731 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:1822 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5451): Analyzing NVD vulnerabilities for agent '001'
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:1834 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'find NVD' vulnerabilities in agent '001'
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:1836 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5466): Sending vulnerabilities report for agent '001'
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat72 (remove only)' package (7.0.103) from agent '001' is vulnerable to 'CVE-2021-30640'. Condition: 'greater than or equal 7.0.0 and less than 7.0.109'
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat72 (remove only)' package (7.0.103) from agent '001' is vulnerable to 'CVE-2021-25329'. Condition: 'greater than or equal 7.0.0 and less than or equal 7.0.107'
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat72 (remove only)' package (7.0.103) from agent '001' is vulnerable to 'CVE-2021-24122'. Condition: 'greater than or equal 7.0.0 and less than or equal 7.0.106'
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat72 (remove only)' package (7.0.103) from agent '001' is vulnerable to 'CVE-2020-9484'. Condition: 'greater than or equal 7.0.0 and less than 7.0.108'
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat72 (remove only)' package (7.0.103) from agent '001' is vulnerable to 'CVE-2020-13935'. Condition: 'greater than or equal 7.0.27 and less than or equal 7.0.104'
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:2335 at wm_vuldet_process_agent_nvd_vulnerabilities(): DEBUG: (5468): The 'Apache Tomcat 7.0 Tomcat72 (remove only)' package (7.0.103) from agent '001' is vulnerable to 'CVE-2012-5568'. Condition: 'greater than or equal 7.0.0 and less than or equal 7.0.105'
2022/08/10 15:55:12 wazuh-modulesd:vulnerability-detector[3245] wm_vuln_detector_nvd.c:1846 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'report' vulnerabilities in agent '001'
```

- Check alerts generated

```
{"timestamp":"2022-08-10T15:55:12.646+0000","rule":{"level":10,"description":"CVE-2020-13935 affects Apache Tomcat 7.0 Tomcat72 (remove only)","id":"23505","firedtimes":3,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:6924:5C71:F0FD:0336"},"manager":{"name":"ip-172-31-10-193.ec2.internal"},"id":"1660146912.1861671","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"Apache Tomcat 7.0 Tomcat72 (remove only)","version":"7.0.103","architecture":"x64","condition":"greater than or equal 7.0.27 and less than or equal 
7.0.104"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2020-13935","title":"CVE-2020-13935 affects Apache Tomcat 7.0 Tomcat72 (remove only)","rationale":"The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.","severity":"High","published":"2020-07-14","updated":"2022-05-12","cwe_reference":"CWE-835","status":"Active","type":"PACKAGE","references":["https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E","https://www.debian.org/security/2020/dsa-4727","https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html","https://security.netapp.com/advisory/ntap-20200724-0003/","http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html","http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html","https://usn.ubuntu.com/4448-1/","https://kc.mcafee.com/corporate/index?page=content&id=SB10332","https://www.oracle.com/security-alerts/cpuoct2020.html","https://usn.ubuntu.com/4596-1/","https://lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50@%3Cusers.tomcat.apache.org%3E","https://www.oracle.com/security-alerts/cpujan2021.html","https://www.oracle.com/security-alerts/cpuApr2021.html","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/se
curity-alerts/cpuoct2021.html","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://nvd.nist.gov/vuln/detail/CVE-2020-13935"],"assigner":"security@apache.org","cve_version":"4.0"}},"location":"vulnerability-detector"} {"timestamp":"2022-08-10T15:55:12.659+0000","rule":{"level":7,"description":"CVE-2012-5568 affects Apache Tomcat 7.0 Tomcat72 (remove only)","id":"23504","firedtimes":3,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:6924:5C71:F0FD:0336"},"manager":{"name":"ip-172-31-10-193.ec2.internal"},"id":"1660146912.1867408","decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"Apache Tomcat 7.0 Tomcat72 (remove only)","version":"7.0.103","architecture":"x64","condition":"greater than or equal 7.0.0 and less than or equal 7.0.105"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"}},"cve":"CVE-2012-5568","title":"CVE-2012-5568 affects Apache Tomcat 7.0 Tomcat72 (remove only)","rationale":"Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by 
Slowloris.","severity":"Medium","published":"2012-11-30","updated":"2021-01-11","cwe_reference":"NVD-CWE-noinfo","status":"Active","type":"PACKAGE","references":["http://openwall.com/lists/oss-security/2012/11/26/2","http://captainholly.wordpress.com/2009/06/19/slowloris-vs-tomcat/","http://tomcat.10.n6.nabble.com/How-does-Tomcat-handle-a-slow-HTTP-DoS-tc2147776.html","http://tomcat.10.n6.nabble.com/How-does-Tomcat-handle-a-slow-HTTP-DoS-tc2147779.html","https://bugzilla.redhat.com/show_bug.cgi?id=880011","http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html","http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html","http://www.securityfocus.com/bid/56686","http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html","https://exchange.xforce.ibmcloud.com/vulnerabilities/80317","https://nvd.nist.gov/vuln/detail/CVE-2012-5568"],"assigner":"secalert@redhat.com","cve_version":"4.0"}},"location":"vulnerability-detector"}
```
Check that a package with no version and no vendor is correctly indexed :green_circle:

- Create custom CPE translation

```json
{
  "target": "windows",
  "source": {
    "vendor": [],
    "product": [ "^MOCK PACKAGE.*" ],
    "version": [ "^MOCK PACKAGE ([0-9]+\\.*[0-9]*\\.*[0-9]*-*[0-9]*)" ]
  },
  "translation": {
    "vendor": [ "MOCK_VENDOR" ],
    "product": [ "MOCK_PACKAGE" ],
    "version": []
  },
  "action": [ "replace_product", "set_version_if_product_matches", "replace_vendor" ]
}
```

- Insert custom package (with no vendor and no version)

```sql
INSERT INTO sys_programs(scan_id, scan_time, format, name, architecture, location, triaged, checksum, item_id)
VALUES ("1655979708", "2022/08/09 12:15:52", "win", "MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)", "x86_64", "C:\Program Files\Apache\Tomcat\", 0, "legacy", "e19cab0360ed7a0ca629ace0888bcee89a321500");
```

- Check agent's database in the manager for the package

```
SELECT * FROM sys_programs where name like '%MOCK%';
scan_id|scan_time|format|name|priority|section|size|vendor|install_time|version|architecture|multiarch|source|description|location|triaged|cpe|msu_name|checksum|item_id
1655979708|2022/08/09 12:15:52|win|MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)|||||||x86_64||||C:\Program Files\Apache\Tomcat\V15\|0|||legacy|e19cab0360ed7a0ca629ace0888bcee89a321500
```

- Wait for Vulnerability Detector scan and check it is indexed

```
2022/08/10 16:01:38 wazuh-modulesd:vulnerability-detector[3773] wm_vuln_detector_nvd.c:3195 at wm_vuldet_add_dic_cpe(): DEBUG: (5446): The CPE 'a:MOCK_VENDOR:MOCK_PACKAGE:8.9-22::::::x64:' from the agent '001' was indexed.
2022/08/10 16:01:38 wazuh-modulesd:vulnerability-detector[3773] wm_vuln_detector.c:2731 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '001' vulnerabilities.
2022/08/10 16:01:38 wazuh-modulesd:vulnerability-detector[3773] wm_vuln_detector_nvd.c:1822 at wm_vuldet_win_nvd_vulnerabilities(): DEBUG: (5451): Analyzing NVD vulnerabilities for agent '001'
```
Check that with no version in package or CPE translation a debug message is shown :green_circle:

- Create custom CPE translation

```json
{
  "target": "windows",
  "source": {
    "vendor": [],
    "product": [ "^MOCK PACKAGE.*" ],
    "version": []
  },
  "translation": {
    "vendor": [ "MOCK_VENDOR" ],
    "product": [ "MOCK_PACKAGE" ],
    "version": []
  },
  "action": [ "replace_product", "replace_vendor" ]
}
```

- Insert custom package (with no vendor and no version)

```sql
INSERT INTO sys_programs(scan_id, scan_time, format, name, architecture, location, triaged, checksum, item_id)
VALUES ("1655979708", "2022/08/09 12:15:52", "win", "MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)", "x86_64", "C:\Program Files\Apache\Tomcat\", 0, "legacy", "e19cab0360ed7a0ca629ace0888bcee89a321500");
```

- Check agent's database in the manager for the package

```
SELECT * FROM sys_programs where name like '%MOCK%';
scan_id|scan_time|format|name|priority|section|size|vendor|install_time|version|architecture|multiarch|source|description|location|triaged|cpe|msu_name|checksum|item_id
1655979708|2022/08/09 12:15:52|win|MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)|||||||x86_64||||C:\Program Files\Apache\Tomcat\|0|||legacy|e19cab0360ed7a0ca629ace0888bcee89a321500
```

- Wait for Vulnerability Detector scan and check for the expected message

```
2022/08/10 16:09:52 wazuh-modulesd:vulnerability-detector[4743] wm_vuln_detector.c:2712 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5439): A partial scan will be run on agent '001'
2022/08/10 16:09:52 wazuh-modulesd:vulnerability-detector[4743] wm_vuln_detector.c:5421 at wm_vuldet_collect_agent_software(): DEBUG: (5437): Collecting agent '001' software.
2022/08/10 16:09:52 wazuh-modulesd:vulnerability-detector[4743] wm_vuln_detector_nvd.c:3198 at wm_vuldet_add_dic_cpe(): DEBUG: (5593): Couldn't get the version of the CPE for the MOCK_PACKAGE package.
```
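Added example (not Wazuh's wm_vuln_detector code and not part of the tester's comment): a small Python model of how the two MOCK CPE translations from the test cases above turn the inserted sys_programs row into the CPE string the logs show, or into the "Couldn't get the version" message when the rule carries no version regex. The meaning given to the three `action` values and the x86_64 to x64 target_hw mapping are this model's assumptions, read from the rule format and the logged CPE strings.

```python
"""Model of a CPE Helper translation rule applied to a sys_programs row.

Constructed example for this issue; it is not Wazuh's wm_vuln_detector code.
The semantics given to the 'action' values are this model's reading of the
rule format used in the test cases, and the x86_64 -> x64 mapping is an
assumption taken from the CPE strings that appear in the detector logs.
"""
import json
import re

# CPE translations from the test cases, kept verbatim (hence the raw strings).
RULE_WITH_VERSION = json.loads(r'''{
  "target": "windows",
  "source": { "vendor": [], "product": [ "^MOCK PACKAGE.*" ],
              "version": [ "^MOCK PACKAGE ([0-9]+\\.*[0-9]*\\.*[0-9]*-*[0-9]*)" ] },
  "translation": { "vendor": [ "MOCK_VENDOR" ], "product": [ "MOCK_PACKAGE" ], "version": [] },
  "action": [ "replace_product", "set_version_if_product_matches", "replace_vendor" ]
}''')

RULE_NO_VERSION = json.loads(r'''{
  "target": "windows",
  "source": { "vendor": [], "product": [ "^MOCK PACKAGE.*" ], "version": [] },
  "translation": { "vendor": [ "MOCK_VENDOR" ], "product": [ "MOCK_PACKAGE" ], "version": [] },
  "action": [ "replace_product", "replace_vendor" ]
}''')

# sqlite3 output of the SELECT from the test case: header row plus the inserted row.
SYS_PROGRAMS_HEADER = ("scan_id|scan_time|format|name|priority|section|size|vendor|install_time|"
                       "version|architecture|multiarch|source|description|location|triaged|cpe|"
                       "msu_name|checksum|item_id")
SYS_PROGRAMS_ROW = (r"1655979708|2022/08/09 12:15:52|win|MOCK PACKAGE 8.9-22 (MOCKED PACKAGE)|||||||"
                    r"x86_64||||C:\Program Files\Apache\Tomcat\|0|||legacy|"
                    r"e19cab0360ed7a0ca629ace0888bcee89a321500")

# Assumption: syscollector's x86_64 becomes the CPE target_hw 'x64' seen in the logs.
ARCH_TO_TARGET_HW = {"x86_64": "x64", "i686": "x86"}


def parse_sys_programs_row(header, row):
    """Turn one pipe-separated sqlite3 output row into a dict keyed by column name."""
    columns, values = header.split("|"), row.split("|")
    if len(columns) != len(values):
        raise ValueError(f"expected {len(columns)} columns, got {len(values)}")
    return dict(zip(columns, values))


def build_cpe(vendor, product, version, architecture):
    """Assemble the 11-field CPE 2.3 tuple the detector logs (part .. other)."""
    target_hw = ARCH_TO_TARGET_HW.get(architecture, "")
    return ":".join(["a", vendor, product, version, "", "", "", "", "", target_hw, ""])


def translate(rule, package):
    """Apply one CPE Helper rule to a package row.

    Returns (cpe, message). cpe is None when no product regex matches or when
    no version can be resolved, mirroring the two DEBUG messages in the logs.
    """
    name = package["name"]
    vendor, product, version = package["vendor"], name, package["version"]
    if not any(re.search(p, name) for p in rule["source"]["product"]):
        return None, f"No CPE translation matched the {name} package."
    for action in rule["action"]:
        if action == "replace_product":
            product = rule["translation"]["product"][0]
        elif action == "replace_vendor":
            vendor = rule["translation"]["vendor"][0]
        elif action == "set_version_if_product_matches":
            # Take the first capture group of the first version regex that matches the name.
            for pattern in rule["source"]["version"]:
                match = re.search(pattern, name)
                if match:
                    version = match.group(1)
                    break
    if not version:
        return None, f"Couldn't get the version of the CPE for the {product} package."
    cpe = build_cpe(vendor, product, version, package["architecture"])
    return cpe, f"The CPE '{cpe}' from the agent was indexed."


if __name__ == "__main__":
    pkg = parse_sys_programs_row(SYS_PROGRAMS_HEADER, SYS_PROGRAMS_ROW)
    for label, rule in (("with version regex", RULE_WITH_VERSION),
                        ("no version regex", RULE_NO_VERSION)):
        print(label, "->", translate(rule, pkg))
```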
jmv74211 commented 2 years ago

🟢 Everything seems to be working properly