Closed cborla closed 5 months ago
After Filtering all input files and importing them on the google sheet I've started checking each vulnerability-id (sorting them by the most repeated and afterwards by vulnerability score. The procces itself turned mechanical after a few minutes. To avoid that procces we have filtered the respective ova DB and then with a match function inside google sheet we where able to match the resolution state. This result still lacks on some details, CVE's not found and several cases with different resolution state depending on the module, this will be tackle on a new iteration. All the results are still WIP in the sheet. c.c. @cborla @nbertoldo
After changes in the script we've found a way of filtering with the components itself, but the result only matches in less than a 50% of the cases. The column was added. I start the day with a simple filtering on the already manually analyzed cases vs the first script attempt. I have pending the 4.7.3 - 4.8.0 cases, those are above 300. Still WIP
Delaying the ETA to March 27th.
Vulnerabilities in 4.8.0, not reported in 4.7.3:
Vulnerabilities in 4.8.0
, not reported in 4.7.3
:
4
Failure.56
Doubtful.502
Success.Vulnerabilities in 4.7.3
, not reported in 4.8.0
:
29
Failure.0
Doubtful.312
Success.Spreadsheet: link
We note that version 4.8.0 reports more vulnerabilities than version 4.7.3, which is correct, but all vulnerabilities listed as success in the 4.7.3 - 4.8.0 spreadsheet should have been reported by 4.8.0. understanding that there are 312 false negatives of 4.8.0.
This is a false positive in 4.7.3, the installed version of curl is 7.76.1-26.el9
, al the vulnerability is described as:
{
"defaultStatus": "unaffected",
"platforms": [
"cpe:/a:redhat:enterprise_linux:9",
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/a:redhat:enterprise_linux:9::highavailability",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::realtime",
"cpe:/a:redhat:enterprise_linux:9::resilientstorage",
"cpe:/a:redhat:enterprise_linux:9::sap",
"cpe:/a:redhat:enterprise_linux:9::sap_hana",
"cpe:/a:redhat:enterprise_linux:9::supplementary",
"cpe:/o:redhat:enterprise_linux:9",
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"product": "curl",
"vendor": "redhat",
"versions": [
{
"lessThan": "7.76.1-26.el9_3.3",
"status": "affected",
"version": "0",
"versionType": "rpm"
}
]
}
The installed version is not vulnerable
Same scenario
Same scenario
Same scenario
CC: @cborla
Same scenario as in:
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario as in:
Same scenario
Same scenario
We performed an investigation of the RedHat feed:
The final treatment for the different states of RedHat vulnerabilities is:
In conclusion, this is a true positive
Sames scenario
Sames scenario
Sames scenario
Sames scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
Same scenario
CC: @cborla
The feed changed when the tests were performed.
March 14:
{
"defaultStatus": "affected",
"platforms": [
"cpe:/a:redhat:enterprise_linux:9",
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/a:redhat:enterprise_linux:9::highavailability",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::realtime",
"cpe:/a:redhat:enterprise_linux:9::resilientstorage",
"cpe:/a:redhat:enterprise_linux:9::sap",
"cpe:/a:redhat:enterprise_linux:9::sap_hana",
"cpe:/a:redhat:enterprise_linux:9::supplementary",
"cpe:/o:redhat:enterprise_linux:9",
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"product": "kernel-core",
"vendor": "redhat"
}
March 19:
{
"defaultStatus": "unaffected",
"platforms": [
"cpe:/a:redhat:enterprise_linux:9",
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/a:redhat:enterprise_linux:9::highavailability",
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::realtime",
"cpe:/a:redhat:enterprise_linux:9::resilientstorage",
"cpe:/a:redhat:enterprise_linux:9::sap",
"cpe:/a:redhat:enterprise_linux:9::sap_hana",
"cpe:/a:redhat:enterprise_linux:9::supplementary",
"cpe:/o:redhat:enterprise_linux:9",
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"product": "kernel-core",
"vendor": "redhat"
}
[!NOTE] This problem is now fixed
We are tasked with performing a comprehensive analysis of vulnerability discrepancies reported between versions 4.7.3 and 4.8.0 in RHEL 9. This entails scrutinizing each vulnerability identified in the report, cross-referencing them with official sources such as the National Vulnerability Database (NVD), Canonical, Red Hat Security Advisories (RHSA), and other trusted sources.
To accomplish this, we will follow a systematic approach:
Gathering Vulnerability List: We will compile a comprehensive list of vulnerabilities detected in versions 4.7.0 and 4.8.0. This list will be sourced from the provided report and any additional channels that may provide pertinent information. (Link)
Package Inventory Examination: We will thoroughly examine the package inventory associated with the aforementioned versions to ensure accuracy in vulnerability identification and tracking.
Verification with Official Sources: Each identified vulnerability will be meticulously compared with information available from official sources such as the NVD, Canonical, RHSA, and other relevant platforms. This step is crucial in validating the existence and severity of each vulnerability.
Analysis and Documentation: We will document our findings in a structured manner, presenting a detailed analysis of each vulnerability and highlighting any variances or discrepancies encountered between the provided report and official sources.
Compilation of Results: Based on our analysis, we will populate a comprehensive table detailing the results of our comparison. This table will serve as a reference point for understanding the status of each vulnerability and any deviations observed.
Recommendations: Finally, we will provide recommendations based on our findings, including potential actions to address any identified vulnerabilities and mitigate associated risks effectively.
By adhering to this methodical approach, we aim to ensure thoroughness and accuracy in our analysis of vulnerability discrepancies between versions 4.7.0 and 4.8.0. This endeavor will contribute to enhancing the overall security posture of our system and bolstering our resilience against potential threats.