wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

RHEL 9: Analyze vulnerability discrepancies in the report between 4.7.3 and 4.8.0 #5118

Closed cborla closed 5 months ago

cborla commented 5 months ago
| Platform | From  | To          |
|----------|-------|-------------|
| RHEL 9   | 4.7.3 | 4.8.0-beta4 |

We are tasked with performing a comprehensive analysis of vulnerability discrepancies reported between versions 4.7.3 and 4.8.0 in RHEL 9. This entails scrutinizing each vulnerability identified in the report, cross-referencing them with official sources such as the National Vulnerability Database (NVD), Canonical, Red Hat Security Advisories (RHSA), and other trusted sources.

To accomplish this, we will follow a systematic approach:

  1. Gathering Vulnerability List: We will compile a comprehensive list of vulnerabilities detected in versions 4.7.0 and 4.8.0. This list will be sourced from the provided report and any additional channels that may provide pertinent information. (Link)

  2. Package Inventory Examination: We will thoroughly examine the package inventory associated with the aforementioned versions to ensure accuracy in vulnerability identification and tracking.

  3. Verification with Official Sources: Each identified vulnerability will be meticulously compared with information available from official sources such as the NVD, Canonical, RHSA, and other relevant platforms. This step is crucial in validating the existence and severity of each vulnerability.

  4. Analysis and Documentation: We will document our findings in a structured manner, presenting a detailed analysis of each vulnerability and highlighting any variances or discrepancies encountered between the provided report and official sources.

  5. Compilation of Results: Based on our analysis, we will populate a comprehensive table detailing the results of our comparison. This table will serve as a reference point for understanding the status of each vulnerability and any deviations observed.

  6. Recommendations: Finally, we will provide recommendations based on our findings, including potential actions to address any identified vulnerabilities and mitigate associated risks effectively.

By adhering to this methodical approach, we aim to ensure thoroughness and accuracy in our analysis of vulnerability discrepancies between versions 4.7.0 and 4.8.0. This endeavor will contribute to enhancing the overall security posture of our system and bolstering our resilience against potential threats.

LucioDonda commented 5 months ago

After filtering all input files and importing them into the Google sheet, I've started checking each vulnerability ID (sorting them by the most repeated and afterwards by vulnerability score). The process itself turned mechanical after a few minutes. To avoid that process we have filtered the respective ova DB and then, with a match function inside the Google sheet, we were able to match the resolution state. This result still lacks some details: CVEs not found and several cases with a different resolution state depending on the module; these will be tackled in a new iteration. All the results are still WIP in the sheet. c.c. @cborla @nbertoldo

LucioDonda commented 5 months ago

After changes in the script we've found a way of filtering with the components themselves, but the result only matches in less than 50% of the cases. The column was added. I started the day with a simple filtering of the already manually analyzed cases vs the first script attempt. I have pending the 4.7.3 - 4.8.0 cases; those are above 300. Still WIP.

vikman90 commented 5 months ago

Delaying the ETA to March 27th.

nmkoremblum commented 5 months ago

Vulnerabilities in 4.8.0, not reported in 4.7.3:

nbertoldo commented 5 months ago

Issue Update

Spreadsheet: link

Conclusion

We note that version 4.8.0 reports more vulnerabilities than version 4.7.3, which is correct, but all vulnerabilities listed as success in the 4.7.3 - 4.8.0 spreadsheet should have been reported by 4.8.0, understanding that there are 312 false negatives in 4.8.0.

sebasfalcone commented 5 months ago

CVE-2023-46218 (successful)

This is a false positive in 4.7.3; the installed version of curl is 7.76.1-26.el9, and the vulnerability is described as:

          {
            "defaultStatus": "unaffected",
            "platforms": [
              "cpe:/a:redhat:enterprise_linux:9",
              "cpe:/a:redhat:enterprise_linux:9::appstream",
              "cpe:/a:redhat:enterprise_linux:9::crb",
              "cpe:/a:redhat:enterprise_linux:9::highavailability",
              "cpe:/a:redhat:enterprise_linux:9::nfv",
              "cpe:/a:redhat:enterprise_linux:9::realtime",
              "cpe:/a:redhat:enterprise_linux:9::resilientstorage",
              "cpe:/a:redhat:enterprise_linux:9::sap",
              "cpe:/a:redhat:enterprise_linux:9::sap_hana",
              "cpe:/a:redhat:enterprise_linux:9::supplementary",
              "cpe:/o:redhat:enterprise_linux:9",
              "cpe:/o:redhat:enterprise_linux:9::baseos"
            ],
            "product": "curl",
            "vendor": "redhat",
            "versions": [
              {
                "lessThan": "7.76.1-26.el9_3.3",
                "status": "affected",
                "version": "0",
                "versionType": "rpm"
              }
            ]
          }

The installed version is not vulnerable

CVE-2024-0553 (successful)

Same scenario

CVE-2024-0567 (successful)

Same scenario

CVE-2023-5981 (successful)

Same scenario

CC: @cborla

sebasfalcone commented 5 months ago

CVE-2023-4001 (Success)

Same scenario as in:

CVE-2023-4001 (Success)

Same scenario

CVE-2023-4001 (Success)

Same scenario

CVE-2023-4001 (Success)

Same scenario

CVE-2023-4001 (Success)

Same scenario

sebasfalcone commented 5 months ago

CVE-2021-47130 (Success)

Same scenario as in:

CVE-2021-47131 (Success)

Same scenario

CVE-2021-47132 (Success)

Same scenario

sebasfalcone commented 5 months ago

CVE-2024-25740 (Doubtful)

We performed an investigation of the RedHat feed:

The final treatment for the different states of RedHat vulnerabilities is: image

In conclusion, this is a true positive

CVE-2024-24857 (Doubtful)

Same scenario

CVE-2024-23850 (Doubtful)

Same scenario

CVE-2024-23848 (Doubtful)

Same scenario

CVE-2024-23196 (Doubtful)

Same scenario

CVE-2024-24858 (Doubtful)

Same scenario

CVE-2024-22099 (Doubtful)

Same scenario

CVE-2024-23307 (Doubtful)

Same scenario

CVE-2022-2785 (Doubtful)

Same scenario

CVE-2024-25739 (Doubtful)

Same scenario

CVE-2024-25740 (Doubtful)

Same scenario

CVE-2024-24857 (Doubtful)

Same scenario

CVE-2024-23850 (Doubtful)

Same scenario

CVE-2024-23848 (Doubtful)

Same scenario

CVE-2024-23196 (Doubtful)

Same scenario

CVE-2024-0340 (Doubtful)

Same scenario

CVE-2024-24855 (Doubtful)

Same scenario

CVE-2024-24858 (Doubtful)

Same scenario

CVE-2024-22099 (Doubtful)

Same scenario

CVE-2024-23849 (Doubtful)

Same scenario

CVE-2024-23307 (Doubtful)

Same scenario

CVE-2022-2785 (Doubtful)

Same scenario

CVE-2024-25740 (Doubtful)

Same scenario

CVE-2024-25739 (Doubtful)

Same scenario

CVE-2024-24858 (Doubtful)

Same scenario

CVE-2024-24855 (Doubtful)

Same scenario

CVE-2024-23850 (Doubtful)

Same scenario

CVE-2024-23848 (Doubtful)

Same scenario

CVE-2024-23307 (Doubtful)

Same scenario

CVE-2024-0340 (Doubtful)

Same scenario

CVE-2024-23196 (Doubtful)

Same scenario

CVE-2024-23849 (Doubtful)

Same scenario

CVE-2022-2785 (Doubtful)

Same scenario

CVE-2024-25740 (Doubtful)

Same scenario

CVE-2024-24857 (Doubtful)

Same scenario

CVE-2024-23850 (Doubtful)

Same scenario

CVE-2024-23848 (Doubtful)

Same scenario

CVE-2024-23196 (Doubtful)

Same scenario

CVE-2024-0340 (Doubtful)

Same scenario

CVE-2024-24855 (Doubtful)

Same scenario

CVE-2024-24858 (Doubtful)

Same scenario

CVE-2024-22099 (Doubtful)

Same scenario

CVE-2024-22099 (Doubtful)

Same scenario

CVE-2024-23849 (Doubtful)

Same scenario

CVE-2024-23307 (Doubtful)

Same scenario

CVE-2024-25739 (Doubtful)

Same scenario

CVE-2023-4738 (Doubtful)

Same scenario

CVE-2023-4735 (Doubtful)

Same scenario

CC: @cborla

sebasfalcone commented 5 months ago

False positives (non-vulnerable packages)

CVE-2024-21803 (Failure)

The feed changed when the tests were performed.

March 14:

          {
            "defaultStatus": "affected",
            "platforms": [
              "cpe:/a:redhat:enterprise_linux:9",
              "cpe:/a:redhat:enterprise_linux:9::appstream",
              "cpe:/a:redhat:enterprise_linux:9::crb",
              "cpe:/a:redhat:enterprise_linux:9::highavailability",
              "cpe:/a:redhat:enterprise_linux:9::nfv",
              "cpe:/a:redhat:enterprise_linux:9::realtime",
              "cpe:/a:redhat:enterprise_linux:9::resilientstorage",
              "cpe:/a:redhat:enterprise_linux:9::sap",
              "cpe:/a:redhat:enterprise_linux:9::sap_hana",
              "cpe:/a:redhat:enterprise_linux:9::supplementary",
              "cpe:/o:redhat:enterprise_linux:9",
              "cpe:/o:redhat:enterprise_linux:9::baseos"
            ],
            "product": "kernel-core",
            "vendor": "redhat"
          }

March 19:

          {
            "defaultStatus": "unaffected",
            "platforms": [
              "cpe:/a:redhat:enterprise_linux:9",
              "cpe:/a:redhat:enterprise_linux:9::appstream",
              "cpe:/a:redhat:enterprise_linux:9::crb",
              "cpe:/a:redhat:enterprise_linux:9::highavailability",
              "cpe:/a:redhat:enterprise_linux:9::nfv",
              "cpe:/a:redhat:enterprise_linux:9::realtime",
              "cpe:/a:redhat:enterprise_linux:9::resilientstorage",
              "cpe:/a:redhat:enterprise_linux:9::sap",
              "cpe:/a:redhat:enterprise_linux:9::sap_hana",
              "cpe:/a:redhat:enterprise_linux:9::supplementary",
              "cpe:/o:redhat:enterprise_linux:9",
              "cpe:/o:redhat:enterprise_linux:9::baseos"
            ],
            "product": "kernel-core",
            "vendor": "redhat"
          }

[!NOTE] This problem is now fixed
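The two kinds of feed entry quoted in this thread behave differently when a scanner evaluates them: the curl entry carries a `versions` array with an rpm-typed `lessThan` bound, so the verdict depends on comparing the installed EVR against the fixed release, whereas the kernel-core entry has no `versions` array at all, so `defaultStatus` alone decides and the verdict flipped between the March 14 and March 19 snapshots. The following script is an added example written for this thread; it is not Wazuh code and does not reproduce the scanner's own matching logic. It implements librpm's `rpmvercmp` ordering (numeric segments beat alphabetic ones, `~` sorts below everything, `^` sorts above end-of-string) and applies the `defaultStatus` / `versions` semantics of the quoted entries. The feed entries are trimmed copies of the snippets above (platform lists shortened); the installed package versions are constructed samples, not versions from the report.

```python
"""Evaluate Red Hat CNA-style feed entries against installed RPM versions.

Added example for this thread; not Wazuh or Red Hat code.  The feed entries
are trimmed from the JSON quoted in the issue, the installed versions are
constructed samples.
"""
import json

RPM_SEP = "~^"  # pre-release / post-release markers understood by rpmvercmp


def _is_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings with librpm's rules.

    Returns -1 if a < b, 0 if equal, 1 if a > b.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators such as '.', '-' and '_'.
        while i < len(a) and not (_is_alnum(a[i]) or a[i] in RPM_SEP):
            i += 1
        while j < len(b) and not (_is_alnum(b[j]) or b[j] in RPM_SEP):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":  # '~' sorts below everything, even end-of-string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        if ca == "^" or cb == "^":  # '^' sorts above end-of-string, below anything else
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i += 1
            j += 1
            continue
        if not ca or not cb:
            break
        numeric = ca.isdigit()
        pred = str.isdigit if numeric else str.isalpha
        si = i
        while i < len(a) and pred(a[i]):
            i += 1
        sj = j
        while j < len(b) and pred(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            return 1 if numeric else -1  # numeric segment is always newer than alphabetic
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # the string with segments left over is newer


def parse_evr(evr: str):
    """Split 'epoch:version-release' (epoch and release optional)."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return int(epoch), version, release


def evrcmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def evaluate(entry: dict, installed_evr: str, platform_cpe: str) -> str:
    """Return 'affected', 'unaffected' or 'not_applicable' for one package.

    Without a 'versions' array only defaultStatus decides; with one, an rpm
    range [version, lessThan) overrides it for installed versions inside it.
    """
    if platform_cpe not in entry.get("platforms", []):
        return "not_applicable"
    status = entry.get("defaultStatus", "unknown")
    for rng in entry.get("versions", []):
        if rng.get("versionType") != "rpm":
            continue
        lower, upper = rng.get("version", "0"), rng.get("lessThan")
        if evrcmp(installed_evr, lower) >= 0 and (upper is None or evrcmp(installed_evr, upper) < 0):
            status = rng.get("status", status)
    return status


# Constructed feed: trimmed copies of the entries quoted in the thread.
FEED = json.loads("""
{
  "curl": {"defaultStatus": "unaffected",
           "platforms": ["cpe:/o:redhat:enterprise_linux:9", "cpe:/a:redhat:enterprise_linux:9::appstream"],
           "product": "curl", "vendor": "redhat",
           "versions": [{"lessThan": "7.76.1-26.el9_3.3", "status": "affected",
                         "version": "0", "versionType": "rpm"}]},
  "kernel-core@2024-03-14": {"defaultStatus": "affected",
           "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "product": "kernel-core", "vendor": "redhat"},
  "kernel-core@2024-03-19": {"defaultStatus": "unaffected",
           "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "product": "kernel-core", "vendor": "redhat"}
}
""")
RHEL9 = "cpe:/o:redhat:enterprise_linux:9"

if __name__ == "__main__":
    # Constructed installed versions, not values from the report.
    for name, evr in [("curl", "7.76.1-14.el9"), ("curl", "7.76.1-29.el9_4"),
                      ("kernel-core@2024-03-14", "5.14.0-362.18.1.el9_3"),
                      ("kernel-core@2024-03-19", "5.14.0-362.18.1.el9_3")]:
        print(f"{name:24} {evr:24} -> {evaluate(FEED[name], evr, RHEL9)}")
```

The kernel-core pair is the point to take from the thread: with no `versions` array, nothing about the installed package is consulted, so a scanner that cached the March 14 snapshot and one that pulled the March 19 snapshot report opposite results for identical hosts. Recording the feed snapshot date alongside each finding is what makes such discrepancies explainable afterwards.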