CentOS 7: Analyze vulnerability discrepancies in the report between 4.7.3 and 4.8.0

[cborla]

Platform	From	To
CentOS 7	4.7.3	4.8.0-beta4

We are tasked with performing a comprehensive analysis of vulnerability discrepancies reported between versions 4.7.3 and 4.8.0 in CentOS 7. This entails scrutinizing each vulnerability identified in the report, cross-referencing them with official sources such as the National Vulnerability Database (NVD), Canonical, Red Hat Security Advisories (RHSA), and other trusted sources.

To accomplish this, we will follow a systematic approach:

1. Gathering Vulnerability List: We will compile a comprehensive list of vulnerabilities detected in versions 4.7.0 and 4.8.0. This list will be sourced from the provided report and any additional channels that may provide pertinent information. (Link)

2. Package Inventory Examination: We will thoroughly examine the package inventory associated with the aforementioned versions to ensure accuracy in vulnerability identification and tracking.

3. Verification with Official Sources: Each identified vulnerability will be meticulously compared with information available from official sources such as the NVD, Canonical, RHSA, and other relevant platforms. This step is crucial in validating the existence and severity of each vulnerability.

4. Analysis and Documentation: We will document our findings in a structured manner, presenting a detailed analysis of each vulnerability and highlighting any variances or discrepancies encountered between the provided report and official sources.

5. Compilation of Results: Based on our analysis, we will populate a comprehensive table detailing the results of our comparison. This table will serve as a reference point for understanding the status of each vulnerability and any deviations observed.

6. Recommendations: Finally, we will provide recommendations based on our findings, including potential actions to address any identified vulnerabilities and mitigate associated risks effectively.

By adhering to this methodical approach, we aim to ensure thoroughness and accuracy in our analysis of vulnerability discrepancies between versions 4.7.0 and 4.8.0. This endeavor will contribute to enhancing the overall security posture of our system and bolstering our resilience against potential threats.

[cborla]

Issue Update

The analysis is still in progress:

• Vulnerabilities in 4.8.0, not reported in 4.7.3:
  • 11 failure.
  • 7 doubtful (Under investigation).
• Vulnerabilities in 4.7.3, not reported in 4.8.0:
  • 0 failures.

Spreadsheet: link

After proceeding with the manual analysis, perform a filter using the ova provided by rhel-7-including-unpatched.oval.xml.bz2 filling in the state column with which we can get an idea of whether the vulnerability was well generated or not.

[cborla]

Issue Update

The analysis is still in progress:

• Vulnerabilities in 4.8.0, not reported in 4.7.3:
  • 4 Failure.
  • 53 Doubtful (Under investigation).
  • 887 Success.

Spreadsheet: link

[nmkoremblum]

Issue Update

The analysis is still in progress:

Vulnerabilities in 4.8.0, not reported in 4.7.3:
    4 failures.
    65 doubtful (Under investigation or undefined).
Vulnerabilities in 4.7.3, not reported in 4.8.0:
    171 failures.

Spreadsheet: link

After proceeding with the manual analysis, perform a filter using the ova provided by rhel-7-including-unpatched.oval.xml.bz2 filling in the state column with which we can get an idea of whether the vulnerability was well generated or not.

[cborla]

Issue Update

The analysis is still in progress:

• Vulnerabilities in 4.8.0, not reported in 4.7.3:

  • 5 Failure.
  • 7 Doubtful.
  • 1580 Success.

• Vulnerabilities in 4.7.3, not reported in 4.8.0:

  • 0 Failure.
  • 0 Doubtful.
  • 368 Success.

Spreadsheet: link

Conclusion

We note that version 4.8.0 reports more vulnerabilities than version 4.7.3, which is correct, but all vulnerabilities listed as success in the 4.7.3 - 4.8.0 spreadsheet should have been reported by 4.8.0. understanding that there are 368 false negatives of 4.8.0.

[sebasfalcone]

False negatives (version with epoch)

All false negatives of packages in which its version contains an epoch have the same problem as described here:

• https://github.com/wazuh/wazuh-qa/issues/5117#issuecomment-2009689486

It will be fixed here:

• https://github.com/wazuh/intelligence-platform/issues/1447

[!NOTE] These CVEs serve as an example:

• CVE-2023-2828
• CVE-2023-3341
• CVE-2021-25214
• CVE-2021-25215
• CVE-2021-25220

CC: @Damian-Mangold

[sebasfalcone]

False negative (packages with no fix)

Packages that are affected by default are not being detected as such. This issue will be further investigated here:

• https://github.com/wazuh/wazuh/issues/22639

Example (CVE-2019-19645)

This vulnerability affects:

• All of the sqlite version on RedHat 6:

         {
          "defaultStatus": "affected",
          "platforms": [
            "cpe:/a:redhat:rhel_extras:6",
            "cpe:/a:redhat:rhel_extras_hpn:6",
            "cpe:/a:redhat:rhel_extras_oracle_java:6",
            "cpe:/a:redhat:rhel_extras_sap:6",
            "cpe:/a:redhat:rhel_extras_sap_hana:6",
            "cpe:/o:redhat:enterprise_linux:6",
            "cpe:/o:redhat:enterprise_linux:6::client",
            "cpe:/o:redhat:enterprise_linux:6::computenode",
            "cpe:/o:redhat:enterprise_linux:6::server",
            "cpe:/o:redhat:enterprise_linux:6::workstation",
            "cpe:/o:redhat:rhel_eus:6.0"
          ],
          "product": "sqlite",
          "vendor": "redhat"
        }

• All of the sqlite versions on RedHat 7:

        {
          "defaultStatus": "affected",
          "platforms": [
            "cpe:/a:redhat:rhel_extras:7",
            "cpe:/a:redhat:rhel_extras_oracle_java:7",
            "cpe:/a:redhat:rhel_extras_rt:7",
            "cpe:/a:redhat:rhel_extras_sap:7",
            "cpe:/a:redhat:rhel_extras_sap_hana:7",
            "cpe:/o:redhat:enterprise_linux:7",
            "cpe:/o:redhat:enterprise_linux:7::client",
            "cpe:/o:redhat:enterprise_linux:7::computenode",
            "cpe:/o:redhat:enterprise_linux:7::container",
            "cpe:/o:redhat:enterprise_linux:7::containers",
            "cpe:/o:redhat:enterprise_linux:7::server",
            "cpe:/o:redhat:enterprise_linux:7::workstation"
          ],
          "product": "sqlite",
          "vendor": "redhat"
        },

  • None of the sqlite versions on RedHat 8:

       {
        "defaultStatus": "unaffected",
        "platforms": [
          "cpe:/a:redhat:enterprise_linux:8",
          "cpe:/a:redhat:enterprise_linux:8::appstream",
          "cpe:/a:redhat:enterprise_linux:8::crb",
          "cpe:/a:redhat:enterprise_linux:8::highavailability",
          "cpe:/a:redhat:enterprise_linux:8::nfv",
          "cpe:/a:redhat:enterprise_linux:8::realtime",
          "cpe:/a:redhat:enterprise_linux:8::resilientstorage",
          "cpe:/a:redhat:enterprise_linux:8::sap",
          "cpe:/a:redhat:enterprise_linux:8::sap_hana",
          "cpe:/a:redhat:enterprise_linux:8::supplementary",
          "cpe:/o:redhat:enterprise_linux:8",
          "cpe:/o:redhat:enterprise_linux:8::baseos"
        ],
        "product": "sqlite",
        "vendor": "redhat"
      }