Closed sebasfalcone closed 3 weeks ago
If we take a look at the CVE for each vendor:
RedHat 8

```json
{
  "defaultStatus": "unaffected",
  "platforms": [
    "cpe:/a:redhat:enterprise_linux:8",
    "cpe:/a:redhat:enterprise_linux:8::appstream",
    "cpe:/a:redhat:enterprise_linux:8::crb",
    "cpe:/a:redhat:enterprise_linux:8::highavailability",
    "cpe:/a:redhat:enterprise_linux:8::nfv",
    "cpe:/a:redhat:enterprise_linux:8::realtime",
    "cpe:/a:redhat:enterprise_linux:8::resilientstorage",
    "cpe:/a:redhat:enterprise_linux:8::sap",
    "cpe:/a:redhat:enterprise_linux:8::sap_hana",
    "cpe:/a:redhat:enterprise_linux:8::supplementary",
    "cpe:/o:redhat:enterprise_linux:8",
    "cpe:/o:redhat:enterprise_linux:8::baseos"
  ],
  "product": "grafana",
  "vendor": "redhat"
}
```
Ubuntu

```json
{
  "defaultStatus": "unknown",
  "platforms": [
    "bionic",
    "trusty",
    "xenial"
  ],
  "product": "grafana",
  "vendor": "canonical"
}
```
NVD

```json
{
  "cpes": [
    "cpe:2.3:a:grafana:grafana-enterprise:*:*:*:*:enterprise:*:*:*"
  ],
  "defaultStatus": "unaffected",
  "product": "grafana-enterprise",
  "vendor": "contact@grafana.com",
  "versions": [
    {
      "lessThan": "10.0.7",
      "status": "affected",
      "version": "10.0.0",
      "versionType": "custom"
    },
    {
      "lessThan": "10.1.3",
      "status": "affected",
      "version": "10.1.0",
      "versionType": "custom"
    },
    {
      "lessThan": "9.4.16",
      "status": "affected",
      "version": "8.0.0",
      "versionType": "custom"
    },
    {
      "lessThan": "9.5.11",
      "status": "affected",
      "version": "9.5.0",
      "versionType": "custom"
    }
  ]
}
```
Both Ubuntu and RedHat identify Grafana as not vulnerable.

If we follow the analysis performed here:

We see that the checks are against version 9.4.16, one of the versions described by the NVD.

The reason why the NVD is selected as the corresponding CNA is because the vendor for Grafana packages is contact@grafana.com; the getCNA logic identifies no feed for this information but the NVD.
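To make the mechanics of the comment above concrete, here is an added example (not code from the Wazuh project, and not the real getCNA implementation) that models the two decisions involved: which feed is consulted for a package, and how a half-open `[version, lessThan)` range is evaluated against an installed version. The feed entries are constructed from the three JSON documents quoted in this issue, trimmed to the fields the decision needs; the `VENDOR_FEEDS` map and the `contact@grafana.com` fall-through are assumptions that mirror the behaviour described, not the project's data structures.

```python
import re

# Feed entries for CVE-2023-4822, constructed from the page (platform lists omitted).
FEEDS = {
    "redhat": {"defaultStatus": "unaffected", "versions": []},
    "canonical": {"defaultStatus": "unknown", "versions": []},
    "nvd": {
        "defaultStatus": "unaffected",
        "versions": [
            {"version": "10.0.0", "lessThan": "10.0.7", "status": "affected"},
            {"version": "10.1.0", "lessThan": "10.1.3", "status": "affected"},
            {"version": "8.0.0", "lessThan": "9.4.16", "status": "affected"},
            {"version": "9.5.0", "lessThan": "9.5.11", "status": "affected"},
        ],
    },
}

# Hypothetical map from a package's declared vendor string to a feed name.
# Grafana's vendor is "contact@grafana.com", which has no vendor feed, so the
# lookup falls through to NVD exactly as the issue describes.
VENDOR_FEEDS = {"redhat": "redhat", "canonical": "canonical"}


def parse_version(text):
    """Upstream dotted version -> tuple of ints.

    The packaging revision after '-' is dropped and any non-numeric suffix is
    ignored, so "9.4.16-1.el8" and "9.4.16" compare equal.
    """
    upstream = text.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", upstream))


def evaluate(entry, installed):
    """Status of `installed` under one feed entry.

    Returns the status of the first half-open range [version, lessThan) that
    contains the installed version, otherwise the entry's defaultStatus.
    Note the upper bound is exclusive: 9.4.16 itself is NOT inside
    [8.0.0, 9.4.16).
    """
    v = parse_version(installed)
    for rng in entry["versions"]:
        if parse_version(rng["version"]) <= v < parse_version(rng["lessThan"]):
            return rng["status"]
    return entry["defaultStatus"]


def select_cna(package_vendor):
    """Simplified model of the CNA choice described in the issue: use the
    vendor feed when one matches the package vendor, otherwise NVD."""
    return VENDOR_FEEDS.get(package_vendor, "nvd")


def assess(package_vendor, os_vendor, installed):
    """Return (feed chosen by vendor lookup, its verdict, OS-vendor feed verdict)
    so the two can be compared side by side."""
    cna = select_cna(package_vendor)
    return cna, evaluate(FEEDS[cna], installed), evaluate(FEEDS[os_vendor], installed)


if __name__ == "__main__":
    # On RHEL 8 the vendor lookup falls through to NVD and flags 9.4.15 as
    # affected, while the Red Hat feed says unaffected: the false positive.
    print(assess("contact@grafana.com", "redhat", "9.4.15"))
    # 9.4.16 sits on the exclusive upper bound, so even NVD reports unaffected.
    print(assess("contact@grafana.com", "redhat", "9.4.16-1.el8"))
```

The side-by-side result from `assess` is the useful check here: whenever the feed picked for a package and the OS vendor's own feed disagree, the CNA selection rule, not the version arithmetic, is what needs review.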
Seems like this sanitization didn't impact the content yet:

```
./rocks_db_query_testtool -d ~/Documents/work/development/wazuh-master/src/queue/vd/feed/ -c nvd -f /home/sebas/Documents/work/development/wazuh-master/src/wazuh_modules/vulnerability_scanner/schemas/vulnerabilityCandidate.fbs -k grafana_CVE-2023-4822
grafana_CVE-2023-4822 ==> {
  "candidates": [
    {
      "cveId": "CVE-2023-4822",
      "defaultStatus": "unaffected",
      "versions": [
        {
          "version": "10.0.0",
          "lessThan": "10.0.7",
          "versionType": "custom"
        },
        {
          "version": "10.1.0",
          "lessThan": "10.1.3",
          "versionType": "custom"
        },
        {
          "version": "8.0.0",
          "lessThan": "9.4.16",
          "versionType": "custom"
        },
        {
          "version": "9.5.0",
          "lessThan": "9.5.11",
          "versionType": "custom"
        }
      ],
      "vendor": "grafana"
    }
  ]
}
```
I asked the team to see whether CTI contains the sanitization or not (because I don't have this access).

On the other hand, the NVD is wrongly used in this scenario; I will attempt to propose a solution.

I updated the content via offsets. The old Grafana CVE disappeared from the NVD as expected:
```
./rocks_db_query_testtool -d ~/Documents/work/development/wazuh-master/src/queue/vd/feed/ -c nvd -f /home/sebas/Documents/work/development/wazuh-master/src/wazuh_modules/vulnerability_scanner/schemas/vulnerabilityCandidate.fbs -k grafana-enterise_CVE-2023-4822
Unable to find resource.
```

```
./rocks_db_query_testtool -d ~/Documents/work/development/wazuh-master/src/queue/vd/feed/ -c nvd -f /home/sebas/Documents/work/development/wazuh-master/src/wazuh_modules/vulnerability_scanner/schemas/vulnerabilityCandidate.fbs -k grafana-enterprise_CVE-2023-4822
grafana-enterprise_CVE-2023-4822 ==> {
  "candidates": [
    {
      "cveId": "CVE-2023-4822",
      "defaultStatus": "unaffected",
      "versions": [
        {
          "version": "10.0.0",
          "lessThan": "10.0.7",
          "versionType": "custom"
        },
        {
          "version": "10.1.0",
          "lessThan": "10.1.3",
          "versionType": "custom"
        },
        {
          "version": "8.0.0",
          "lessThan": "9.4.16",
          "versionType": "custom"
        },
        {
          "version": "9.5.0",
          "lessThan": "9.5.11",
          "versionType": "custom"
        }
      ],
      "vendor": "contact@grafana.com"
    }
  ]
}
```
And if we re-run the false positive efficacy tests, they are now passing:

```
================================================================== 2 passed, 23 skipped in 124.13s (0:02:04) ==================================================================
```

This immediate issue will be solved once the content is updated.

To fix this behaviour we need to re-think the way we determine the CNA for a given package.

The proposed solution can be found here.
Analysis understood; this does not mean that we will address it with what is proposed in: https://github.com/wazuh/wazuh/issues/25096

Description

Currently, we are identifying Grafana as vulnerable to CVE-2023-4822 in Ubuntu and RedHat systems.

DoD