Comments (10)
Debian 12 does not provide openssl=1.1.1n-0+deb11u5 or libssl1.1, how was it installed?
root@f97d28f44e74:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@f97d28f44e74:~# apt list -a openssl
Listing... Done
openssl/stable,now 3.0.9-1 amd64 [installed]
root@f97d28f44e74:~# apt-cache depends openssl
openssl
Depends: libc6
Depends: libssl3
Suggests: ca-certificates
root@f97d28f44e74:~# apt search ^libssl
Sorting... Done
Full Text Search... Done
libssl-dev/stable 3.0.9-1 amd64
Secure Sockets Layer toolkit - development files
libssl-doc/stable 3.0.9-1 all
Secure Sockets Layer toolkit - development documentation
libssl-ocaml/stable 0.5.13-1 amd64
OCaml bindings for OpenSSL (runtime)
libssl-ocaml-dev/stable 0.5.13-1 amd64
OCaml bindings for OpenSSL
libssl-utils-clojure/stable 3.5.0-2 all
library for SSL certificate management on the JVM
libssl3/stable,now 3.0.9-1 amd64 [installed,automatic]
Secure Sockets Layer toolkit - shared libraries
from vuls.
As you checked, CVE-2022-3602 has been fixed in version 3.0.7-1 of openssl provided in Debian 12. However, if your machine has an openssl version lower than 3.0.7-1, such as 1.1.1n-0+deb11u5, then CVE-2022-3602 should be detected.
from vuls.
For example, if libssl1.1, which is not provided in Debian 12, remains, openssl=1.1.1n-0+deb11u5 will be added as an src package, resulting in a case like this.
root@f97d28f44e74:~# dpkg-query -W -f="\${binary:Package},\${db:Status-Abbrev},\${Version},\${source:Package},\${source:Version}\n" | grep openssl
libssl1.1:amd64,ii ,1.1.1n-0+deb11u5,openssl,1.1.1n-0+deb11u5
libssl3:amd64,ii ,3.0.9-1,openssl,3.0.9-1
openssl,ii ,3.0.9-1,openssl,3.0.9-1
However, it's difficult to find out if a certain version of a package is available in a certain release of Debian, so the only possible solution for now is to uninstall libssl1.1.
from vuls.
In such cases, we have confirmed that there is a bug where the current SrcPackages are not handled properly because they have a map of the src package name. (openssl=3.0.9-1 should also be present as a src package.)
However, even if this bug is fixed, CVE-2022-3602 will still be detected.
"packages": {
  ...
  "openssl": {
    "name": "openssl",
    "version": "3.0.9-1",
    "release": "",
    "newVersion": "",
    "newRelease": "",
    "arch": "",
    "repository": ""
  },
  "libssl1.1": {
    "name": "libssl1.1",
    "version": "1.1.1n-0+deb11u5",
    "release": "",
    "newVersion": "",
    "newRelease": "",
    "arch": "",
    "repository": ""
  },
  "libssl3": {
    "name": "libssl3",
    "version": "3.0.9-1",
    "release": "",
    "newVersion": "",
    "newRelease": "",
    "arch": "",
    "repository": ""
  },
  ...
},
"SrcPackages": {
  ...
  "openssl": {
    "name": "openssl",
    "version": "1.1.1n-0+deb11u5",
    "arch": "",
    "binaryNames": [
      "libssl1.1",
      "libssl3",
      "openssl"
    ]
  },
  ...
}
from vuls.
hi @MaineK00n
It is common to install different libssl versions, because some applications use 1.1.1 and others use version 3,
but the vulnerable openssl package is not installed, so why do we report it? Moreover, the 1.1.1n-0+deb11u5 version is patched, so I guess either way we should not report the CVE.
from vuls.
In Debian Security Tracker, CVE-2022-3602 is defined as follows.
Since you are using Debian 12 (bookworm), the detection condition for CVE-2022-3602 is that the openssl version of the source package is lower than 3.0.7-1.
Therefore, in your environment where libssl1.1 is installed, openssl=1.1.1n-0+deb11u5 satisfies this detection condition and is reported.
"openssl": {
  "CVE-2022-3602": {
    "releases": {
      "bookworm": {
        "status": "resolved",
        "repositories": {
          "bookworm": "3.0.9-1"
        },
        "fixed_version": "3.0.7-1",
        "urgency": "not yet assigned"
      },
      "bullseye": {
        "status": "resolved",
        "repositories": {
          "bullseye": "1.1.1n-0+deb11u4",
          "bullseye-security": "1.1.1n-0+deb11u5"
        },
        "fixed_version": "0",
        "urgency": "unimportant"
      },
      "buster": {
        "status": "resolved",
        "repositories": {
          "buster": "1.1.1n-0+deb10u3",
          "buster-security": "1.1.1n-0+deb10u6"
        },
        "fixed_version": "0",
        "urgency": "unimportant"
      },
      "sid": {
        "status": "resolved",
        "repositories": {
          "sid": "3.0.10-1"
        },
        "fixed_version": "3.0.7-1",
        "urgency": "not yet assigned"
      },
      "trixie": {
        "status": "resolved",
        "repositories": {
          "trixie": "3.0.10-1"
        },
        "fixed_version": "3.0.7-1",
        "urgency": "not yet assigned"
      }
    }
  }
}
https://security-tracker.debian.org/tracker/data/json
from vuls.
For example, if it can be determined that libssl1.1 is from Debian 11 (bullseye), it may be possible to apply the detection conditions of bullseye.
However, there is currently no established method to determine from which repository a package was installed.
from vuls.
Similar to the behavior of Vuls this time, Trivy also detects CVE-2022-3602 due to libssl1.1.
Therefore, this behavior seems to be common.
- Dockerfile
FROM debian:12
RUN apt-get update && apt-get install -y wget
RUN wget https://snapshot.debian.org/archive/debian-security/20230531T144851Z/pool/updates/main/o/openssl/libssl1.1_1.1.1n-0%2Bdeb11u5_amd64.deb
RUN dpkg -i ./libssl1.1_1.1.1n-0+deb11u5_amd64.deb
$ docker build -t test-cve-2022-3602 -f ./Dockerfile .
$ trivy image test-cve-2022-3602
test-cve-2022-3602 (debian 12.1)
Total: 91 (UNKNOWN: 0, LOW: 56, MEDIUM: 19, HIGH: 13, CRITICAL: 3)
┌──────────────────┬──────────────────┬──────────┬──────────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────┼──────────────────┼──────────┼──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ apt │ CVE-2011-3374 │ LOW │ affected │ 2.6.1 │ │ It was found that apt-key in apt, all versions, do not │
│ │ │ │ │ │ │ correctly... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2011-3374 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ bsdutils │ CVE-2022-0563 │ │ │ 1:2.38.1-5+b1 │ │ partial disclosure of arbitrary files in chfn and chsh when │
│ │ │ │ │ │ │ compiled with... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0563 │
├──────────────────┼──────────────────┤ ├──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ coreutils │ CVE-2016-2781 │ │ will_not_fix │ 9.1-1 │ │ coreutils: Non-privileged session can escape to the parent │
│ │ │ │ │ │ │ session in chroot │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-2781 │
│ ├──────────────────┤ ├──────────────┤ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2017-18018 │ │ affected │ │ │ coreutils: race condition vulnerability in chown and chgrp │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-18018 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gcc-12-base │ CVE-2022-27943 │ │ │ 12.2.0-14 │ │ libiberty/rust-demangle.c in GNU GCC 11.2 allows stack │
│ │ │ │ │ │ │ exhaustion in demangle_const │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-27943 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gpgv │ CVE-2022-3219 │ │ │ 2.2.40-1.1 │ │ denial of service issue (resource consumption) using │
│ │ │ │ │ │ │ compressed packets │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3219 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libapt-pkg6.0 │ CVE-2011-3374 │ │ │ 2.6.1 │ │ It was found that apt-key in apt, all versions, do not │
│ │ │ │ │ │ │ correctly... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2011-3374 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libblkid1 │ CVE-2022-0563 │ │ │ 2.38.1-5+b1 │ │ partial disclosure of arbitrary files in chfn and chsh when │
│ │ │ │ │ │ │ compiled with... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0563 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2010-4756 │ │ │ 2.36-9+deb12u1 │ │ glibc: glob implementation can cause excessive CPU and │
│ │ │ │ │ │ │ memory consumption due to... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2010-4756 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2018-20796 │ │ │ │ │ glibc: uncontrolled recursion in function │
│ │ │ │ │ │ │ check_dst_limits_calc_pos_1 in posix/regexec.c │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20796 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1010022 │ │ │ │ │ glibc: stack guard protection bypass │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010022 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1010023 │ │ │ │ │ glibc: running ldd on malicious ELF leads to code execution │
│ │ │ │ │ │ │ because of... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010023 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1010024 │ │ │ │ │ glibc: ASLR bypass using cache of thread stack and heap │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010024 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1010025 │ │ │ │ │ glibc: information disclosure of heap addresses of │
│ │ │ │ │ │ │ pthread_created thread │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010025 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-9192 │ │ │ │ │ glibc: uncontrolled recursion in function │
│ │ │ │ │ │ │ check_dst_limits_calc_pos_1 in posix/regexec.c │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-9192 │
├──────────────────┼──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libc6 │ CVE-2010-4756 │ │ │ │ │ glibc: glob implementation can cause excessive CPU and │
│ │ │ │ │ │ │ memory consumption due to... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2010-4756 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2018-20796 │ │ │ │ │ glibc: uncontrolled recursion in function │
│ │ │ │ │ │ │ check_dst_limits_calc_pos_1 in posix/regexec.c │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20796 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1010022 │ │ │ │ │ glibc: stack guard protection bypass │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010022 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1010023 │ │ │ │ │ glibc: running ldd on malicious ELF leads to code execution │
│ │ │ │ │ │ │ because of... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010023 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1010024 │ │ │ │ │ glibc: ASLR bypass using cache of thread stack and heap │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010024 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-1010025 │ │ │ │ │ glibc: information disclosure of heap addresses of │
│ │ │ │ │ │ │ pthread_created thread │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010025 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-9192 │ │ │ │ │ glibc: uncontrolled recursion in function │
│ │ │ │ │ │ │ check_dst_limits_calc_pos_1 in posix/regexec.c │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-9192 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libgcc-s1 │ CVE-2022-27943 │ │ │ 12.2.0-14 │ │ libiberty/rust-demangle.c in GNU GCC 11.2 allows stack │
│ │ │ │ │ │ │ exhaustion in demangle_const │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-27943 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libgcrypt20 │ CVE-2018-6829 │ │ │ 1.10.1-3 │ │ libgcrypt: ElGamal implementation doesn't have semantic │
│ │ │ │ │ │ │ security due to incorrectly encoded plaintexts... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-6829 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libgnutls30 │ CVE-2011-3389 │ │ │ 3.7.9-2 │ │ HTTPS: block-wise chosen-plaintext attack against SSL/TLS │
│ │ │ │ │ │ │ (BEAST) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2011-3389 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libmount1 │ CVE-2022-0563 │ │ │ 2.38.1-5+b1 │ │ partial disclosure of arbitrary files in chfn and chsh when │
│ │ │ │ │ │ │ compiled with... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0563 │
├──────────────────┤ │ │ │ ├───────────────┤ │
│ libsmartcols1 │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
├──────────────────┼──────────────────┼──────────┼──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-1292 │ CRITICAL │ fixed │ 1.1.1n-0+deb11u5 │ 1.1.1o-1 │ c_rehash script allows command injection │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1292 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2068 │ │ │ │ 3.0.4-1 │ the c_rehash script allows command injection │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2068 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2274 │ │ │ │ 3.0.4-2 │ openssl: AVX-512-specific heap buffer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2274 │
│ ├──────────────────┼──────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-0778 │ HIGH │ │ │ 1.1.1n-1 │ Infinite loop in BN_mod_sqrt() reachable when parsing │
│ │ │ │ │ │ │ certificates │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0778 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-3358 │ │ │ │ 3.0.7-1 │ Using a Custom Cipher with NID_undef may lead to NULL │
│ │ │ │ │ │ │ encryption │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3358 │
│ ├──────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-3602 │ │ │ │ │ X.509 Email Address Buffer Overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3602 │
│ ├──────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-3786 │ │ │ │ │ X.509 Email Address Variable Length Buffer Overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3786 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-3996 │ │ │ │ 3.0.7-2 │ openssl: double locking leads to denial of service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3996 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-4450 │ │ │ │ 3.0.8-1 │ double free after calling PEM_read_bio_ex │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4450 │
│ ├──────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0215 │ │ │ │ │ use-after-free following BIO_new_NDEF │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0215 │
│ ├──────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0216 │ │ │ │ │ invalid pointer dereference in d2i_PKCS7 functions │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0216 │
│ ├──────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0217 │ │ │ │ │ NULL dereference validating DSA public key │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0217 │
│ ├──────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0286 │ │ │ │ │ X.400 address type confusion in X.509 GeneralName │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0286 │
│ ├──────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0401 │ │ │ │ │ NULL dereference during PKCS7 data verification │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0401 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0464 │ │ │ │ 3.0.9-1 │ Denial of service by excessive resource usage in verifying │
│ │ │ │ │ │ │ X509 policy constraints... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0464 │
│ ├──────────────────┼──────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2097 │ MEDIUM │ │ │ 3.0.5-1 │ AES OCB fails to encrypt some bytes │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2097 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-4203 │ │ │ │ 3.0.8-1 │ read buffer overflow in X.509 certificate verification │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4203 │
│ ├──────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-4304 │ │ │ │ │ timing attack in RSA Decryption implementation │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4304 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0465 │ │ │ │ 3.0.9-1 │ Invalid certificate policies in leaf certificates are │
│ │ │ │ │ │ │ silently ignored │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0465 │
│ ├──────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-0466 │ │ │ │ │ Certificate policy check not enabled │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-0466 │
│ ├──────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-1255 │ │ │ │ │ Input buffer over-read in AES-XTS implementation on 64 bit │
│ │ │ │ │ │ │ ARM │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-1255 │
│ ├──────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-2650 │ │ │ │ │ Possible DoS translating ASN.1 object identifiers │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2650 │
│ ├──────────────────┤ ├──────────────┤ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-2975 │ │ fix_deferred │ │ │ AES-SIV cipher implementation contains a bug that causes it │
│ │ │ │ │ │ │ to ignore empty... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2975 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-3446 │ │ │ │ │ Excessive time spent checking DH keys and parameters │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-3446 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-3817 │ │ │ │ │ Excessive time spent checking DH q parameter value │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-3817 │
│ ├──────────────────┼──────────┼──────────────┤ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2007-6755 │ LOW │ affected │ │ │ Dual_EC_DRBG: weak pseudo random number generator │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2007-6755 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2010-0928 │ │ │ │ │ openssl: RSA authentication weakness │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2010-0928 │
├──────────────────┼──────────────────┼──────────┼──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3 │ CVE-2023-2975 │ MEDIUM │ fix_deferred │ 3.0.9-1 │ │ AES-SIV cipher implementation contains a bug that causes it │
│ │ │ │ │ │ │ to ignore empty... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2975 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-3446 │ │ │ │ │ Excessive time spent checking DH keys and parameters │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-3446 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-3817 │ │ │ │ │ Excessive time spent checking DH q parameter value │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-3817 │
│ ├──────────────────┼──────────┼──────────────┤ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2007-6755 │ LOW │ affected │ │ │ Dual_EC_DRBG: weak pseudo random number generator │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2007-6755 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2010-0928 │ │ │ │ │ openssl: RSA authentication weakness │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2010-0928 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libstdc++6 │ CVE-2022-27943 │ │ │ 12.2.0-14 │ │ libiberty/rust-demangle.c in GNU GCC 11.2 allows stack │
│ │ │ │ │ │ │ exhaustion in demangle_const │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-27943 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libsystemd0 │ CVE-2013-4392 │ │ │ 252.12-1~deb12u1 │ │ TOCTOU race condition when updating file permissions and │
│ │ │ │ │ │ │ SELinux security contexts │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2013-4392 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-31437 │ │ │ │ │ An issue was discovered in systemd 253. An attacker can │
│ │ │ │ │ │ │ modify a... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31437 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-31438 │ │ │ │ │ An issue was discovered in systemd 253. An attacker can │
│ │ │ │ │ │ │ truncate a... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31438 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-31439 │ │ │ │ │ An issue was discovered in systemd 253. An attacker can │
│ │ │ │ │ │ │ modify the... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31439 │
├──────────────────┼──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libudev1 │ CVE-2013-4392 │ │ │ │ │ TOCTOU race condition when updating file permissions and │
│ │ │ │ │ │ │ SELinux security contexts │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2013-4392 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-31437 │ │ │ │ │ An issue was discovered in systemd 253. An attacker can │
│ │ │ │ │ │ │ modify a... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31437 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-31438 │ │ │ │ │ An issue was discovered in systemd 253. An attacker can │
│ │ │ │ │ │ │ truncate a... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31438 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-31439 │ │ │ │ │ An issue was discovered in systemd 253. An attacker can │
│ │ │ │ │ │ │ modify the... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31439 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libuuid1 │ CVE-2022-0563 │ │ │ 2.38.1-5+b1 │ │ partial disclosure of arbitrary files in chfn and chsh when │
│ │ │ │ │ │ │ compiled with... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0563 │
├──────────────────┼──────────────────┼──────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ login │ CVE-2023-4641 │ MEDIUM │ │ 1:4.13+dfsg1-1+b1 │ │ possible password leak during passwd(1) change │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4641 │
│ ├──────────────────┼──────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2007-5686 │ LOW │ │ │ │ initscripts in rPath Linux 1 sets insecure permissions for │
│ │ │ │ │ │ │ the /var/lo ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2007-5686 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-19882 │ │ │ │ │ shadow-utils: local users can obtain root access because │
│ │ │ │ │ │ │ setuid programs are misconfigured... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-19882 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-29383 │ │ │ │ │ Improper input validation in shadow-utils package utility │
│ │ │ │ │ │ │ chfn │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-29383 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ mount │ CVE-2022-0563 │ │ │ 2.38.1-5+b1 │ │ partial disclosure of arbitrary files in chfn and chsh when │
│ │ │ │ │ │ │ compiled with... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0563 │
├──────────────────┼──────────────────┼──────────┼──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ openssl │ CVE-2023-2975 │ MEDIUM │ fix_deferred │ 3.0.9-1 │ │ AES-SIV cipher implementation contains a bug that causes it │
│ │ │ │ │ │ │ to ignore empty... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2975 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-3446 │ │ │ │ │ Excessive time spent checking DH keys and parameters │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-3446 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-3817 │ │ │ │ │ Excessive time spent checking DH q parameter value │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-3817 │
│ ├──────────────────┼──────────┼──────────────┤ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2007-6755 │ LOW │ affected │ │ │ Dual_EC_DRBG: weak pseudo random number generator │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2007-6755 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2010-0928 │ │ │ │ │ openssl: RSA authentication weakness │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2010-0928 │
├──────────────────┼──────────────────┼──────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ passwd │ CVE-2023-4641 │ MEDIUM │ │ 1:4.13+dfsg1-1+b1 │ │ possible password leak during passwd(1) change │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4641 │
│ ├──────────────────┼──────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2007-5686 │ LOW │ │ │ │ initscripts in rPath Linux 1 sets insecure permissions for │
│ │ │ │ │ │ │ the /var/lo ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2007-5686 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2019-19882 │ │ │ │ │ shadow-utils: local users can obtain root access because │
│ │ │ │ │ │ │ setuid programs are misconfigured... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-19882 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-29383 │ │ │ │ │ Improper input validation in shadow-utils package utility │
│ │ │ │ │ │ │ chfn │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-29383 │
├──────────────────┼──────────────────┼──────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ perl-base │ CVE-2023-31484 │ HIGH │ │ 5.36.0-7 │ │ CPAN.pm before 2.35 does not verify TLS certificates when │
│ │ │ │ │ │ │ downloading distributions over... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31484 │
│ ├──────────────────┼──────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2011-4116 │ LOW │ │ │ │ perl: File::Temp insecure temporary file handling │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2011-4116 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2023-31486 │ │ │ │ │ insecure TLS cert default │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31486 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ tar │ CVE-2005-2541 │ │ │ 1.34+dfsg-1.2 │ │ tar: does not properly warn the user when extracting setuid │
│ │ │ │ │ │ │ or setgid... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2005-2541 │
│ ├──────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-48303 │ │ │ │ │ heap buffer overflow at from_header() in list.c via │
│ │ │ │ │ │ │ specially crafted checksum │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-48303 │
├──────────────────┼──────────────────┤ │ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ util-linux │ CVE-2022-0563 │ │ │ 2.38.1-5+b1 │ │ partial disclosure of arbitrary files in chfn and chsh when │
│ │ │ │ │ │ │ compiled with... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0563 │
├──────────────────┤ │ │ │ ├───────────────┤ │
│ util-linux-extra │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
├──────────────────┼──────────────────┼──────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ wget │ CVE-2021-31879 │ MEDIUM │ │ 1.21.3-1+b2 │ │ authorization header disclosure on redirect │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-31879 │
└──────────────────┴──────────────────┴──────────┴──────────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
And, in the results detected by Vuls, the reason that affectedPackages includes libssl3 and openssl in addition to libssl1.1 is due to #1727 (comment), and is expected to be fixed in the future.
"affectedPackages": [
  {
    "name": "libssl1.1",
    "fixedIn": "3.0.7-1"
  },
  {
    "name": "libssl3",
    "fixedIn": "3.0.7-1"
  },
  {
    "name": "openssl",
    "fixedIn": "3.0.7-1"
  }
]
from vuls.
These are different results. It is OK to report it on 1.1.1, but not on 3.0.9.
from vuls.
The data source used by Debian is written for the source package.
In this situation (#1727 (comment)), binary package: libssl1.1 is treated as source package: openssl=1.1.1n-0+deb11u5, and binary packages: libssl3 and openssl are treated as source package: openssl=3.0.9-1.
As shown here (#1727 (comment)), the detection condition for CVE-2022-3602 in Debian 12 is that the version of source package: openssl is lower than 3.0.7-1.
Therefore, it should not be detected in source package: openssl=3.0.9-1, but it should be detected in source package: openssl=1.1.1n-0+deb11u5.
However, due to a problem with the data structure of binary packages and source packages in Vuls (#1727 (comment)), when CVE-2022-3602 is detected, only binary package: libssl1.1 should be in affectedPackages, but binary packages: libssl3 and openssl are also added.
We are already aware of this problem, and fixing it will take time because it would require a radical change in the data structure.
Even if the data structure has been corrected, CVE-2022-3602 will be detected if the binary package: libssl1.1 (source package: openssl=1.1.1n-0+deb11u5) is installed on the machine, as in this case.
In conclusion, there is no problem in detecting CVE-2022-3602, but the problem is that the packages that led to the detection of CVE-2022-3602 include unrelated binary package: libssl3 and openssl.
from vuls.