
CVE-2022-3602 false positive on openssl 3.0.9-1 #1727

Open
wagde-orca opened this issue Sep 4, 2023 · 10 comments
@wagde-orca
Contributor

What did you do? (required. The issue will be closed when not provided.)

I ran a scan and report on Debian 12.1, which has openssl 3.0.9-1 installed

What did you expect to happen?

I expected not to see CVE-2022-3602 on openssl

What happened instead?

I see that we report CVE-2022-3602 with fixed version 3.0.7-1

Current Output
"CVE-2022-3602": {
    "cveID": "CVE-2022-3602",
    "confidences": [
        { "score": 100, "detectionMethod": "DebianSecurityTrackerMatch" }
    ],
    "affectedPackages": [
        { "name": "libssl1.1", "fixedIn": "3.0.7-1" },
        { "name": "libssl3", "fixedIn": "3.0.7-1" },
        { "name": "openssl", "fixedIn": "3.0.7-1" }
    ],
    "cveContents": {
        "debian_security_tracker": [
            {
                "type": "debian_security_tracker",
                "cveID": "CVE-2022-3602",
                "title": "",
                "summary": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.\nFixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).",
                "cvss2Score": 0,
                "cvss2Vector": "",
                "cvss2Severity": "not yet assigned",
                "cvss3Score": 0,
                "cvss3Vector": "",
                "cvss3Severity": "not yet assigned",
                "sourceLink": "https://security-tracker.debian.org/tracker/CVE-2022-3602",
                "published": "0001-01-01T00:00:00Z",
                "lastModified": "0001-01-01T00:00:00Z",
                "optional": { "attack range": "local" }
            }
        ]
    },
    "alertDict": { "cisa": null, "jpcert": null, "uscert": null }
},

config.toml
[servers]

[servers.localhost]
host = "localhost"
port = "local"

scanMode = ["fast", "offline"]

[gost]
sqlite3Path = "/vuls_dbs/gost_debian.sqlite3"

vuls version
0.23.2

I investigated it a little bit and I think it is related to source packages.
The installed openssl version is 3.0.9-1 and we show CVE-2022-3602 with fixed version 3.0.7-1, which is clearly a false positive… The reason, I think, is the openssl entry in SrcPackages, which has version 1.1.1n-0+deb11u5.

@wagde-orca wagde-orca added the bug label Sep 4, 2023
@MaineK00n
Collaborator

Debian 12 does not provide openssl=1.1.1n-0+deb11u5 or libssl1.1, how was it installed?

root@f97d28f44e74:~# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

root@f97d28f44e74:~# apt list -a openssl
Listing... Done
openssl/stable,now 3.0.9-1 amd64 [installed]

root@f97d28f44e74:~# apt-cache depends openssl
openssl
  Depends: libc6
  Depends: libssl3
  Suggests: ca-certificates

root@f97d28f44e74:~# apt search ^libssl
Sorting... Done
Full Text Search... Done
libssl-dev/stable 3.0.9-1 amd64
  Secure Sockets Layer toolkit - development files

libssl-doc/stable 3.0.9-1 all
  Secure Sockets Layer toolkit - development documentation

libssl-ocaml/stable 0.5.13-1 amd64
  OCaml bindings for OpenSSL (runtime)

libssl-ocaml-dev/stable 0.5.13-1 amd64
  OCaml bindings for OpenSSL

libssl-utils-clojure/stable 3.5.0-2 all
  library for SSL certificate management on the JVM

libssl3/stable,now 3.0.9-1 amd64 [installed,automatic]
  Secure Sockets Layer toolkit - shared libraries

@MaineK00n
Collaborator

As you checked, CVE-2022-3602 has been fixed in version 3.0.7-1 of openssl provided in Debian 12. However, if your machine has an openssl version lower than 3.0.7-1, such as 1.1.1n-0+deb11u5, then CVE-2022-3602 should be detected.

@MaineK00n
Collaborator

MaineK00n commented Sep 5, 2023

For example, if libssl1.1, which is not provided in Debian 12, remains, openssl=1.1.1n-0+deb11u5 will be added as an src package, resulting in a case like this.

root@f97d28f44e74:~# dpkg-query -W -f="\${binary:Package},\${db:Status-Abbrev},\${Version},\${source:Package},\${source:Version}\n" | grep openssl
libssl1.1:amd64,ii ,1.1.1n-0+deb11u5,openssl,1.1.1n-0+deb11u5
libssl3:amd64,ii ,3.0.9-1,openssl,3.0.9-1
openssl,ii ,3.0.9-1,openssl,3.0.9-1

However, it's difficult to find out if a certain version of a package is available in a certain release of Debian, so the only possible solution for now is to uninstall libssl1.1.

@MaineK00n
Collaborator

MaineK00n commented Sep 5, 2023

In such cases, we have confirmed that there is a bug where the current SrcPackages are not handled properly because they have a map of the src package name. (openssl=3.0.9-1 should also be present as a src package.)
However, even if this bug is fixed, CVE-2022-3602 will still be detected.

"packages": {
    ...
    "openssl": {
        "name": "openssl",
        "version": "3.0.9-1",
        "release": "",
        "newVersion": "",
        "newRelease": "",
        "arch": "",
        "repository": ""
    },
    "libssl1.1": {
        "name": "libssl1.1",
        "version": "1.1.1n-0+deb11u5",
        "release": "",
        "newVersion": "",
        "newRelease": "",
        "arch": "",
        "repository": ""
    },
    "libssl3": {
        "name": "libssl3",
        "version": "3.0.9-1",
        "release": "",
        "newVersion": "",
        "newRelease": "",
        "arch": "",
        "repository": ""
    },
    ...
},
"SrcPackages": {
    ...
    "openssl": {
        "name": "openssl",
        "version": "1.1.1n-0+deb11u5",
        "arch": "",
        "binaryNames": [
            "libssl1.1",
            "libssl3",
            "openssl"
        ]
    },
    ...
}

@wagde-orca
Contributor Author

Hi @MaineK00n,
it is common to install different libssl versions, because some applications use 1.1.1 and others use version 3.
But the vulnerable openssl package is not installed, so why do we report it? Moreover, the 1.1.1n-0+deb11u5 version is patched, so I guess either way we should not report the CVE.

@MaineK00n
Collaborator

In Debian Security Tracker, CVE-2022-3602 is defined as follows.
Since you are using Debian 12 (bookworm), the detection condition for CVE-2022-3602 is that the openssl version of the source package is lower than 3.0.7-1.
Therefore, in your environment where libssl1.1 is installed, openssl=1.1.1n-0+deb11u5 satisfies this detection condition and is reported.

"openssl": {
    "CVE-2022-3602": {
        "releases": {
            "bookworm": {
                "status": "resolved",
                "repositories": {
                    "bookworm": "3.0.9-1"
                },
                "fixed_version": "3.0.7-1",
                "urgency": "not yet assigned"
            },
            "bullseye": {
                "status": "resolved",
                "repositories": {
                    "bullseye": "1.1.1n-0+deb11u4",
                    "bullseye-security": "1.1.1n-0+deb11u5"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            },
            "buster": {
                "status": "resolved",
                "repositories": {
                    "buster": "1.1.1n-0+deb10u3",
                    "buster-security": "1.1.1n-0+deb10u6"
                },
                "fixed_version": "0",
                "urgency": "unimportant"
            },
            "sid": {
                "status": "resolved",
                "repositories": {
                    "sid": "3.0.10-1"
                },
                "fixed_version": "3.0.7-1",
                "urgency": "not yet assigned"
            },
            "trixie": {
                "status": "resolved",
                "repositories": {
                    "trixie": "3.0.10-1"
                },
                "fixed_version": "3.0.7-1",
                "urgency": "not yet assigned"
            }
        }
    }
}

https://security-tracker.debian.org/tracker/data/json
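As an added example (not Vuls code and not from the thread), the script below re-creates on constructed input the two points made in the comments above: the SrcPackages map keyed by source name only, which reproduces the openssl=1.1.1n-0+deb11u5 entry quoted earlier, and the bookworm tracker rule (source version lower than fixed_version 3.0.7-1), evaluated with a dpkg-style version comparison. The dpkg-query lines and the tracker excerpt are constructed from the values quoted in this issue; the function names are the example's own.

```python
# Constructed re-creation of the path discussed above: dpkg-query -> SrcPackages -> tracker rule.
import re
from itertools import zip_longest

# Constructed input, in the format of the dpkg-query command shown earlier in the thread.
DPKG_QUERY_OUTPUT = """\
libssl1.1:amd64,ii ,1.1.1n-0+deb11u5,openssl,1.1.1n-0+deb11u5
libssl3:amd64,ii ,3.0.9-1,openssl,3.0.9-1
openssl,ii ,3.0.9-1,openssl,3.0.9-1
"""

# Excerpt of the tracker JSON quoted above (bookworm and bullseye only).
TRACKER = {"openssl": {"CVE-2022-3602": {"releases": {
    "bookworm": {"status": "resolved", "fixed_version": "3.0.7-1", "urgency": "not yet assigned"},
    "bullseye": {"status": "resolved", "fixed_version": "0", "urgency": "unimportant"},
}}}}

def _order(c):
    # dpkg character ordering: '~' sorts before end-of-string, letters before other symbols.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare an upstream-version or revision string as dpkg does: alternate non-digit runs
    # (character by character via _order) and digit runs (numerically).
    pa, pb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(pa, pb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision is everything after the last '-'.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def dpkg_compare(a, b):
    """Return -1, 0 or 1, ordering versions like 'dpkg --compare-versions'."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def parse_dpkg_query(text):
    """Installed binary packages: name -> {version, source, sourceVersion}."""
    pkgs = {}
    for line in text.splitlines():
        binpkg, status, version, src, srcver = line.split(",")
        if status.strip() == "ii":  # installed and configured
            pkgs[binpkg.split(":")[0]] = {"version": version, "source": src, "sourceVersion": srcver}
    return pkgs

def build_src_packages(pkgs, keyed_by_version):
    """SrcPackages map. keyed_by_version=False keys by source name only, reproducing the output
    quoted above: the first source version seen wins and all three binaries hang off
    openssl=1.1.1n-0+deb11u5. keyed_by_version=True keeps the two source versions apart."""
    src = {}
    for name, p in sorted(pkgs.items()):
        key = (p["source"], p["sourceVersion"]) if keyed_by_version else p["source"]
        entry = src.setdefault(key, {"name": p["source"], "version": p["sourceVersion"], "binaryNames": []})
        entry["binaryNames"].append(name)
    return src

def detect(src_packages, tracker, release):
    """Tracker rule as described above: report when the source version is lower than the
    release's fixed_version. "0" never matches, so a resolved/unimportant release (bullseye) yields nothing."""
    findings = []
    for entry in src_packages.values():
        for cve, data in tracker.get(entry["name"], {}).items():
            rel = data["releases"].get(release)
            if rel and dpkg_compare(entry["version"], rel["fixed_version"]) < 0:
                findings.append((cve, entry["version"], rel["fixed_version"], tuple(entry["binaryNames"])))
    return findings

def scan(keyed_by_version, release="bookworm"):
    pkgs = parse_dpkg_query(DPKG_QUERY_OUTPUT)
    return detect(build_src_packages(pkgs, keyed_by_version), TRACKER, release)

if __name__ == "__main__":
    print("name-keyed SrcPackages (bug):", scan(False))
    print("(name, version)-keyed:       ", scan(True))
    print("same host judged as bullseye:", scan(True, "bullseye"))
```

With the map keyed by (name, version) the CVE is still reported, but only against libssl1.1; judging the same packages by the bullseye rule (fixed_version "0") reports nothing, which is the attribution problem the next comment raises.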

@MaineK00n
Collaborator

For example, if it can be determined that libssl1.1 is from Debian 11 (bullseye), it may be possible to apply the detection conditions of bullseye.
However, there is currently no established method to determine from which repository a package was installed.

@MaineK00n
Collaborator

MaineK00n commented Sep 5, 2023

Similar to the behavior of Vuls this time, Trivy also detects CVE-2022-3602 due to libssl1.1.
Therefore, this behavior seems to be common.

Dockerfile
FROM debian:12

RUN apt-get update && apt-get install -y wget
RUN wget https://snapshot.debian.org/archive/debian-security/20230531T144851Z/pool/updates/main/o/openssl/libssl1.1_1.1.1n-0%2Bdeb11u5_amd64.deb
RUN dpkg -i ./libssl1.1_1.1.1n-0+deb11u5_amd64.deb

$ docker build -t test-cve-2022-3602 -f ./Dockerfile .
$ trivy image test-cve-2022-3602

test-cve-2022-3602 (debian 12.1)

Total: 91 (UNKNOWN: 0, LOW: 56, MEDIUM: 19, HIGH: 13, CRITICAL: 3)

┌──────────────────┬──────────────────┬──────────┬──────────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│     Library      │  Vulnerability   │ Severity │    Status    │ Installed Version │ Fixed Version │                            Title                            │
├──────────────────┼──────────────────┼──────────┼──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ apt              │ CVE-2011-3374    │ LOW      │ affected     │ 2.6.1             │               │ It was found that apt-key in apt, all versions, do not      │
│                  │                  │          │              │                   │               │ correctly...                                                │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2011-3374                   │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ bsdutils         │ CVE-2022-0563    │          │              │ 1:2.38.1-5+b1     │               │ partial disclosure of arbitrary files in chfn and chsh when │
│                  │                  │          │              │                   │               │ compiled with...                                            │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0563                   │
├──────────────────┼──────────────────┤          ├──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ coreutils        │ CVE-2016-2781    │          │ will_not_fix │ 9.1-1             │               │ coreutils: Non-privileged session can escape to the parent  │
│                  │                  │          │              │                   │               │ session in chroot                                           │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2016-2781                   │
│                  ├──────────────────┤          ├──────────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2017-18018   │          │ affected     │                   │               │ coreutils: race condition vulnerability in chown and chgrp  │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2017-18018                  │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gcc-12-base      │ CVE-2022-27943   │          │              │ 12.2.0-14         │               │ libiberty/rust-demangle.c in GNU GCC 11.2 allows stack      │
│                  │                  │          │              │                   │               │ exhaustion in demangle_const                                │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-27943                  │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gpgv             │ CVE-2022-3219    │          │              │ 2.2.40-1.1        │               │ denial of service issue (resource consumption) using        │
│                  │                  │          │              │                   │               │ compressed packets                                          │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-3219                   │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libapt-pkg6.0    │ CVE-2011-3374    │          │              │ 2.6.1             │               │ It was found that apt-key in apt, all versions, do not      │
│                  │                  │          │              │                   │               │ correctly...                                                │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2011-3374                   │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libblkid1        │ CVE-2022-0563    │          │              │ 2.38.1-5+b1       │               │ partial disclosure of arbitrary files in chfn and chsh when │
│                  │                  │          │              │                   │               │ compiled with...                                            │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0563                   │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libc-bin         │ CVE-2010-4756    │          │              │ 2.36-9+deb12u1    │               │ glibc: glob implementation can cause excessive CPU and      │
│                  │                  │          │              │                   │               │ memory consumption due to...                                │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2010-4756                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2018-20796   │          │              │                   │               │ glibc: uncontrolled recursion in function                   │
│                  │                  │          │              │                   │               │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2018-20796                  │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2019-1010022 │          │              │                   │               │ glibc: stack guard protection bypass                        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010022                │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2019-1010023 │          │              │                   │               │ glibc: running ldd on malicious ELF leads to code execution │
│                  │                  │          │              │                   │               │ because of...                                               │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010023                │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2019-1010024 │          │              │                   │               │ glibc: ASLR bypass using cache of thread stack and heap     │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010024                │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2019-1010025 │          │              │                   │               │ glibc: information disclosure of heap addresses of          │
│                  │                  │          │              │                   │               │ pthread_created thread                                      │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010025                │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2019-9192    │          │              │                   │               │ glibc: uncontrolled recursion in function                   │
│                  │                  │          │              │                   │               │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-9192                   │
├──────────────────┼──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libc6            │ CVE-2010-4756    │          │              │                   │               │ glibc: glob implementation can cause excessive CPU and      │
│                  │                  │          │              │                   │               │ memory consumption due to...                                │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2010-4756                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2018-20796   │          │              │                   │               │ glibc: uncontrolled recursion in function                   │
│                  │                  │          │              │                   │               │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2018-20796                  │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2019-1010022 │          │              │                   │               │ glibc: stack guard protection bypass                        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010022                │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2019-1010023 │          │              │                   │               │ glibc: running ldd on malicious ELF leads to code execution │
│                  │                  │          │              │                   │               │ because of...                                               │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010023                │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2019-1010024 │          │              │                   │               │ glibc: ASLR bypass using cache of thread stack and heap     │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010024                │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2019-1010025 │          │              │                   │               │ glibc: information disclosure of heap addresses of          │
│                  │                  │          │              │                   │               │ pthread_created thread                                      │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010025                │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2019-9192    │          │              │                   │               │ glibc: uncontrolled recursion in function                   │
│                  │                  │          │              │                   │               │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-9192                   │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libgcc-s1        │ CVE-2022-27943   │          │              │ 12.2.0-14         │               │ libiberty/rust-demangle.c in GNU GCC 11.2 allows stack      │
│                  │                  │          │              │                   │               │ exhaustion in demangle_const                                │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-27943                  │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libgcrypt20      │ CVE-2018-6829    │          │              │ 1.10.1-3          │               │ libgcrypt: ElGamal implementation doesn't have semantic     │
│                  │                  │          │              │                   │               │ security due to incorrectly encoded plaintexts...           │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2018-6829                   │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libgnutls30      │ CVE-2011-3389    │          │              │ 3.7.9-2           │               │ HTTPS: block-wise chosen-plaintext attack against SSL/TLS   │
│                  │                  │          │              │                   │               │ (BEAST)                                                     │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2011-3389                   │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libmount1        │ CVE-2022-0563    │          │              │ 2.38.1-5+b1       │               │ partial disclosure of arbitrary files in chfn and chsh when │
│                  │                  │          │              │                   │               │ compiled with...                                            │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0563                   │
├──────────────────┤                  │          │              │                   ├───────────────┤                                                             │
│ libsmartcols1    │                  │          │              │                   │               │                                                             │
│                  │                  │          │              │                   │               │                                                             │
│                  │                  │          │              │                   │               │                                                             │
├──────────────────┼──────────────────┼──────────┼──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl1.1        │ CVE-2022-1292    │ CRITICAL │ fixed        │ 1.1.1n-0+deb11u5  │ 1.1.1o-1      │ c_rehash script allows command injection                    │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-1292                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2022-2068    │          │              │                   │ 3.0.4-1       │ the c_rehash script allows command injection                │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2068                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2022-2274    │          │              │                   │ 3.0.4-2       │ openssl: AVX-512-specific heap buffer overflow              │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2274                   │
│                  ├──────────────────┼──────────┤              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2022-0778    │ HIGH     │              │                   │ 1.1.1n-1      │ Infinite loop in BN_mod_sqrt() reachable when parsing       │
│                  │                  │          │              │                   │               │ certificates                                                │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0778                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2022-3358    │          │              │                   │ 3.0.7-1       │ Using a Custom Cipher with NID_undef may lead to NULL       │
│                  │                  │          │              │                   │               │ encryption                                                  │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-3358                   │
│                  ├──────────────────┤          │              │                   │               ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2022-3602    │          │              │                   │               │ X.509 Email Address Buffer Overflow                         │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-3602                   │
│                  ├──────────────────┤          │              │                   │               ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2022-3786    │          │              │                   │               │ X.509 Email Address Variable Length Buffer Overflow         │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-3786                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2022-3996    │          │              │                   │ 3.0.7-2       │ openssl: double locking leads to denial of service          │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-3996                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2022-4450    │          │              │                   │ 3.0.8-1       │ double free after calling PEM_read_bio_ex                   │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                   │
│                  ├──────────────────┤          │              │                   │               ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-0215    │          │              │                   │               │ use-after-free following BIO_new_NDEF                       │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                   │
│                  ├──────────────────┤          │              │                   │               ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-0216    │          │              │                   │               │ invalid pointer dereference in d2i_PKCS7 functions          │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0216                   │
│                  ├──────────────────┤          │              │                   │               ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-0217    │          │              │                   │               │ NULL dereference validating DSA public key                  │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0217                   │
│                  ├──────────────────┤          │              │                   │               ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-0286    │          │              │                   │               │ X.400 address type confusion in X.509 GeneralName           │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                   │
│                  ├──────────────────┤          │              │                   │               ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-0401    │          │              │                   │               │ NULL dereference during PKCS7 data verification             │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0401                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-0464    │          │              │                   │ 3.0.9-1       │ Denial of service by excessive resource usage in verifying  │
│                  │                  │          │              │                   │               │ X509 policy constraints...                                  │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                   │
│                  ├──────────────────┼──────────┤              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2022-2097    │ MEDIUM   │              │                   │ 3.0.5-1       │ AES OCB fails to encrypt some bytes                         │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2022-4203    │          │              │                   │ 3.0.8-1       │ read buffer overflow in X.509 certificate verification      │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4203                   │
│                  ├──────────────────┤          │              │                   │               ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2022-4304    │          │              │                   │               │ timing attack in RSA Decryption implementation              │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4304                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-0465    │          │              │                   │ 3.0.9-1       │ Invalid certificate policies in leaf certificates are       │
│                  │                  │          │              │                   │               │ silently ignored                                            │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0465                   │
│                  ├──────────────────┤          │              │                   │               ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-0466    │          │              │                   │               │ Certificate policy check not enabled                        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0466                   │
│                  ├──────────────────┤          │              │                   │               ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-1255    │          │              │                   │               │ Input buffer over-read in AES-XTS implementation on 64 bit  │
│                  │                  │          │              │                   │               │ ARM                                                         │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-1255                   │
│                  ├──────────────────┤          │              │                   │               ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2650    │          │              │                   │               │ Possible DoS translating ASN.1 object identifiers           │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2650                   │
│                  ├──────────────────┤          ├──────────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-2975    │          │ fix_deferred │                   │               │ AES-SIV cipher implementation contains a bug that causes it │
│                  │                  │          │              │                   │               │ to ignore empty...                                          │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2975                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-3446    │          │              │                   │               │ Excessive time spent checking DH keys and parameters        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3446                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-3817    │          │              │                   │               │ Excessive time spent checking DH q parameter value          │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3817                   │
│                  ├──────────────────┼──────────┼──────────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2007-6755    │ LOW      │ affected     │                   │               │ Dual_EC_DRBG: weak pseudo random number generator           │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2007-6755                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2010-0928    │          │              │                   │               │ openssl: RSA authentication weakness                        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2010-0928                   │
├──────────────────┼──────────────────┼──────────┼──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3          │ CVE-2023-2975    │ MEDIUM   │ fix_deferred │ 3.0.9-1           │               │ AES-SIV cipher implementation contains a bug that causes it │
│                  │                  │          │              │                   │               │ to ignore empty...                                          │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2975                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-3446    │          │              │                   │               │ Excessive time spent checking DH keys and parameters        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3446                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-3817    │          │              │                   │               │ Excessive time spent checking DH q parameter value          │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3817                   │
│                  ├──────────────────┼──────────┼──────────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2007-6755    │ LOW      │ affected     │                   │               │ Dual_EC_DRBG: weak pseudo random number generator           │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2007-6755                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2010-0928    │          │              │                   │               │ openssl: RSA authentication weakness                        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2010-0928                   │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libstdc++6       │ CVE-2022-27943   │          │              │ 12.2.0-14         │               │ libiberty/rust-demangle.c in GNU GCC 11.2 allows stack      │
│                  │                  │          │              │                   │               │ exhaustion in demangle_const                                │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-27943                  │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libsystemd0      │ CVE-2013-4392    │          │              │ 252.12-1~deb12u1  │               │ TOCTOU race condition when updating file permissions and    │
│                  │                  │          │              │                   │               │ SELinux security contexts                                   │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2013-4392                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-31437   │          │              │                   │               │ An issue was discovered in systemd 253. An attacker can     │
│                  │                  │          │              │                   │               │ modify a...                                                 │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-31437                  │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-31438   │          │              │                   │               │ An issue was discovered in systemd 253. An attacker can     │
│                  │                  │          │              │                   │               │ truncate a...                                               │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-31438                  │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-31439   │          │              │                   │               │ An issue was discovered in systemd 253. An attacker can     │
│                  │                  │          │              │                   │               │ modify the...                                               │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-31439                  │
├──────────────────┼──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libudev1         │ CVE-2013-4392    │          │              │                   │               │ TOCTOU race condition when updating file permissions and    │
│                  │                  │          │              │                   │               │ SELinux security contexts                                   │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2013-4392                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-31437   │          │              │                   │               │ An issue was discovered in systemd 253. An attacker can     │
│                  │                  │          │              │                   │               │ modify a...                                                 │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-31437                  │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-31438   │          │              │                   │               │ An issue was discovered in systemd 253. An attacker can     │
│                  │                  │          │              │                   │               │ truncate a...                                               │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-31438                  │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-31439   │          │              │                   │               │ An issue was discovered in systemd 253. An attacker can     │
│                  │                  │          │              │                   │               │ modify the...                                               │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-31439                  │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libuuid1         │ CVE-2022-0563    │          │              │ 2.38.1-5+b1       │               │ partial disclosure of arbitrary files in chfn and chsh when │
│                  │                  │          │              │                   │               │ compiled with...                                            │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0563                   │
├──────────────────┼──────────────────┼──────────┤              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ login            │ CVE-2023-4641    │ MEDIUM   │              │ 1:4.13+dfsg1-1+b1 │               │ possible password leak during passwd(1) change              │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-4641                   │
│                  ├──────────────────┼──────────┤              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2007-5686    │ LOW      │              │                   │               │ initscripts in rPath Linux 1 sets insecure permissions for  │
│                  │                  │          │              │                   │               │ the /var/lo ......                                          │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2007-5686                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2019-19882   │          │              │                   │               │ shadow-utils: local users can obtain root access because    │
│                  │                  │          │              │                   │               │ setuid programs are misconfigured...                        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-19882                  │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-29383   │          │              │                   │               │ Improper input validation in shadow-utils package utility   │
│                  │                  │          │              │                   │               │ chfn                                                        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-29383                  │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ mount            │ CVE-2022-0563    │          │              │ 2.38.1-5+b1       │               │ partial disclosure of arbitrary files in chfn and chsh when │
│                  │                  │          │              │                   │               │ compiled with...                                            │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0563                   │
├──────────────────┼──────────────────┼──────────┼──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ openssl          │ CVE-2023-2975    │ MEDIUM   │ fix_deferred │ 3.0.9-1           │               │ AES-SIV cipher implementation contains a bug that causes it │
│                  │                  │          │              │                   │               │ to ignore empty...                                          │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2975                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-3446    │          │              │                   │               │ Excessive time spent checking DH keys and parameters        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3446                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-3817    │          │              │                   │               │ Excessive time spent checking DH q parameter value          │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3817                   │
│                  ├──────────────────┼──────────┼──────────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2007-6755    │ LOW      │ affected     │                   │               │ Dual_EC_DRBG: weak pseudo random number generator           │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2007-6755                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2010-0928    │          │              │                   │               │ openssl: RSA authentication weakness                        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2010-0928                   │
├──────────────────┼──────────────────┼──────────┤              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ passwd           │ CVE-2023-4641    │ MEDIUM   │              │ 1:4.13+dfsg1-1+b1 │               │ possible password leak during passwd(1) change              │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-4641                   │
│                  ├──────────────────┼──────────┤              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2007-5686    │ LOW      │              │                   │               │ initscripts in rPath Linux 1 sets insecure permissions for  │
│                  │                  │          │              │                   │               │ the /var/lo ......                                          │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2007-5686                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2019-19882   │          │              │                   │               │ shadow-utils: local users can obtain root access because    │
│                  │                  │          │              │                   │               │ setuid programs are misconfigured...                        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-19882                  │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-29383   │          │              │                   │               │ Improper input validation in shadow-utils package utility   │
│                  │                  │          │              │                   │               │ chfn                                                        │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-29383                  │
├──────────────────┼──────────────────┼──────────┤              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ perl-base        │ CVE-2023-31484   │ HIGH     │              │ 5.36.0-7          │               │ CPAN.pm before 2.35 does not verify TLS certificates when   │
│                  │                  │          │              │                   │               │ downloading distributions over...                           │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-31484                  │
│                  ├──────────────────┼──────────┤              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2011-4116    │ LOW      │              │                   │               │ perl: File::Temp insecure temporary file handling           │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2011-4116                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-31486   │          │              │                   │               │ insecure TLS cert default                                   │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-31486                  │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ tar              │ CVE-2005-2541    │          │              │ 1.34+dfsg-1.2     │               │ tar: does not properly warn the user when extracting setuid │
│                  │                  │          │              │                   │               │ or setgid...                                                │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2005-2541                   │
│                  ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                  │ CVE-2022-48303   │          │              │                   │               │ heap buffer overflow at from_header() in list.c via         │
│                  │                  │          │              │                   │               │ specially crafted checksum                                  │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-48303                  │
├──────────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ util-linux       │ CVE-2022-0563    │          │              │ 2.38.1-5+b1       │               │ partial disclosure of arbitrary files in chfn and chsh when │
│                  │                  │          │              │                   │               │ compiled with...                                            │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0563                   │
├──────────────────┤                  │          │              │                   ├───────────────┤                                                             │
│ util-linux-extra │                  │          │              │                   │               │                                                             │
│                  │                  │          │              │                   │               │                                                             │
│                  │                  │          │              │                   │               │                                                             │
├──────────────────┼──────────────────┼──────────┤              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ wget             │ CVE-2021-31879   │ MEDIUM   │              │ 1.21.3-1+b2       │               │ authorization header disclosure on redirect                 │
│                  │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2021-31879                  │
└──────────────────┴──────────────────┴──────────┴──────────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

And, in the results detected by Vuls, the reason that affectedPackages includes libssl3 and openssl in addition to libssl1.1 is #1727 (comment); this is expected to be fixed in the future.

"affectedPackages": [
    {
        "name": "libssl1.1",
        "fixedIn": "3.0.7-1"
    },
    {
        "name": "libssl3",
        "fixedIn": "3.0.7-1"
    },
    {
        "name": "openssl",
        "fixedIn": "3.0.7-1"
    }
]

@wagde-orca
Contributor Author

These are different results. It is OK to report it on 1.1.1 but not on 3.0.9.

@MaineK00n
Collaborator

The data source used for Debian is written for the source package.
In this situation (#1727 (comment)), binary package libssl1.1 is treated as source package openssl=1.1.1n-0+deb11u5, and binary packages libssl3 and openssl are treated as source package openssl=3.0.9-1.
As shown here (#1727 (comment)), the detection condition for CVE-2022-3602 in Debian 12 is that the version of source package openssl is lower than 3.0.7-1.
Therefore, it should not be detected for source package openssl=3.0.9-1, but it should be detected for source package openssl=1.1.1n-0+deb11u5.

However, due to a problem with the data structure of binary packages and source packages in Vuls (#1727 (comment)), when CVE-2022-3602 is detected, only binary package libssl1.1 should be in affectedPackages, but binary packages libssl3 and openssl are also added.
We are already aware of this problem, and fixing it will take time because it would require a radical change to the data structure.
Even after the data structure is corrected, CVE-2022-3602 will still be detected if binary package libssl1.1 (source package openssl=1.1.1n-0+deb11u5) is installed on the machine, as in this case.

In conclusion, detecting CVE-2022-3602 is not itself a problem; the problem is that the packages that led to its detection include the unrelated binary packages libssl3 and openssl.
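As an added example (not Vuls' code), here is the per-source-version check described above: each installed binary is compared against the fix version using its own source package version, beside the name-keyed conflation that drags libssl3 and openssl in. The dpkg-style version comparison, the `HOST` mapping (constructed from the packages in this thread) and the function names are assumptions of this example.

```python
import re
from itertools import zip_longest

def _order(c):
    """dpkg's character rank: '~' < end of string < letters < other symbols."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """One upstream or revision part: non-digit runs char by char, digit runs numerically."""
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for x, y in zip_longest(sa, sb, fillvalue=""):
            if (d := _order(x) - _order(y)) != 0:
                return d
        a, b = a[len(sa):], b[len(sb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if (d := int(da or 0) - int(db or 0)) != 0:
            return d
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare_debian(v1, v2):
    """<0, 0 or >0 like `dpkg --compare-versions` on '[epoch:]upstream[-revision]'."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

# Constructed from the thread: binary package -> (source package, source version).
HOST = {
    "libssl1.1": ("openssl", "1.1.1n-0+deb11u5"),
    "libssl3": ("openssl", "3.0.9-1"),
    "openssl": ("openssl", "3.0.9-1"),
}

def affected_packages(installed, source, fixed_in):
    """Correct attribution: each binary is checked against its own source version."""
    return [n for n, (s, v) in installed.items() if s == source and compare_debian(v, fixed_in) < 0]

def by_source_name(installed, source, fixed_in):
    """The conflation the thread describes: one old source version drags in every binary sharing the name."""
    return [n for n, (s, _) in installed.items() if s == source] if affected_packages(installed, source, fixed_in) else []
```

With the tracker entry for CVE-2022-3602 (source openssl, fixed in 3.0.7-1), `affected_packages(HOST, "openssl", "3.0.7-1")` yields only libssl1.1, while `by_source_name` yields all three packages seen in the report above.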
