CVE-2022-25845 no result #2334

Closed
xiaoxiong581 opened this issue Jun 16, 2022 · 16 comments
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@xiaoxiong581

Description

What did you expect to happen?

The CVE-2022-25845 vulnerability can be found by the scan.

What happened instead?

no result

Output of run with -debug:


trivy image --skip-db-update --offline-scan --vuln-type library -f json -o result.json cachecloud:test

Output of trivy -v:

Version: 0.25.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-06-16 00:10:24.89388734 +0000 UTC
  NextUpdate: 2022-06-16 06:10:24.89388694 +0000 UTC
  DownloadedAt: 2022-06-16 01:56:26.034144044 +0000 UTC

Additional details (base image name, container registry info...):

Find a registry image which contains a fastjson jar with a version under 1.2.83.

@xiaoxiong581 xiaoxiong581 added the kind/bug Categorizes issue or PR as related to a bug. label Jun 16, 2022
@xiaoxiong581
Author

{
  "SchemaVersion": 2,
  "ArtifactName": "cachecloud:test",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "oracle",
      "Name": "8.5"
    },
    "ImageID": "sha256:20bfdbe35a363bc8e5a2dc2a01fce56469442fb9c5918f24d21fc41694c7157d",
    "DiffIDs": [
      "sha256:d2db75568ee66eaf993c0287d9d570a94ead0b249cdb311d21ff14cd80fd03e4",
      "sha256:4ad9fe00c58db98f55193bf0568a5505fed3105cb1a1632861f7963328818822",
      "sha256:0ceae139f802ce4ef9b2d96be7b833d81add5f91fbf99edd829d16ef9216b95e",
      "sha256:5fed4285216cd86a1373a94902d7bce5ac8fa7cb7addd64d63d7597b5d2d8bcd"
    ],
    "RepoTags": [
      "cachecloud:test"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "container": "af6b59d06184229a7786f80971372801ea920ebb96190f9c41c343b6572ed666",
      "created": "2022-04-02T02:58:42.51056599Z",
      "docker_version": "18.09.1",
      "history": [
        {
          "created": "2022-03-29T18:35:47Z",
          "created_by": "/bin/sh -c #(nop) ADD file:eaa532cad071c531a759e73fd0fd381f440f180ab45b05a74314f10b0374df67 in / "
        },
        {
          "created": "2022-03-29T18:35:47Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
          "empty_layer": true
        },
        {
          "created": "2022-03-29T23:06:25Z",
          "created_by": "/bin/sh -c set -eux; \tmicrodnf install \t\tgzip \t\ttar \t\t\t\tbinutils \t\tfreetype fontconfig \t; \tmicrodnf clean all"
        },
        {
          "created": "2022-03-29T23:09:09Z",
          "created_by": "/bin/sh -c #(nop)  ENV JAVA_HOME=/usr/java/openjdk-17",
          "empty_layer": true
        },
        {
          "created": "2022-03-29T23:09:09Z",
          "created_by": "/bin/sh -c #(nop)  ENV PATH=/usr/java/openjdk-17/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "empty_layer": true
        },
        {
          "created": "2022-03-29T23:09:09Z",
          "created_by": "/bin/sh -c #(nop)  ENV LANG=C.UTF-8",
          "empty_layer": true
        },
        {
          "created": "2022-03-29T23:09:09Z",
          "created_by": "/bin/sh -c #(nop)  ENV JAVA_VERSION=17.0.2",
          "empty_layer": true
        },
        {
          "created": "2022-03-29T23:09:19Z",
          "created_by": "/bin/sh -c set -eux; \t\tarch=\"$(objdump=\"$(command -v objdump)\" \u0026\u0026 objdump --file-headers \"$objdump\" | awk -F '[:,]+[[:space:]]+' '$1 == \"architecture\" { print $2 }')\"; \tcase \"$arch\" in \t\t'i386:x86-64') \t\t\tdownloadUrl='https://download.java.net/java/GA/jdk17.0.2/dfd4a8d0985749f896bed50d7138ee7f/8/GPL/openjdk-17.0.2_linux-x64_bin.tar.gz'; \t\t\tdownloadSha256='0022753d0cceecacdd3a795dd4cea2bd7ffdf9dc06e22ffd1be98411742fbb44'; \t\t\t;; \t\t'aarch64') \t\t\tdownloadUrl='https://download.java.net/java/GA/jdk17.0.2/dfd4a8d0985749f896bed50d7138ee7f/8/GPL/openjdk-17.0.2_linux-aarch64_bin.tar.gz'; \t\t\tdownloadSha256='13bfd976acf8803f862e82c7113fb0e9311ca5458b1decaef8a09ffd91119fa4'; \t\t\t;; \t\t*) echo \u003e\u00262 \"error: unsupported architecture: '$arch'\"; exit 1 ;; \tesac; \t\tcurl -fL -o openjdk.tgz \"$downloadUrl\"; \techo \"$downloadSha256 *openjdk.tgz\" | sha256sum --strict --check -; \t\tmkdir -p \"$JAVA_HOME\"; \ttar --extract \t\t--file openjdk.tgz \t\t--directory \"$JAVA_HOME\" \t\t--strip-components 1 \t\t--no-same-owner \t; \trm openjdk.tgz*; \t\trm -rf \"$JAVA_HOME/lib/security/cacerts\"; \tln -sT /etc/pki/ca-trust/extracted/java/cacerts \"$JAVA_HOME/lib/security/cacerts\"; \t\tln -sfT \"$JAVA_HOME\" /usr/java/default; \tln -sfT \"$JAVA_HOME\" /usr/java/latest; \tfor bin in \"$JAVA_HOME/bin/\"*; do \t\tbase=\"$(basename \"$bin\")\"; \t\t[ ! -e \"/usr/bin/$base\" ]; \t\talternatives --install \"/usr/bin/$base\" \"$base\" \"$bin\" 20000; \tdone; \t\tjava -Xshare:dump; \t\tfileEncoding=\"$(echo 'System.out.println(System.getProperty(\"file.encoding\"))' | jshell -s -)\"; [ \"$fileEncoding\" = 'UTF-8' ]; rm -rf ~/.java; \tjavac --version; \tjava --version"
        },
        {
          "created": "2022-03-29T23:09:19Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"jshell\"]",
          "empty_layer": true
        },
        {
          "created": "2022-04-02T02:58:42Z",
          "created_by": "/bin/sh -c #(nop) ADD file:3f70ed77805edcf37d6913d6a1902115199bb57d14100446760ac23d0cf383b9 in /maven/ "
        },
        {
          "created": "2022-04-02T02:58:42Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\" \"-c\" \"java -jar -Dspring.profiles.active=online /maven/cachecloud-web.war\"]",
          "empty_layer": true
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:d2db75568ee66eaf993c0287d9d570a94ead0b249cdb311d21ff14cd80fd03e4",
          "sha256:4ad9fe00c58db98f55193bf0568a5505fed3105cb1a1632861f7963328818822",
          "sha256:0ceae139f802ce4ef9b2d96be7b833d81add5f91fbf99edd829d16ef9216b95e",
          "sha256:5fed4285216cd86a1373a94902d7bce5ac8fa7cb7addd64d63d7597b5d2d8bcd"
        ]
      },
      "config": {
        "Cmd": [
          "/bin/sh",
          "-c",
          "java -jar -Dspring.profiles.active=online /maven/cachecloud-web.war"
        ],
        "Env": [
          "PATH=/usr/java/openjdk-17/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "JAVA_HOME=/usr/java/openjdk-17",
          "LANG=C.UTF-8",
          "JAVA_VERSION=17.0.2"
        ],
        "Image": "sha256:1316c62fdf5168370932a4bb7a3637a3b71c0c4f95824a8571158b3d68e0fb92",
        "ArgsEscaped": true
      }
    }
  }
}

@DmitriyLewen
Contributor

Hello @xiaoxiong581
Thanks for your report!

At the moment the GitLab Database doesn't contain this vulnerability.
This CVE is unreviewed in the GitHub Database (the affected field is empty).

After it is added/updated, CVE-2022-25845 will be added to the vuln-list repository within 6 hours. After that Trivy-db will be updated and Trivy will start finding this CVE.

Regards, Dmitriy

@DmitriyLewen DmitriyLewen self-assigned this Jun 16, 2022
@xiaoxiong581
Author

> Hello @xiaoxiong581 Thanks for your report!
>
> At the moment the GitLab Database doesn't contain this vulnerability. This CVE is unreviewed in the GitHub Database (the affected field is empty).
>
> After it is added/updated, CVE-2022-25845 will be added to the vuln-list repository within 6 hours. After that Trivy-db will be updated and Trivy will start finding this CVE.
>
> Regards, Dmitriy

Thanks for your reply, I'll try it after updating trivy-db.

@DmitriyLewen
Contributor

To make sure you understood me correctly:
you only need to check Trivy-db after the GitLab or GitHub database has been updated.

@xiaoxiong581
Author

xiaoxiong581 commented Jun 19, 2022

@DmitriyLewen I find the affected version is not null, but when I update the trivy db, it still can't scan this vulnerability.

Version: 0.25.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-06-19 18:06:12.415554184 +0000 UTC
  NextUpdate: 2022-06-20 00:06:12.415553784 +0000 UTC
  DownloadedAt: 2022-06-19 23:49:39.683268832 +0000 UTC


@DmitriyLewen
Contributor

Hello @xiaoxiong581

Trivy-db has been updated 3 days ago.
I checked this case - Trivy correctly finds CVE-2022-25845.

test scan info

Test Dockerfile:

FROM oraclelinux:8.5

RUN yum install wget -y

RUN cd /usr && wget https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.70/fastjson-1.2.70.jar 

Trivy scan result:

➜  2334 trivy image issue2334 
2022-06-20T09:43:15.647+0600	INFO	Vulnerability scanning is enabled
2022-06-20T09:43:15.647+0600	INFO	Secret scanning is enabled
2022-06-20T09:43:15.647+0600	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-06-20T09:43:15.647+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.29.0/docs/secret/scanning/#recommendation for faster secret detection
2022-06-20T09:43:15.650+0600	INFO	Detected OS: oracle
2022-06-20T09:43:15.650+0600	INFO	Detecting Oracle Linux vulnerabilities...
2022-06-20T09:43:15.652+0600	INFO	Number of language-specific files: 1
2022-06-20T09:43:15.652+0600	INFO	Detecting jar vulnerabilities...

issue2334 (oracle 8.5)

Total: 16 (UNKNOWN: 0, LOW: 2, MEDIUM: 12, HIGH: 2, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬───────────────────┬──────────────────────────┬─────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Installed Version │      Fixed Version       │                            Title                            │
├──────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ bind-export-libs │ CVE-2021-25219 │ MEDIUM   │ 32:9.11.26-6.el8  │ 32:9.11.36-3.el8         │ bind: Lame cache can be abused to severely degrade resolver │
│                  │                │          │                   │                          │ performance                                                 │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-25219                  │
├──────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ gnutls           │ CVE-2021-20231 │ MEDIUM   │ 3.6.16-4.el8      │ 10:3.6.16-4.0.1.el8_fips │ gnutls: Use after free in client key_share extension        │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-20231                  │
├──────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ gnutls           │ CVE-2021-20232 │ MEDIUM   │ 3.6.16-4.el8      │ 10:3.6.16-4.0.1.el8_fips │ gnutls: Use after free in client_send_params in             │
│                  │                │          │                   │                          │ lib/ext/pre_shared_key.c                                    │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-20232                  │
│                  ├────────────────┤          │                   │                          ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2021-3580  │          │                   │                          │ nettle: Remote crash in RSA decryption via manipulated      │
│                  │                │          │                   │                          │ ciphertext                                                  │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-3580                   │
├──────────────────┼────────────────┤          ├───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libgcrypt        │ CVE-2021-33560 │          │ 1.8.5-6.el8       │ 10:1.8.5-6.el8_fips      │ libgcrypt: mishandles ElGamal encryption because it lacks   │
│                  │                │          │                   │                          │ exponent blinding to address a...                           │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-33560                  │
├──────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libssh           │ CVE-2021-3634  │ LOW      │ 0.9.4-3.el8       │ 0.9.6-3.el8              │ libssh: possible heap-based buffer overflow when rekeying   │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-3634                   │
├──────────────────┤                │          │                   │                          │                                                             │
│ libssh-config    │                │          │                   │                          │                                                             │
│                  │                │          │                   │                          │                                                             │
├──────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ openssh          │ CVE-2021-41617 │ MEDIUM   │ 8.0p1-10.el8      │ 8.0p1-13.el8             │ openssh: privilege escalation when AuthorizedKeysCommand or │
│                  │                │          │                   │                          │ AuthorizedPrincipalsCommand are configured                  │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-41617                  │
├──────────────────┤                │          │                   │                          │                                                             │
│ openssh-clients  │                │          │                   │                          │                                                             │
│                  │                │          │                   │                          │                                                             │
│                  │                │          │                   │                          │                                                             │
├──────────────────┤                │          │                   │                          │                                                             │
│ openssh-server   │                │          │                   │                          │                                                             │
│                  │                │          │                   │                          │                                                             │
│                  │                │          │                   │                          │                                                             │
├──────────────────┼────────────────┤          ├───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ platform-python  │ CVE-2021-3737  │          │ 3.6.8-41.0.1.el8  │ 3.6.8-45.0.1.el8         │ python: urllib: HTTP client possible infinite loop on a 100 │
│                  │                │          │                   │                          │ Continue response...                                        │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-3737                   │
│                  ├────────────────┤          │                   │                          ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2021-4189  │          │                   │                          │ python: ftplib should not use the host from the PASV        │
│                  │                │          │                   │                          │ response                                                    │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-4189                   │
├──────────────────┼────────────────┤          │                   │                          ├─────────────────────────────────────────────────────────────┤
│ python3-libs     │ CVE-2021-3737  │          │                   │                          │ python: urllib: HTTP client possible infinite loop on a 100 │
│                  │                │          │                   │                          │ Continue response...                                        │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-3737                   │
│                  ├────────────────┤          │                   │                          ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2021-4189  │          │                   │                          │ python: ftplib should not use the host from the PASV        │
│                  │                │          │                   │                          │ response                                                    │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-4189                   │
├──────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ rsyslog          │ CVE-2022-24903 │ HIGH     │ 8.2102.0-5.el8    │ 8.2102.0-7.el8_6.1       │ rsyslog: Heap-based overflow in TCP syslog server           │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2022-24903                  │
├──────────────────┼────────────────┤          ├───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ xz-libs          │ CVE-2022-1271  │          │ 5.2.4-3.el8       │ 5.2.4-4.el8_6            │ gzip: arbitrary-file-write vulnerability                    │
│                  │                │          │                   │                          │ https://avd.aquasec.com/nvd/cve-2022-1271                   │
└──────────────────┴────────────────┴──────────┴───────────────────┴──────────────────────────┴─────────────────────────────────────────────────────────────┘
2022-06-20T09:43:15.659+0600	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────┐
│                  Library                   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                     Title                      │
├────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────┤
│ com.alibaba:fastjson (fastjson-1.2.70.jar) │ CVE-2022-25845 │ HIGH     │ 1.2.70            │ 1.2.83        │ Unsafe deserialization in com.alibaba:fastjson │
│                                            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25845     │
└────────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────┘

Your result doesn't contain language-specific files (Number of language-specific files: 1).
Can you check this case?
You can also use --format json and --list-all-pkgs flags to get all packages Trivy finds.

@xiaoxiong581
Author

The fastjson jar is inside a war package in the registry; it can't be scanned in this scenario, but if the jar package is placed in a separate directory, it is OK. Does it not support scanning for vulnerabilities contained in war packages?

@DmitriyLewen
Copy link
Contributor

I packaged fastjson-1.2.70.jar into a war file.
Also I packaged the files from fastjson-1.2.70.jar into another war file.

Trivy finds vulnerabilities for both files.

Can you send your file to investigate your case?

@xiaoxiong581
Copy link
Author

xiaoxiong581 commented Jun 20, 2022

Dockerfile

FROM openjdk:17.0-jdk-oracle
ADD cachecloud-open-web.war /maven/
CMD java -jar -Dspring.profiles.active=online /maven/cachecloud-open-web.war

Unzip the file to get the war:
cachecloud-open-web.zip

@DmitriyLewen
Copy link
Contributor

I checked your war file.
Trivy has an error when scanning this file:

➜  trivy -d rootfs cachecloud-open-web.war
... 
2022-06-20T17:42:16.292+0600	DEBUG	Parsing Java artifacts...	{"file": "cachecloud-open-web.war"}
2022-06-20T17:42:16.292+0600	DEBUG	Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-06-20T17:42:28.566+0600	DEBUG	OS is not detected.
2022-06-20T17:42:28.566+0600	DEBUG	Detected OS: unknown
2022-06-20T17:42:28.566+0600	INFO	Number of language-specific files: 0

I unpacked your file and repacked the resulting files:

➜  ls -hl
-rw-rw-r-- 1 dmitriy dmitriy 5,2M июн 20  2022 cachecloud-open-web.war

➜  jar -xf cachecloud-open-web.war 

➜  ls -hl 
итого 5,2M
-rw-rw-r-- 1 dmitriy dmitriy 5,2M июн 20  2022 cachecloud-open-web.war
-rw-rw-r-- 1 dmitriy dmitriy  741 апр  2 10:21 daily.jsp
-rw-rw-r-- 1 dmitriy dmitriy  769 апр  2 10:21 error.jsp
-rw-rw-r-- 1 dmitriy dmitriy  155 апр  2 10:21 index.jsp
drwxrwxr-x 3 dmitriy dmitriy 4,0K апр  2 10:48 META-INF
drwxrwxr-x 3 dmitriy dmitriy 4,0K апр  2 10:48 org
-rw-rw-r-- 1 dmitriy dmitriy  161 апр  2 10:21 test.jsp
drwxrwxr-x 8 dmitriy dmitriy 4,0K апр  2 10:48 WEB-INF

➜  rm cachecloud-open-web.war 

➜  jar -cf new.war *

➜  trivy rootfs new.war 
2022-06-20T17:37:24.062+0600	INFO	Vulnerability scanning is enabled
2022-06-20T17:37:24.063+0600	INFO	Secret scanning is enabled
2022-06-20T17:37:24.063+0600	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-06-20T17:37:24.063+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.29.0/docs/secret/scanning/#recommendation for faster secret detection
2022-06-20T17:37:25.215+0600	INFO	Number of language-specific files: 1
2022-06-20T17:37:25.215+0600	INFO	Detecting jar vulnerabilities...
2022-06-20T17:37:25.216+0600	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                     Title                      │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────┤
│ com.alibaba:fastjson (new.war) │ CVE-2022-25845 │ HIGH     │ 1.2.70            │ 1.2.83        │ Unsafe deserialization in com.alibaba:fastjson │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25845     │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────┘

Possibly there is a bug when packing your war file?

@xiaoxiong581
Copy link
Author

Using mvn to package, like:

            <packaging>war</packaging>

            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <version>3.2.2</version>
            </plugin>

        <resources>
            <resource>
                <directory>src/main/resources</directory>
                <includes>
                    <include>**/*</include>
                </includes>
            </resource>
            <resource>
                <directory>src/main/resources</directory>
                <filtering>true</filtering>
                <excludes>
                    <exclude>cert/*</exclude>
                </excludes>
            </resource>
        </resources>

I packaged again without modifying the war, but it still errors.

@DmitriyLewen
Copy link
Contributor

Thanks a lot for your help and time!

I found why you have this problem.
The war archive has extra data at the beginning.
The archive/zip package can't unpack these archives.
Issue about this problem: golang/go#51337

I checked your archive with go1.19beta1; Trivy works correctly.
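
The situation described above, as an added example (not Trivy's or Go's own code): a Go program that builds a war-like zip with bytes prepended, measures the leading data from the End of Central Directory record, and strips it so that archive/zip before Go 1.19 can list the entries. The entry name and the prefix bytes are constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"errors"
)

// BuildWarWithPrefix builds a tiny war-like zip in memory (constructed sample) and prepends arbitrary bytes.
func BuildWarWithPrefix(prefix []byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("WEB-INF/lib/fastjson-1.2.70.jar") // entry name only, not a real jar
	w.Write([]byte("placeholder jar bytes"))
	zw.Close()
	return append(append([]byte{}, prefix...), buf.Bytes()...)
}

// LeadingDataLength compares the central-directory offset recorded in the End of Central
// Directory record with where the directory really starts; the difference is the prepended data.
func LeadingDataLength(data []byte) (int, error) {
	i := bytes.LastIndex(data, []byte("PK\x05\x06")) // EOCD signature
	if i < 0 || len(data)-i < 22 {
		return 0, errors.New("end of central directory record not found")
	}
	cdSize := int(binary.LittleEndian.Uint32(data[i+12:]))
	cdOffset := int(binary.LittleEndian.Uint32(data[i+16:]))
	if actual := i - cdSize; actual >= cdOffset {
		return actual - cdOffset, nil
	}
	return 0, errors.New("recorded central directory offset is past its real position")
}

// OpenStripped drops the leading data so archive/zip before Go 1.19 can parse the archive.
func OpenStripped(data []byte) ([]string, error) {
	n, err := LeadingDataLength(data)
	if err != nil {
		return nil, err
	}
	zr, err := zip.NewReader(bytes.NewReader(data[n:]), int64(len(data)-n))
	if err != nil {
		return nil, err
	}
	var names []string
	for _, f := range zr.File {
		names = append(names, f.Name)
	}
	return names, nil
}
```

A non-zero result from LeadingDataLength on a war that an older Trivy reports as "not a valid zip file" confirms this cause, and the stripped copy can be scanned in the meantime.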

@xiaoxiong581
Copy link
Author

OK, I'll check it when the next Trivy version fixes it. You can close this issue now or release a fixed version later.

@DmitriyLewen
Copy link
Contributor

Perhaps I confused you.
This bug was fixed by Google, not Trivy.
To apply the fix we need golang version 1.19.
After that we will update Trivy.

@xiaoxiong581
Copy link
Author

OK
