CVE-2022-25845 no result #2334
```json
{
  "SchemaVersion": 2,
  "ArtifactName": "cachecloud:test",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "oracle",
      "Name": "8.5"
    },
    "ImageID": "sha256:20bfdbe35a363bc8e5a2dc2a01fce56469442fb9c5918f24d21fc41694c7157d",
    "DiffIDs": [
      "sha256:d2db75568ee66eaf993c0287d9d570a94ead0b249cdb311d21ff14cd80fd03e4",
      "sha256:4ad9fe00c58db98f55193bf0568a5505fed3105cb1a1632861f7963328818822",
      "sha256:0ceae139f802ce4ef9b2d96be7b833d81add5f91fbf99edd829d16ef9216b95e",
      "sha256:5fed4285216cd86a1373a94902d7bce5ac8fa7cb7addd64d63d7597b5d2d8bcd"
    ],
    "RepoTags": [
      "cachecloud:test"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "container": "af6b59d06184229a7786f80971372801ea920ebb96190f9c41c343b6572ed666",
      "created": "2022-04-02T02:58:42.51056599Z",
      "docker_version": "18.09.1",
      "history": [
        {
          "created": "2022-03-29T18:35:47Z",
          "created_by": "/bin/sh -c #(nop) ADD file:eaa532cad071c531a759e73fd0fd381f440f180ab45b05a74314f10b0374df67 in / "
        },
        {
          "created": "2022-03-29T18:35:47Z",
          "created_by": "/bin/sh -c #(nop) CMD [\"/bin/bash\"]",
          "empty_layer": true
        },
        {
          "created": "2022-03-29T23:06:25Z",
          "created_by": "/bin/sh -c set -eux; \tmicrodnf install \t\tgzip \t\ttar \t\t\t\tbinutils \t\tfreetype fontconfig \t; \tmicrodnf clean all"
        },
        {
          "created": "2022-03-29T23:09:09Z",
          "created_by": "/bin/sh -c #(nop) ENV JAVA_HOME=/usr/java/openjdk-17",
          "empty_layer": true
        },
        {
          "created": "2022-03-29T23:09:09Z",
          "created_by": "/bin/sh -c #(nop) ENV PATH=/usr/java/openjdk-17/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "empty_layer": true
        },
        {
          "created": "2022-03-29T23:09:09Z",
          "created_by": "/bin/sh -c #(nop) ENV LANG=C.UTF-8",
          "empty_layer": true
        },
        {
          "created": "2022-03-29T23:09:09Z",
          "created_by": "/bin/sh -c #(nop) ENV JAVA_VERSION=17.0.2",
          "empty_layer": true
        },
        {
          "created": "2022-03-29T23:09:19Z",
          "created_by": "/bin/sh -c set -eux; \t\tarch=\"$(objdump=\"$(command -v objdump)\" \u0026\u0026 objdump --file-headers \"$objdump\" | awk -F '[:,]+[[:space:]]+' '$1 == \"architecture\" { print $2 }')\"; \tcase \"$arch\" in \t\t'i386:x86-64') \t\t\tdownloadUrl='https://download.java.net/java/GA/jdk17.0.2/dfd4a8d0985749f896bed50d7138ee7f/8/GPL/openjdk-17.0.2_linux-x64_bin.tar.gz'; \t\t\tdownloadSha256='0022753d0cceecacdd3a795dd4cea2bd7ffdf9dc06e22ffd1be98411742fbb44'; \t\t\t;; \t\t'aarch64') \t\t\tdownloadUrl='https://download.java.net/java/GA/jdk17.0.2/dfd4a8d0985749f896bed50d7138ee7f/8/GPL/openjdk-17.0.2_linux-aarch64_bin.tar.gz'; \t\t\tdownloadSha256='13bfd976acf8803f862e82c7113fb0e9311ca5458b1decaef8a09ffd91119fa4'; \t\t\t;; \t\t*) echo \u003e\u00262 \"error: unsupported architecture: '$arch'\"; exit 1 ;; \tesac; \t\tcurl -fL -o openjdk.tgz \"$downloadUrl\"; \techo \"$downloadSha256 *openjdk.tgz\" | sha256sum --strict --check -; \t\tmkdir -p \"$JAVA_HOME\"; \ttar --extract \t\t--file openjdk.tgz \t\t--directory \"$JAVA_HOME\" \t\t--strip-components 1 \t\t--no-same-owner \t; \trm openjdk.tgz*; \t\trm -rf \"$JAVA_HOME/lib/security/cacerts\"; \tln -sT /etc/pki/ca-trust/extracted/java/cacerts \"$JAVA_HOME/lib/security/cacerts\"; \t\tln -sfT \"$JAVA_HOME\" /usr/java/default; \tln -sfT \"$JAVA_HOME\" /usr/java/latest; \tfor bin in \"$JAVA_HOME/bin/\"*; do \t\tbase=\"$(basename \"$bin\")\"; \t\t[ ! -e \"/usr/bin/$base\" ]; \t\talternatives --install \"/usr/bin/$base\" \"$base\" \"$bin\" 20000; \tdone; \t\tjava -Xshare:dump; \t\tfileEncoding=\"$(echo 'System.out.println(System.getProperty(\"file.encoding\"))' | jshell -s -)\"; [ \"$fileEncoding\" = 'UTF-8' ]; rm -rf ~/.java; \tjavac --version; \tjava --version"
        },
        {
          "created": "2022-03-29T23:09:19Z",
          "created_by": "/bin/sh -c #(nop) CMD [\"jshell\"]",
          "empty_layer": true
        },
        {
          "created": "2022-04-02T02:58:42Z",
          "created_by": "/bin/sh -c #(nop) ADD file:3f70ed77805edcf37d6913d6a1902115199bb57d14100446760ac23d0cf383b9 in /maven/ "
        },
        {
          "created": "2022-04-02T02:58:42Z",
          "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\" \"-c\" \"java -jar -Dspring.profiles.active=online /maven/cachecloud-web.war\"]",
          "empty_layer": true
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:d2db75568ee66eaf993c0287d9d570a94ead0b249cdb311d21ff14cd80fd03e4",
          "sha256:4ad9fe00c58db98f55193bf0568a5505fed3105cb1a1632861f7963328818822",
          "sha256:0ceae139f802ce4ef9b2d96be7b833d81add5f91fbf99edd829d16ef9216b95e",
          "sha256:5fed4285216cd86a1373a94902d7bce5ac8fa7cb7addd64d63d7597b5d2d8bcd"
        ]
      },
      "config": {
        "Cmd": [
          "/bin/sh",
          "-c",
          "java -jar -Dspring.profiles.active=online /maven/cachecloud-web.war"
        ],
        "Env": [
          "PATH=/usr/java/openjdk-17/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "JAVA_HOME=/usr/java/openjdk-17",
          "LANG=C.UTF-8",
          "JAVA_VERSION=17.0.2"
        ],
        "Image": "sha256:1316c62fdf5168370932a4bb7a3637a3b71c0c4f95824a8571158b3d68e0fb92",
        "ArgsEscaped": true
      }
    }
  }
}
```
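A triage helper for a Trivy JSON report like the one above, added here as an example (it is not part of the issue and not Trivy's own code). It assumes Trivy's SchemaVersion 2 layout, in which language findings appear as a `Results` entry with `Class` "lang-pkgs" and `Type` "jar"; both sample reports are constructed inline, one shaped like the reporter's output (no `Results` at all) and one shaped like a scan in which the jar was parsed. The `PkgPath` value in the constructed sample is illustrative.

```python
"""Triage a Trivy JSON report (SchemaVersion 2) when an expected CVE is missing.
Added example for this thread; not Trivy's code. Both reports are constructed."""
import json

# Constructed to match the shape of the reporter's result.json above: metadata
# only, no "Results" array at all.
REPORT_NO_RESULTS = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "cachecloud:test",
    "ArtifactType": "container_image",
    "Metadata": {"OS": {"Family": "oracle", "Name": "8.5"}},
})

# Constructed to match the shape Trivy emits once the jar inside the war is
# parsed: a "lang-pkgs" result of type "jar" carrying the finding.
REPORT_WITH_JAR = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "cachecloud:test",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "Java",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-2022-25845",
                    "PkgName": "com.alibaba:fastjson",
                    "PkgPath": "maven/cachecloud-web.war",  # illustrative path
                    "InstalledVersion": "1.2.70",
                    "FixedVersion": "1.2.83",
                    "Severity": "HIGH",
                }
            ],
        }
    ],
})


def jar_findings(report_text: str) -> dict:
    """Map VulnerabilityID -> finding for every jar-class result in the report."""
    report = json.loads(report_text)
    if report.get("SchemaVersion") != 2:
        raise ValueError("expected Trivy JSON SchemaVersion 2")
    findings = {}
    for result in report.get("Results") or []:
        if result.get("Class") == "lang-pkgs" and result.get("Type") == "jar":
            for vuln in result.get("Vulnerabilities") or []:
                findings[vuln["VulnerabilityID"]] = vuln
    return findings


def why_missing(report_text: str, cve: str) -> str:
    """Return a short reason code for the absence (or presence) of a CVE."""
    report = json.loads(report_text)
    results = report.get("Results") or []
    if not results:
        # Nothing was reported at all. With --vuln-type library this is what a
        # scan looks like when no language-specific file was parsed (the debug
        # log later in the thread says "Number of language-specific files: 0").
        return "no-results"
    if not any(r.get("Class") == "lang-pkgs" and r.get("Type") == "jar" for r in results):
        return "no-jar-result"
    if cve not in jar_findings(report_text):
        return "cve-absent"
    return "reported"


if __name__ == "__main__":
    for label, report in (("reporter", REPORT_NO_RESULTS), ("parsed", REPORT_WITH_JAR)):
        print(label, why_missing(report, "CVE-2022-25845"))
```

The reason codes separate the three situations that get conflated as "no result": nothing was analysed at all, the archive was analysed but produced no jar result, or the jar was parsed and the database simply did not match the CVE.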
Hello @xiaoxiong581 At the moment the GitLab database doesn't contain this vulnerability. After adding/updating, CVE-2022-25845 will be added to the vuln-list repository within 6 hours. After that

Regards, Dmitriy

Thanks for your reply, I'll try it after updating trivy-db.
So that I understand that you understood me correctly:
@DmitriyLewen I find the affected version is not null, but when I update the trivy db, it still can't scan this vulnerability.

```
Version: 0.25.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-06-19 18:06:12.415554184 +0000 UTC
  NextUpdate: 2022-06-20 00:06:12.415553784 +0000 UTC
  DownloadedAt: 2022-06-19 23:49:39.683268832 +0000 UTC
```
Hello @xiaoxiong581 Trivy-db was updated 3 days ago.

Test scan info

Test Dockerfile:

Trivy scan result:

➜ 2334 trivy image issue2334
2022-06-20T09:43:15.647+0600 INFO Vulnerability scanning is enabled
2022-06-20T09:43:15.647+0600 INFO Secret scanning is enabled
2022-06-20T09:43:15.647+0600 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-06-20T09:43:15.647+0600 INFO Please see also https://aquasecurity.github.io/trivy/v0.29.0/docs/secret/scanning/#recommendation for faster secret detection
2022-06-20T09:43:15.650+0600 INFO Detected OS: oracle
2022-06-20T09:43:15.650+0600 INFO Detecting Oracle Linux vulnerabilities...
2022-06-20T09:43:15.652+0600 INFO Number of language-specific files: 1
2022-06-20T09:43:15.652+0600 INFO Detecting jar vulnerabilities...
issue2334 (oracle 8.5)
Total: 16 (UNKNOWN: 0, LOW: 2, MEDIUM: 12, HIGH: 2, CRITICAL: 0)
┌──────────────────┬────────────────┬──────────┬───────────────────┬──────────────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ bind-export-libs │ CVE-2021-25219 │ MEDIUM │ 32:9.11.26-6.el8 │ 32:9.11.36-3.el8 │ bind: Lame cache can be abused to severely degrade resolver │
│ │ │ │ │ │ performance │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25219 │
├──────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ gnutls │ CVE-2021-20231 │ MEDIUM │ 3.6.16-4.el8 │ 10:3.6.16-4.0.1.el8_fips │ gnutls: Use after free in client key_share extension │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-20231 │
├──────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ gnutls │ CVE-2021-20232 │ MEDIUM │ 3.6.16-4.el8 │ 10:3.6.16-4.0.1.el8_fips │ gnutls: Use after free in client_send_params in │
│ │ │ │ │ │ lib/ext/pre_shared_key.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-20232 │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2021-3580 │ │ │ │ nettle: Remote crash in RSA decryption via manipulated │
│ │ │ │ │ │ ciphertext │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-3580 │
├──────────────────┼────────────────┤ ├───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libgcrypt │ CVE-2021-33560 │ │ 1.8.5-6.el8 │ 10:1.8.5-6.el8_fips │ libgcrypt: mishandles ElGamal encryption because it lacks │
│ │ │ │ │ │ exponent blinding to address a... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-33560 │
├──────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libssh │ CVE-2021-3634 │ LOW │ 0.9.4-3.el8 │ 0.9.6-3.el8 │ libssh: possible heap-based buffer overflow when rekeying │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-3634 │
├──────────────────┤ │ │ │ │ │
│ libssh-config │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ openssh │ CVE-2021-41617 │ MEDIUM │ 8.0p1-10.el8 │ 8.0p1-13.el8 │ openssh: privilege escalation when AuthorizedKeysCommand or │
│ │ │ │ │ │ AuthorizedPrincipalsCommand are configured │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-41617 │
├──────────────────┤ │ │ │ │ │
│ openssh-clients │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────────┤ │ │ │ │ │
│ openssh-server │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────────┼────────────────┤ ├───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ platform-python │ CVE-2021-3737 │ │ 3.6.8-41.0.1.el8 │ 3.6.8-45.0.1.el8 │ python: urllib: HTTP client possible infinite loop on a 100 │
│ │ │ │ │ │ Continue response... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-3737 │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2021-4189 │ │ │ │ python: ftplib should not use the host from the PASV │
│ │ │ │ │ │ response │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-4189 │
├──────────────────┼────────────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ python3-libs │ CVE-2021-3737 │ │ │ │ python: urllib: HTTP client possible infinite loop on a 100 │
│ │ │ │ │ │ Continue response... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-3737 │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2021-4189 │ │ │ │ python: ftplib should not use the host from the PASV │
│ │ │ │ │ │ response │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-4189 │
├──────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ rsyslog │ CVE-2022-24903 │ HIGH │ 8.2102.0-5.el8 │ 8.2102.0-7.el8_6.1 │ rsyslog: Heap-based overflow in TCP syslog server │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-24903 │
├──────────────────┼────────────────┤ ├───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ xz-libs │ CVE-2022-1271 │ │ 5.2.4-3.el8 │ 5.2.4-4.el8_6 │ gzip: arbitrary-file-write vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1271 │
└──────────────────┴────────────────┴──────────┴───────────────────┴──────────────────────────┴─────────────────────────────────────────────────────────────┘
2022-06-20T09:43:15.659+0600 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Java (jar)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌────────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────┤
│ com.alibaba:fastjson (fastjson-1.2.70.jar) │ CVE-2022-25845 │ HIGH │ 1.2.70 │ 1.2.83 │ Unsafe deserialization in com.alibaba:fastjson │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-25845 │
└────────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────┘
Your result doesn't contain language-specific files (

The fastjson jar is in a war package in the registry; it can't be scanned in this scenario, but if the jar package is placed in a separate directory, it is OK. Does it not support scanning for vulnerabilities contained in war packages?
I packaged Trivy finds vulnerabilities for both files. Can you send your file to investigate your case?

Dockerfile

```dockerfile
FROM openjdk:17.0-jdk-oracle
ADD cachecloud-open-web.war /maven/
CMD java -jar -Dspring.profiles.active=online /maven/cachecloud-open-web.war
```

File should be unzipped to war.
I checked your war file.

```
➜ trivy -d rootfs cachecloud-open-web.war
...
2022-06-20T17:42:16.292+0600 DEBUG Parsing Java artifacts... {"file": "cachecloud-open-web.war"}
2022-06-20T17:42:16.292+0600 DEBUG Analysis error: jar/war/ear/par parse error: zip error: zip: not a valid zip file
2022-06-20T17:42:28.566+0600 DEBUG OS is not detected.
2022-06-20T17:42:28.566+0600 DEBUG Detected OS: unknown
2022-06-20T17:42:28.566+0600 INFO Number of language-specific files: 0
```

I unpacked your file and repacked the resulting files:

```
➜ ls -hl
-rw-rw-r-- 1 dmitriy dmitriy 5,2M июн 20 2022 cachecloud-open-web.war
➜ jar -xf cachecloud-open-web.war
➜ ls -hl
итого 5,2M
-rw-rw-r-- 1 dmitriy dmitriy 5,2M июн 20 2022 cachecloud-open-web.war
-rw-rw-r-- 1 dmitriy dmitriy 741 апр 2 10:21 daily.jsp
-rw-rw-r-- 1 dmitriy dmitriy 769 апр 2 10:21 error.jsp
-rw-rw-r-- 1 dmitriy dmitriy 155 апр 2 10:21 index.jsp
drwxrwxr-x 3 dmitriy dmitriy 4,0K апр 2 10:48 META-INF
drwxrwxr-x 3 dmitriy dmitriy 4,0K апр 2 10:48 org
-rw-rw-r-- 1 dmitriy dmitriy 161 апр 2 10:21 test.jsp
drwxrwxr-x 8 dmitriy dmitriy 4,0K апр 2 10:48 WEB-INF
➜ rm cachecloud-open-web.war
➜ jar -cf new.war *
➜ trivy rootfs new.war
2022-06-20T17:37:24.062+0600 INFO Vulnerability scanning is enabled
2022-06-20T17:37:24.063+0600 INFO Secret scanning is enabled
2022-06-20T17:37:24.063+0600 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-06-20T17:37:24.063+0600 INFO Please see also https://aquasecurity.github.io/trivy/v0.29.0/docs/secret/scanning/#recommendation for faster secret detection
2022-06-20T17:37:25.215+0600 INFO Number of language-specific files: 1
2022-06-20T17:37:25.215+0600 INFO Detecting jar vulnerabilities...
2022-06-20T17:37:25.216+0600 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Java (jar)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────┤
│ com.alibaba:fastjson (new.war) │ CVE-2022-25845 │ HIGH │ 1.2.70 │ 1.2.83 │ Unsafe deserialization in com.alibaba:fastjson │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-25845 │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────┘
```

Possibly there is a bug when packing your war file?
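To show the failure mode the debug log above exposes ("zip: not a valid zip file") and what a scanner must do once the archive does open, here is an added Python example; it is not Trivy's code and not part of the thread. It builds a tiny war in memory with a nested fastjson jar carrying Maven pom.properties (constructed sample data), validates the archive the way a strict zip reader does, inventories the nested artifacts, and flags com.alibaba:fastjson below the fixed version 1.2.83 shown in the scan above. Identifying an artifact through pom.properties is one common approach and an assumption of this example, and `corrupt_end_record` is a constructed stand-in for a damaged archive.

```python
"""Validate a war archive and inventory the Maven artifacts nested inside it.
Added example for this thread; not Trivy's code. Sample archives are constructed
in memory so the script runs offline."""
import io
import zipfile

# Fixed version reported for CVE-2022-25845 in the scan output above.
FIXED_FASTJSON = "1.2.83"


def build_sample_war(fastjson_version: str) -> bytes:
    """Constructed sample: a minimal war whose WEB-INF/lib holds a fastjson jar
    that carries Maven pom.properties (as jars built with Maven do)."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr(
            "META-INF/maven/com.alibaba/fastjson/pom.properties",
            f"groupId=com.alibaba\nartifactId=fastjson\nversion={fastjson_version}\n",
        )
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("index.jsp", "<html>placeholder</html>")
        war.writestr(f"WEB-INF/lib/fastjson-{fastjson_version}.jar", jar_buf.getvalue())
    return war_buf.getvalue()


def corrupt_end_record(data: bytes) -> bytes:
    """Constructed stand-in for a damaged archive: overwrite every
    end-of-central-directory signature so no zip reader can locate the
    central directory (the same class of failure as 'not a valid zip file')."""
    return data.replace(b"PK\x05\x06", b"XX\x05\x06")


def is_valid_zip(data: bytes) -> bool:
    """Open the archive and verify every entry's CRC, mirroring the strictness
    of the reader that the debug log shows failing on the reporter's war."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def parse_pom_properties(text: str) -> dict:
    """Parse the key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def inventory(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return (groupId, artifactId, version) for each Maven artifact found,
    recursing into nested .jar/.war entries. Naming an artifact from its
    pom.properties is an assumption of this example, not Trivy's exact method."""
    if not is_valid_zip(data):
        raise ValueError("not a valid zip file")
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    found.append((props["groupId"], props["artifactId"], props["version"]))
            elif name.endswith((".jar", ".war")) and depth < max_depth:
                inner = zf.read(name)
                if is_valid_zip(inner):  # skip nested archives that are themselves damaged
                    found.extend(inventory(inner, depth + 1, max_depth))
    return found


def version_key(version: str) -> tuple:
    """Numeric comparison of dotted versions; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def scan_war(data: bytes) -> dict:
    """Summarise one archive: is it readable, what does it embed, and which
    fastjson artifacts are below the fixed version."""
    if not is_valid_zip(data):
        return {"valid": False, "artifacts": [], "affected_fastjson": []}
    artifacts = inventory(data)
    affected = [
        a for a in artifacts
        if a[:2] == ("com.alibaba", "fastjson") and version_key(a[2]) < version_key(FIXED_FASTJSON)
    ]
    return {"valid": True, "artifacts": artifacts, "affected_fastjson": affected}


if __name__ == "__main__":
    good = build_sample_war("1.2.70")
    print("good:", scan_war(good))
    print("broken:", scan_war(corrupt_end_record(good)))
```

The point of the `valid: False` branch is that an unreadable archive yields no findings rather than an error in the table, which is exactly the silent "no result" the issue reports; checking the archive opens cleanly is the first thing to verify before blaming the vulnerability database.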
Using mvn to package, like:

```xml
<packaging>war</packaging>
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-war-plugin</artifactId>
  <version>3.2.2</version>
</plugin>
<resource>
  <directory>src/main/resources</directory>
  <includes>
    <include>**/*</include>
  </includes>
</resource>
<resource>
  <directory>src/main/resources</directory>
  <filtering>true</filtering>
  <excludes>
    <exclude>cert/*</exclude>
  </excludes>
</resource>
</resources>
```
Thanks a lot for your help and time! I found why you have this problem. I checked your archive with

OK, I'll check it if the next trivy version fixes it. This issue you can close now, or release a fixed version later.

Perhaps I confused you.

OK
Description

What did you expect to happen?

The CVE-2022-25845 vulnerability can be scanned.

What happened instead?

No result.

Output of run with -debug:

```
trivy image --skip-db-update --offline-scan --vuln-type library -f json -o result.json cachecloud:test
```

![image](https://user-images.githubusercontent.com/19368482/173978481-c35666c8-6634-4725-aabe-01577179b1f8.png)

Output of trivy -v:

Additional details (base image name, container registry info...):

Find a registry which contains a fastjson jar under version 1.2.83.