This set of tools helps Red Hat TAMs gather information about CVEs, errata, etc.
It calls the https://access.redhat.com/hydra/rest/securitydata API and prints the results in the terminal.
- Provides information about CVEs that match the search criteria: CVE number, release date, severity, URL, description, mitigation strategy, affected products and released errata (aka advisory, RHSA).
- The script prints the data to the terminal and saves it to a *.csv file. It can also be given a preconfigured set of arguments in a *.txt file.
- If --search-old-cves is specified, the script also returns CVEs for the specified products that were released earlier but either have no errata published yet or had errata published within the specified period. This argument is 0 by default.
Arguments:
- -h, --help: show help
- -f, --file <filename.txt>: read the arguments from the file filename.txt
- -o, --search-old-cves <number of months>: how many months back to search for unresolved CVEs
- -a, --after <YYYY-MM-DD>: show only CVEs released after this date
- -b, --before <YYYY-MM-DD>: show only CVEs released before this date
- -p, --product <product name>: show only CVEs affecting products matching this name (supports Perl-compatible regular expressions)
- -s, --severity <low, moderate, important, critical>: show only CVEs of the chosen severity
- -r, --remove-unaffected <yes, no>: hide packages that are not affected by the CVE
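The filter semantics those flags describe, as an added example that is not the repository's code: it runs offline on a constructed sample shaped like the API's /cve/<id>.json documents (the field names `threat_severity`, `public_date`, `package_state` and `affected_release` are my assumption about that schema), uses Python's `re` for the product pattern, and reads `--search-old-cves` as "also keep CVEs published up to N months before --after that are still unfixed for a matching product or had an erratum released inside the window".

```python
import re
from datetime import date, timedelta

# Constructed sample records shaped like the API's /cve/<id>.json documents.
# Field names are an assumption; the fix states below are made up for the demo.
SAMPLE = [
    {"name": "CVE-2021-44228", "threat_severity": "Critical",
     "public_date": "2021-12-10T00:00:00Z",
     "package_state": [
         {"product_name": "Red Hat Integration Camel Quarkus", "fix_state": "Affected"},
         {"product_name": "Red Hat build of Quarkus", "fix_state": "Not affected"}],
     "affected_release": [{"product_name": "Red Hat JBoss Fuse 7",
                           "advisory": "RHSA-2022:0203", "release_date": "2022-01-20T00:00:00Z"}]},
    {"name": "CVE-2021-41269", "threat_severity": "Critical",
     "public_date": "2021-11-17T00:00:00Z",
     "package_state": [
         {"product_name": "Red Hat build of Quarkus", "fix_state": "Not affected"}],
     "affected_release": [{"product_name": "Red Hat Integration",
                           "advisory": "RHSA-2022:1013", "release_date": "2022-03-22T00:00:00Z"}]},
]

def _day(stamp):
    return date.fromisoformat(stamp[:10])  # '2021-12-10T00:00:00Z' -> date

def select_cves(records, after, before, product, severity=None,
                remove_unaffected=True, old_months=0):
    """Return the CVEs that pass the -a/-b/-p/-s/-r/-o filters."""
    prod = re.compile(product)
    lo, hi = date.fromisoformat(after), date.fromisoformat(before)
    old_lo = lo - timedelta(days=30 * old_months)  # rough month arithmetic
    out = []
    for rec in records:
        if severity and rec["threat_severity"].lower() != severity.lower():
            continue
        # -p keeps package states for matching products; -r drops unaffected ones
        states = [p for p in rec["package_state"] if prod.search(p["product_name"])]
        if remove_unaffected:
            states = [p for p in states if p["fix_state"] == "Affected"]
        if not states:
            continue
        pub = _day(rec["public_date"])
        # -o: an older CVE counts if a matching product is still open or one of
        # its errata was released inside the [after, before] window
        erratum_in_window = any(lo <= _day(e["release_date"]) <= hi
                                for e in rec["affected_release"])
        still_open = any(p["fix_state"] == "Affected" for p in states)
        if lo <= pub <= hi or (old_lo <= pub < lo and (still_open or erratum_in_window)):
            out.append({"cve": rec["name"], "package_state": states,
                        "errata": rec["affected_release"]})
    return out
```

With the README's arguments and old_months=0 both sample CVEs fall outside the window and nothing is returned; raising old_months to 3 brings back CVE-2021-44228 (still Affected for Camel Quarkus), and CVE-2021-41269 only appears once -r is turned off, because its sole matching product is marked unaffected.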
Queries the Red Hat Security Data API for the provided erratum (aka advisory, RHSA) and gathers information about the CVEs it addresses. Next, it queries the API for each CVE's details and prints all other errata connected to that CVE.
Arguments:
- -r, --rhsa <advisory name>: the erratum to look up, e.g. RHSA-2022:0188
$ python3 unresolved_cves.py --file sample_args.txt
is equivalent to:
$ python3 unresolved_cves.py -a 2022-01-13 -b 2022-07-15 -p "(Fuse 7|Camel K|Quarkus|3scale)" -s critical -r yes
CVE Number: | Severity: | Public date: | URL:
CVE-2021-44228 | critical | 2021-12-10 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44228.json
Description:
*) Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
*) A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.
Mitigation strategy:
For Log4j versions >=2.10
set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
For Log4j versions >=2.7 and <=2.14.1
all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m
For Log4j versions >=2.0-beta9 and <=2.10.0
remove the JndiLookup class from the classpath. For example:
```
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
```
On OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421
On OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441
Package state: | Fix state:
Red Hat Integration Camel Quarkus | Affected
Released errata for product: | Release date: | Advisory name:
OpenShift Logging 5.0 | 2021-12-14 | RHSA-2021:5137
OpenShift Logging 5.1 | 2021-12-14 | RHSA-2021:5128
OpenShift Logging 5.2 | 2021-12-14 | RHSA-2021:5127
OpenShift Logging 5.3 | 2021-12-14 | RHSA-2021:5129
Red Hat AMQ Streams 1 | 2021-12-14 | RHSA-2021:5133
Red Hat AMQ Streams 1 | 2021-12-14 | RHSA-2021:5138
Red Hat Data Grid 8 | 2021-12-14 | RHSA-2021:5132
Red Hat Integration | 2021-12-14 | RHSA-2021:5126
Red Hat Integration | 2021-12-14 | RHSA-2021:5130
Red Hat JBoss Enterprise Application Platform 7 | 2021-12-15 | RHSA-2021:5140
Red Hat JBoss Fuse 7 | 2021-12-14 | RHSA-2021:5134
Red Hat JBoss Fuse 7 | 2022-01-20 | RHSA-2022:0203
Red Hat OpenShift Application Runtimes 1.0 | 2021-12-14 | RHSA-2021:5093
Red Hat OpenShift Container Platform 3.11 | 2021-12-14 | RHSA-2021:5094
Red Hat OpenShift Container Platform 4.6 | 2021-12-16 | RHSA-2021:5106
Red Hat OpenShift Container Platform 4.6 | 2021-12-16 | RHSA-2021:5106
Red Hat OpenShift Container Platform 4.6 | 2021-12-16 | RHSA-2021:5141
Red Hat OpenShift Container Platform 4.7 | 2021-12-16 | RHSA-2021:5107
Red Hat OpenShift Container Platform 4.7 | 2021-12-16 | RHSA-2021:5107
Red Hat OpenShift Container Platform 4.8 | 2021-12-14 | RHSA-2021:5108
Red Hat OpenShift Container Platform 4.8 | 2021-12-15 | RHSA-2021:5148
Red Hat Process Automation 7 | 2022-01-11 | RHSA-2022:0082
Red Hat Process Automation 7 | 2022-01-26 | RHSA-2022:0296
----------------------------------------------------------------------------------------------------------------------------------------------
CVE Number: | Severity: | Public date: | URL:
CVE-2021-41269 | critical | 2021-11-17 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41269.json
Description:
*) cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. In affected versions A template Injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note, that only projects using the @Cron annotation to validate untrusted Cron expressions are affected. The issue was patched and a new version was released. Please upgrade to version 9.1.6. There are no known workarounds known.
*) A flaw was found in cron-utils. This flaw allows an attacker to perform unauthenticated Remote Code Execution (RCE) via Java Expression Language (EL) injection.
Mitigation strategy:
No mitigation strategy provided so far.
Package state: | Fix state:
Red Hat build of Quarkus | Affected
Red Hat Integration Camel Quarkus | Affected
Released errata for product: | Release date: | Advisory name:
Red Hat Integration | 2022-03-22 | RHSA-2022:1013
Red Hat OpenShift Application Runtimes 1.0 | 2022-02-21 | RHSA-2022:0589
$ python3 rhsa.py -r RHSA-2022:0188
CVE-2022-0185:
Released errata for product: | Release date: | Advisory name:
Red Hat Enterprise Linux 8 | 2022-01-19 | RHSA-2022:0176
Red Hat Enterprise Linux 8 | 2022-01-19 | RHSA-2022:0188
Red Hat Enterprise Linux 8 | 2022-01-24 | RHSA-2022:0232
Red Hat Enterprise Linux 8.4 Extended Update Support | 2022-01-19 | RHSA-2022:0187
Red Hat Enterprise Linux 8.4 Extended Update Support | 2022-01-19 | RHSA-2022:0186
Red Hat Enterprise Linux 8.4 Extended Update Support | 2022-01-24 | RHSA-2022:0231
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 | 2022-02-15 | RHSA-2022:0540
-------------------------------------------------------------------------------------------------
CVE-2021-4155:
Released errata for product: | Release date: | Advisory name:
Red Hat Enterprise Linux 6 Extended Lifecycle Support | 2022-04-19 | RHSA-2022:1417
Red Hat Enterprise Linux 7 | 2022-02-22 | RHSA-2022:0622
Red Hat Enterprise Linux 7 | 2022-02-22 | RHSA-2022:0592
Red Hat Enterprise Linux 7 | 2022-02-22 | RHSA-2022:0620
Red Hat Enterprise Linux 7.3 Advanced Update Support | 2022-02-15 | RHSA-2022:0529
Red Hat Enterprise Linux 7.4 Advanced Update Support | 2022-02-15 | RHSA-2022:0530
Red Hat Enterprise Linux 7.6 Advanced Update Support | 2022-02-15 | RHSA-2022:0531
Red Hat Enterprise Linux 7.6 Telco Extended Update Support | 2022-02-15 | RHSA-2022:0531
Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions | 2022-02-15 | RHSA-2022:0531
Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions | 2022-02-15 | RHSA-2022:0533
Red Hat Enterprise Linux 7.7 Advanced Update Support | 2022-03-01 | RHSA-2022:0712
Red Hat Enterprise Linux 7.7 Telco Extended Update Support | 2022-03-01 | RHSA-2022:0712
Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions | 2022-03-01 | RHSA-2022:0712
Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions | 2022-03-01 | RHSA-2022:0718
Red Hat Enterprise Linux 8 | 2022-01-19 | RHSA-2022:0176
Red Hat Enterprise Linux 8 | 2022-01-19 | RHSA-2022:0188
Red Hat Enterprise Linux 8 | 2022-01-24 | RHSA-2022:0232
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | 2022-02-01 | RHSA-2022:0335
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | 2022-02-01 | RHSA-2022:0344
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | 2022-03-17 | RHSA-2022:0958
Red Hat Enterprise Linux 8.2 Extended Update Support | 2022-02-22 | RHSA-2022:0629
Red Hat Enterprise Linux 8.2 Extended Update Support | 2022-02-22 | RHSA-2022:0590
Red Hat Enterprise Linux 8.2 Extended Update Support | 2022-02-22 | RHSA-2022:0636
Red Hat Enterprise Linux 8.4 Extended Update Support | 2022-01-19 | RHSA-2022:0187
Red Hat Enterprise Linux 8.4 Extended Update Support | 2022-01-19 | RHSA-2022:0186
Red Hat Enterprise Linux 8.4 Extended Update Support | 2022-01-24 | RHSA-2022:0231
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | 2022-04-07 | RHSA-2022:1263
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 | 2022-02-15 | RHSA-2022:0540
-------------------------------------------------------------------------------------------------