
Could not load the CVE OVAL error for Canonical provider's feeds #20573

Closed
Rebits opened this issue Dec 1, 2023 · 2 comments · Fixed by #20580

@Rebits
Member

Rebits commented Dec 1, 2023

Wazuh version: 4.7.0
Component: Vulnerability Detector
Install type: Manager
Install method: Packages
Platform: Any

Description

The Vulnerability Detector is failing to correctly parse Canonical provider's feeds. The manager's logs reveal the following errors:

2023/12/01 07:58:24 wazuh-modulesd:vulnerability-detector: ERROR: (5502): Could not load the CVE OVAL for 'TRUSTY'. 'XMLERR: Attribute '?' has no value.'
2023/12/01 07:58:24 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Xenial' database update.
2023/12/01 07:58:27 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu20-04.yml'
2023/12/01 07:58:27 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
2023/12/01 07:58:27 wazuh-modulesd:vulnerability-detector: ERROR: (5502): Could not load the CVE OVAL for 'XENIAL'. 'XMLERR: Attribute '?' has no value.'
2023/12/01 07:58:27 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Bionic' database update.
2023/12/01 07:58:30 wazuh-modulesd:vulnerability-detector: ERROR: (5502): Could not load the CVE OVAL for 'BIONIC'. 'XMLERR: Attribute '?' has no value.'
2023/12/01 07:58:30 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Focal' database update.
2023/12/01 07:58:32 wazuh-modulesd:vulnerability-detector: ERROR: (5502): Could not load the CVE OVAL for 'FOCAL'. 'XMLERR: Attribute '?' has no value.'

This issue appears to be linked to recent changes in the feeds from the providers, causing failures within the last 24 hours, as evidenced by the nightly tests:

Steps to reproduce

  • Enable Vulnerability Detector and the Canonical provider in a manager:
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
....

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>
  • Restart the manager and observe that the feeds are not correctly parsed:
2023/12/01 08:03:36 wazuh-modulesd:vulnerability-detector: ERROR: (5502): Could not load the CVE OVAL for 'FOCAL'. 'XMLERR: Attribute '?' has no value.'
@Alphaegen

Alphaegen commented Dec 1, 2023

I've got the same problem on the same Wazuh version. I also had it on a version earlier than the one mentioned in this thread, but I don't remember which one it was as I thought updating it would fix the problem.

Dec 1, 2023 @ 01:39:51.000 wazuh-modulesd:vulnerability-detector INFO  (5400): Starting 'Ubuntu Trusty' database update.
Dec 1, 2023 @ 01:39:52.000 wazuh-modulesd:vulnerability-detector ERROR  (5502): Could not load the CVE OVAL for 'TRUSTY'. 'XMLERR: Attribute '?' has no value.'
Dec 1, 2023 @ 01:39:52.000 wazuh-modulesd:vulnerability-detector INFO  (5400): Starting 'Ubuntu Xenial' database update.
Dec 1, 2023 @ 01:39:52.000 wazuh-modulesd:vulnerability-detector ERROR  (5502): Could not load the CVE OVAL for 'XENIAL'. 'XMLERR: Attribute '?' has no value.'
Dec 1, 2023 @ 01:39:52.000 wazuh-modulesd:vulnerability-detector ERROR  (5513): CVE database could not be updated.
Dec 1, 2023 @ 01:39:53.000 wazuh-modulesd:vulnerability-detector INFO  (5400): Starting 'Ubuntu Bionic' database update.
Dec 1, 2023 @ 01:39:53.000 wazuh-modulesd:vulnerability-detector ERROR  (5502): Could not load the CVE OVAL for 'BIONIC'. 'XMLERR: Attribute '?' has no value.'
Dec 1, 2023 @ 01:39:53.000 wazuh-modulesd:vulnerability-detector INFO  (5400): Starting 'Ubuntu Focal' database update.
Dec 1, 2023 @ 01:39:54.000 wazuh-modulesd:vulnerability-detector ERROR  (5502): Could not load the CVE OVAL for 'FOCAL'. 'XMLERR: Attribute '?' has no value.'
Dec 1, 2023 @ 01:39:54.000 wazuh-modulesd:vulnerability-detector INFO  (5400): Starting 'Ubuntu Jammy' database update.
Dec 1, 2023 @ 01:39:54.000 wazuh-modulesd:vulnerability-detector ERROR  (5502): Could not load the CVE OVAL for 'JAMMY'. 'XMLERR: Attribute '?' has no value.'

@MarcelKemp
Member

MarcelKemp commented Dec 1, 2023

Research

The bug is caused by Canonical adding the following line to the beginning of the OVAL, causing it to fail to parse the feed correctly:

<?xml version="1.0" ?>

Workaround

Download the OVALs to the server locally, unzip them and delete the first line (if it matches):

# Working directory for the locally patched feeds (the provider config below points here)
mkdir custom-ubuntu-ovals-fixed
cd custom-ubuntu-ovals-fixed
# Fetch the bzip2-compressed OVAL for each Ubuntu release in use
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.jammy.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.focal.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.bionic.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.xenial.cve.oval.xml.bz2
curl -SO https://security-metadata.canonical.com/oval/com.ubuntu.trusty.cve.oval.xml.bz2
# Decompress in place, leaving com.ubuntu.<release>.cve.oval.xml
bzip2 -d com.ubuntu.*
# Delete the XML declaration line that the Wazuh parser chokes on (only lines matching it exactly are removed)
sed -i '/<?xml version="1.0" ?>/d' com.ubuntu.*

Once the above is done, modify the Canonical provider configuration block so that it performs the corresponding offline update. As this is an offline update, it is necessary to manually download the feeds to keep them up to date:

    <provider name="canonical">
      <enabled>yes</enabled>
      <os path="/custom-ubuntu-ovals-fixed/com.ubuntu.trusty.cve.oval.xml">trusty</os>
      <os path="/custom-ubuntu-ovals-fixed/com.ubuntu.xenial.cve.oval.xml">xenial</os>
      <os path="/custom-ubuntu-ovals-fixed/com.ubuntu.bionic.cve.oval.xml">bionic</os>
      <os path="/custom-ubuntu-ovals-fixed/com.ubuntu.focal.cve.oval.xml">focal</os>
      <os path="/custom-ubuntu-ovals-fixed/com.ubuntu.jammy.cve.oval.xml">jammy</os>
      <update_interval>1h</update_interval>
    </provider>

Note: Modify the path, depending on where you have executed the commands.

And in the case of using ESM OVALs, apply the same steps but change the links and file names.
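The research note above says the failure is the XML declaration at the top of the feed, and the workaround deletes one exact line with sed. The following is an added example, not code from this thread or from the Wazuh project: it strips a leading XML declaration in its other common spellings too (an encoding or standalone attribute, no space before ?>, CRLF line endings, a UTF-8 byte-order mark), leaves a file that has no declaration untouched, and checks that what remains still parses as an OVAL definitions document before it is written where the provider's path attribute points. The function names, the OVAL namespace constant and the miniature feed embedded at the bottom are assumptions made for the example; the real Canonical files are far larger.

```python
"""Strip the leading XML declaration from a Canonical OVAL feed and verify
the result is still a well-formed OVAL definitions document.

Added example, not Wazuh project code. It generalises the sed one-liner in
the workaround above to the declaration variants that a feed may carry.
"""
import re
import xml.etree.ElementTree as ET

# A leading XML declaration, optionally preceded by a UTF-8 BOM, together
# with the line ending that terminates it. Anchored with \A so that only
# the very start of the file is considered.
_XML_DECL = re.compile(rb"\A(?:\xef\xbb\xbf)?<\?xml\s[^>]*\?>[ \t]*\r?\n?")

# Namespace used by OVAL definitions documents (assumed for the check below).
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"


def strip_xml_declaration(data: bytes) -> tuple[bytes, bool]:
    """Return (feed without a leading XML declaration, whether one was removed).

    A declaration that is not at the very start is left alone: such a file is
    not valid XML anyway and should be inspected rather than silently edited.
    """
    m = _XML_DECL.match(data)
    if m is None:
        return data, False
    return data[m.end():], True


def verify_oval(data: bytes) -> int:
    """Parse the feed and return the number of <definition> elements.

    Raises ET.ParseError if the bytes are not well-formed XML and ValueError
    if the root element is not <oval_definitions> in the OVAL namespace.
    """
    root = ET.fromstring(data)
    if root.tag != f"{{{OVAL_NS}}}oval_definitions":
        raise ValueError(f"unexpected root element: {root.tag}")
    return len(root.findall(f".//{{{OVAL_NS}}}definition"))


def fix_feed(src_path: str, dst_path: str) -> bool:
    """Read a decompressed OVAL file, strip the declaration, verify, write.

    Returns True if a declaration was removed. The verification runs before
    anything is written, so a broken feed never replaces a good one.
    """
    with open(src_path, "rb") as f:
        data = f.read()
    fixed, removed = strip_xml_declaration(data)
    verify_oval(fixed)
    with open(dst_path, "wb") as f:
        f.write(fixed)
    return removed


# Constructed miniature of a Canonical OVAL feed for demonstration only;
# it is not the real com.ubuntu.focal.cve.oval.xml.
SAMPLE_WITH_DECL = (
    b'<?xml version="1.0" ?>\n'
    b'<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">\n'
    b'  <generator><product_name>canonical-oval</product_name></generator>\n'
    b'  <definitions>\n'
    b'    <definition id="oval:com.ubuntu.focal:def:1" class="vulnerability" version="1"/>\n'
    b'    <definition id="oval:com.ubuntu.focal:def:2" class="vulnerability" version="1"/>\n'
    b'  </definitions>\n'
    b'</oval_definitions>\n'
)

if __name__ == "__main__":
    fixed, removed = strip_xml_declaration(SAMPLE_WITH_DECL)
    print("declaration removed:", removed)
    print("definitions found:", verify_oval(fixed))
```

Run fix_feed("com.ubuntu.focal.cve.oval.xml", "/custom-ubuntu-ovals-fixed/com.ubuntu.focal.cve.oval.xml") for each release after decompressing the downloads; the verification step is what the sed one-liner lacks, and it is worth keeping because a feed that fails to parse locally would otherwise only show up as another 5502 error after the next update interval.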

vikman90 linked a pull request Dec 4, 2023 that will close this issue
vikman90 closed this as completed Dec 4, 2023