False positive in xz-util vulnerability scan (CVE-2024-3094, CVE-2022-1271) #22992
Comments
Hi @sakib789, Thank you for reporting this but I was unable to reproduce it. What's the output from this query?
How did you install the xz-utils package? It would be great if you could reproduce this behavior and share the logs you get. For that, put the line You will also need to remove and re-install the package so the scan triggers again. Beyond that, you are correct and you shouldn't get that vulnerability.
Hi @MiguelazoDS , Sorry for the late response due to the weekend. I have downloaded it following this method.
This is the output from the database query. Let me know if you need any further information.
Thank you @sakib789! We should consider this case during the refactoring of the module, I'll talk to the team about this.
CVE-2024-3094 will be solved in 4.8.0. The feed for Ubuntu is informed as:

```json
{
  "defaultStatus": "unaffected",
  "platforms": [
    "bionic",
    "focal",
    "jammy",
    "mantic",
    "trusty",
    "xenial"
  ],
  "product": "xz-utils",
  "vendor": "canonical"
}
```

So this vulnerability won't be present.
CVE-2022-1271 has similar information for all vendors (except for the NVD, which informs different packages). Entry for focal:

```json
{
  "defaultStatus": "unaffected",
  "platforms": [
    "focal"
  ],
  "product": "xz-utils",
  "vendor": "canonical",
  "versions": [
    {
      "lessThan": "5.2.4-1ubuntu1.1",
      "status": "affected",
      "version": "0",
      "versionType": "custom"
    }
  ]
}
```

Conclusion: This vulnerability will be correctly detected in Ubuntu systems.
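The two feed entries quoted in the comments above decide the outcome in different ways: the CVE-2024-3094 entry has `defaultStatus: unaffected` and no `versions` list, so every Ubuntu build of xz-utils is unaffected, while the CVE-2022-1271 focal entry overrides that default for versions below `5.2.4-1ubuntu1.1`, so `5.2.4-1` is reported as affected and `5.2.4-1ubuntu1.1` is not. The script below is an added example, not Wazuh's own code, that walks through exactly that evaluation. It assumes the range semantics of the CVE 5.0 JSON schema (`version` is the inclusive lower bound, `lessThan` the exclusive upper bound, `lessThanOrEqual` the inclusive one) and compares package versions with the Debian/dpkg ordering, reimplemented here from Debian Policy (epoch, upstream, revision; `~` sorts before anything, digit runs compare numerically). The feed dictionaries are copied from the values posted in the thread; how Wazuh itself matches the `platforms` list is an assumption (the example requires the release codename to appear in it).

```python
"""Evaluate a package version against CVE 5.0-style 'affected' entries.

Added example, not Wazuh code. The version comparison reimplements the
dpkg algorithm described in Debian Policy.
"""
from typing import Optional

# Feed entries copied from the values quoted in the thread above.
CVE_2024_3094_UBUNTU = {
    "defaultStatus": "unaffected",
    "platforms": ["bionic", "focal", "jammy", "mantic", "trusty", "xenial"],
    "product": "xz-utils",
    "vendor": "canonical",
}

CVE_2022_1271_FOCAL = {
    "defaultStatus": "unaffected",
    "platforms": ["focal"],
    "product": "xz-utils",
    "vendor": "canonical",
    "versions": [
        {"lessThan": "5.2.4-1ubuntu1.1", "status": "affected",
         "version": "0", "versionType": "custom"}
    ],
}


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' < end-of-string/digit < letters < others."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) like dpkg's verrevcmp."""
    i = j = 0
    ca = lambda: a[i] if i < len(a) else ""  # current char of a, "" past the end
    cb = lambda: b[j] if j < len(b) else ""
    while ca() or cb():
        # Non-digit run: compare character weights one by one.
        while (ca() and not ca().isdigit()) or (cb() and not cb().isdigit()):
            oa, ob = _order(ca()), _order(cb())
            if oa != ob:
                return -1 if oa < ob else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically.
        while ca() == "0":
            i += 1
        while cb() == "0":
            j += 1
        first_diff = 0
        while ca().isdigit() and cb().isdigit():
            if not first_diff:
                first_diff = ord(ca()) - ord(cb())
            i += 1
            j += 1
        if ca().isdigit():   # a has more digits -> larger number
            return 1
        if cb().isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def dpkg_compare(v1: str, v2: str) -> int:
    """Full Debian version comparison: epoch, then upstream, then revision."""
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""   # a missing revision behaves like "0"
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def _in_range(version: str, rng: dict) -> bool:
    """True when `version` falls inside one CVE 5.0 version range object."""
    if dpkg_compare(version, rng["version"]) < 0:
        return False
    if "lessThan" in rng:
        return dpkg_compare(version, rng["lessThan"]) < 0
    if "lessThanOrEqual" in rng:
        return dpkg_compare(version, rng["lessThanOrEqual"]) <= 0
    return dpkg_compare(version, rng["version"]) == 0   # a single exact version


def status_for(entry: dict, product: str, platform: str, version: str) -> Optional[str]:
    """Return 'affected' or 'unaffected' for the package, or None when the entry
    does not cover this product/platform at all (the feed says nothing about it)."""
    if entry["product"] != product or platform not in entry.get("platforms", []):
        return None
    status = entry["defaultStatus"]
    for rng in entry.get("versions", []):
        if _in_range(version, rng):
            status = rng["status"]   # a matching range overrides the default
    return status


if __name__ == "__main__":
    for name, entry in (("CVE-2024-3094", CVE_2024_3094_UBUNTU),
                        ("CVE-2022-1271", CVE_2022_1271_FOCAL)):
        for ver in ("5.2.4-1", "5.2.4-1ubuntu1.1"):
            print(f"{name} xz-utils {ver} on focal -> "
                  f"{status_for(entry, 'xz-utils', 'focal', ver)}")
```

Running it prints `unaffected` for both versions under CVE-2024-3094, and `affected` for `5.2.4-1` but `unaffected` for `5.2.4-1ubuntu1.1` under CVE-2022-1271, which is the behaviour the conclusion above describes. The string-level detail that matters is that the Ubuntu revision `1ubuntu1.1` sorts after the plain Debian revision `1`, so a naive lexical or semver comparison would not reach the same answer.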
Hi Team,
While working on this community, I've observed that the Wazuh Vulnerability scan has flagged xz-utils version 5.2.4-1 as vulnerable on Ubuntu 20.04.6 LTS, citing CVE-2022-1271 and CVE-2024-3094.
However, according to both the National Vulnerability Database (NVD) and Canonical Ubuntu, the officially recognized vulnerable versions are 5.6.0 and 5.6.1.
Sources:
CVE-2024-3094
CVE-2022-1271
Ubuntu Security Advisory
My investigation suggests that versions lower than the aforementioned ones are not susceptible to these vulnerabilities.
I kindly request a thorough review of this matter.