
False positive in xz-utils vulnerability scan (CVE-2024-3094, CVE-2022-1271) #22992

Closed
sakib789 opened this issue Apr 19, 2024 · 8 comments

Comments

@sakib789
Member

Wazuh version: 4.7.3
Component: Vulnerability Detector
Install type: -
Install method: -
Platform: Ubuntu 20.04.6 LTS

Hi Team,

While working on this community, I've observed that the Wazuh Vulnerability scan has flagged xz-utils version 5.2.4-1 as vulnerable on Ubuntu 20.04.6 LTS, citing CVE-2022-1271 and CVE-2024-3094.


However, according to both the National Vulnerability Database (NVD) and Canonical Ubuntu, the officially recognized vulnerable versions are 5.6.0 and 5.6.1.

Sources:
CVE-2024-3094
CVE-2022-1271
Ubuntu Security Advisory

My investigation suggests that versions lower than the aforementioned ones are not susceptible to these vulnerabilities.

I kindly request a thorough review of this matter.

@MiguelazoDS
Member

Hi @sakib789,

Thank you for reporting this but I was unable to reproduce it.


What's the output from this query?

sqlite3 /var/ossec/queue/db/001.db 'select * from sys_programs where name like "%xz%"' --line

How did you install the xz-utils package?

It would be great if you could reproduce this behavior and share the logs you get. For that, put the line wazuh_modules.debug=2 in your /var/ossec/etc/local_internal_options.conf and restart your manager.

You will also need to remove and re-install the package so the scan triggers again.

Beyond that, you are correct and you shouldn't get that vulnerability.

@sakib789
Member Author

sakib789 commented Apr 22, 2024

Hi @MiguelazoDS ,

Sorry for the late response due to the weekend.

I have downloaded it following this method.

wget http://archive.ubuntu.com/ubuntu/pool/main/x/xz-utils/xz-utils_5.2.4-1_amd64.deb

sudo apt install /path_to_file/xz-utils_5.2.4-1_amd64.deb


This is the output from the database query


Let me know if you need any further information.

@sakib789
Member Author

I have just noticed the vulnerability was resolved without any changes after an hour.

This is the command history from my OS.

@sakib789
Member Author

It again triggered as vulnerable while reinstalling. Check the screenshots as a reference.


@MiguelazoDS MiguelazoDS removed their assignment Apr 22, 2024
@MiguelazoDS
Member

Thank you @sakib789! We should consider this case during the refactoring of the module, I'll talk to the team about this.

@sebasfalcone
Member

CVE-2024-3094 will be solved in 4.8.0

The feed for Ubuntu is informed as:

          {
            "defaultStatus": "unaffected",
            "platforms": [
              "bionic",
              "focal",
              "jammy",
              "mantic",
              "trusty",
              "xenial"
            ],
            "product": "xz-utils",
            "vendor": "canonical"
          }

So this vulnerability won't be present.

@sebasfalcone
Member

CVE-2022-1271 has similar information for all vendors (except for the NVD which informs different packages)

Entry for focal:

          {
            "defaultStatus": "unaffected",
            "platforms": [
              "focal"
            ],
            "product": "xz-utils",
            "vendor": "canonical",
            "versions": [
              {
                "lessThan": "5.2.4-1ubuntu1.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }

@sebasfalcone sebasfalcone self-assigned this Apr 23, 2024
@sebasfalcone
Member

Conclusion

This vulnerability will be correctly detected in Ubuntu systems.
