Vulnerability Detector - False positive: Grafana - CVE-2023-4822 #24952
Comments
RCA

Why is this a false positive?

If we take a look at the CVE for each vendor:

```json
{
  "defaultStatus": "unaffected",
  "platforms": [
    "cpe:/a:redhat:enterprise_linux:8",
    "cpe:/a:redhat:enterprise_linux:8::appstream",
    "cpe:/a:redhat:enterprise_linux:8::crb",
    "cpe:/a:redhat:enterprise_linux:8::highavailability",
    "cpe:/a:redhat:enterprise_linux:8::nfv",
    "cpe:/a:redhat:enterprise_linux:8::realtime",
    "cpe:/a:redhat:enterprise_linux:8::resilientstorage",
    "cpe:/a:redhat:enterprise_linux:8::sap",
    "cpe:/a:redhat:enterprise_linux:8::sap_hana",
    "cpe:/a:redhat:enterprise_linux:8::supplementary",
    "cpe:/o:redhat:enterprise_linux:8",
    "cpe:/o:redhat:enterprise_linux:8::baseos"
  ],
  "product": "grafana",
  "vendor": "redhat"
}
```
```json
{
  "defaultStatus": "unknown",
  "platforms": [
    "bionic",
    "trusty",
    "xenial"
  ],
  "product": "grafana",
  "vendor": "canonical"
}
```
```json
{
  "cpes": [
    "cpe:2.3:a:grafana:grafana-enterprise:*:*:*:*:enterprise:*:*:*"
  ],
  "defaultStatus": "unaffected",
  "product": "grafana-enterprise",
  "vendor": "contact@grafana.com",
  "versions": [
    {
      "lessThan": "10.0.7",
      "status": "affected",
      "version": "10.0.0",
      "versionType": "custom"
    },
    {
      "lessThan": "10.1.3",
      "status": "affected",
      "version": "10.1.0",
      "versionType": "custom"
    },
    {
      "lessThan": "9.4.16",
      "status": "affected",
      "version": "8.0.0",
      "versionType": "custom"
    },
    {
      "lessThan": "9.5.11",
      "status": "affected",
      "version": "9.5.0",
      "versionType": "custom"
    }
  ]
}
```

Both Ubuntu and RedHat identify Grafana as not vulnerable.

Why is it matching?

If we follow the analysis performed here:

We see that the checks are against version

The reason why the NVD is selected as the corresponding CNA is because the vendor for

Why is it matching

Seems like this sanitization didn't impact the content yet:

```text
./rocks_db_query_testtool -d ~/Documents/work/development/wazuh-master/src/queue/vd/feed/ -c nvd -f /home/sebas/Documents/work/development/wazuh-master/src/wazuh_modules/vulnerability_scanner/schemas/vulnerabilityCandidate.fbs -k grafana_CVE-2023-4822
grafana_CVE-2023-4822 ==> {
  "candidates": [
    {
      "cveId": "CVE-2023-4822",
      "defaultStatus": "unaffected",
      "versions": [
        {
          "version": "10.0.0",
          "lessThan": "10.0.7",
          "versionType": "custom"
        },
        {
          "version": "10.1.0",
          "lessThan": "10.1.3",
          "versionType": "custom"
        },
        {
          "version": "8.0.0",
          "lessThan": "9.4.16",
          "versionType": "custom"
        },
        {
          "version": "9.5.0",
          "lessThan": "9.5.11",
          "versionType": "custom"
        }
      ],
      "vendor": "grafana"
    }
  ]
}
```

I asked the team to check whether or not CTI contains the sanitization (because I don't have this access).

Main issue

On the other hand, the NVD is wrongly used in this scenario. I will attempt to propose a solution.
Update

I updated the content via offsets. The old Grafana CVE disappeared from the NVD as expected:

```text
./rocks_db_query_testtool -d ~/Documents/work/development/wazuh-master/src/queue/vd/feed/ -c nvd -f /home/sebas/Documents/work/development/wazuh-master/src/wazuh_modules/vulnerability_scanner/schemas/vulnerabilityCandidate.fbs -k grafana-enterise_CVE-2023-4822
Unable to find resource.
./rocks_db_query_testtool -d ~/Documents/work/development/wazuh-master/src/queue/vd/feed/ -c nvd -f /home/sebas/Documents/work/development/wazuh-master/src/wazuh_modules/vulnerability_scanner/schemas/vulnerabilityCandidate.fbs -k grafana-enterprise_CVE-2023-4822
grafana-enterprise_CVE-2023-4822 ==> {
  "candidates": [
    {
      "cveId": "CVE-2023-4822",
      "defaultStatus": "unaffected",
      "versions": [
        {
          "version": "10.0.0",
          "lessThan": "10.0.7",
          "versionType": "custom"
        },
        {
          "version": "10.1.0",
          "lessThan": "10.1.3",
          "versionType": "custom"
        },
        {
          "version": "8.0.0",
          "lessThan": "9.4.16",
          "versionType": "custom"
        },
        {
          "version": "9.5.0",
          "lessThan": "9.5.11",
          "versionType": "custom"
        }
      ],
      "vendor": "contact@grafana.com"
    }
  ]
}
```

And if we re-run the false positive efficacy tests, they now are passing:

```text
================================================================== 2 passed, 23 skipped in 124.13s (0:02:04) ==================================================================
```
Conclusion

This immediate issue will be solved once the content is updated. To fix this behaviour we need to re-think the way we determine the CNA for a given package.

Proposed solution

The proposed solution can be found here.
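To make the precedence argued for in the RCA and the conclusion concrete, here is an added illustration written for this issue; it is not Wazuh's vulnerability-scanner code and not the proposed solution linked above. It embeds the three per-vendor records quoted in the RCA for CVE-2023-4822 and applies one assumed rule: a record published by the platform's own vendor (Red Hat, Canonical) decides the status for that platform, and only when no such record exists are the upstream CNA's `custom` version ranges compared against the installed version. The `evaluate` function, the platform identifiers passed in, and the `debian12` stand-in platform are assumptions made for the example.

```python
"""Model of CNA precedence and version-range matching for CVE-2023-4822.

Added example for this issue; it is not Wazuh's vulnerability-scanner code.
The three records are the ones quoted in the RCA above. The precedence rule
(a distribution's own record wins over the upstream/NVD record) and the
platform identifiers used are assumptions made for illustration.
"""

# Constructed from the three per-vendor records quoted in the RCA.
CVE_RECORDS = [
    {
        "vendor": "redhat",
        "product": "grafana",
        "defaultStatus": "unaffected",
        "platforms": [
            "cpe:/o:redhat:enterprise_linux:8",
            "cpe:/o:redhat:enterprise_linux:8::baseos",
            "cpe:/a:redhat:enterprise_linux:8::appstream",
        ],
    },
    {
        "vendor": "canonical",
        "product": "grafana",
        "defaultStatus": "unknown",
        "platforms": ["bionic", "trusty", "xenial"],
    },
    {
        "vendor": "contact@grafana.com",
        "product": "grafana-enterprise",
        "defaultStatus": "unaffected",
        "versions": [
            {"version": "10.0.0", "lessThan": "10.0.7", "status": "affected", "versionType": "custom"},
            {"version": "10.1.0", "lessThan": "10.1.3", "status": "affected", "versionType": "custom"},
            {"version": "8.0.0", "lessThan": "9.4.16", "status": "affected", "versionType": "custom"},
            {"version": "9.5.0", "lessThan": "9.5.11", "status": "affected", "versionType": "custom"},
        ],
    },
]


def parse_version(text):
    """Turn a dotted version such as '9.5.11' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def in_range(version, start, less_than):
    """Half-open range check, start <= version < less_than, as a 'custom' range is read here."""
    return parse_version(start) <= parse_version(version) < parse_version(less_than)


def evaluate(product, version, platform, records=CVE_RECORDS):
    """Return (status, vendor) for an installed package on a platform.

    Assumed rule: the platform vendor's own record is authoritative and is
    consulted first; the upstream CNA's version ranges are only compared
    when no platform-specific record exists for the product.
    """
    # 1. Platform vendor record (Red Hat / Canonical) decides if it lists the platform.
    for rec in records:
        if rec["product"] == product and platform in rec.get("platforms", []):
            return rec["defaultStatus"], rec["vendor"]

    # 2. Otherwise fall back to the upstream CNA and its version ranges.
    for rec in records:
        if rec["product"] != product or "versions" not in rec:
            continue
        for rng in rec["versions"]:
            if in_range(version, rng["version"], rng["lessThan"]):
                return rng["status"], rec["vendor"]
        return rec["defaultStatus"], rec["vendor"]

    # 3. No record at all for this product: nothing can be asserted.
    return "unknown", None


if __name__ == "__main__":
    # Constructed cases; "debian12" stands in for a platform without a distro record.
    for args in [
        ("grafana", "9.5.3", "cpe:/o:redhat:enterprise_linux:8"),
        ("grafana", "9.5.3", "bionic"),
        ("grafana-enterprise", "9.5.3", "debian12"),
        ("grafana-enterprise", "9.5.11", "debian12"),
        ("grafana", "9.5.3", "debian12"),
    ]:
        print(args, "->", evaluate(*args))
```

With this ordering the `grafana` package on RHEL 8 or Ubuntu bionic is reported from the distro record (`unaffected` and `unknown` respectively) even though 9.5.3 sits inside the upstream 9.5.0 to 9.5.11 range; the upstream ranges only apply to `grafana-enterprise` on a platform with no vendor record. It also shows why the upstream record's product and vendor names matter: after the sanitization in the update above, a package named `grafana` no longer matches the `grafana-enterprise` entry at all.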
Analysis understood, this does not mean that we will address it with what is proposed in: #25096
Description
Currently, we are identifying Grafana as vulnerable to CVE-2023-4822 on Ubuntu and RedHat systems.
DoD