diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 607af84f..f1058184 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,8 +23,8 @@ on: workflow_dispatch: env: - TRIVY_VERSION: 0.44.0 - BUILDKIT_VERSION: 0.12.0 + TRIVY_VERSION: 0.56.2 + BUILDKIT_VERSION: 0.16.0 jobs: unit-test:
@@ -41,7 +41,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: "1.22" + go-version: "1.23" check-latest: true - name: Add containerd-snapshotter to docker daemon run: |
@@ -74,7 +74,7 @@ jobs: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: "1.22" + go-version: "1.23" check-latest: true - name: Build copa shell: bash
@@ -112,7 +112,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: "1.22" + go-version: "1.23" check-latest: true - name: Install required tools shell: bash
@@ -154,7 +154,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: "1.22" + go-version: "1.23" check-latest: true - name: Install required tools shell: bash
@@ -192,7 +192,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: "1.22" + go-version: "1.23" check-latest: true - name: Install scanner-plugin-template shell: bash
diff --git a/.github/workflows/check-deps.yml b/.github/workflows/check-deps.yml
index 73cfdda1..82a5318d 100644
--- a/.github/workflows/check-deps.yml
+++ b/.github/workflows/check-deps.yml
@@ -21,7 +21,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: "1.22" + go-version: "1.23" check-latest: true - name: Check go.mod shell: bash
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 975b9768..f1f9181e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -53,7 +53,7 @@ jobs: - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: "1.22" + go-version: "1.23" check-latest: true # Initializes the CodeQL tools for scanning.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 1c8e8971..b7a99653 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -31,6 +31,6 @@ jobs: steps: - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: "1.22" + go-version: "1.23" check-latest: true - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index a1d08112..f401b90e 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -31,10 +31,10 @@ jobs: - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: "1.22" + go-version: "1.23" check-latest: true - name: lint uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1 with: - version: v1.54.1 + version: v1.61.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3a00c080..9c62b98b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs: - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: "1.22" + go-version: "1.23" check-latest: true - uses: anchore/sbom-action/download-syft@8d0a6505bf28ced3e85154d13dc6af83299e13f1 # v0.17.4
diff --git a/.golangci.yml b/.golangci.yml
index 2030f044..10300da0 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -14,7 +14,7 @@ linters: disable-all: true enable: - errcheck - - exportloopref + - copyloopvar - forcetypeassert - gocritic - goconst
diff --git a/integration/fixtures/test-images.json b/integration/fixtures/test-images.json
index e2640189..09ce213f 100644
--- a/integration/fixtures/test-images.json
+++ b/integration/fixtures/test-images.json
@@ -95,7 +95,7 @@ "tag": "2.0.20240112", "digest": "sha256:60323975ec3aabe1840920a65237950a54c5fef6ffc811a5d26bb6bd130f1cc3", "distro": "Mariner", - "description": "Valid rpm DB, no dnf, yum & rpm present", + "description": "Valid rpm DB, tdnf, yum & rpm present", "ignoreErrors": false }, {
@@ -103,7 +103,7 @@ "tag": "2.0.20240112-arm64", "digest": "sha256:c85680df0ddccfd5bf0cd60ff7d0c07b0ea783bcee9ce5dc748b68c0d36e280a", "distro": "Mariner", - "description": "Valid rpm DB, no dnf, yum & rpm present, arm64 cross-arch", + "description": "Valid rpm DB, tdnf, yum & rpm present, arm64 cross-arch", "ignoreErrors": false }, {
@@ -111,7 +111,31 @@ "tag": "2.0.20220527", "digest": "sha256:f550c5428df17b145851ad75983aca6d613ad4b51ca7983b2a83e67d0ac91a5d", "distro": "Mariner Distroless", - "description": "Custom rpmmanifest files, no yum/dnf/microdnf/rpm", + "description": "Custom rpmmanifest files, no yum/tdnf/dnf/microdnf/rpm", + "ignoreErrors": false + }, + { + "image": "mcr.microsoft.com/azurelinux/base/core", + "tag": "3.0.20240727", + "digest": "sha256:02004412d6133fba772fd88dd45ea99b61258722bfc796c156937df4a5d75c6c", + "distro": "Azure Linux", + "description": "Valid rpm DB, tdnf & rpm present, no dnf or yum", + "ignoreErrors": false + }, + { + "image": "mcr.microsoft.com/azurelinux/base/core", + "tag": "3.0.20240727-arm64", + "digest": "sha256:5975d2ba45e7d256d4eb4e2b3df3aefbaddf25f14fa300fa126fb93b9f082d33", + "distro": "Azure Linux", + "description": "Valid rpm DB, tdnf & rpm present, no dnf or yum, arm64 cross-arch", + "ignoreErrors": false + }, + { + "image": "mcr.microsoft.com/azurelinux/distroless/base", + "tag": "3.0.20240727", + "digest": "sha256:50c24841324cdb36a268bb1288dd6f8bd5bcf19055c24f6aaa750a740a8be62d", + "distro": "Azure Linux Distroless", + "description": "Custom rpmmanifest files, no yum/tdnf/dnf/microdnf/rpm", "ignoreErrors": false }, {
diff --git a/integration/patch_test.go b/integration/patch_test.go
index 973b81e3..d1431910 100644
--- a/integration/patch_test.go
+++ b/integration/patch_test.go
@@ -47,13 +47,15 @@ func TestPatch(t *testing.T) { require.NoError(t, err) for _, img := range images { - img := img // Oracle tends to throw false positives with Trivy // See https://github.com/aquasecurity/trivy/issues/1967#issuecomment-1092987400 if !reportFile && !strings.Contains(img.Image, "oracle") { img.IgnoreErrors = false } + // download the trivy db before running the tests + downloadDB(t) + t.Run(img.Description, func(t *testing.T) { t.Parallel()
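Review bot: `downloadDB(t)` is placed inside the `for _, img := range images` loop, so the Trivy DB fetch runs once per image (serially, before any of the parallel subtests start) although the new comment says it is meant to happen once before the tests; moving the two added lines above the loop header turns it into a single `trivy image --download-db-only` run, i.e. `// download the trivy db once before running the tests` / `downloadDB(t)` followed by `for _, img := range images {`. Dropping `img := img` is only safe if go.mod's `go` directive is at or above 1.22 (per-iteration loop variables); the CI `go-version: "1.23"` bump and the `copyloopvar` linter in `.golangci.yml` do not change that directive, and go.mod is not in this diff, so worth confirming. TestPatch continues outside the hunk.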
@@ -81,6 +83,7 @@ func TestPatch(t *testing.T) { scanner(). withIgnoreFile(ignoreFile). withOutput(scanResults). + withSkipDBUpdate(). // Do not set a non-zero exit code because we are expecting vulnerabilities. scan(t, ref, img.IgnoreErrors) }
@@ -109,6 +112,7 @@ func TestPatch(t *testing.T) { t.Log("scanning patched image") scanner(). withIgnoreFile(ignoreFile). + withSkipDBUpdate(). // here we want a non-zero exit code because we are expecting no vulnerabilities. withExitCode(1). scan(t, patchedRef, img.IgnoreErrors)
@@ -232,11 +236,26 @@ type scannerCmd struct { exitCode int } +func downloadDB(t *testing.T) { + args := []string{ + "trivy", + "image", + "--download-db-only", + "--db-repository=ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db", + } + cmd := exec.Command(args[0], args[1:]...) //#nosec G204 + cmd.Env = append(cmd.Env, os.Environ()...) + cmd.Env = append(cmd.Env, dockerDINDAddress.env()...) + out, err := cmd.CombinedOutput() + require.NoError(t, err, string(out)) +} + +func (s *scannerCmd) scan(t *testing.T, ref string, ignoreErrors bool) { args := []string{ "trivy", "image", - "--vuln-type=os", + "--quiet", + "--pkg-types=os", "--ignore-unfixed", "--scanners=vuln", }
diff --git a/mariner.json b/mariner.json
deleted file mode 100644
index 9e310b68..00000000
--- a/mariner.json
+++ /dev/null
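Review bot: `withSkipDBUpdate()` is called here and again in the hunk at line 112, but this diff adds no such method on `scannerCmd` (the struct context at line 236 shows only `exitCode int`), so unless it already existed in patch_test.go the file will not compile; if it is new it belongs in this commit next to the other builder methods. The pairing it implies — one `downloadDB` fetch, then every parallel scan told not to update — is presumably what keeps the subtests from each pulling the DB, and a one-line comment at this first call site would save the next reader the inference, e.g. `// DB is fetched once by downloadDB; skip the update so the parallel scans all use that copy.`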
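Review bot: `downloadDB` runs `trivy` through `exec.Command` with no deadline, so a stalled pull from either registry named in `--db-repository` hangs the whole test binary until the `go test` timeout instead of failing this step with its output; `exec.CommandContext` with a bounded context gives a clear failure, e.g. `ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)` / `defer cancel()` / `cmd := exec.CommandContext(ctx, args[0], args[1:]...) //#nosec G204` (the import block is outside the hunk; add `context` and `time` if the file lacks them). The function also has no doc comment; something like `// downloadDB fetches the Trivy vulnerability DB ahead of the scans, which are run with withSkipDBUpdate so they do not each refresh it.` would state the contract the callers rely on. The `#nosec G204` is justified here since every element of `args` is a string literal, but that is worth saying in the comment so a later edit that interpolates input does not inherit the suppression silently.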
@@ -1,2936 +0,0 @@ -{ - "SchemaVersion": 2, - "ArtifactName": "mcr.microsoft.com/cbl-mariner/distroless/base:2.0.20220527", - "ArtifactType": "container_image", - "Metadata": { - "OS": { - "Family": "cbl-mariner", - "Name": "2.0.20220527" - }, - "ImageID": "sha256:2aeded7c94c8b5d29f734dae5a9300f4f728b7d69a918be0d155d9ea1b57fb02", - "DiffIDs": [ - "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - ], - "RepoTags": [ - "mcr.microsoft.com/cbl-mariner/distroless/base:2.0.20220527" - ], - "RepoDigests": [ - "mcr.microsoft.com/cbl-mariner/distroless/base@sha256:f550c5428df17b145851ad75983aca6d613ad4b51ca7983b2a83e67d0ac91a5d" - ], - "ImageConfig": { - "architecture": "arm64", - "created": "2022-06-03T22:00:44.099543764Z", - "docker_version": "20.10.8", - "history": [ - { - "created": "2022-06-03T22:00:44Z", - "comment": "Imported from -" - } - ], - "os": "linux", - "rootfs": { - "type": "layers", - "diff_ids": [ - "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - ] - }, - "config": {} - } - }, - "Results": [ - { - "Target": "mcr.microsoft.com/cbl-mariner/distroless/base:2.0.20220527 (cbl-mariner 2.0.20220527)", - "Class": "os-pkgs", - "Type": "cbl-mariner", - "Vulnerabilities": [ - { - "VulnerabilityID": "CVE-2021-3998", - "PkgName": "glibc", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-7.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3998", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: Unexpected return value from realpath() could leak data based on the application", - "Description": "A flaw was found in glibc. 
The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-125", - "CWE-252" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V3Score": 7.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V3Score": 7.5 - } - }, - "References": [ - "https://access.redhat.com/security/cve/CVE-2021-3998", - "https://bugzilla.redhat.com/show_bug.cgi?id=2024633", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3998", - "https://security-tracker.debian.org/tracker/CVE-2021-3998", - "https://security.netapp.com/advisory/ntap-20221020-0003/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=28770", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=84d2d0fe20bdf94feed82b21b4d7d136db471f03", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ee8d5e33adb284601c00c94687bc907e10aec9bb", - "https://ubuntu.com/security/notices/USN-5310-1", - "https://www.cve.org/CVERecord?id=CVE-2021-3998", - "https://www.openwall.com/lists/oss-security/2022/01/24/4" - ], - "PublishedDate": "2022-08-24T16:15:09.01Z", - "LastModifiedDate": "2023-02-12T23:43:07.203Z" - }, - { - "VulnerabilityID": "CVE-2023-4911", - "PkgName": "glibc", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-5.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-4911", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: buffer overflow in ld.so leading to privilege escalation", - "Description": "A buffer overflow was discovered in the GNU 
C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-787", - "CWE-122" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 7.8 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 7.8 - } - }, - "References": [ - "http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html", - "http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html", - "http://seclists.org/fulldisclosure/2023/Oct/11", - "http://www.openwall.com/lists/oss-security/2023/10/03/2", - "http://www.openwall.com/lists/oss-security/2023/10/03/3", - "http://www.openwall.com/lists/oss-security/2023/10/05/1", - "http://www.openwall.com/lists/oss-security/2023/10/13/11", - "http://www.openwall.com/lists/oss-security/2023/10/14/3", - "http://www.openwall.com/lists/oss-security/2023/10/14/5", - "http://www.openwall.com/lists/oss-security/2023/10/14/6", - "https://access.redhat.com/errata/RHSA-2023:5453", - "https://access.redhat.com/errata/RHSA-2023:5454", - "https://access.redhat.com/errata/RHSA-2023:5455", - "https://access.redhat.com/errata/RHSA-2023:5476", - "https://access.redhat.com/errata/RHSA-2024:0033", - "https://access.redhat.com/security/cve/CVE-2023-4911", - "https://bugzilla.redhat.com/2234712", - "https://bugzilla.redhat.com/2237782", - "https://bugzilla.redhat.com/2237798", - "https://bugzilla.redhat.com/2238352", - "https://bugzilla.redhat.com/show_bug.cgi?id=2234712", - "https://bugzilla.redhat.com/show_bug.cgi?id=2237782", - "https://bugzilla.redhat.com/show_bug.cgi?id=2237798", - "https://bugzilla.redhat.com/show_bug.cgi?id=2238352", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4527", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4806", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4813", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911", - "https://errata.almalinux.org/9/ALSA-2023-5453.html", - "https://errata.rockylinux.org/RLSA-2023:5455", - "https://linux.oracle.com/cve/CVE-2023-4911.html", - "https://linux.oracle.com/errata/ELSA-2023-5455.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/", - "https://nvd.nist.gov/vuln/detail/CVE-2023-4911", - "https://security.gentoo.org/glsa/202310-03", - "https://security.netapp.com/advisory/ntap-20231013-0006/", - "https://ubuntu.com/security/notices/USN-6409-1", - "https://www.cve.org/CVERecord?id=CVE-2023-4911", - "https://www.debian.org/security/2023/dsa-5514", - "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt", - "https://www.qualys.com/cve-2023-4911/" - ], - "PublishedDate": "2023-10-03T18:15:10.463Z", - "LastModifiedDate": "2024-02-22T20:18:58.02Z" - }, - { - "VulnerabilityID": "CVE-2023-5156", - "PkgName": "glibc", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-6.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-5156", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": 
"https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: DoS due to memory leak in getaddrinfo.c", - "Description": "A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-401" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2023/10/03/4", - "http://www.openwall.com/lists/oss-security/2023/10/03/5", - "http://www.openwall.com/lists/oss-security/2023/10/03/6", - "http://www.openwall.com/lists/oss-security/2023/10/03/8", - "https://access.redhat.com/security/cve/CVE-2023-5156", - "https://bugzilla.redhat.com/show_bug.cgi?id=2240541", - "https://nvd.nist.gov/vuln/detail/CVE-2023-5156", - "https://security.gentoo.org/glsa/202402-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=30884", - "https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=ec6b95c3303c700eb89eebeda2d7264cc184a796", - "https://sourceware.org/pipermail/libc-alpha/2023-September/151691.html", - "https://ubuntu.com/security/notices/USN-6541-1", - "https://ubuntu.com/security/notices/USN-6541-2", - "https://www.cve.org/CVERecord?id=CVE-2023-5156" - ], - "PublishedDate": "2023-09-25T16:15:15.613Z", - "LastModifiedDate": "2024-02-23T16:01:18.39Z" - }, - { - "VulnerabilityID": "CVE-2024-33599", - "PkgName": "glibc", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-7.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-33599", - "DataSource": { - 
"ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: stack-based buffer overflow in netgroup cache", - "Description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", - "Severity": "HIGH", - "CweIDs": [ - "CWE-121" - ], - "CVSS": { - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", - "V3Score": 7.6 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2024:3339", - "https://access.redhat.com/security/cve/CVE-2024-33599", - "https://bugzilla.redhat.com/2273404", - "https://bugzilla.redhat.com/2277202", - "https://bugzilla.redhat.com/2277204", - "https://bugzilla.redhat.com/2277205", - "https://bugzilla.redhat.com/2277206", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277202", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277204", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277205", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277206", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33599", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33600", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33601", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33602", - "https://errata.almalinux.org/9/ALSA-2024-3339.html", - "https://errata.rockylinux.org/RLSA-2024:3344", - "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/", - "https://linux.oracle.com/cve/CVE-2024-33599.html", - "https://linux.oracle.com/errata/ELSA-2024-3588.html", - "https://nvd.nist.gov/vuln/detail/CVE-2024-33599", - 
"https://security.netapp.com/advisory/ntap-20240524-0011/", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005", - "https://ubuntu.com/security/notices/USN-6804-1", - "https://www.cve.org/CVERecord?id=CVE-2024-33599", - "https://www.openwall.com/lists/oss-security/2024/04/24/2" - ], - "PublishedDate": "2024-05-06T20:15:11.437Z", - "LastModifiedDate": "2024-06-10T17:16:27.94Z" - }, - { - "VulnerabilityID": "CVE-2024-33600", - "PkgName": "glibc", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-7.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-33600", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: null pointer dereferences after failed netgroup cache insertion", - "Description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. 
This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", - "Severity": "HIGH", - "CweIDs": [ - "CWE-476" - ], - "CVSS": { - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2024:3339", - "https://access.redhat.com/security/cve/CVE-2024-33600", - "https://bugzilla.redhat.com/2273404", - "https://bugzilla.redhat.com/2277202", - "https://bugzilla.redhat.com/2277204", - "https://bugzilla.redhat.com/2277205", - "https://bugzilla.redhat.com/2277206", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277202", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277204", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277205", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277206", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33599", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33600", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33601", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33602", - "https://errata.almalinux.org/9/ALSA-2024-3339.html", - "https://errata.rockylinux.org/RLSA-2024:3344", - "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/", - "https://linux.oracle.com/cve/CVE-2024-33600.html", - "https://linux.oracle.com/errata/ELSA-2024-3588.html", - "https://nvd.nist.gov/vuln/detail/CVE-2024-33600", - "https://security.netapp.com/advisory/ntap-20240524-0013/", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006", - "https://ubuntu.com/security/notices/USN-6804-1", - "https://www.cve.org/CVERecord?id=CVE-2024-33600", - "https://www.openwall.com/lists/oss-security/2024/04/24/2" - ], - "PublishedDate": "2024-05-06T20:15:11.523Z", - "LastModifiedDate": "2024-06-10T17:16:28.037Z" - }, - { - "VulnerabilityID": "CVE-2023-4806", - "PkgName": "glibc", - "InstalledVersion": 
"2.35-2.cm2", - "FixedVersion": "2.35-6.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-4806", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: potential use-after-free in getaddrinfo()", - "Description": "A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-416" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 5.9 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 5.9 - } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2023/10/03/4", - "http://www.openwall.com/lists/oss-security/2023/10/03/5", - "http://www.openwall.com/lists/oss-security/2023/10/03/6", - "http://www.openwall.com/lists/oss-security/2023/10/03/8", - "https://access.redhat.com/errata/RHSA-2023:5453", - "https://access.redhat.com/errata/RHSA-2023:5455", - "https://access.redhat.com/errata/RHSA-2023:7409", - "https://access.redhat.com/security/cve/CVE-2023-4806", - "https://bugzilla.redhat.com/2234712", - "https://bugzilla.redhat.com/2237782", - "https://bugzilla.redhat.com/2237798", - 
"https://bugzilla.redhat.com/2238352", - "https://bugzilla.redhat.com/show_bug.cgi?id=2234712", - "https://bugzilla.redhat.com/show_bug.cgi?id=2237782", - "https://bugzilla.redhat.com/show_bug.cgi?id=2237798", - "https://bugzilla.redhat.com/show_bug.cgi?id=2238352", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4527", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4806", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4813", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911", - "https://errata.almalinux.org/9/ALSA-2023-5453.html", - "https://errata.rockylinux.org/RLSA-2023:5455", - "https://linux.oracle.com/cve/CVE-2023-4806.html", - "https://linux.oracle.com/errata/ELSA-2023-5455.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/", - "https://nvd.nist.gov/vuln/detail/CVE-2023-4806", - "https://security.gentoo.org/glsa/202310-03", - "https://security.netapp.com/advisory/ntap-20240125-0008/", - "https://ubuntu.com/security/notices/USN-6541-1", - "https://ubuntu.com/security/notices/USN-6541-2", - "https://www.cve.org/CVERecord?id=CVE-2023-4806" - ], - "PublishedDate": "2023-09-18T17:15:55.813Z", - "LastModifiedDate": "2024-01-25T14:15:26.36Z" - }, - { - "VulnerabilityID": "CVE-2024-33601", - "PkgName": "glibc", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-7.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": 
"https://avd.aquasec.com/nvd/cve-2024-33601", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: netgroup cache may terminate daemon on memory allocation failure", - "Description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-617" - ], - "CVSS": { - "redhat": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 4 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2024:3339", - "https://access.redhat.com/security/cve/CVE-2024-33601", - "https://bugzilla.redhat.com/2273404", - "https://bugzilla.redhat.com/2277202", - "https://bugzilla.redhat.com/2277204", - "https://bugzilla.redhat.com/2277205", - "https://bugzilla.redhat.com/2277206", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277202", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277204", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277205", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277206", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33599", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33600", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33601", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33602", - "https://errata.almalinux.org/9/ALSA-2024-3339.html", - "https://errata.rockylinux.org/RLSA-2024:3344", - "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/", - "https://linux.oracle.com/cve/CVE-2024-33601.html", - 
"https://linux.oracle.com/errata/ELSA-2024-3588.html", - "https://nvd.nist.gov/vuln/detail/CVE-2024-33601", - "https://security.netapp.com/advisory/ntap-20240524-0014/", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007", - "https://ubuntu.com/security/notices/USN-6804-1", - "https://www.cve.org/CVERecord?id=CVE-2024-33601", - "https://www.openwall.com/lists/oss-security/2024/04/24/2" - ], - "PublishedDate": "2024-05-06T20:15:11.603Z", - "LastModifiedDate": "2024-06-10T18:15:34.353Z" - }, - { - "VulnerabilityID": "CVE-2024-33602", - "PkgName": "glibc", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-7.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-33602", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: netgroup cache assumes NSS callback uses in-buffer strings", - "Description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-466" - ], - "CVSS": { - "redhat": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 4 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2024:3339", - "https://access.redhat.com/security/cve/CVE-2024-33602", - "https://bugzilla.redhat.com/2273404", - "https://bugzilla.redhat.com/2277202", - "https://bugzilla.redhat.com/2277204", - 
"https://bugzilla.redhat.com/2277205", - "https://bugzilla.redhat.com/2277206", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277202", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277204", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277205", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277206", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33599", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33600", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33601", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33602", - "https://errata.almalinux.org/9/ALSA-2024-3339.html", - "https://errata.rockylinux.org/RLSA-2024:3344", - "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/", - "https://linux.oracle.com/cve/CVE-2024-33602.html", - "https://linux.oracle.com/errata/ELSA-2024-3588.html", - "https://nvd.nist.gov/vuln/detail/CVE-2024-33602", - "https://security.netapp.com/advisory/ntap-20240524-0012/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=31680", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008", - "https://ubuntu.com/security/notices/USN-6804-1", - "https://www.cve.org/CVERecord?id=CVE-2024-33602", - "https://www.openwall.com/lists/oss-security/2024/04/24/2" - ], - "PublishedDate": "2024-05-06T20:15:11.68Z", - "LastModifiedDate": "2024-06-10T18:15:34.443Z" - }, - { - "VulnerabilityID": "CVE-2021-3998", - "PkgName": "glibc-iconv", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-7.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3998", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": 
"https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: Unexpected return value from realpath() could leak data based on the application", - "Description": "A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-125", - "CWE-252" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V3Score": 7.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V3Score": 7.5 - } - }, - "References": [ - "https://access.redhat.com/security/cve/CVE-2021-3998", - "https://bugzilla.redhat.com/show_bug.cgi?id=2024633", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3998", - "https://security-tracker.debian.org/tracker/CVE-2021-3998", - "https://security.netapp.com/advisory/ntap-20221020-0003/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=28770", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=84d2d0fe20bdf94feed82b21b4d7d136db471f03", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ee8d5e33adb284601c00c94687bc907e10aec9bb", - "https://ubuntu.com/security/notices/USN-5310-1", - "https://www.cve.org/CVERecord?id=CVE-2021-3998", - "https://www.openwall.com/lists/oss-security/2022/01/24/4" - ], - "PublishedDate": "2022-08-24T16:15:09.01Z", - "LastModifiedDate": "2023-02-12T23:43:07.203Z" - }, - { - "VulnerabilityID": "CVE-2023-4911", - "PkgName": "glibc-iconv", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-5.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-4911", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability 
Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: buffer overflow in ld.so leading to privilege escalation", - "Description": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-787", - "CWE-122" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 7.8 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 7.8 - } - }, - "References": [ - "http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html", - "http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html", - "http://seclists.org/fulldisclosure/2023/Oct/11", - "http://www.openwall.com/lists/oss-security/2023/10/03/2", - "http://www.openwall.com/lists/oss-security/2023/10/03/3", - "http://www.openwall.com/lists/oss-security/2023/10/05/1", - "http://www.openwall.com/lists/oss-security/2023/10/13/11", - "http://www.openwall.com/lists/oss-security/2023/10/14/3", - "http://www.openwall.com/lists/oss-security/2023/10/14/5", - "http://www.openwall.com/lists/oss-security/2023/10/14/6", - "https://access.redhat.com/errata/RHSA-2023:5453", - "https://access.redhat.com/errata/RHSA-2023:5454", - "https://access.redhat.com/errata/RHSA-2023:5455", - "https://access.redhat.com/errata/RHSA-2023:5476", - "https://access.redhat.com/errata/RHSA-2024:0033", - "https://access.redhat.com/security/cve/CVE-2023-4911", - "https://bugzilla.redhat.com/2234712", - "https://bugzilla.redhat.com/2237782", - "https://bugzilla.redhat.com/2237798", - "https://bugzilla.redhat.com/2238352", - 
"https://bugzilla.redhat.com/show_bug.cgi?id=2234712", - "https://bugzilla.redhat.com/show_bug.cgi?id=2237782", - "https://bugzilla.redhat.com/show_bug.cgi?id=2237798", - "https://bugzilla.redhat.com/show_bug.cgi?id=2238352", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4527", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4806", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4813", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911", - "https://errata.almalinux.org/9/ALSA-2023-5453.html", - "https://errata.rockylinux.org/RLSA-2023:5455", - "https://linux.oracle.com/cve/CVE-2023-4911.html", - "https://linux.oracle.com/errata/ELSA-2023-5455.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/", - "https://nvd.nist.gov/vuln/detail/CVE-2023-4911", - "https://security.gentoo.org/glsa/202310-03", - "https://security.netapp.com/advisory/ntap-20231013-0006/", - "https://ubuntu.com/security/notices/USN-6409-1", - "https://www.cve.org/CVERecord?id=CVE-2023-4911", - "https://www.debian.org/security/2023/dsa-5514", - "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt", - "https://www.qualys.com/cve-2023-4911/" - ], - "PublishedDate": "2023-10-03T18:15:10.463Z", - "LastModifiedDate": "2024-02-22T20:18:58.02Z" - }, - { - "VulnerabilityID": "CVE-2023-5156", - "PkgName": "glibc-iconv", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-6.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": 
"sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-5156", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: DoS due to memory leak in getaddrinfo.c", - "Description": "A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-401" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2023/10/03/4", - "http://www.openwall.com/lists/oss-security/2023/10/03/5", - "http://www.openwall.com/lists/oss-security/2023/10/03/6", - "http://www.openwall.com/lists/oss-security/2023/10/03/8", - "https://access.redhat.com/security/cve/CVE-2023-5156", - "https://bugzilla.redhat.com/show_bug.cgi?id=2240541", - "https://nvd.nist.gov/vuln/detail/CVE-2023-5156", - "https://security.gentoo.org/glsa/202402-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=30884", - "https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=ec6b95c3303c700eb89eebeda2d7264cc184a796", - "https://sourceware.org/pipermail/libc-alpha/2023-September/151691.html", - "https://ubuntu.com/security/notices/USN-6541-1", - "https://ubuntu.com/security/notices/USN-6541-2", - "https://www.cve.org/CVERecord?id=CVE-2023-5156" - ], - "PublishedDate": "2023-09-25T16:15:15.613Z", - "LastModifiedDate": "2024-02-23T16:01:18.39Z" - }, - { - "VulnerabilityID": "CVE-2024-33599", - "PkgName": "glibc-iconv", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-7.cm2", - "Status": "fixed", - "Layer": { - "Digest": 
"sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-33599", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: stack-based buffer overflow in netgroup cache", - "Description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", - "Severity": "HIGH", - "CweIDs": [ - "CWE-121" - ], - "CVSS": { - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", - "V3Score": 7.6 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2024:3339", - "https://access.redhat.com/security/cve/CVE-2024-33599", - "https://bugzilla.redhat.com/2273404", - "https://bugzilla.redhat.com/2277202", - "https://bugzilla.redhat.com/2277204", - "https://bugzilla.redhat.com/2277205", - "https://bugzilla.redhat.com/2277206", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277202", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277204", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277205", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277206", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33599", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33600", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33601", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33602", - "https://errata.almalinux.org/9/ALSA-2024-3339.html", - "https://errata.rockylinux.org/RLSA-2024:3344", - 
"https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/", - "https://linux.oracle.com/cve/CVE-2024-33599.html", - "https://linux.oracle.com/errata/ELSA-2024-3588.html", - "https://nvd.nist.gov/vuln/detail/CVE-2024-33599", - "https://security.netapp.com/advisory/ntap-20240524-0011/", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005", - "https://ubuntu.com/security/notices/USN-6804-1", - "https://www.cve.org/CVERecord?id=CVE-2024-33599", - "https://www.openwall.com/lists/oss-security/2024/04/24/2" - ], - "PublishedDate": "2024-05-06T20:15:11.437Z", - "LastModifiedDate": "2024-06-10T17:16:27.94Z" - }, - { - "VulnerabilityID": "CVE-2024-33600", - "PkgName": "glibc-iconv", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-7.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-33600", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: null pointer dereferences after failed netgroup cache insertion", - "Description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. 
This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", - "Severity": "HIGH", - "CweIDs": [ - "CWE-476" - ], - "CVSS": { - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2024:3339", - "https://access.redhat.com/security/cve/CVE-2024-33600", - "https://bugzilla.redhat.com/2273404", - "https://bugzilla.redhat.com/2277202", - "https://bugzilla.redhat.com/2277204", - "https://bugzilla.redhat.com/2277205", - "https://bugzilla.redhat.com/2277206", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277202", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277204", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277205", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277206", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33599", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33600", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33601", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33602", - "https://errata.almalinux.org/9/ALSA-2024-3339.html", - "https://errata.rockylinux.org/RLSA-2024:3344", - "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/", - "https://linux.oracle.com/cve/CVE-2024-33600.html", - "https://linux.oracle.com/errata/ELSA-2024-3588.html", - "https://nvd.nist.gov/vuln/detail/CVE-2024-33600", - "https://security.netapp.com/advisory/ntap-20240524-0013/", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006", - "https://ubuntu.com/security/notices/USN-6804-1", - "https://www.cve.org/CVERecord?id=CVE-2024-33600", - "https://www.openwall.com/lists/oss-security/2024/04/24/2" - ], - "PublishedDate": "2024-05-06T20:15:11.523Z", - "LastModifiedDate": "2024-06-10T17:16:28.037Z" - }, - { - "VulnerabilityID": "CVE-2023-4806", - "PkgName": "glibc-iconv", - 
"InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-6.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-4806", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: potential use-after-free in getaddrinfo()", - "Description": "A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-416" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 5.9 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 5.9 - } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2023/10/03/4", - "http://www.openwall.com/lists/oss-security/2023/10/03/5", - "http://www.openwall.com/lists/oss-security/2023/10/03/6", - "http://www.openwall.com/lists/oss-security/2023/10/03/8", - "https://access.redhat.com/errata/RHSA-2023:5453", - "https://access.redhat.com/errata/RHSA-2023:5455", - "https://access.redhat.com/errata/RHSA-2023:7409", - "https://access.redhat.com/security/cve/CVE-2023-4806", - "https://bugzilla.redhat.com/2234712", - "https://bugzilla.redhat.com/2237782", - 
"https://bugzilla.redhat.com/2237798", - "https://bugzilla.redhat.com/2238352", - "https://bugzilla.redhat.com/show_bug.cgi?id=2234712", - "https://bugzilla.redhat.com/show_bug.cgi?id=2237782", - "https://bugzilla.redhat.com/show_bug.cgi?id=2237798", - "https://bugzilla.redhat.com/show_bug.cgi?id=2238352", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4527", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4806", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4813", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911", - "https://errata.almalinux.org/9/ALSA-2023-5453.html", - "https://errata.rockylinux.org/RLSA-2023:5455", - "https://linux.oracle.com/cve/CVE-2023-4806.html", - "https://linux.oracle.com/errata/ELSA-2023-5455.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/", - "https://nvd.nist.gov/vuln/detail/CVE-2023-4806", - "https://security.gentoo.org/glsa/202310-03", - "https://security.netapp.com/advisory/ntap-20240125-0008/", - "https://ubuntu.com/security/notices/USN-6541-1", - "https://ubuntu.com/security/notices/USN-6541-2", - "https://www.cve.org/CVERecord?id=CVE-2023-4806" - ], - "PublishedDate": "2023-09-18T17:15:55.813Z", - "LastModifiedDate": "2024-01-25T14:15:26.36Z" - }, - { - "VulnerabilityID": "CVE-2024-33601", - "PkgName": "glibc-iconv", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-7.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - 
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-33601", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: netgroup cache may terminate daemon on memory allocation failure", - "Description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-617" - ], - "CVSS": { - "redhat": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 4 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2024:3339", - "https://access.redhat.com/security/cve/CVE-2024-33601", - "https://bugzilla.redhat.com/2273404", - "https://bugzilla.redhat.com/2277202", - "https://bugzilla.redhat.com/2277204", - "https://bugzilla.redhat.com/2277205", - "https://bugzilla.redhat.com/2277206", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277202", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277204", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277205", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277206", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33599", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33600", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33601", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33602", - "https://errata.almalinux.org/9/ALSA-2024-3339.html", - "https://errata.rockylinux.org/RLSA-2024:3344", - "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/", - "https://linux.oracle.com/cve/CVE-2024-33601.html", - 
"https://linux.oracle.com/errata/ELSA-2024-3588.html", - "https://nvd.nist.gov/vuln/detail/CVE-2024-33601", - "https://security.netapp.com/advisory/ntap-20240524-0014/", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007", - "https://ubuntu.com/security/notices/USN-6804-1", - "https://www.cve.org/CVERecord?id=CVE-2024-33601", - "https://www.openwall.com/lists/oss-security/2024/04/24/2" - ], - "PublishedDate": "2024-05-06T20:15:11.603Z", - "LastModifiedDate": "2024-06-10T18:15:34.353Z" - }, - { - "VulnerabilityID": "CVE-2024-33602", - "PkgName": "glibc-iconv", - "InstalledVersion": "2.35-2.cm2", - "FixedVersion": "2.35-7.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-33602", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "glibc: netgroup cache assumes NSS callback uses in-buffer strings", - "Description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-466" - ], - "CVSS": { - "redhat": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 4 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2024:3339", - "https://access.redhat.com/security/cve/CVE-2024-33602", - "https://bugzilla.redhat.com/2273404", - "https://bugzilla.redhat.com/2277202", - 
"https://bugzilla.redhat.com/2277204", - "https://bugzilla.redhat.com/2277205", - "https://bugzilla.redhat.com/2277206", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277202", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277204", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277205", - "https://bugzilla.redhat.com/show_bug.cgi?id=2277206", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33599", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33600", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33601", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33602", - "https://errata.almalinux.org/9/ALSA-2024-3339.html", - "https://errata.rockylinux.org/RLSA-2024:3344", - "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/", - "https://linux.oracle.com/cve/CVE-2024-33602.html", - "https://linux.oracle.com/errata/ELSA-2024-3588.html", - "https://nvd.nist.gov/vuln/detail/CVE-2024-33602", - "https://security.netapp.com/advisory/ntap-20240524-0012/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=31680", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008", - "https://ubuntu.com/security/notices/USN-6804-1", - "https://www.cve.org/CVERecord?id=CVE-2024-33602", - "https://www.openwall.com/lists/oss-security/2024/04/24/2" - ], - "PublishedDate": "2024-05-06T20:15:11.68Z", - "LastModifiedDate": "2024-06-10T18:15:34.443Z" - }, - { - "VulnerabilityID": "CVE-2023-4039", - "PkgName": "libgcc", - "InstalledVersion": "11.2.0-2.cm2", - "FixedVersion": "11.2.0-6.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-4039", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": 
"https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "gcc: -fstack-protector fails to guard dynamic stack allocations on ARM64", - "Description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. 
NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-693" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", - "V3Score": 4.8 - } - }, - "References": [ - "https://access.redhat.com/security/cve/CVE-2023-4039", - "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", - "https://gcc.gnu.org/git/?p=gcc.git;a=blob_plain;f=SECURITY.txt", - "https://gcc.gnu.org/pipermail/gcc-patches/2023-October/634066.html", - "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", - "https://inbox.sourceware.org/gcc-patches/46cfa37b-56eb-344d-0745-e0d35393392d@gotplt.org", - "https://linux.oracle.com/cve/CVE-2023-4039.html", - "https://linux.oracle.com/errata/ELSA-2023-28766.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-4039", - "https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html", - "https://www.cve.org/CVERecord?id=CVE-2023-4039" - ], - "PublishedDate": "2023-09-13T09:15:15.69Z", - "LastModifiedDate": "2024-06-13T23:15:50.137Z" - }, - { - "VulnerabilityID": "CVE-2022-2068", - "PkgName": "openssl", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-17.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2068", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: the c_rehash script allows command injection", - "Description": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash 
script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).", - "Severity": "CRITICAL", - "CweIDs": [ - "CWE-78" - ], - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 10, - "V3Score": 9.8 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 6.7 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2022:6224", - "https://access.redhat.com/security/cve/CVE-2022-2068", - "https://bugzilla.redhat.com/2081494", - "https://bugzilla.redhat.com/2087911", - "https://bugzilla.redhat.com/2087913", - "https://bugzilla.redhat.com/2097310", - "https://bugzilla.redhat.com/2104905", - "https://bugzilla.redhat.com/show_bug.cgi?id=2081494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2097310", - "https://bugzilla.redhat.com/show_bug.cgi?id=2100554", - "https://bugzilla.redhat.com/show_bug.cgi?id=2104905", - "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097", - 
"https://errata.almalinux.org/9/ALSA-2022-6224.html", - "https://errata.rockylinux.org/RLSA-2022:5818", - "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa", - "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9", - "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c9c35870601b4a44d86ddbf512b38df38285cfa", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9639817dac8bbbaa64d09efad7464ccc405527c7", - "https://linux.oracle.com/cve/CVE-2022-2068.html", - "https://linux.oracle.com/errata/ELSA-2022-9751.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/", - "https://nvd.nist.gov/vuln/detail/CVE-2022-2068", - "https://security.netapp.com/advisory/ntap-20220707-0008/", - "https://ubuntu.com/security/notices/USN-5488-1", - "https://ubuntu.com/security/notices/USN-5488-2", - "https://ubuntu.com/security/notices/USN-6457-1", - "https://www.cve.org/CVERecord?id=CVE-2022-2068", - "https://www.debian.org/security/2022/dsa-5169", - "https://www.openssl.org/news/secadv/20220621.txt" - ], - "PublishedDate": "2022-06-21T15:15:09.06Z", - "LastModifiedDate": "2023-11-07T03:46:11.177Z" - }, - { - "VulnerabilityID": "CVE-2022-4450", - "PkgName": "openssl", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-21.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": 
"sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-4450", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: double free after calling PEM_read_bio_ex", - "Description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. 
These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.\n\n\n", - "Severity": "HIGH", - "CweIDs": [ - "CWE-415" - ], - "CVSS": { - "ghsa": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - }, - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2023:2165", - "https://access.redhat.com/security/cve/CVE-2022-4450", - "https://bugzilla.redhat.com/1960321", - "https://bugzilla.redhat.com/2164440", - "https://bugzilla.redhat.com/2164487", - "https://bugzilla.redhat.com/2164492", - "https://bugzilla.redhat.com/2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144000", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144003", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144006", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144008", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144010", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144012", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144015", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144017", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144019", - "https://bugzilla.redhat.com/show_bug.cgi?id=2145170", - "https://bugzilla.redhat.com/show_bug.cgi?id=2158412", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164440", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164487", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164488", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164492", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164497", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164499", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164500", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401", - "https://errata.almalinux.org/9/ALSA-2023-2165.html", - "https://errata.rockylinux.org/RLSA-2023:0946", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b", - "https://linux.oracle.com/cve/CVE-2022-4450.html", - "https://linux.oracle.com/errata/ELSA-2023-32791.html", - "https://nvd.nist.gov/vuln/detail/CVE-2022-4450", - "https://rustsec.org/advisories/RUSTSEC-2023-0010.html", - "https://security.gentoo.org/glsa/202402-08", - "https://ubuntu.com/security/notices/USN-5844-1", - "https://ubuntu.com/security/notices/USN-6564-1", - "https://www.cve.org/CVERecord?id=CVE-2022-4450", - "https://www.openssl.org/news/secadv/20230207.txt" - ], - "PublishedDate": "2023-02-08T20:15:23.973Z", - "LastModifiedDate": "2024-02-04T09:15:08.733Z" - }, - { - "VulnerabilityID": "CVE-2023-0215", - "PkgName": "openssl", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-21.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-0215", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": 
"https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: use-after-free following BIO_new_NDEF", - "Description": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. 
This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n", - "Severity": "HIGH", - "CweIDs": [ - "CWE-416" - ], - "CVSS": { - "ghsa": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - }, - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2023:2165", - "https://access.redhat.com/security/cve/CVE-2023-0215", - "https://bugzilla.redhat.com/1960321", - "https://bugzilla.redhat.com/2164440", - "https://bugzilla.redhat.com/2164487", - "https://bugzilla.redhat.com/2164492", - "https://bugzilla.redhat.com/2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144000", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144003", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144006", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144008", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144010", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144012", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144015", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144017", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144019", - "https://bugzilla.redhat.com/show_bug.cgi?id=2145170", - "https://bugzilla.redhat.com/show_bug.cgi?id=2158412", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164440", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164487", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164488", - 
"https://bugzilla.redhat.com/show_bug.cgi?id=2164492", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164497", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164499", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164500", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401", - "https://errata.almalinux.org/9/ALSA-2023-2165.html", - "https://errata.rockylinux.org/RLSA-2023:0946", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344", - "https://linux.oracle.com/cve/CVE-2023-0215.html", - "https://linux.oracle.com/errata/ELSA-2023-32791.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-0215", - "https://rustsec.org/advisories/RUSTSEC-2023-0009.html", - "https://security.gentoo.org/glsa/202402-08", - "https://security.netapp.com/advisory/ntap-20230427-0007", - "https://security.netapp.com/advisory/ntap-20230427-0007/", - "https://security.netapp.com/advisory/ntap-20230427-0009", - "https://security.netapp.com/advisory/ntap-20230427-0009/", - "https://security.netapp.com/advisory/ntap-20240621-0006", - "https://security.netapp.com/advisory/ntap-20240621-0006/", - "https://ubuntu.com/security/notices/USN-5844-1", - "https://ubuntu.com/security/notices/USN-5845-1", - 
"https://ubuntu.com/security/notices/USN-5845-2", - "https://ubuntu.com/security/notices/USN-6564-1", - "https://www.cve.org/CVERecord?id=CVE-2023-0215", - "https://www.openssl.org/news/secadv/20230207.txt" - ], - "PublishedDate": "2023-02-08T20:15:24.107Z", - "LastModifiedDate": "2024-06-21T19:15:24.33Z" - }, - { - "VulnerabilityID": "CVE-2023-0286", - "PkgName": "openssl", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-21.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-0286", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: X.400 address type confusion in X.509 GeneralName", - "Description": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. 
As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n", - "Severity": "HIGH", - "CweIDs": [ - "CWE-843" - ], - "CVSS": { - "ghsa": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "V3Score": 7.4 - }, - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "V3Score": 7.4 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "V3Score": 7.4 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2023:2165", - "https://access.redhat.com/security/cve/CVE-2023-0286", - "https://access.redhat.com/security/cve/cve-2023-0286", - "https://bugzilla.redhat.com/1960321", - "https://bugzilla.redhat.com/2164440", - "https://bugzilla.redhat.com/2164487", - "https://bugzilla.redhat.com/2164492", - "https://bugzilla.redhat.com/2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144000", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144003", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144006", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144008", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144010", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144012", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144015", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144017", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144019", - "https://bugzilla.redhat.com/show_bug.cgi?id=2145170", - "https://bugzilla.redhat.com/show_bug.cgi?id=2158412", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164440", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164487", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164488", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164492", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164497", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164499", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164500", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401", - "https://errata.almalinux.org/9/ALSA-2023-2165.html", - "https://errata.rockylinux.org/RLSA-2023:0946", - "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt", - "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d", - "https://github.com/pyca/cryptography", - "https://github.com/pyca/cryptography/security/advisories/GHSA-x4qr-2fvf-3mr5", - "https://linux.oracle.com/cve/CVE-2023-0286.html", - "https://linux.oracle.com/errata/ELSA-2023-32791.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-0286", - "https://rustsec.org/advisories/RUSTSEC-2023-0006.html", - "https://security.gentoo.org/glsa/202402-08", - "https://ubuntu.com/security/notices/USN-5844-1", - "https://ubuntu.com/security/notices/USN-5845-1", - "https://ubuntu.com/security/notices/USN-5845-2", - "https://ubuntu.com/security/notices/USN-6564-1", - "https://www.cve.org/CVERecord?id=CVE-2023-0286", - "https://www.openssl.org/news/secadv/20230207.txt" - ], - "PublishedDate": "2023-02-08T20:15:24.267Z", - "LastModifiedDate": "2024-02-04T09:15:09.113Z" - }, - { - "VulnerabilityID": "CVE-2022-2097", - "PkgName": "openssl", - 
"InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-20.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2097", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: AES OCB fails to encrypt some bytes", - "Description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). 
Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-327" - ], - "CVSS": { - "ghsa": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V3Score": 7.5 - }, - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "V2Score": 5, - "V3Score": 5.3 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "V3Score": 5.3 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2022:6224", - "https://access.redhat.com/security/cve/CVE-2022-2097", - "https://bugzilla.redhat.com/2081494", - "https://bugzilla.redhat.com/2087911", - "https://bugzilla.redhat.com/2087913", - "https://bugzilla.redhat.com/2097310", - "https://bugzilla.redhat.com/2104905", - "https://bugzilla.redhat.com/show_bug.cgi?id=2081494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2097310", - "https://bugzilla.redhat.com/show_bug.cgi?id=2100554", - "https://bugzilla.redhat.com/show_bug.cgi?id=2104905", - "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097", - "https://errata.almalinux.org/9/ALSA-2022-6224.html", - "https://errata.rockylinux.org/RLSA-2022:5818", - "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431", - "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=919925673d6c9cfed3c1085497f5dfbbed5fc431", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a98f339ddd7e8f487d6e0088d4a9a42324885a93", - "https://github.com/alexcrichton/openssl-src-rs", - "https://linux.oracle.com/cve/CVE-2022-2097.html", - 
"https://linux.oracle.com/errata/ELSA-2022-9751.html", - "https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA", - "https://nvd.nist.gov/vuln/detail/CVE-2022-2097", - "https://rustsec.org/advisories/RUSTSEC-2022-0032.html", - "https://security.gentoo.org/glsa/202210-02", - "https://security.netapp.com/advisory/ntap-20220715-0011", - "https://security.netapp.com/advisory/ntap-20220715-0011/", - "https://security.netapp.com/advisory/ntap-20230420-0008", - 
"https://security.netapp.com/advisory/ntap-20230420-0008/", - "https://security.netapp.com/advisory/ntap-20240621-0006", - "https://security.netapp.com/advisory/ntap-20240621-0006/", - "https://ubuntu.com/security/notices/USN-5502-1", - "https://ubuntu.com/security/notices/USN-6457-1", - "https://www.cve.org/CVERecord?id=CVE-2022-2097", - "https://www.debian.org/security/2023/dsa-5343", - "https://www.openssl.org/news/secadv/20220705.txt" - ], - "PublishedDate": "2022-07-05T11:15:08.34Z", - "LastModifiedDate": "2024-06-21T19:15:23.083Z" - }, - { - "VulnerabilityID": "CVE-2022-4304", - "PkgName": "openssl", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-21.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-4304", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: timing attack in RSA Decryption implementation", - "Description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation\nwhich could be sufficient to recover a plaintext across a network in a\nBleichenbacher style attack. To achieve a successful decryption an attacker\nwould have to be able to send a very large number of trial messages for\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\nRSA-OEAP and RSASVE.\n\nFor example, in a TLS connection, RSA is commonly used by a client to send an\nencrypted pre-master secret to the server. An attacker that had observed a\ngenuine connection between a client and a server could use this flaw to send\ntrial messages to the server and record the time taken to process them. 
After a\nsufficiently large number of messages the attacker could recover the pre-master\nsecret used for the original connection and thus be able to decrypt the\napplication data sent over that connection.\n\n", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-203" - ], - "CVSS": { - "ghsa": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V3Score": 5.9 - }, - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V3Score": 5.9 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", - "V3Score": 5.9 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2023:2165", - "https://access.redhat.com/security/cve/CVE-2022-4304", - "https://bugzilla.redhat.com/1960321", - "https://bugzilla.redhat.com/2164440", - "https://bugzilla.redhat.com/2164487", - "https://bugzilla.redhat.com/2164492", - "https://bugzilla.redhat.com/2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144000", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144003", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144006", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144008", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144010", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144012", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144015", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144017", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144019", - "https://bugzilla.redhat.com/show_bug.cgi?id=2145170", - "https://bugzilla.redhat.com/show_bug.cgi?id=2158412", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164440", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164487", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164488", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164492", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164497", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164499", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164500", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401", - "https://errata.almalinux.org/9/ALSA-2023-2165.html", - "https://errata.rockylinux.org/RLSA-2023:0946", - "https://linux.oracle.com/cve/CVE-2022-4304.html", - "https://linux.oracle.com/errata/ELSA-2023-32791.html", - "https://nvd.nist.gov/vuln/detail/CVE-2022-4304", - "https://rustsec.org/advisories/RUSTSEC-2023-0007.html", - "https://security.gentoo.org/glsa/202402-08", - "https://ubuntu.com/security/notices/USN-5844-1", - "https://ubuntu.com/security/notices/USN-6564-1", - "https://www.cve.org/CVERecord?id=CVE-2022-4304", - "https://www.openssl.org/news/secadv/20230207.txt" - ], - "PublishedDate": "2023-02-08T20:15:23.887Z", - "LastModifiedDate": "2024-02-04T09:15:08.627Z" - }, - { - "VulnerabilityID": "CVE-2023-0465", - "PkgName": "openssl", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-23.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-0465", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: Invalid certificate policies in leaf certificates are silently ignored", - "Description": "Applications that use a non-default option when verifying 
certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-295" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V3Score": 5.3 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V3Score": 5.3 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2023:3722", - "https://access.redhat.com/security/cve/CVE-2023-0465", - "https://bugzilla.redhat.com/2181082", - "https://bugzilla.redhat.com/2182561", - "https://bugzilla.redhat.com/2182565", - "https://bugzilla.redhat.com/2188461", - "https://bugzilla.redhat.com/2207947", - "https://errata.almalinux.org/9/ALSA-2023-3722.html", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c", - "https://linux.oracle.com/cve/CVE-2023-0465.html", - "https://linux.oracle.com/errata/ELSA-2023-3722.html", - "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-0465", - "https://security.gentoo.org/glsa/202402-08", - 
"https://security.netapp.com/advisory/ntap-20230414-0001/", - "https://ubuntu.com/security/notices/USN-6039-1", - "https://www.cve.org/CVERecord?id=CVE-2023-0465", - "https://www.debian.org/security/2023/dsa-5417", - "https://www.openssl.org/news/secadv/20230328.txt" - ], - "PublishedDate": "2023-03-28T15:15:06.82Z", - "LastModifiedDate": "2024-02-04T09:15:09.43Z" - }, - { - "VulnerabilityID": "CVE-2023-0466", - "PkgName": "openssl", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-23.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-0466", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: Certificate policy check not enabled", - "Description": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. 
However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-295" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V3Score": 5.3 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V3Score": 5.3 - } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2023/09/28/4", - "https://access.redhat.com/errata/RHSA-2023:3722", - "https://access.redhat.com/security/cve/CVE-2023-0466", - "https://bugzilla.redhat.com/2181082", - "https://bugzilla.redhat.com/2182561", - "https://bugzilla.redhat.com/2182565", - "https://bugzilla.redhat.com/2188461", - "https://bugzilla.redhat.com/2207947", - "https://errata.almalinux.org/9/ALSA-2023-3722.html", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061", - "https://linux.oracle.com/cve/CVE-2023-0466.html", - "https://linux.oracle.com/errata/ELSA-2023-3722.html", - 
"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-0466", - "https://security.gentoo.org/glsa/202402-08", - "https://security.netapp.com/advisory/ntap-20230414-0001/", - "https://ubuntu.com/security/notices/USN-6039-1", - "https://www.cve.org/CVERecord?id=CVE-2023-0466", - "https://www.debian.org/security/2023/dsa-5417", - "https://www.openssl.org/news/secadv/20230328.txt" - ], - "PublishedDate": "2023-03-28T15:15:06.88Z", - "LastModifiedDate": "2024-02-04T09:15:09.54Z" - }, - { - "VulnerabilityID": "CVE-2023-2650", - "PkgName": "openssl", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-25.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-2650", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: Possible DoS translating ASN.1 object identifiers", - "Description": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. 
OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. 
This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-770" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "V3Score": 6.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "V3Score": 6.5 - } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2023/05/30/1", - "https://access.redhat.com/errata/RHSA-2023:6330", - "https://access.redhat.com/security/cve/CVE-2023-2650", - "https://bugzilla.redhat.com/1858038", - "https://bugzilla.redhat.com/2207947", - "https://errata.almalinux.org/9/ALSA-2023-6330.html", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a", - "https://linux.oracle.com/cve/CVE-2023-2650.html", - "https://linux.oracle.com/errata/ELSA-2023-6330.html", - "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-2650", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009", - "https://security.gentoo.org/glsa/202402-08", - "https://security.netapp.com/advisory/ntap-20230703-0001/", - "https://security.netapp.com/advisory/ntap-20231027-0009/", - "https://ubuntu.com/security/notices/USN-6119-1", - "https://ubuntu.com/security/notices/USN-6188-1", - "https://ubuntu.com/security/notices/USN-6672-1", - "https://www.cve.org/CVERecord?id=CVE-2023-2650", - "https://www.debian.org/security/2023/dsa-5417", 
- "https://www.openssl.org/news/secadv/20230530.txt" - ], - "PublishedDate": "2023-05-30T14:15:09.683Z", - "LastModifiedDate": "2024-02-04T09:15:09.643Z" - }, - { - "VulnerabilityID": "CVE-2023-3817", - "PkgName": "openssl", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-26.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-3817", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "OpenSSL: Excessive time spent checking DH q parameter value", - "Description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. 
A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-834" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 - } - }, - "References": [ - "http://seclists.org/fulldisclosure/2023/Jul/43", - "http://www.openwall.com/lists/oss-security/2023/07/31/1", - "http://www.openwall.com/lists/oss-security/2023/09/22/11", - "http://www.openwall.com/lists/oss-security/2023/09/22/9", - "http://www.openwall.com/lists/oss-security/2023/11/06/2", - "https://access.redhat.com/errata/RHSA-2024:2447", - "https://access.redhat.com/security/cve/CVE-2023-3817", - "https://bugzilla.redhat.com/2223016", - "https://bugzilla.redhat.com/2224962", - "https://bugzilla.redhat.com/2227852", - "https://bugzilla.redhat.com/2248616", - "https://bugzilla.redhat.com/2257571", - "https://bugzilla.redhat.com/2258502", - "https://bugzilla.redhat.com/2259944", - "https://errata.almalinux.org/9/ALSA-2024-2447.html", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5", - 
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5", - "https://linux.oracle.com/cve/CVE-2023-3817.html", - "https://linux.oracle.com/errata/ELSA-2024-2447.html", - "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-3817", - "https://security.gentoo.org/glsa/202402-08", - "https://security.netapp.com/advisory/ntap-20230818-0014/", - "https://security.netapp.com/advisory/ntap-20231027-0008/", - "https://security.netapp.com/advisory/ntap-20240621-0006/", - "https://ubuntu.com/security/notices/USN-6435-1", - "https://ubuntu.com/security/notices/USN-6435-2", - "https://ubuntu.com/security/notices/USN-6450-1", - "https://ubuntu.com/security/notices/USN-6709-1", - "https://www.cve.org/CVERecord?id=CVE-2023-3817", - "https://www.openssl.org/news/secadv/20230731.txt" - ], - "PublishedDate": "2023-07-31T16:15:10.497Z", - "LastModifiedDate": "2024-06-21T19:15:28.01Z" - }, - { - "VulnerabilityID": "CVE-2023-5678", - "PkgName": "openssl", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-28.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-5678", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow", - "Description": "Issue summary: Generating 
excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-754" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 - } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2024/03/11/1", - "https://access.redhat.com/errata/RHSA-2024:2447", - "https://access.redhat.com/security/cve/CVE-2023-5678", - "https://bugzilla.redhat.com/2223016", - "https://bugzilla.redhat.com/2224962", - "https://bugzilla.redhat.com/2227852", - "https://bugzilla.redhat.com/2248616", - "https://bugzilla.redhat.com/2257571", - "https://bugzilla.redhat.com/2258502", - "https://bugzilla.redhat.com/2259944", - "https://errata.almalinux.org/9/ALSA-2024-2447.html", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", - "https://linux.oracle.com/cve/CVE-2023-5678.html", - "https://linux.oracle.com/errata/ELSA-2024-2447.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-5678", - "https://security.netapp.com/advisory/ntap-20231130-0010/", - "https://ubuntu.com/security/notices/USN-6622-1", - "https://ubuntu.com/security/notices/USN-6632-1", - 
"https://ubuntu.com/security/notices/USN-6709-1", - "https://www.cve.org/CVERecord?id=CVE-2023-5678", - "https://www.openssl.org/news/secadv/20231106.txt" - ], - "PublishedDate": "2023-11-06T16:15:42.67Z", - "LastModifiedDate": "2024-05-01T18:15:12.393Z" - }, - { - "VulnerabilityID": "CVE-2024-0727", - "PkgName": "openssl", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-29.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-0727", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: denial of service via null dereference", - "Description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", - "Severity": "MEDIUM", - "CVSS": { - "ghsa": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "V3Score": 5.5 - }, - "nvd": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "V3Score": 5.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "V3Score": 5.5 - } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2024/03/11/1", - "https://access.redhat.com/errata/RHSA-2024:2447", - "https://access.redhat.com/security/cve/CVE-2024-0727", - "https://bugzilla.redhat.com/2223016", - "https://bugzilla.redhat.com/2224962", - "https://bugzilla.redhat.com/2227852", - "https://bugzilla.redhat.com/2248616", - "https://bugzilla.redhat.com/2257571", - "https://bugzilla.redhat.com/2258502", - "https://bugzilla.redhat.com/2259944", - "https://errata.almalinux.org/9/ALSA-2024-2447.html", - "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", - "https://github.com/github/advisory-database/pull/3472", - "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", - "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", - "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", - "https://github.com/openssl/openssl/pull/23362", - "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", - "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", - "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", - "https://linux.oracle.com/cve/CVE-2024-0727.html", - "https://linux.oracle.com/errata/ELSA-2024-2447.html", - "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", - 
"https://security.netapp.com/advisory/ntap-20240208-0006", - "https://security.netapp.com/advisory/ntap-20240208-0006/", - "https://ubuntu.com/security/notices/USN-6622-1", - "https://ubuntu.com/security/notices/USN-6632-1", - "https://ubuntu.com/security/notices/USN-6709-1", - "https://www.cve.org/CVERecord?id=CVE-2024-0727", - "https://www.openssl.org/news/secadv/20240125.txt" - ], - "PublishedDate": "2024-01-26T09:15:07.637Z", - "LastModifiedDate": "2024-05-01T18:15:13.057Z" - }, - { - "VulnerabilityID": "CVE-2022-2068", - "PkgName": "openssl-libs", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-17.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2068", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: the c_rehash script allows command injection", - "Description": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. 
Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).", - "Severity": "CRITICAL", - "CweIDs": [ - "CWE-78" - ], - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 10, - "V3Score": 9.8 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 6.7 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2022:6224", - "https://access.redhat.com/security/cve/CVE-2022-2068", - "https://bugzilla.redhat.com/2081494", - "https://bugzilla.redhat.com/2087911", - "https://bugzilla.redhat.com/2087913", - "https://bugzilla.redhat.com/2097310", - "https://bugzilla.redhat.com/2104905", - "https://bugzilla.redhat.com/show_bug.cgi?id=2081494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2097310", - "https://bugzilla.redhat.com/show_bug.cgi?id=2100554", - "https://bugzilla.redhat.com/show_bug.cgi?id=2104905", - "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097", - "https://errata.almalinux.org/9/ALSA-2022-6224.html", - "https://errata.rockylinux.org/RLSA-2022:5818", - "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa", - "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9", - "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c9c35870601b4a44d86ddbf512b38df38285cfa", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9", - 
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9639817dac8bbbaa64d09efad7464ccc405527c7", - "https://linux.oracle.com/cve/CVE-2022-2068.html", - "https://linux.oracle.com/errata/ELSA-2022-9751.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/", - "https://nvd.nist.gov/vuln/detail/CVE-2022-2068", - "https://security.netapp.com/advisory/ntap-20220707-0008/", - "https://ubuntu.com/security/notices/USN-5488-1", - "https://ubuntu.com/security/notices/USN-5488-2", - "https://ubuntu.com/security/notices/USN-6457-1", - "https://www.cve.org/CVERecord?id=CVE-2022-2068", - "https://www.debian.org/security/2022/dsa-5169", - "https://www.openssl.org/news/secadv/20220621.txt" - ], - "PublishedDate": "2022-06-21T15:15:09.06Z", - "LastModifiedDate": "2023-11-07T03:46:11.177Z" - }, - { - "VulnerabilityID": "CVE-2022-4450", - "PkgName": "openssl-libs", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-21.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-4450", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: double free after calling PEM_read_bio_ex", - "Description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. 
\"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. 
These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.\n\n\n", - "Severity": "HIGH", - "CweIDs": [ - "CWE-415" - ], - "CVSS": { - "ghsa": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - }, - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2023:2165", - "https://access.redhat.com/security/cve/CVE-2022-4450", - "https://bugzilla.redhat.com/1960321", - "https://bugzilla.redhat.com/2164440", - "https://bugzilla.redhat.com/2164487", - "https://bugzilla.redhat.com/2164492", - "https://bugzilla.redhat.com/2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144000", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144003", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144006", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144008", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144010", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144012", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144015", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144017", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144019", - "https://bugzilla.redhat.com/show_bug.cgi?id=2145170", - "https://bugzilla.redhat.com/show_bug.cgi?id=2158412", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164440", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164487", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164488", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164492", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164497", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164499", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164500", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401", - "https://errata.almalinux.org/9/ALSA-2023-2165.html", - "https://errata.rockylinux.org/RLSA-2023:0946", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b", - "https://linux.oracle.com/cve/CVE-2022-4450.html", - "https://linux.oracle.com/errata/ELSA-2023-32791.html", - "https://nvd.nist.gov/vuln/detail/CVE-2022-4450", - "https://rustsec.org/advisories/RUSTSEC-2023-0010.html", - "https://security.gentoo.org/glsa/202402-08", - "https://ubuntu.com/security/notices/USN-5844-1", - "https://ubuntu.com/security/notices/USN-6564-1", - "https://www.cve.org/CVERecord?id=CVE-2022-4450", - "https://www.openssl.org/news/secadv/20230207.txt" - ], - "PublishedDate": "2023-02-08T20:15:23.973Z", - "LastModifiedDate": "2024-02-04T09:15:08.733Z" - }, - { - "VulnerabilityID": "CVE-2023-0215", - "PkgName": "openssl-libs", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-21.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-0215", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": 
"https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: use-after-free following BIO_new_NDEF", - "Description": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. 
This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n", - "Severity": "HIGH", - "CweIDs": [ - "CWE-416" - ], - "CVSS": { - "ghsa": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - }, - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 7.5 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2023:2165", - "https://access.redhat.com/security/cve/CVE-2023-0215", - "https://bugzilla.redhat.com/1960321", - "https://bugzilla.redhat.com/2164440", - "https://bugzilla.redhat.com/2164487", - "https://bugzilla.redhat.com/2164492", - "https://bugzilla.redhat.com/2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144000", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144003", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144006", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144008", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144010", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144012", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144015", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144017", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144019", - "https://bugzilla.redhat.com/show_bug.cgi?id=2145170", - "https://bugzilla.redhat.com/show_bug.cgi?id=2158412", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164440", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164487", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164488", - 
"https://bugzilla.redhat.com/show_bug.cgi?id=2164492", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164497", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164499", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164500", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401", - "https://errata.almalinux.org/9/ALSA-2023-2165.html", - "https://errata.rockylinux.org/RLSA-2023:0946", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344", - "https://linux.oracle.com/cve/CVE-2023-0215.html", - "https://linux.oracle.com/errata/ELSA-2023-32791.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-0215", - "https://rustsec.org/advisories/RUSTSEC-2023-0009.html", - "https://security.gentoo.org/glsa/202402-08", - "https://security.netapp.com/advisory/ntap-20230427-0007", - "https://security.netapp.com/advisory/ntap-20230427-0007/", - "https://security.netapp.com/advisory/ntap-20230427-0009", - "https://security.netapp.com/advisory/ntap-20230427-0009/", - "https://security.netapp.com/advisory/ntap-20240621-0006", - "https://security.netapp.com/advisory/ntap-20240621-0006/", - "https://ubuntu.com/security/notices/USN-5844-1", - "https://ubuntu.com/security/notices/USN-5845-1", - 
"https://ubuntu.com/security/notices/USN-5845-2", - "https://ubuntu.com/security/notices/USN-6564-1", - "https://www.cve.org/CVERecord?id=CVE-2023-0215", - "https://www.openssl.org/news/secadv/20230207.txt" - ], - "PublishedDate": "2023-02-08T20:15:24.107Z", - "LastModifiedDate": "2024-06-21T19:15:24.33Z" - }, - { - "VulnerabilityID": "CVE-2023-0286", - "PkgName": "openssl-libs", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-21.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-0286", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: X.400 address type confusion in X.509 GeneralName", - "Description": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. 
As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n", - "Severity": "HIGH", - "CweIDs": [ - "CWE-843" - ], - "CVSS": { - "ghsa": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "V3Score": 7.4 - }, - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "V3Score": 7.4 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "V3Score": 7.4 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2023:2165", - "https://access.redhat.com/security/cve/CVE-2023-0286", - "https://access.redhat.com/security/cve/cve-2023-0286", - "https://bugzilla.redhat.com/1960321", - "https://bugzilla.redhat.com/2164440", - "https://bugzilla.redhat.com/2164487", - "https://bugzilla.redhat.com/2164492", - "https://bugzilla.redhat.com/2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144000", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144003", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144006", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144008", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144010", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144012", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144015", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144017", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144019", - "https://bugzilla.redhat.com/show_bug.cgi?id=2145170", - "https://bugzilla.redhat.com/show_bug.cgi?id=2158412", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164440", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164487", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164488", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164492", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164497", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164499", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164500", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401", - "https://errata.almalinux.org/9/ALSA-2023-2165.html", - "https://errata.rockylinux.org/RLSA-2023:0946", - "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt", - "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d", - "https://github.com/pyca/cryptography", - "https://github.com/pyca/cryptography/security/advisories/GHSA-x4qr-2fvf-3mr5", - "https://linux.oracle.com/cve/CVE-2023-0286.html", - "https://linux.oracle.com/errata/ELSA-2023-32791.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-0286", - "https://rustsec.org/advisories/RUSTSEC-2023-0006.html", - "https://security.gentoo.org/glsa/202402-08", - "https://ubuntu.com/security/notices/USN-5844-1", - "https://ubuntu.com/security/notices/USN-5845-1", - "https://ubuntu.com/security/notices/USN-5845-2", - "https://ubuntu.com/security/notices/USN-6564-1", - "https://www.cve.org/CVERecord?id=CVE-2023-0286", - "https://www.openssl.org/news/secadv/20230207.txt" - ], - "PublishedDate": "2023-02-08T20:15:24.267Z", - "LastModifiedDate": "2024-02-04T09:15:09.113Z" - }, - { - "VulnerabilityID": "CVE-2022-2097", - "PkgName": "openssl-libs", - 
"InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-20.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2097", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: AES OCB fails to encrypt some bytes", - "Description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). 
Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-327" - ], - "CVSS": { - "ghsa": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V3Score": 7.5 - }, - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "V2Score": 5, - "V3Score": 5.3 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "V3Score": 5.3 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2022:6224", - "https://access.redhat.com/security/cve/CVE-2022-2097", - "https://bugzilla.redhat.com/2081494", - "https://bugzilla.redhat.com/2087911", - "https://bugzilla.redhat.com/2087913", - "https://bugzilla.redhat.com/2097310", - "https://bugzilla.redhat.com/2104905", - "https://bugzilla.redhat.com/show_bug.cgi?id=2081494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2097310", - "https://bugzilla.redhat.com/show_bug.cgi?id=2100554", - "https://bugzilla.redhat.com/show_bug.cgi?id=2104905", - "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097", - "https://errata.almalinux.org/9/ALSA-2022-6224.html", - "https://errata.rockylinux.org/RLSA-2022:5818", - "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431", - "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=919925673d6c9cfed3c1085497f5dfbbed5fc431", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a98f339ddd7e8f487d6e0088d4a9a42324885a93", - "https://github.com/alexcrichton/openssl-src-rs", - "https://linux.oracle.com/cve/CVE-2022-2097.html", - 
"https://linux.oracle.com/errata/ELSA-2022-9751.html", - "https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA", - "https://nvd.nist.gov/vuln/detail/CVE-2022-2097", - "https://rustsec.org/advisories/RUSTSEC-2022-0032.html", - "https://security.gentoo.org/glsa/202210-02", - "https://security.netapp.com/advisory/ntap-20220715-0011", - "https://security.netapp.com/advisory/ntap-20220715-0011/", - "https://security.netapp.com/advisory/ntap-20230420-0008", - 
"https://security.netapp.com/advisory/ntap-20230420-0008/", - "https://security.netapp.com/advisory/ntap-20240621-0006", - "https://security.netapp.com/advisory/ntap-20240621-0006/", - "https://ubuntu.com/security/notices/USN-5502-1", - "https://ubuntu.com/security/notices/USN-6457-1", - "https://www.cve.org/CVERecord?id=CVE-2022-2097", - "https://www.debian.org/security/2023/dsa-5343", - "https://www.openssl.org/news/secadv/20220705.txt" - ], - "PublishedDate": "2022-07-05T11:15:08.34Z", - "LastModifiedDate": "2024-06-21T19:15:23.083Z" - }, - { - "VulnerabilityID": "CVE-2022-4304", - "PkgName": "openssl-libs", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-21.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-4304", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: timing attack in RSA Decryption implementation", - "Description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation\nwhich could be sufficient to recover a plaintext across a network in a\nBleichenbacher style attack. To achieve a successful decryption an attacker\nwould have to be able to send a very large number of trial messages for\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\nRSA-OEAP and RSASVE.\n\nFor example, in a TLS connection, RSA is commonly used by a client to send an\nencrypted pre-master secret to the server. An attacker that had observed a\ngenuine connection between a client and a server could use this flaw to send\ntrial messages to the server and record the time taken to process them. 
After a\nsufficiently large number of messages the attacker could recover the pre-master\nsecret used for the original connection and thus be able to decrypt the\napplication data sent over that connection.\n\n", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-203" - ], - "CVSS": { - "ghsa": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V3Score": 5.9 - }, - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "V3Score": 5.9 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", - "V3Score": 5.9 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2023:2165", - "https://access.redhat.com/security/cve/CVE-2022-4304", - "https://bugzilla.redhat.com/1960321", - "https://bugzilla.redhat.com/2164440", - "https://bugzilla.redhat.com/2164487", - "https://bugzilla.redhat.com/2164492", - "https://bugzilla.redhat.com/2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144000", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144003", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144006", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144008", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144010", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144012", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144015", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144017", - "https://bugzilla.redhat.com/show_bug.cgi?id=2144019", - "https://bugzilla.redhat.com/show_bug.cgi?id=2145170", - "https://bugzilla.redhat.com/show_bug.cgi?id=2158412", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164440", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164487", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164488", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164492", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164494", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164497", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164499", - "https://bugzilla.redhat.com/show_bug.cgi?id=2164500", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401", - "https://errata.almalinux.org/9/ALSA-2023-2165.html", - "https://errata.rockylinux.org/RLSA-2023:0946", - "https://linux.oracle.com/cve/CVE-2022-4304.html", - "https://linux.oracle.com/errata/ELSA-2023-32791.html", - "https://nvd.nist.gov/vuln/detail/CVE-2022-4304", - "https://rustsec.org/advisories/RUSTSEC-2023-0007.html", - "https://security.gentoo.org/glsa/202402-08", - "https://ubuntu.com/security/notices/USN-5844-1", - "https://ubuntu.com/security/notices/USN-6564-1", - "https://www.cve.org/CVERecord?id=CVE-2022-4304", - "https://www.openssl.org/news/secadv/20230207.txt" - ], - "PublishedDate": "2023-02-08T20:15:23.887Z", - "LastModifiedDate": "2024-02-04T09:15:08.627Z" - }, - { - "VulnerabilityID": "CVE-2023-0465", - "PkgName": "openssl-libs", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-23.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-0465", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: Invalid certificate policies in leaf certificates are silently ignored", - "Description": "Applications that use a non-default option when verifying 
certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-295" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V3Score": 5.3 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V3Score": 5.3 - } - }, - "References": [ - "https://access.redhat.com/errata/RHSA-2023:3722", - "https://access.redhat.com/security/cve/CVE-2023-0465", - "https://bugzilla.redhat.com/2181082", - "https://bugzilla.redhat.com/2182561", - "https://bugzilla.redhat.com/2182565", - "https://bugzilla.redhat.com/2188461", - "https://bugzilla.redhat.com/2207947", - "https://errata.almalinux.org/9/ALSA-2023-3722.html", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c", - "https://linux.oracle.com/cve/CVE-2023-0465.html", - "https://linux.oracle.com/errata/ELSA-2023-3722.html", - "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-0465", - "https://security.gentoo.org/glsa/202402-08", - 
"https://security.netapp.com/advisory/ntap-20230414-0001/", - "https://ubuntu.com/security/notices/USN-6039-1", - "https://www.cve.org/CVERecord?id=CVE-2023-0465", - "https://www.debian.org/security/2023/dsa-5417", - "https://www.openssl.org/news/secadv/20230328.txt" - ], - "PublishedDate": "2023-03-28T15:15:06.82Z", - "LastModifiedDate": "2024-02-04T09:15:09.43Z" - }, - { - "VulnerabilityID": "CVE-2023-0466", - "PkgName": "openssl-libs", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-23.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-0466", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: Certificate policy check not enabled", - "Description": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. 
However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-295" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V3Score": 5.3 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "V3Score": 5.3 - } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2023/09/28/4", - "https://access.redhat.com/errata/RHSA-2023:3722", - "https://access.redhat.com/security/cve/CVE-2023-0466", - "https://bugzilla.redhat.com/2181082", - "https://bugzilla.redhat.com/2182561", - "https://bugzilla.redhat.com/2182565", - "https://bugzilla.redhat.com/2188461", - "https://bugzilla.redhat.com/2207947", - "https://errata.almalinux.org/9/ALSA-2023-3722.html", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061", - "https://linux.oracle.com/cve/CVE-2023-0466.html", - "https://linux.oracle.com/errata/ELSA-2023-3722.html", - 
"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-0466", - "https://security.gentoo.org/glsa/202402-08", - "https://security.netapp.com/advisory/ntap-20230414-0001/", - "https://ubuntu.com/security/notices/USN-6039-1", - "https://www.cve.org/CVERecord?id=CVE-2023-0466", - "https://www.debian.org/security/2023/dsa-5417", - "https://www.openssl.org/news/secadv/20230328.txt" - ], - "PublishedDate": "2023-03-28T15:15:06.88Z", - "LastModifiedDate": "2024-02-04T09:15:09.54Z" - }, - { - "VulnerabilityID": "CVE-2023-2650", - "PkgName": "openssl-libs", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-25.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-2650", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: Possible DoS translating ASN.1 object identifiers", - "Description": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. 
OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. 
This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-770" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "V3Score": 6.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "V3Score": 6.5 - } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2023/05/30/1", - "https://access.redhat.com/errata/RHSA-2023:6330", - "https://access.redhat.com/security/cve/CVE-2023-2650", - "https://bugzilla.redhat.com/1858038", - "https://bugzilla.redhat.com/2207947", - "https://errata.almalinux.org/9/ALSA-2023-6330.html", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a", - "https://linux.oracle.com/cve/CVE-2023-2650.html", - "https://linux.oracle.com/errata/ELSA-2023-6330.html", - "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-2650", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009", - "https://security.gentoo.org/glsa/202402-08", - "https://security.netapp.com/advisory/ntap-20230703-0001/", - "https://security.netapp.com/advisory/ntap-20231027-0009/", - "https://ubuntu.com/security/notices/USN-6119-1", - "https://ubuntu.com/security/notices/USN-6188-1", - "https://ubuntu.com/security/notices/USN-6672-1", - "https://www.cve.org/CVERecord?id=CVE-2023-2650", - "https://www.debian.org/security/2023/dsa-5417", 
- "https://www.openssl.org/news/secadv/20230530.txt" - ], - "PublishedDate": "2023-05-30T14:15:09.683Z", - "LastModifiedDate": "2024-02-04T09:15:09.643Z" - }, - { - "VulnerabilityID": "CVE-2023-3817", - "PkgName": "openssl-libs", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-26.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-3817", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "OpenSSL: Excessive time spent checking DH q parameter value", - "Description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. 
A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-834" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 - } - }, - "References": [ - "http://seclists.org/fulldisclosure/2023/Jul/43", - "http://www.openwall.com/lists/oss-security/2023/07/31/1", - "http://www.openwall.com/lists/oss-security/2023/09/22/11", - "http://www.openwall.com/lists/oss-security/2023/09/22/9", - "http://www.openwall.com/lists/oss-security/2023/11/06/2", - "https://access.redhat.com/errata/RHSA-2024:2447", - "https://access.redhat.com/security/cve/CVE-2023-3817", - "https://bugzilla.redhat.com/2223016", - "https://bugzilla.redhat.com/2224962", - "https://bugzilla.redhat.com/2227852", - "https://bugzilla.redhat.com/2248616", - "https://bugzilla.redhat.com/2257571", - "https://bugzilla.redhat.com/2258502", - "https://bugzilla.redhat.com/2259944", - "https://errata.almalinux.org/9/ALSA-2024-2447.html", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5", - 
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5", - "https://linux.oracle.com/cve/CVE-2023-3817.html", - "https://linux.oracle.com/errata/ELSA-2024-2447.html", - "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-3817", - "https://security.gentoo.org/glsa/202402-08", - "https://security.netapp.com/advisory/ntap-20230818-0014/", - "https://security.netapp.com/advisory/ntap-20231027-0008/", - "https://security.netapp.com/advisory/ntap-20240621-0006/", - "https://ubuntu.com/security/notices/USN-6435-1", - "https://ubuntu.com/security/notices/USN-6435-2", - "https://ubuntu.com/security/notices/USN-6450-1", - "https://ubuntu.com/security/notices/USN-6709-1", - "https://www.cve.org/CVERecord?id=CVE-2023-3817", - "https://www.openssl.org/news/secadv/20230731.txt" - ], - "PublishedDate": "2023-07-31T16:15:10.497Z", - "LastModifiedDate": "2024-06-21T19:15:28.01Z" - }, - { - "VulnerabilityID": "CVE-2023-5678", - "PkgName": "openssl-libs", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-28.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-5678", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow", - "Description": "Issue summary: Generating 
excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-754" - ], - "CVSS": { - "nvd": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "V3Score": 5.3 - } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2024/03/11/1", - "https://access.redhat.com/errata/RHSA-2024:2447", - "https://access.redhat.com/security/cve/CVE-2023-5678", - "https://bugzilla.redhat.com/2223016", - "https://bugzilla.redhat.com/2224962", - "https://bugzilla.redhat.com/2227852", - "https://bugzilla.redhat.com/2248616", - "https://bugzilla.redhat.com/2257571", - "https://bugzilla.redhat.com/2258502", - "https://bugzilla.redhat.com/2259944", - "https://errata.almalinux.org/9/ALSA-2024-2447.html", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6", - "https://linux.oracle.com/cve/CVE-2023-5678.html", - "https://linux.oracle.com/errata/ELSA-2024-2447.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-5678", - "https://security.netapp.com/advisory/ntap-20231130-0010/", - "https://ubuntu.com/security/notices/USN-6622-1", - "https://ubuntu.com/security/notices/USN-6632-1", - 
"https://ubuntu.com/security/notices/USN-6709-1", - "https://www.cve.org/CVERecord?id=CVE-2023-5678", - "https://www.openssl.org/news/secadv/20231106.txt" - ], - "PublishedDate": "2023-11-06T16:15:42.67Z", - "LastModifiedDate": "2024-05-01T18:15:12.393Z" - }, - { - "VulnerabilityID": "CVE-2024-0727", - "PkgName": "openssl-libs", - "InstalledVersion": "1.1.1k-15.cm2", - "FixedVersion": "1.1.1k-29.cm2", - "Status": "fixed", - "Layer": { - "Digest": "sha256:4324717d2f87e483bea250555338d9e622b93f0c594c5e43440c09c659606b0a", - "DiffID": "sha256:64c9ae4ff471b05d7eb2ec7d6284d687badb5717130a91bfa32b979b9ae06c99" - }, - "SeveritySource": "cbl-mariner", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-0727", - "DataSource": { - "ID": "cbl-mariner", - "Name": "CBL-Mariner Vulnerability Data", - "URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData" - }, - "Title": "openssl: denial of service via null dereference", - "Description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). 
However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", - "Severity": "MEDIUM", - "CVSS": { - "ghsa": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "V3Score": 5.5 - }, - "nvd": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "V3Score": 5.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "V3Score": 5.5 - } - }, - "References": [ - "http://www.openwall.com/lists/oss-security/2024/03/11/1", - "https://access.redhat.com/errata/RHSA-2024:2447", - "https://access.redhat.com/security/cve/CVE-2024-0727", - "https://bugzilla.redhat.com/2223016", - "https://bugzilla.redhat.com/2224962", - "https://bugzilla.redhat.com/2227852", - "https://bugzilla.redhat.com/2248616", - "https://bugzilla.redhat.com/2257571", - "https://bugzilla.redhat.com/2258502", - "https://bugzilla.redhat.com/2259944", - "https://errata.almalinux.org/9/ALSA-2024-2447.html", - "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2", - "https://github.com/github/advisory-database/pull/3472", - "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", - "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", - "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", - "https://github.com/openssl/openssl/pull/23362", - "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d", - "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", - "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", - "https://linux.oracle.com/cve/CVE-2024-0727.html", - "https://linux.oracle.com/errata/ELSA-2024-2447.html", - "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", - 
"https://security.netapp.com/advisory/ntap-20240208-0006",
- "https://security.netapp.com/advisory/ntap-20240208-0006/",
- "https://ubuntu.com/security/notices/USN-6622-1",
- "https://ubuntu.com/security/notices/USN-6632-1",
- "https://ubuntu.com/security/notices/USN-6709-1",
- "https://www.cve.org/CVERecord?id=CVE-2024-0727",
- "https://www.openssl.org/news/secadv/20240125.txt"
- ],
- "PublishedDate": "2024-01-26T09:15:07.637Z",
- "LastModifiedDate": "2024-05-01T18:15:13.057Z"
- }
- ]
- }
- ]
-}
diff --git a/pkg/buildkit/buildkit_test.go b/pkg/buildkit/buildkit_test.go
index 40b3f677..54cd6b36 100644
--- a/pkg/buildkit/buildkit_test.go
+++ b/pkg/buildkit/buildkit_test.go
@@ -271,7 +271,6 @@ func TestArrayFile(t *testing.T) {
 }
 for _, tt := range tests {
- tt := tt
 t.Run(tt.desc, func(t *testing.T) {
 b := ArrayFile(tt.input)
 assert.Equal(t, tt.expected, string(b))
diff --git a/pkg/patch/patch.go b/pkg/patch/patch.go
index ffb1652b..2127328d 100644
--- a/pkg/patch/patch.go
+++ b/pkg/patch/patch.go
@@ -335,6 +335,8 @@ func getOSType(ctx context.Context, osreleaseBytes []byte) (string, error) {
 return "centos", nil
 case strings.Contains(osType, "mariner"):
 return "cbl-mariner", nil
+ case strings.Contains(osType, "azure linux"):
+ return "azurelinux", nil
 case strings.Contains(osType, "red hat"):
 return "redhat", nil
 case strings.Contains(osType, "rocky"):
diff --git a/pkg/patch/patch_test.go b/pkg/patch/patch_test.go
index 359969a3..0f153cd9 100644
--- a/pkg/patch/patch_test.go
+++ b/pkg/patch/patch_test.go
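Review bot: The new `azure linux` case in getOSType keys on a substring of what appears to be the human-readable distro name, while the os-release fixture added in patch_test.go carries `ID=azurelinux`, which is the field designed to be a stable identifier; if osType is derived from NAME/PRETTY_NAME rather than ID (the derivation sits above the hunk, so this is inferred), the match breaks the moment the marketing name changes. Ordering is also load-bearing in this switch: a name containing both "mariner" and "azure linux" is classified by the earlier `mariner` case, and nothing says whether that is intended. A one-line comment above the new case would document both points, e.g. `// Azure Linux 3.0+ reports NAME="Microsoft Azure Linux"; CBL-Mariner (1.x/2.x) is matched by the "mariner" case above`. getOSType's body starts and ends outside the hunk.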
@@ -144,6 +144,19 @@ func TestGetOSType(t *testing.T) {
 err: nil,
 expectedOSType: "cbl-mariner",
 },
+ {
+ osRelease: []byte(`NAME="Microsoft Azure Linux"
+ VERSION="3.0.20240727"
+ ID=azurelinux
+ VERSION_ID="3.0"
+ PRETTY_NAME="Microsoft Azure Linux 3.0"
+ ANSI_COLOR="1;34"
+ HOME_URL="https://aka.ms/azurelinux"
+ BUG_REPORT_URL="https://aka.ms/azurelinux"
+ SUPPORT_URL="https://aka.ms/azurelinux"`),
+ err: nil,
+ expectedOSType: "azurelinux",
+ },
 {
 osRelease: []byte(`NAME="Red Hat Enterprise Linux"
 VERSION="8.9 (Ootpa)"
@@ -157,7 +170,7 @@ func TestGetOSType(t *testing.T) {
 HOME_URL="https://www.redhat.com/"
 DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
 BUG_REPORT_URL="https://bugzilla.redhat.com/"
-
+
 REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
 REDHAT_BUGZILLA_PRODUCT_VERSION=8.9
 REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
@@ -199,7 +212,7 @@ func TestGetOSType(t *testing.T) {
 CPE_NAME="cpe:/o:oracle:linux:7:9:server"
 HOME_URL="https://linux.oracle.com/"
 BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
-
+
 ORACLE_BUGZILLA_PRODUCT="Oracle Linux 7"
 ORACLE_BUGZILLA_PRODUCT_VERSION=7.9
 ORACLE_SUPPORT_PRODUCT="Oracle Linux"
@@ -221,7 +234,7 @@ func TestGetOSType(t *testing.T) {
 CPE_NAME="cpe:/o:oracle:linux:8:9:server"
 HOME_URL="https://linux.oracle.com/"
 BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
-
+
 ORACLE_BUGZILLA_PRODUCT="Oracle Linux 8"
 ORACLE_BUGZILLA_PRODUCT_VERSION=8.9
 ORACLE_SUPPORT_PRODUCT="Oracle Linux"
diff --git a/pkg/pkgmgr/dpkg.go b/pkg/pkgmgr/dpkg.go
index 8f18810e..38527e64 100644
--- a/pkg/pkgmgr/dpkg.go
+++ b/pkg/pkgmgr/dpkg.go
@@ -101,9 +101,9 @@ func getDPKGStatusType(b []byte) dpkgStatusType {
 return DPKGStatusNone
 }
- st, err := strconv.Atoi(string(b))
+ st, err := strconv.ParseUint(string(b), 10, 32)
 if err != nil {
- st = int(DPKGStatusNone)
+ st = uint64(DPKGStatusNone)
 }
 // convert ascii digit to byte
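Review bot: `strconv.ParseUint(string(b), 10, 32)` now rejects negative and over-32-bit input, but the value is still narrowed to `dpkgStatusType` right after the hunk (`// convert ascii digit to byte`), so an input such as `300` passes the `err != nil` guard and is silently truncated on that conversion instead of falling back to `DPKGStatusNone`. If `dpkgStatusType` is byte-sized, as the comment suggests, `st, err := strconv.ParseUint(string(b), 10, 8)` makes the existing fallback cover out-of-range input as well; a value above the highest defined status constant would still need its own check, which the bit size alone does not provide. getDPKGStatusType's body continues outside the hunk.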
@@ -407,12 +407,12 @@ func (dm *dpkgManager) unpackAndMergeUpdates(ctx context.Context, updates unvers
 `bash`, `-c`, `
 json_str=$PACKAGES_PRESENT
 update_packages=""
-
+
 while IFS=':' read -r package version; do
 pkg_name=$(echo "$package" | sed 's/^"\(.*\)"$/\1/')
 pkg_version=$(echo "$version" | sed 's/^"\(.*\)"$/\1/')
 latest_version=$(apt-cache show $pkg_name 2>/dev/null | awk -F ': ' '/Version:/{print $2}')
-
+
 if [ "$latest_version" != "$pkg_version" ]; then
 update_packages="$update_packages $pkg_name"
 fi
diff --git a/pkg/pkgmgr/pkgmgr.go b/pkg/pkgmgr/pkgmgr.go
index 15fe6c68..3d68370e 100644
--- a/pkg/pkgmgr/pkgmgr.go
+++ b/pkg/pkgmgr/pkgmgr.go
@@ -30,11 +30,23 @@ type PackageManager interface {
 func GetPackageManager(osType string, osVersion string, config *buildkit.Config, workingFolder string) (PackageManager, error) {
 switch osType {
 case "alpine":
- return &apkManager{config: config, workingFolder: workingFolder}, nil
+ return &apkManager{
+ config: config,
+ workingFolder: workingFolder,
+ }, nil
 case "debian", "ubuntu":
- return &dpkgManager{config: config, workingFolder: workingFolder, osVersion: osVersion}, nil
- case "cbl-mariner", "centos", "oracle", "redhat", "rocky", "amazon":
- return &rpmManager{config: config, workingFolder: workingFolder, osVersion: osVersion}, nil
+ return &dpkgManager{
+ config: config,
+ workingFolder: workingFolder,
+ osVersion: osVersion,
+ }, nil
+ case "cbl-mariner", "azurelinux", "centos", "oracle", "redhat", "rocky", "amazon":
+ return &rpmManager{
+ config: config,
+ workingFolder: workingFolder,
+ osType: osType,
+ osVersion: osVersion,
+ }, nil
 default:
 return nil, fmt.Errorf("unsupported osType %s specified", osType)
 }
diff --git a/pkg/pkgmgr/pkgmgr_test.go b/pkg/pkgmgr/pkgmgr_test.go
index 03229a41..349e6e61 100644
--- a/pkg/pkgmgr/pkgmgr_test.go
+++ b/pkg/pkgmgr/pkgmgr_test.go
@@ -63,6 +63,18 @@ func TestGetPackageManager(t *testing.T) {
 assert.IsType(t, &rpmManager{}, manager)
 })
+ t.Run("should return an rpmManager for azurelinux", func(t *testing.T) {
+ // Call the GetPackageManager function with "azurelinux" as osType
+ manager, err := GetPackageManager("azurelinux", "1.0", config, workingFolder)
+
+ // Assert that there is no error and the manager is not nil
+ assert.NoError(t, err)
+ assert.NotNil(t, manager)
+
+ // Assert that the manager is an instance of rpmManager
+ assert.IsType(t, &rpmManager{}, manager)
+ })
+
 t.Run("should return an rpmManager for redhat", func(t *testing.T) {
 // Call the GetPackageManager function with "redhat" as osType
 manager, err := GetPackageManager("redhat", "1.0", config, workingFolder)
diff --git a/pkg/pkgmgr/rpm.go b/pkg/pkgmgr/rpm.go
index a376afa1..c8c44840 100644
--- a/pkg/pkgmgr/rpm.go
+++ b/pkg/pkgmgr/rpm.go
@@ -45,6 +45,7 @@ type rpmManager struct {
 rpmTools rpmToolPaths
 isDistroless bool
 packageInfo map[string]string
+ osType string
 osVersion string
 }
@@ -107,19 +108,26 @@ func isLessThanRPMVersion(v1, v2 string) bool {
 }
 // Map the target image OSType & OSVersion to an appropriate tooling image.
-func getRPMImageName(manifest *unversioned.UpdateManifest) string {
- // Standardize on mariner as tooling image base as redhat/ubi does not provide
- // static busybox binary
- image := "mcr.microsoft.com/cbl-mariner/base/core"
- version := "2.0"
- if manifest != nil && manifest.Metadata.OS.Type == "cbl-mariner" {
- // Use appropriate version of cbl-mariner image if available
- vers := strings.Split(manifest.Metadata.OS.Version, ".")
- if len(vers) < 2 {
- vers = append(vers, "0")
- }
- version = fmt.Sprintf("%s.%s", vers[0], vers[1])
+func getRPMImageName(manifest *unversioned.UpdateManifest, osType string, osVersion string) string {
+ var image, version string
+
+ if osType == "azurelinux" {
+ image = "mcr.microsoft.com/azurelinux/base/core"
+ version = osVersion
+ } else {
+ // Standardize on cbl-mariner as tooling image base as redhat/ubi does not provide static busybox binary
+ image = "mcr.microsoft.com/cbl-mariner/base/core"
+ version = "2.0"
+
+ if manifest != nil && manifest.Metadata.OS.Type == "cbl-mariner" {
+ vers := strings.Split(manifest.Metadata.OS.Version, ".")
+ if len(vers) < 2 {
+ vers = append(vers, "0")
+ }
+ version = fmt.Sprintf("%s.%s", vers[0], vers[1])
+ }
 }
+
 log.Debugf("Using %s:%s as basis for tooling image", image, version)
 return fmt.Sprintf("%s:%s", image, version)
 }
@@ -210,7 +218,7 @@ func (rm *rpmManager) InstallUpdates(ctx context.Context, manifest *unversioned.
 log.Debugf("latest unique RPMs: %v", updates)
 }
- toolImageName := getRPMImageName(manifest)
+ toolImageName := getRPMImageName(manifest, rm.osType, rm.osVersion)
 if err := rm.probeRPMStatus(ctx, toolImageName); err != nil {
 return nil, nil, err
 }
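Review bot: In the `azurelinux` branch of getRPMImageName the tooling-image tag is `osVersion` verbatim, while the cbl-mariner branch still reduces `manifest.Metadata.OS.Version` to `major.minor`; an osVersion with a patch component (the sibling rpm_test.go case passes `"2.0.0"` for cbl-mariner, so such strings do reach this function) yields a tag like `mcr.microsoft.com/azurelinux/base/core:3.0.20240727` that does not exist, and an empty osVersion yields the tag-less reference `mcr.microsoft.com/azurelinux/base/core:`. Because osVersion is ultimately read from the target image's own os-release, applying the same major.minor normalisation on both branches keeps the pulled reference well-formed regardless of how the version was reported; an empty version is a separate decision (default or error) that belongs at the InstallUpdates call site since this function returns only a string. The second hunk (`rm.osType`, `rm.osVersion` call site) is fine as is.
```go
func getRPMImageName(manifest *unversioned.UpdateManifest, osType string, osVersion string) string {
	var image, version string

	if osType == "azurelinux" {
		image = "mcr.microsoft.com/azurelinux/base/core"
		// osVersion comes from the target image's os-release; reduce it to
		// major.minor so a patch suffix cannot produce a non-existent tag.
		version = majorMinorVersion(osVersion)
	} else {
		// … unchanged: cbl-mariner default path …
	}
	// … unchanged: debug log and return …
}

// majorMinorVersion reduces "3.0.20240727" to "3.0" and "3" to "3.0".
func majorMinorVersion(v string) string {
	vers := strings.Split(v, ".")
	if len(vers) < 2 {
		vers = append(vers, "0")
	}
	return fmt.Sprintf("%s.%s", vers[0], vers[1])
}
```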
@@ -348,7 +356,7 @@ func (rm *rpmManager) probeRPMStatus(ctx context.Context, toolImage string) erro
 }
 var allErrors *multierror.Error
- if rpmTools["dnf"] == "" && rpmTools["yum"] == "" && rpmTools["microdnf"] == "" {
+ if rpmTools["tdnf"] == "" && rpmTools["dnf"] == "" && rpmTools["yum"] == "" && rpmTools["microdnf"] == "" {
 err = errors.New("image contains no RPM package managers needed for patching")
 log.Error(err)
 allErrors = multierror.Append(allErrors, err)
@@ -449,14 +457,18 @@ func (rm *rpmManager) installUpdates(ctx context.Context, updates unversioned.Up
 // Install patches using available rpm managers in order of preference
 var installCmd string
 switch {
- case rm.rpmTools["dnf"] != "":
- checkUpdateTemplate := `sh -c "%[1]s check-update; if [ $? -ne 0 ]; then echo >> /updates.txt; fi"`
- if !rm.checkForUpgrades(ctx, rm.rpmTools["dnf"], checkUpdateTemplate) {
+ case rm.rpmTools["tdnf"] != "" || rm.rpmTools["dnf"] != "":
+ dnfTooling := rm.rpmTools["tdnf"]
+ if dnfTooling == "" {
+ dnfTooling = rm.rpmTools["dnf"]
+ }
+ checkUpdateTemplate := `sh -c "$(%[1]s -q check-update | wc -l); if [ $? -ne 0 ]; then echo >> /updates.txt; fi"`
+ if !rm.checkForUpgrades(ctx, dnfTooling, checkUpdateTemplate) {
 return nil, nil, fmt.Errorf("no patchable packages found")
 }
 const dnfInstallTemplate = `sh -c '%[1]s upgrade %[2]s -y && %[1]s clean all'`
- installCmd = fmt.Sprintf(dnfInstallTemplate, rm.rpmTools["dnf"], pkgs)
+ installCmd = fmt.Sprintf(dnfInstallTemplate, dnfTooling, pkgs)
 case rm.rpmTools["yum"] != "":
 checkUpdateTemplate := `sh -c 'if [ "$(%[1]s -q check-update | wc -l)" -ne 0 ]; then echo >> /updates.txt; fi'`
 if !rm.checkForUpgrades(ctx, rm.rpmTools["yum"], checkUpdateTemplate) {
diff --git a/pkg/pkgmgr/rpm_test.go b/pkg/pkgmgr/rpm_test.go
index f088b445..9c8fdc09 100644
--- a/pkg/pkgmgr/rpm_test.go
+++ b/pkg/pkgmgr/rpm_test.go
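Review bot: The new dnf/tdnf `checkUpdateTemplate` in installUpdates is broken: `sh -c "$(%[1]s -q check-update | wc -l); if [ $? -ne 0 ]; ..."` command-substitutes the line count and then executes that number as a command, so `$?` reflects "command not found" for `0` or `12` alike, and the marker is written to /updates.txt whether or not updates exist, which defeats the "no patchable packages found" guard below it. The yum case two lines further down already has the intended shape; use the same template here: ``checkUpdateTemplate := `sh -c 'if [ "$(%[1]s -q check-update | wc -l)" -ne 0 ]; then echo >> /updates.txt; fi'` ``. The old template relied on dnf's non-zero `check-update` exit status; whether tdnf behaves the same is not visible here, so counting output lines as yum does is the safer common form for both tools. installUpdates' body starts and ends outside the hunk.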
@@ -96,12 +96,15 @@ func TestIsLessThanRPMVersion(t *testing.T) {
 // TestGetRPMImageName tests the getRPMImageName function with different manifest inputs.
 func TestGetRPMImageName(t *testing.T) {
- // Define test cases with input manifest and expected output image name
 testCases := []struct {
- manifest *unversioned.UpdateManifest
- image string
+ name string // Adding name for better test identification
+ manifest *unversioned.UpdateManifest
+ osType string
+ osVersion string
+ image string
 }{
 {
+ name: "CBL-Mariner 2.0",
 manifest: &unversioned.UpdateManifest{
 Metadata: unversioned.Metadata{
 OS: unversioned.OS{
@@ -110,9 +113,12 @@ func TestGetRPMImageName(t *testing.T) {
 },
 },
 },
- image: "mcr.microsoft.com/cbl-mariner/base/core:2.0",
+ osType: "cbl-mariner",
+ osVersion: "2.0.0",
+ image: "mcr.microsoft.com/cbl-mariner/base/core:2.0",
 },
 {
+ name: "CBL-Mariner 1.5",
 manifest: &unversioned.UpdateManifest{
 Metadata: unversioned.Metadata{
 OS: unversioned.OS{
@@ -121,9 +127,12 @@ func TestGetRPMImageName(t *testing.T) {
 },
 },
 },
- image: "mcr.microsoft.com/cbl-mariner/base/core:1.5",
+ osType: "cbl-mariner",
+ osVersion: "1.5",
+ image: "mcr.microsoft.com/cbl-mariner/base/core:1.5",
 },
 {
+ name: "CBL-Mariner 3 (default minor version)",
 manifest: &unversioned.UpdateManifest{
 Metadata: unversioned.Metadata{
 OS: unversioned.OS{
@@ -132,27 +141,58 @@ func TestGetRPMImageName(t *testing.T) {
 },
 },
 },
- image: "mcr.microsoft.com/cbl-mariner/base/core:3.0", // default minor version to 0
+ osType: "cbl-mariner",
+ osVersion: "3",
+ image: "mcr.microsoft.com/cbl-mariner/base/core:3.0",
 },
 {
+ name: "Azure Linux 3.0",
 manifest: &unversioned.UpdateManifest{
 Metadata: unversioned.Metadata{
 OS: unversioned.OS{
- Type: "redhat",
- Version: "8.4",
+ Type: "azurelinux",
+ Version: "3.0",
 },
 },
 },
- image: "mcr.microsoft.com/cbl-mariner/base/core:2.0", // use default version of cbl-mariner image
+ osType: "azurelinux",
+ osVersion: "3.0",
+ image: "mcr.microsoft.com/azurelinux/base/core:3.0",
+ },
+ {
+ name: "Azure Linux 3.0 without update manifest",
+ manifest: &unversioned.UpdateManifest{},
+ osType: "azurelinux",
+ osVersion: "3.0",
+ image: "mcr.microsoft.com/azurelinux/base/core:3.0",
+ },
+ {
+ name: "Azure Linux future version",
+ manifest: &unversioned.UpdateManifest{},
+ osType: "azurelinux",
+ osVersion: "999.0",
+ image: "mcr.microsoft.com/azurelinux/base/core:999.0",
+ },
+ {
+ name: "RedHat (defaults to Azure Linux)",
+ manifest: &unversioned.UpdateManifest{},
+ osType: "redhat",
+ osVersion: "8.4",
+ image: "mcr.microsoft.com/cbl-mariner/base/core:2.0", // uses default CBL-Mariner image
+ },
+ {
+ name: "Nil manifest",
+ manifest: nil,
+ osType: "",
+ osVersion: "",
+ image: "mcr.microsoft.com/cbl-mariner/base/core:2.0", // uses default CBL-Mariner image
 },
 }
- // Loop over test cases and run getRPMImageName function with each input manifest
+ // Loop over test cases and run getRPMImageName function with each input
 for _, tc := range testCases {
- t.Run(tc.image, func(t *testing.T) {
- image := getRPMImageName(tc.manifest)
-
- // Use testify package to assert that the output image name matches the expected one
+ t.Run(tc.name, func(t *testing.T) {
+ image := getRPMImageName(tc.manifest, tc.osType, tc.osVersion)
 assert.Equal(t, tc.image, image)
 })
 }
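Review bot: The case named `"RedHat (defaults to Azure Linux)"` asserts `mcr.microsoft.com/cbl-mariner/base/core:2.0`, so its name contradicts its expectation and the trailing comment; rename it to `name: "RedHat (defaults to CBL-Mariner)",`. The azurelinux cases only exercise `major.minor` versions (`"3.0"`, `"999.0"`) while the cbl-mariner case above passes `"2.0.0"`; an azurelinux case with a three-component osVersion, and one with an empty osVersion, would pin what the new branch actually emits for such input instead of leaving it unspecified. The table and the loop are complete within the hunk.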
diff --git a/test/e2e/plugin_test.go b/test/e2e/plugin_test.go
index 8ce39967..9fedb959 100644
--- a/test/e2e/plugin_test.go
+++ b/test/e2e/plugin_test.go
@@ -27,12 +27,11 @@ func TestPlugins(t *testing.T) {
 }
 for _, tc := range testCases {
- tc := tc // capture range variable
 t.Run(tc.image, func(t *testing.T) {
 t.Parallel()
 _, err := runPatch(tc.image, tc.report)
 if err != nil {
- assert.Equal(t, tc.err, fmt.Errorf(err.Error()))
+ assert.Equal(t, tc.err, fmt.Errorf("%s", err.Error()))
 } else {
 assert.Equal(t, tc.err, nil)
 }
diff --git a/website/docs/faq.md b/website/docs/faq.md
index 4d6927b5..5d70143f 100644
--- a/website/docs/faq.md
+++ b/website/docs/faq.md
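Review bot: `fmt.Errorf("%s", err.Error())` silences the non-constant-format-string vet finding but keeps the detour of rebuilding an error value only to compare it structurally; the intent is a message comparison, which `assert.EqualError(t, err, tc.err.Error())` states directly on that line (valid when tc.err is non-nil on this branch, which the old assertion already assumed), or `errors.New(err.Error())` if value comparison is wanted and the `errors` import is available. Dropping `tc := tc` is consistent with the Go 1.23 bump elsewhere in this commit. The `t.Run` closure and the loop end outside the hunk.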
@@ -15,21 +15,32 @@ To patch vulnerabilities for applications, you can package these applications an
 ## My disk space is being filled up after using Copa. How can I fix this?
-If you find that your storage is rapidly being taken up after working with Copa, run `docker system prune`. This will prune all unused images, containers and caches.
+If you find that your storage is rapidly being taken up after working with Copa, run `docker system prune`. This will prune all unused images, containers and caches.
 ## How does Copa determine what tooling image to use?
 All images being passed into Copa have their versioning data carefully extracted and stripped so that an appropriate tooling image can be obtained from a container repository.
-Debian: All debian-based images have their `minor.patch` versioning stripped and `-slim` appended. e.g. if `nginx:1.21.6` is being patched, `debian:11-slim` is used as the tooling image.
+### DPKG
-Ubuntu: All Ubuntu-based images use the same versioning that was passed in. e.g. if `tomcat:10.1.17-jre17-temurin-jammy` is passed in, `ubuntu:22.04` will be used for the tooling image.
+#### Debian
+All debian-based images have their `minor.patch` versioning stripped and `-slim` appended. e.g. if `nginx:1.21.6` is being patched, `debian:11-slim` is used as the tooling image.
+
+#### Ubuntu
+All Ubuntu-based images use the same versioning that was passed in. e.g. if `tomcat:10.1.17-jre17-temurin-jammy` is passed in, `ubuntu:22.04` will be used for the tooling image.
 There is one caveat for Ubuntu-based images. If an Ubuntu-based image is being patched without a Trivy scan, Copa is unable to parse a scan for versioning information. In these scenarios, Copa will fallback to `debian:stable-slim` as the tooling image.
-RPM: All RPM-based images will use `mcr.microsoft.com/cbl-mariner/base/core:2.0` as the tooling image.
+### RPM
+
+#### Azure Linux 3.0+
+Azure Linux based images will use `mcr.microsoft.com/azurelinux/base/core` with the same version as the image being patched.
+
+#### CBL-Mariner (Azure Linux 1 and 2), CentOS, Oracle Linux, Rocky Linux, and Amazon Linux
+These RPM-based distros will use `mcr.microsoft.com/cbl-mariner/base/core:2.0`
-APK: APK-based images never use a tooling image, as Copa does not patch distroless alpine images.
+### APK (Alpine)
+APK-based images never use a tooling image, as Copa does not patch distroless alpine images.
 ## After Copa patched the image, why does the scanner still show patched OS package vulnerabilities?