CVE-2023-44487 was not detected in jar file

[DuyTran-TomTom]

IDs

CVE-2023-44487

Description

CVE-2023-44487 is presented in netty-* packages from 4.1.0 to up to and excluding 4.1.100

https://netty.io/news/2023/10/10/4-1-100-Final.html
https://nvd.nist.gov/vuln/detail/CVE-2023-44487

This CVE was not detected by trivy scan.

Reproduction Steps

1. Build jar file with netty version below 4.1.100
2. Dockerize mentioned jar file
3. Run trivy scan on that image

Target

Container Image

Scanner

Vulnerability

Target OS

Ubuntu 22.04

Debug Output

trivy image xxx:1.0.0 --debug
2023-11-01T17:39:53.573+0100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-01T17:39:53.573+0100	DEBUG	Ignore statuses	{"statuses": null}
2023-11-01T17:39:53.587+0100	DEBUG	cache dir:  /Users/x/Library/Caches/trivy
2023-11-01T17:39:53.588+0100	DEBUG	DB update was skipped because the local DB is the latest
2023-11-01T17:39:53.588+0100	DEBUG	DB Schema: 2, UpdatedAt: 2023-11-01 12:23:03.331804893 +0000 UTC, NextUpdate: 2023-11-01 18:23:03.331803393 +0000 UTC, DownloadedAt: 2023-11-01 16:22:41.413072 +0000 UTC
2023-11-01T17:39:53.589+0100	INFO	Vulnerability scanning is enabled
2023-11-01T17:39:53.589+0100	DEBUG	Vulnerability type:  [os library]
2023-11-01T17:39:53.589+0100	INFO	Secret scanning is enabled
2023-11-01T17:39:53.589+0100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-01T17:39:53.589+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-11-01T17:39:53.650+0100	DEBUG	No secret config detected: trivy-secret.yaml
2023-11-01T17:39:53.651+0100	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-11-01T17:39:53.651+0100	DEBUG	No secret config detected: trivy-secret.yaml
2023-11-01T17:39:53.652+0100	DEBUG	Image ID: sha256:d4c1780d8d04ec33a187a70b3dfcdfeea1ccbbacfb06e8a7a22dfcbe3b1584a2
2023-11-01T17:39:53.652+0100	DEBUG	Diff IDs: [sha256:4693057ce2364720d39e57e85a5b8e0bd9ac3573716237736d6470ec5b7b7230 sha256:1061c27d7cdf5af544ae24b937a7ddf5452a1eca7e673f4a30d091b3781aa42d sha256:c8f2cb4a73e6463357af2b6bbe027963c9c6b3e98cd38828bcdbb267a8030ec3 sha256:886a2e4f7e2f2c078c7e83f80f135ba9335c05c9676c371d8f2ebb37ab904499 sha256:43c4ce75b6808e0a0dd6f52d113b09bf2b2b974054498f3863969c547a7ba559 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:5bff94ac216df04e57cd93bd1a24b64a114fb842feb5b760783e7ed4f815385a sha256:d4c78932ac02741d6aa26bf7eccc9f8282fe27f709d46ebb0973d22b1b2ce8b5 sha256:fd0e7892bfe5bf854b03355fd91826a6bba06d2fd33ff192cd40e595149b9573 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:0a6913e15f0ba2171858e7dad4a1370c90c85bf6ab903235ae63a3c04e35f575 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2023-11-01T17:39:53.652+0100	DEBUG	Base Layers: [sha256:4693057ce2364720d39e57e85a5b8e0bd9ac3573716237736d6470ec5b7b7230 sha256:1061c27d7cdf5af544ae24b937a7ddf5452a1eca7e673f4a30d091b3781aa42d sha256:c8f2cb4a73e6463357af2b6bbe027963c9c6b3e98cd38828bcdbb267a8030ec3 sha256:886a2e4f7e2f2c078c7e83f80f135ba9335c05c9676c371d8f2ebb37ab904499 sha256:43c4ce75b6808e0a0dd6f52d113b09bf2b2b974054498f3863969c547a7ba559]
2023-11-01T17:39:53.655+0100	INFO	Detected OS: alpine
2023-11-01T17:39:53.655+0100	INFO	Detecting Alpine vulnerabilities...
2023-11-01T17:39:53.655+0100	DEBUG	alpine: os version: 3.18
2023-11-01T17:39:53.655+0100	DEBUG	alpine: package repository: 3.18
2023-11-01T17:39:53.655+0100	DEBUG	alpine: the number of packages: 40
2023-11-01T17:39:53.657+0100	INFO	Number of language-specific files: 1
2023-11-01T17:39:53.657+0100	INFO	Detecting jar vulnerabilities...
2023-11-01T17:39:53.657+0100	DEBUG	Detecting library vulnerabilities, type: jar, path: 

xxx:1.0.0 (alpine 3.18.3)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                     Title                     │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ MEDIUM   │ fixed  │ 3.1.2-r0          │ 3.1.4-r0      │ Incorrect cipher key and IV length processing │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363     │
├────────────┤               │          │        │                   │               │                                               │
│ libssl3    │               │          │        │                   │               │                                               │
│            │               │          │        │                   │               │                                               │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────┘
2023-11-01T17:39:53.670+0100	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌───────────────────────────────────────────────────┬─────────────────────┬──────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                      Library                      │    Vulnerability    │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                            │
├───────────────────────────────────────────────────┼─────────────────────┼──────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ io.netty:netty-codec-http2 (application.jar)      │ GHSA-xpw8-rcwv-8f8p │ MEDIUM   │ fixed    │ 4.1.99.Final      │ 4.1.100.Final │ io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset │
│                                                   │                     │          │          │                   │               │ Attack                                                      │
│                                                   │                     │          │          │                   │               │ https://github.com/advisories/GHSA-xpw8-rcwv-8f8p           │
├───────────────────────────────────────────────────┼─────────────────────┤          ├──────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ io.netty:netty-handler (application.jar)          │ CVE-2023-4586       │          │ affected │                   │               │ Hot Rod client does not enable hostname validation when     │
│                                                   │                     │          │          │                   │               │ using TLS...                                                │
│                                                   │                     │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-4586                   │
├───────────────────────────────────────────────────┼─────────────────────┤          ├──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.bouncycastle:bcprov-jdk18on (application.jar) │ CVE-2023-33201      │          │ fixed    │ 1.73              │ 1.74          │ potential blind LDAP injection attack using a self-signed   │
│                                                   │                     │          │          │                   │               │ certificate                                                 │
│                                                   │                     │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-33201                  │
└───────────────────────────────────────────────────┴─────────────────────┴──────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Version

trivy --version                                                                                                                            
Version: 0.46.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-01 12:23:03.331804893 +0000 UTC
  NextUpdate: 2023-11-01 18:23:03.331803393 +0000 UTC
  DownloadedAt: 2023-11-01 16:22:41.413072 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-11-01 00:58:41.918311516 +0000 UTC
  NextUpdate: 2023-11-04 00:58:41.918311016 +0000 UTC
  DownloadedAt: 2023-11-01 16:24:22.825474 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @DuyTran-TomTom
Thanks for your report!

Looks like GHSA hasn't information that java package is vulnerable - GHSA-qppj-fm5r-hxr3
Can you create PR for GitHub to add this package?

Regards, Dmitriy