False positive on node.js 18.18.2 on Oracle Linux #5672

bianjp · 2023-11-28T08:22:25Z

bianjp
Nov 28, 2023

IDs

CVE-2023-38552, CVE-2023-39331, CVE-2023-39332, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143

Description

According to Oracle errata, four CVE are fixed in nodejs-18.18.2: CVE-2023-38552, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143
According to https://avd.aquasec.com/nvd/2023/cve-2023-39331/, https://avd.aquasec.com/nvd/2023/cve-2023-39332/, these two CVE only affects nodejs 20.x, so nodejs 18.x shoud not be reported: CVE-2023-39331, CVE-2023-39332

Sorry I don't know how to check whether Oracle oval data source is correct.

Reproduction Steps

1. Build an image based on oraclelinux:8: `docker build -t test .`
   
   FROM oraclelinux:8
   RUN yum module enable nodejs:18 && yum install -y nodejs && yum clean all
   
2. Scan the image: `trivy image test`

Target

Container Image

Scanner

Vulnerability

Target OS

Oracle Linux 8

Debug Output

2023-11-28T15:41:22.318+0800  DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-28T15:41:22.319+0800  DEBUG Ignore statuses {"statuses": null}
2023-11-28T15:41:22.321+0800  DEBUG cache dir:  /home/bianjp/.cache/trivy
2023-11-28T15:41:22.321+0800  DEBUG DB update was skipped because the local DB is the latest
2023-11-28T15:41:22.321+0800  DEBUG DB Schema: 2, UpdatedAt: 2023-11-28 06:10:28.918789361 +0000 UTC, NextUpdate: 2023-11-28 12:10:28.91878909 +0000 UTC, DownloadedAt: 2023-11-28 07:21:17.576165156 +0000 UTC
2023-11-28T15:41:22.321+0800  INFO  Vulnerability scanning is enabled
2023-11-28T15:41:22.321+0800  DEBUG Vulnerability type:  [os library]
2023-11-28T15:41:22.321+0800  INFO  Secret scanning is enabled
2023-11-28T15:41:22.321+0800  INFO  If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-28T15:41:22.321+0800  INFO  Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-11-28T15:41:22.323+0800  DEBUG No secret config detected: trivy-secret.yaml
2023-11-28T15:41:22.323+0800  DEBUG The nuget packages directory couldn't be found. License search disabled
2023-11-28T15:41:22.323+0800  DEBUG No secret config detected: trivy-secret.yaml
2023-11-28T15:41:22.323+0800  DEBUG Image ID: sha256:3044d8c0cb0b8a054f5881481a4e108b0490a7ee83994f2d8859244ce58895e4
2023-11-28T15:41:22.323+0800  DEBUG Diff IDs: [sha256:fa8c1b6b6fb93702a297d2c7d54b733af1ba473f87287c7f098de2f9a22842db sha256:f4a0491903ba376bbd762a00106650967a0b648b1b88bcf95a41b743bf7bb946]
2023-11-28T15:41:22.323+0800  DEBUG Base Layers: [sha256:fa8c1b6b6fb93702a297d2c7d54b733af1ba473f87287c7f098de2f9a22842db]
2023-11-28T15:41:22.325+0800  DEBUG Missing image ID in cache: sha256:3044d8c0cb0b8a054f5881481a4e108b0490a7ee83994f2d8859244ce58895e4
2023-11-28T15:41:22.325+0800  DEBUG Missing diff ID in cache: sha256:f4a0491903ba376bbd762a00106650967a0b648b1b88bcf95a41b743bf7bb946
2023-11-28T15:41:27.061+0800  DEBUG No secrets found in container image config
2023-11-28T15:41:27.067+0800  INFO  Detected OS: oracle
2023-11-28T15:41:27.067+0800  INFO  Detecting Oracle Linux vulnerabilities...
2023-11-28T15:41:27.067+0800  DEBUG Oracle Linux: os version: 8
2023-11-28T15:41:27.067+0800  DEBUG Oracle Linux: the number of packages: 186
2023-11-28T15:41:27.074+0800  INFO  Number of language-specific files: 0

test (oracle 8.8)

Total: 29 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 25, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────────────────────────────────────┬───────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │                 Installed Version                 │                   Fixed Version                   │                            Title                            │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────────────────────────────────────┼───────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ nodejs           │ CVE-2023-38552 │ HIGH     │        │ 1:18.18.2-1.module+el8.8.0+21193+eb5c830b         │ 1:20.8.1-1.module+el8.9.0+90082+b6a613a6          │ nodejs: integrity checks according to policies can be       │
│                  │                │          │        │                                                   │                                                   │ circumvented                                                │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-38552                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39331 │          │        │                                                   │                                                   │ nodejs: permission model improperly protects against path   │
│                  │                │          │        │                                                   │                                                   │ traversal                                                   │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-39331                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39332 │          │        │                                                   │                                                   │ nodejs: path traversal through path stored in Uint8Array    │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-39332                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39333 │          │        │                                                   │                                                   │ nodejs: code injection via WebAssembly export names         │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-39333                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-44487 │          │        │                                                   │                                                   │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable  │
│                  │                │          │        │                                                   │                                                   │ to a DDoS attack...                                         │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-44487                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-45143 │          │        │                                                   │                                                   │ node-undici: cookie leakage                                 │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-45143                  │
├──────────────────┼────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│ nodejs-docs      │ CVE-2023-38552 │          │        │                                                   │                                                   │ nodejs: integrity checks according to policies can be       │
│                  │                │          │        │                                                   │                                                   │ circumvented                                                │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-38552                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39331 │          │        │                                                   │                                                   │ nodejs: permission model improperly protects against path   │
│                  │                │          │        │                                                   │                                                   │ traversal                                                   │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-39331                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39332 │          │        │                                                   │                                                   │ nodejs: path traversal through path stored in Uint8Array    │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-39332                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39333 │          │        │                                                   │                                                   │ nodejs: code injection via WebAssembly export names         │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-39333                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-44487 │          │        │                                                   │                                                   │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable  │
│                  │                │          │        │                                                   │                                                   │ to a DDoS attack...                                         │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-44487                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-45143 │          │        │                                                   │                                                   │ node-undici: cookie leakage                                 │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-45143                  │
├──────────────────┼────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│ nodejs-full-i18n │ CVE-2023-38552 │          │        │                                                   │                                                   │ nodejs: integrity checks according to policies can be       │
│                  │                │          │        │                                                   │                                                   │ circumvented                                                │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-38552                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39331 │          │        │                                                   │                                                   │ nodejs: permission model improperly protects against path   │
│                  │                │          │        │                                                   │                                                   │ traversal                                                   │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-39331                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39332 │          │        │                                                   │                                                   │ nodejs: path traversal through path stored in Uint8Array    │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-39332                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39333 │          │        │                                                   │                                                   │ nodejs: code injection via WebAssembly export names         │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-39333                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-44487 │          │        │                                                   │                                                   │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable  │
│                  │                │          │        │                                                   │                                                   │ to a DDoS attack...                                         │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-44487                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-45143 │          │        │                                                   │                                                   │ node-undici: cookie leakage                                 │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-45143                  │
├──────────────────┼────────────────┤          │        ├───────────────────────────────────────────────────┼───────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ npm              │ CVE-2023-38552 │          │        │ 1:9.8.1-1.18.18.2.1.module+el8.8.0+21193+eb5c830b │ 1:10.1.0-1.20.8.1.1.module+el8.9.0+90082+b6a613a6 │ nodejs: integrity checks according to policies can be       │
│                  │                │          │        │                                                   │                                                   │ circumvented                                                │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-38552                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39331 │          │        │                                                   │                                                   │ nodejs: permission model improperly protects against path   │
│                  │                │          │        │                                                   │                                                   │ traversal                                                   │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-39331                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39332 │          │        │                                                   │                                                   │ nodejs: path traversal through path stored in Uint8Array    │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-39332                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-39333 │          │        │                                                   │                                                   │ nodejs: code injection via WebAssembly export names         │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-39333                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-44487 │          │        │                                                   │                                                   │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable  │
│                  │                │          │        │                                                   │                                                   │ to a DDoS attack...                                         │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-44487                  │
│                  ├────────────────┤          │        │                                                   │                                                   ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-45143 │          │        │                                                   │                                                   │ node-undici: cookie leakage                                 │
│                  │                │          │        │                                                   │                                                   │ https://avd.aquasec.com/nvd/cve-2023-45143                  │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────────────────────────────────────┴───────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────┘

Version

Version: dev
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-28 06:10:28.918789361 +0000 UTC
  NextUpdate: 2023-11-28 12:10:28.91878909 +0000 UTC
  DownloadedAt: 2023-11-28 07:21:17.576165156 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-11-28 00:42:19.474906024 +0000 UTC
  NextUpdate: 2023-12-01 00:42:19.474905854 +0000 UTC
  DownloadedAt: 2023-11-28 02:44:15.280271303 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

DmitriyLewen · 2023-11-30T09:33:15Z

DmitriyLewen
Nov 30, 2023
Maintainer

Hello @bianjp
Thanks for your report!

There are some difficulties with parsing Oracle Database.
Oracle doesn't separate versions for packages - https://docs.oracle.com/en/database/oracle/oracle-database/21/ladbi/rpm-packages-naming-convention.html#GUID-04FBD99C-77A8-4E31-9C8D-5B6B2EAE68DB
Vulnerability database doesn't use version range.
e.g. there is ELSA-2023-7205 with your CVEs.
Database says:

<criterion test_ref="oval:com.oracle.elsa:tst:20237205003" comment="nodejs is earlier than 1:20.8.1-1.module+el8.9.0+90082+b6a613a6"/>
<criterion test_ref="oval:com.oracle.elsa:tst:20237205004" comment="nodejs is signed with the Oracle Linux 8 key"/>

We can't be sure that only versions of nodejs 20.X.X are vulnerable.
Therefore we use the range > 0, < 1:20.8.1-1.module+el8.9.0+90082+b6a613a6.

Regards, Dmitriy

4 replies

bianjp Nov 30, 2023
Author

Is this problem Oracle specific? Or OVAL Language specific?

DmitriyLewen Dec 1, 2023
Maintainer

I think this is Oracle specific.
OVAL supports operators for creating version ranges - https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-common-schema.html#OperationEnumeration

bianjp Dec 1, 2023
Author

Thanks. Any way to report this issue to Oracle?

DmitriyLewen Dec 1, 2023
Maintainer

There is a link on the ELSA pages to contact the Oracle team:

This page is automatically generated and has not been checked for errors or omissions. For clarifications or corrections, contact the Oracle Linux ULN team.

But it doesn't seem to work now 😞

tvierling · 2024-04-26T16:37:08Z

tvierling
Apr 26, 2024

<criterion test_ref="oval:com.oracle.elsa:tst:20237205003" comment="nodejs is earlier than 1:20.8.1-1.module+el8.9.0+90082+b6a613a6"/>
<criterion test_ref="oval:com.oracle.elsa:tst:20237205004" comment="nodejs is signed with the Oracle Linux 8 key"/>

We can't be sure that only versions of nodejs 20.X.X are vulnerable.
Therefore we use the range > 0, < 1:20.8.1-1.module+el8.9.0+90082+b6a613a6.

You missed this OVAL criterion for that advisory:

<criterion test_ref="oval:com.oracle.elsa:tst:20237205003" comment="Module nodejs:20 is enabled"/>

This criterion is not optional. It means that this ELSA is only applicable if nodejs:20 is enabled; otherwise the ELSA should be skipped entirely. This is part of Application Streams (AppStreams) where different version release trains can be installed in different environments.

The enabled version of a stream can be found by looking at the metadata file. For checking nodejs:20 for instance, look at

/etc/dnf/modules.d/nodejs.module

and check that it contains stream=20. If the file does not exist, the stream= value is missing, or that value is set to something other than 20, then this ELSA does not apply; don't bother checking the version of the package at all.

2 replies

masahiro331 Jun 14, 2024

For some packages, if you install without specifying a version, the modularityLabel will not be specified.
e.g. (nodejs, php, perl)

$ docker run -it oraclelinux:8 /bin/bash
[root@50cd16946d2c /]# dnf module install nodejs
[root@50cd16946d2c /]# rpm -q nodejs --qf "%{NAME} %{MODULARITYLABEL}\n"
nodejs (none)

MaineK00n Jun 17, 2024

I also encountered a similar case.

$ docker run -it oraclelinux:8 /bin/bash
[root@169a306ba19f ~]# dnf module install -y container-tools:ol8:20190518020532:3ba8ebeb:x86_64
[root@169a306ba19f ~]# rpm -q runc --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH} %{MODULARITYLABEL}\n"
runc 0 1.0.0 54.rc5.dev.git2abd837.module+el8+5201+6423ecab x86_64 (none)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

False positive on node.js 18.18.2 on Oracle Linux #5672

{{title}}

Replies: 2 comments 6 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

False positive on node.js 18.18.2 on Oracle Linux #5672

bianjp Nov 28, 2023

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 2 comments · 6 replies

DmitriyLewen Nov 30, 2023 Maintainer

bianjp Nov 30, 2023 Author

DmitriyLewen Dec 1, 2023 Maintainer

bianjp Dec 1, 2023 Author

DmitriyLewen Dec 1, 2023 Maintainer

tvierling Apr 26, 2024

masahiro331 Jun 14, 2024

MaineK00n Jun 17, 2024

bianjp
Nov 28, 2023

Replies: 2 comments 6 replies

DmitriyLewen
Nov 30, 2023
Maintainer

bianjp Nov 30, 2023
Author

DmitriyLewen Dec 1, 2023
Maintainer

bianjp Dec 1, 2023
Author

DmitriyLewen Dec 1, 2023
Maintainer

tvierling
Apr 26, 2024