GHSA improperly consumes and re-publishes CVE version metadata #771
Comments
|
Apologies about that. I've updated our advisory to reflect the CVE and I'll dig into what went wrong there. Thanks 👍 |
|
@darakian Thanks! To clarify, the above is an example of a very common problem for us, there are almost 100 more CVEs in which we exclude backports since 2020, and almost all of them are improperly represented in their corresponding GHSAs. I reviewed our CVE entries that specify backports as exclusions from the range and list the results below. I hope this review/feedback helps you identify possible problems in the GHSA process. That said, after thinking about this a bit, I consider CVE JSON v4 as underspecified. It does not seem to specify the semantics of overlapping version specifiers/ranges, other than the example being
which probably involves a Review of GHSA 2020-2022
|
|
Hey @daniel-beck, Ya digging into this we ignore the cve product versions as they are a. uncommon and b. under specified leading to them being an unreliable source of information. We're in the process of migrating to CVE JSON v5 as well so, I don't expect our v4 support to change anytime soon. For that list of CVEs I've made an internal issue for us to re-review them. I'll update you here when we can process them. Many thanks for letting us know 👍 |
|
Hi @daniel-beck, Just an update to let you know this is still on our list to backfill! We continually improve our database and the Curation team are constantly running these types of campaigns. This one just hasn't made it to the top of our list yet. Thanks for your patience! |
|
All of GHSA-j664-qhh4-hpf8 GHSA-584m-7r4m-8j6v GHSA-rrgp-c2w8-6vg6 GHSA-hf9h-vv4m-2f33 GHSA-frgr-c5f2-8qhh GHSA-h76p-mc68-jv3p GHSA-cj6r-8pxj-5jv6 drop version exclusions defined in the original CVE JSON metadata, thereby improperly including (i.e. claiming to be affected) 2.387.x LTS releases of Jenkins. It's not even the fault of CVE JSON v4 in this case, since there was no downconversion done by MITRE. Bonus: Half of the entries don't have 2.375.4 as a fixed version despite the fix versions being identical for all of these. |
|
@daniel-beck does #2260 (comment) correct for CVE-2022-20613 or should version 1.34.2 be excluded as well? I didn't see 1.34.2 as excluded per the Jenkins announcement so have left it out for the moment |
We currently do not mention backports that are irrelevant for most users in end user announcements for easier readability (it gets messy fast). For full version information, see the CVE metadata at cve.org. |
|
Okay thanks, I'll start working through updating these using the assumption that the |
Apologies about that. That was down to manual error on my part. I was reading from the NVD version of the CVE. Given that the LTS and regular releases are on the same maven artifact could I ask you for the affected ranges as opposed to the unaffected ranges? |
|
@darakian Thanks for your response! The reference you provided doesn't list any versions ranges other than the prose I wrote for the CVE description, so I guess you mean that? I left out the 1.606 start of range given its obsolescence, but considering 2.427 through 2.441 unaffected would be wrong based on that as well (if you read the version ranges as independent, which is how we describe them for admins), and is far more relevant to admins keeping things up to date.
Unsure what you're asking. I'd prefer to keep the approach chosen for future CVEs, as the "affected" ranges look quite messy if you're unwilling to mix release lines. But for programmatic consumers, it looks fairly straightforward:
(With the added problem that for another ~4 weeks or so there won't be a 2.440.1 fixed version.) FWIW a similar problem exists for CVE-2024-23898 which has a different initial affected release but same fixed versions. |
Yep. That plus me trying to make what I thought would be a sensible combined range. Again sorry about that. 😞
The CVE record you linked had versions listed as
That's unfortunate. I've updated our record and left the fixed version off for the time being. Let me know if you'd rather I put
Reading from https://www.cve.org/CVERecord?id=CVE-2024-23898 the initial version on that one should be |
No worries, was just really surprised about the lack of resemblance, especially as I was hoping CVE JSON v5's unambiguous version ranges (see previous conversation) would help with GHSA republishing. Thanks for the super quick followup 👍
Correct, 2.222.1 is part of that range by Maven rules. |
Ya, it's a pretty manual process on our end and while we try to minimize errors they do pop up. This issue has the upside of exposing a gap in how we're ingesting cve 5.0 data as well though, so there's some positivity there. Happy to get to this quick too. Timezones working out 🎉 Ok, GHSA-53ph-2r2x-vqw8 is also updated now. No fix versions on that one either. Please let me know if I've typo'd 🙇 |
|
Thanks for the updates! FWIW fix versions 2.426.3 and 2.442 exist today for both. 2.440.1 will also have the fix, to be released in February. Whether that means no fix versions recorded until then because you have to touch these again anyway is you to you. |
|
Went ahead and added |
Thanks!
In terms of version math, yes. Stable lines and backports mean that "version later" ≠ "date later" however, which is why the split ranges.
The forthcoming 2.440.1 stable release is also the reason I split the second and third range. For context if you're very bored, https://www.jenkins.io/download/lts/
2.440 is a recent weekly release we chose to be the next LTS baseline. We'll backport the security fixes into 2.440.1. See how much easier this is by just specifying what versions are unaffected as I do on cve.org? 😁 |
|
I see. Would it make more sense to tell a user on the weekly release line to go to the next weekly rather than the next LTS though?
Sorta no, but my brain is wired for affected versions so that's probably a me problem 😄 |
This is what we're doing, it's just that the pairs of (affected version range, fix version) in GHSA don't seem to map well to how we assign Jenkins versions. It seems either readable for humans, but not technically correct; or difficult to read, while programmatically consumable. Our advisories skip some details (e.g., we didn't bother mentioning the release 1.606 from 2015 there) for easier consumption by administrators; while our CVE metadata is canonically correct and intended for programmatic consumption. Different content for different audiences, basically. |
Interesting. Ok, I'll have to rethink how we represent that on our side. We have a constraint where our "fixed" versions cannot be "lower" than the vulnerable version range.
Makes total sense to me. Write for your intended reader 😄 |
Whatever process is used to create GitHub Security Advisories does not consume version ranges from CVE metadata properly.
This results, for example, in GHSA-g975-f26h-93g8 claiming that version 2.24.2 is affected, when https://github.com/CVEProject/cvelist/blob/9a1d65a12274643c9bad407acb8368f2b60d2b5c/2022/43xxx/CVE-2022-43408.json#L22-L25 specifically excludes it.
This creates a ton of unnecessary confusion for users and false positive security scan results, and should be fixed.
The text was updated successfully, but these errors were encountered: