Trivy reported CVE-2022-24903 against rsyslog-8.24.0-57.0.3.el7_9.3
As per ELSA-2022-4803, CVE-2022-24903 is already fixed in
rsyslog-8.24.0-57.0.1.el7_9.3.x86_64.rpm
Reproduction Steps
1. Ran trivy on Oracle Linux 7
2. trivy --scanners vuln image container-registry.oracle.com/os/oraclelinux:7 --debug
Target
Container Image
Scanner
Vulnerability
Target OS
Oracle Linux 7
Debug Output
2023-06-18T20:48:14.593-0700 DEBUG Severities: ["UNKNOWN""LOW""MEDIUM""HIGH""CRITICAL"]
2023-06-18T20:48:14.595-0700 DEBUG cache dir: /home/xxxx/.cache/trivy
2023-06-18T20:48:14.595-0700 DEBUG DB update was skipped because the local DB is the latest
2023-06-18T20:48:14.595-0700 DEBUG DB Schema: 2, UpdatedAt: 2023-06-19 00:12:32.144184076 +0000 UTC, NextUpdate: 2023-06-19 06:12:32.144183676 +0000 UTC, DownloadedAt: 2023-06-19 03:34:37.787346904 +0000 UTC
2023-06-18T20:48:14.595-0700 INFO Vulnerability scanning is enabled
2023-06-18T20:48:14.595-0700 DEBUG Vulnerability type: [os library]
2023-06-18T20:48:14.598-0700 DEBUG Image ID: sha256:d18e878ac7425407c036c196caf0e61cfe0e130823932285e0f4f9972c190ad6
2023-06-18T20:48:14.598-0700 DEBUG Diff IDs: [sha256:bc198e3a2f790a31fe27662f4d70f3d5f952428be2e526642452412ad10d879c sha256:06947ed981bed1bdcc9b698f9fc3b50246cb7f52a516f8f05a475b6dfc8956d1 sha256:40f3e4042f1aa399b5451d6cc981870231dba8bc5929fcfb9a22e6a6f786eb19 sha256:b4f48d5f9736ac9c2baace0a61ebcad81d62c3fd98b588f4576834564f3e9c6e sha256:71a2138ff761a61c8615f07420f64c84b18c65ce04a57444b3e982403491b064 sha256:13733f2d01fc2a47706e24b68cec74d8d6fa038b80a86cdf77a4c61f2acdba8f sha256:904dd38897405c308b4125ddf1c2e84849aba020c03204d3748dfc83609f292a sha256:78d9a0545274dce51441b72babd089b336846302e684035e5283ad491ee86963 sha256:1ecc633d3898154467aab7323995716a5788ade56e64647fd9c4d2e7f2ceae06 sha256:07254f727cc55093263f01a9acbe55375ae32fa3e4e885658267652e5dc2c4a2 sha256:4702ad3605f9adc586324827da3e42991bb6f5295fc213738d1ec3a8778c81c5 sha256:894377d6fb5a6c90e5607852444061e6583c20f4db7baa977015fe6c57b3bc9d]
2023-06-18T20:48:14.598-0700 DEBUG Base Layers: [sha256:bc198e3a2f790a31fe27662f4d70f3d5f952428be2e526642452412ad10d879c sha256:06947ed981bed1bdcc9b698f9fc3b50246cb7f52a516f8f05a475b6dfc8956d1 sha256:40f3e4042f1aa399b5451d6cc981870231dba8bc5929fcfb9a22e6a6f786eb19 sha256:b4f48d5f9736ac9c2baace0a61ebcad81d62c3fd98b588f4576834564f3e9c6e]
2023-06-18T20:48:14.621-0700 INFO Detected OS: oracle
2023-06-18T20:48:14.621-0700 INFO Detecting Oracle Linux vulnerabilities...
2023-06-18T20:48:14.621-0700 DEBUG Oracle Linux: os version: 7
2023-06-18T20:48:14.621-0700 DEBUG Oracle Linux: the number of packages: 144
2023-06-18T20:48:14.627-0700 INFO Number of language-specific files: 0
registryxxx.xx.xx/xxxxx/xxxx/xxx:xxx(oracle 7.8)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬───────────────────────┬───────────────────────┬───────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼───────────────────────┼───────────────────────┼───────────────────────────────────────────────────┤
│ rsyslog │ CVE-2022-24903 │ HIGH │ 8.24.0-57.0.3.el7_9.3 │ 8.24.0-57.0.4.el7_9.3 │ rsyslog: Heap-based overflow in TCP syslog server │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-24903 │
└─────────┴────────────────┴──────────┴───────────────────────┴───────────────────────┴───────────────────────────────────────────────────┘
"Results": [
{
"Target": "xxxx/xxx/xxx/xxx:xxxx (oracle 7.8)",
"Class": "os-pkgs",
"Type": "oracle",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-24903",
"PkgID": "rsyslog@8.24.0-57.0.3.el7_9.3.x86_64",
"PkgName": "rsyslog",
"InstalledVersion": "8.24.0-57.0.3.el7_9.3",
"FixedVersion": "8.24.0-57.0.4.el7_9.3",
"Layer": {
"DiffID": "sha256:894377d6fb5a6c90e5607852444061e6583c20f4db7baa977015fe6c57b3bc9d"
},
"SeveritySource": "oracle-oval",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24903",
"DataSource": {
"ID": "oracle-oval",
"Name": "Oracle Linux OVAL definitions",
"URL": "https://linux.oracle.com/security/oval/"
},
"Title": "rsyslog: Heap-based overflow in TCP syslog server",
"Description": "Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.",
"Severity": "HIGH",
"CweIDs": [
"CWE-120"
],
Version
trivy version
Version: 0.42.1
Vulnerability DB:
Version: 2
UpdatedAt: 2023-06-19 00:12:32.144184076 +0000 UTC
NextUpdate: 2023-06-19 06:12:32.144183676 +0000 UTC
DownloadedAt: 2023-06-19 03:34:37.787346904 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2023-06-14 00:53:51.047584786 +0000 UTC
NextUpdate: 2023-06-17 00:53:51.047584286 +0000 UTC
DownloadedAt: 2023-06-14 05:45:17.781260147 +0000 UTC
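The report hinges on two fixed versions for the same package: the 8.24.0-57.0.4.el7_9.3 that Trivy's oracle-oval data carries (the FixedVersion in the JSON above) and the 8.24.0-57.0.1.el7_9.3 the reporter cites from ELSA-2022-4803. A scanner flags a package when its installed EVR sorts strictly below the advisory's fixed EVR, so which of the two values the data source holds decides the outcome. The following Go program is an added example, not Trivy's own comparator (Trivy uses its own RPM version library); it implements rpmvercmp-style ordering from scratch, with epoch, version and release handled separately, and runs the installed version from this issue against both fixed versions to show that the comparison itself is sound and the discrepancy sits in the fixed-version data.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

func isAlnum(r rune) bool { return unicode.IsLetter(r) || unicode.IsDigit(r) }

// RpmVerCmp orders two RPM version or release strings in the manner of
// librpm's rpmvercmp: runs of digits compare numerically, runs of letters
// compare lexically, a digit run beats a letter run at the same position,
// and '~' sorts below anything (even end of string). Returns -1, 0 or 1.
func RpmVerCmp(a, b string) int {
	if a == b {
		return 0
	}
	ra, rb := []rune(a), []rune(b)
	i, j := 0, 0
	for i < len(ra) || j < len(rb) {
		// Separators (neither alphanumeric nor '~') carry no ordering.
		for i < len(ra) && !isAlnum(ra[i]) && ra[i] != '~' {
			i++
		}
		for j < len(rb) && !isAlnum(rb[j]) && rb[j] != '~' {
			j++
		}
		ta := i < len(ra) && ra[i] == '~'
		tb := j < len(rb) && rb[j] == '~'
		if ta || tb {
			if !ta {
				return 1 // only b has the tilde, so b is the lower version
			}
			if !tb {
				return -1
			}
			i, j = i+1, j+1 // both have it: consume and continue
			continue
		}
		if i >= len(ra) || j >= len(rb) {
			break
		}
		// Take the next run from each side, using the class of a's run.
		numeric := unicode.IsDigit(ra[i])
		si, sj := i, j
		for i < len(ra) && isAlnum(ra[i]) && unicode.IsDigit(ra[i]) == numeric {
			i++
		}
		for j < len(rb) && isAlnum(rb[j]) && unicode.IsDigit(rb[j]) == numeric {
			j++
		}
		segA, segB := string(ra[si:i]), string(rb[sj:j])
		if segB == "" { // b's run is of the other class: digits beat letters
			if numeric {
				return 1
			}
			return -1
		}
		if numeric {
			segA, segB = strings.TrimLeft(segA, "0"), strings.TrimLeft(segB, "0")
			if len(segA) != len(segB) { // longer digit string is the larger number
				if len(segA) > len(segB) {
					return 1
				}
				return -1
			}
		}
		if c := strings.Compare(segA, segB); c != 0 {
			return c
		}
	}
	// One side ran out of runs: the side with runs left is the newer one.
	if i < len(ra) {
		return 1
	}
	if j < len(rb) {
		return -1
	}
	return 0
}

// EVR is an RPM epoch-version-release triple; ParseEVR reads "[epoch:]version[-release]".
type EVR struct {
	Epoch            int
	Version, Release string
}

func ParseEVR(s string) EVR {
	var e EVR
	if k := strings.IndexByte(s, ':'); k >= 0 {
		e.Epoch, _ = strconv.Atoi(s[:k])
		s = s[k+1:]
	}
	if k := strings.LastIndexByte(s, '-'); k >= 0 {
		e.Version, e.Release = s[:k], s[k+1:]
	} else {
		e.Version = s
	}
	return e
}

// CompareEVR orders two EVR strings: epoch first, then version, then release.
func CompareEVR(a, b string) int {
	ea, eb := ParseEVR(a), ParseEVR(b)
	if ea.Epoch != eb.Epoch {
		if ea.Epoch > eb.Epoch {
			return 1
		}
		return -1
	}
	if c := RpmVerCmp(ea.Version, eb.Version); c != 0 {
		return c
	}
	return RpmVerCmp(ea.Release, eb.Release)
}

// IsVulnerable applies the scanner rule: report when installed sorts strictly below fixed.
func IsVulnerable(installed, fixed string) bool { return CompareEVR(installed, fixed) < 0 }

func main() {
	installed := "8.24.0-57.0.3.el7_9.3" // InstalledVersion from the Trivy output above
	dbFixed := "8.24.0-57.0.4.el7_9.3"   // FixedVersion in Trivy's oracle-oval data above
	elsaFixed := "8.24.0-57.0.1.el7_9.3" // fixed version the issue cites from ELSA-2022-4803
	fmt.Printf("against DB fixed %s: vulnerable=%v\n", dbFixed, IsVulnerable(installed, dbFixed))
	fmt.Printf("against ELSA fixed %s: vulnerable=%v\n", elsaFixed, IsVulnerable(installed, elsaFixed))
}
```

Run as `go run main.go`: the first line reports vulnerable=true and the second vulnerable=false, which is exactly the split the issue describes. The useful diagnostic habit this encodes is to compare the FixedVersion Trivy prints (via `-f json`, which exposes the DataSource) against the errata text itself before concluding the scanner mis-ordered versions.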
Discussed in #4662
Originally posted by navzen2000 June 19, 2023
IDs
CVE-2022-24903
Checklist
- Ran Trivy with -f json, which shows the data sources, and confirmed that the security advisory in the data sources was correct