Vulnerability Exception 'approve' function applies vulnerability exception but throws a ruby exception #271
Comments
|
@derpadoo first off, thank you for taking the time and effort to submit this issue. I think you're on to something here, but my first question to ask would be, are you seeing this happen when you're submitting exceptions using reasons other than |
|
Changed reason to "ACCEPTABLE_RISK" and got the same result. It applies the exception, but takes about a minute, and throws the ruby exception
exc = Nexpose::VulnException.new(vuln_id,
Nexpose::VulnException::Scope::SPECIFIC_INSTANCE_OF_SPECIFIC_ASSET,
Nexpose::VulnException::Reason::ACCEPTABLE_RISK) |
|
@derpadoo perfect, thank you. Will do some research then update this issue later today. |
|
Alright, I think we're going to have to do some more intense debugging. Using your same steps to repro, I was unable to get either the delay with the approval time, and also did not receive the error message. Just so we can remove my assumptions from my testing, can you provide what data you're using for those few variables you listed?
Also, could you please run this command, and give me the approximate count? |
|
@sgreen-r7 Appreciate you taking a look at this... 1.They are all type Strings: vuln_id - type String, "cifs-smb-signing-not-required" Here are the pastables put into the irb interpreter with trace, error message, and the ~60 seconds it takes to apply the exception: asset_id = '77942'
port = '22058'
vuln_id = 'apache-httpd-cve-2012-0883'
ticket_number = 'VULN0019765'
expiration_date = '2017-10-17'
exc = Nexpose::VulnException.new(vuln_id, Nexpose::VulnException::Scope::SPECIFIC_INSTANCE_OF_SPECIFIC_ASSET, Nexpose::VulnException::Reason::ACCEPTABLE_RISK)
exc.port = port
exc.asset_id = asset_id
exc.submitter = 'api-script'
exc.reviewer = 'api-script'
exception_id = exc.save(@nsc, "Ticket Number: #{ticket_number}")
success = exc.update_expiration_date(@nsc, expiration_date)
puts "Current Time : " + Time.now.inspect
success = exc.approve(@nsc, "Auto-Approved by api-script, Ticket # #{ticket_number}")
puts "Current Time : " + Time.now.inspectand the result
|
|
Sometimes these messages show up too: |
|
So I think I figured out what's going on. When success = exc.approve(@nsc, "Auto-Approved by api-script, Ticket # #{ticket_number}")`is called, the exception is approved immediately according to the web gui, however, the script doesn't move on to the next exception. It waits 60 seconds to approve it, but it's already been approved, hence the error message
This updated function works for our case, but I'm not sure what the correct solution for the gem/function is. def approve(connection, comment = nil)
xml = connection.make_xml('VulnerabilityExceptionApproveRequest',
{ 'exception-id' => @id })
if comment
cxml = REXML::Element.new('comment')
cxml.add_text(comment)
xml.add_element(cxml)
@reviewer_comment = comment
end
connection.execute(xml, '1.2', timeout: 1).success
end |
|
@derpadoo Yeah I'm inclined to agree with your conclusion, which is where I kinda ended up yesterday with some of my testing. I think right now your console might "have too many vuln exceptions", and the gem response/reaction time is underperforming. So the
I'm currently in the process of testing that theory specifically. I think we should be able to remedy this with extra options inside the gem. However, that probably won't be a today (Fri 4/21) thing, but more than likely a next week thing. I can help you some options to make your script run more smoothing with error rescuing for that duplicate approval error - if you would like? That should help for the 'now' and then once we update the gem, we can revisit this error of the double approval, and the unresponsiveness of the gem for this action. Again, thank you for the amount of logs/output you've provided thus far -- it's been extremely helpful. Let me know what you would like to do in the meantime. |
|
@sgreen-r7 So our script is good enough for now and can work under the current configuration. For your awareness, we are also working this through the Rapid7 internal ticketing system. We are experiencing an issue now where we reach the postgresql max_connections limit (300 in our case) which generates the error message I previously posted.
Running a process list shows 200-300 idle postgres processes which prevent further connections and degrade the web GUI. These processes linger for hours and I'm afraid to just kill them. While running our script when no scans were going, I ran the command
and watched the count increase by 2 consistently until the database connections give out. It appears two of the functions below are making a database connection, but not closing it cleanly when it is finished so the connections keep stacking up. exc.save I tried wrapping each vulnerability exception request by connecting to the API, applying the exception, and then disconnecting from the API, but that didn't help. I can submit this as a separate issue if you want. |
|
@derpadoo -- That db connection issue is something else, and that would be better serviced via our internal ticketing system. I'll still go ahead and leave this issue open for now, as a reference to point back to, when we rollout our new features to allow for customizing timeouts and whatnot. Feel free to make additional comments on this issue, if needed. We can troubleshoot any specific "gem issue" within github -- while any other general nexpose questions can be addressed within our internal ticketing system. |
|
I am also experiencing the same error as above: I originally had this issue back in early June, but then it went away for awhile and is now back. I tried the timeout mentioned above by @derpadoo but that did not work for my case. Any help getting this working would be appreciated. |
|
Try upgrade to >7.0.0 and editing the timeout. Feel free to comment on this issue, or reopen a new one if this is still happening after upgrading and setting a custom timeout. |
|
@EverythingShines How many exceptions are in your database? Just another data point...seeing similar behavior when using the Python client (https://github.com/rapid7/nexpose-client-python). That library has a timeout that can be set, so exceptions are approved quickly, but the idle postgresql connections don't go away and eventually render the web GUI inoperable. I don't think this is a client (Ruby or Python) issue, but more of a server/console issue. Approving exceptions through the web GUI takes ~15 to return after hitting approve as well. Same type of behavior with the exception being applied immediately, but then something is cranking away in the background until the web GUI exception page returns. |
|
We currently have a little over 5,000 total exceptions in our DB. Upgrading to 7.0.0 worked for me with the default value. I think I just wasn't setting the timeout high enough. When I was playing with it earlier, I initially set the timeout to 10 seconds, which was fine for the first two exceptions I wanted to make, which only had 30 or so instances across the environment. But as soon as I hit the third one, which had about 225 instances, it errored out. Once I removed that tweak and left the timeout at the default, the script completed successfully. Thank you! |
When using the exception approved function (http://www.rubydoc.info/gems/nexpose/5.3.1/Nexpose/VulnException#approve-instance_method), an exception is approved, but takes about 60 seconds, and then returns a message:
Expected Behavior
The function used to take only a few seconds and did not through the ruby exception, but a change was noticed around 4/5-7 2017.
Current Behavior
Returns the message below, even though the exception is approved:
Possible Solution
It appears one of the updates 6.4.30, 6.4.31, or 6.4.31 (https://help.rapid7.com/nexpose/en-us/release-notes/index.html) changed something.
Steps to Reproduce (for bugs)
Ruby code that reproduces the issue:
Context
Trying to submit and approved vulnerability exceptions through the Nexpose API.
Your Environment
Nexpose gem version:
5.3.1
Ruby version:
ruby -v
ruby 2.3.0p0 (2015-12-25 revision 53290) [x86_64-linux]
Operating System and version:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
NAME="Ubuntu"
VERSION="14.04.5 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.5 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
6.4.34
The text was updated successfully, but these errors were encountered: