ROX-18001: add drools CPE for CVE-2021-41411 #1205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Status: Merged (9 commits), Jul 6, 2023
44 changes: 44 additions & 0 deletions e2etests/testcase_test.go
Review comment (Contributor): Thank you for adding the test for this.

Expand Up @@ -3972,4 +3972,48 @@ All OpenShift Container Platform 4.10 users are advised to upgrade to these upda
},
},
},
{
image: "quay.io/rhacs-eng/qa:drools-CVE-2021-41411",
registry: "https://quay.io",
username: os.Getenv("QUAY_RHACS_ENG_RO_USERNAME"),
password: os.Getenv("QUAY_RHACS_ENG_RO_PASSWORD"),
source: "NVD",
namespace: "rhel:8",
onlyCheckSpecifiedVulns: true,
expectedFeatures: []apiV1.Feature{
{
Name: "drools",
VersionFormat: component.JavaSourceType.String(),
Version: "6.4.0.final",
Location: "org.drools.drools-core-6.4.0.Final.jar:drools-core",
Vulnerabilities: []apiV1.Vulnerability{
{
Name: "CVE-2021-41411",
Description: "drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.",
Link: "https://nvd.nist.gov/vuln/detail/CVE-2021-41411",
Severity: "Critical",
FixedBy: "7.60.0.Final",
Review comment (Contributor): I saw in NVD that FixedBy excludes 7.6.0. Is this correct?

[image]

Reply (@dcaravel, Contributor Author, Jul 6, 2023): Up to (excluding) I believe is meant to mean all versions prior to 7.6.0 but not including 7.6.0 itself. The NVD data appears bad; the description in NVD contradicts the highlighted section and starts with "drools <=7.59.x is affected by ..." (notice the y version, 59, in double digits as opposed to the 6 in the CPE block). The GitHub advisory data appears accurate and uses versions that match the actual package (i.e. x.y.z.Final):

[image]
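The 7.6.0 versus 7.60.0.Final question in the reply above is a version-comparison problem, so here is an added example (not code from this PR, the scanner, or NVD) showing how an NVD-style VersionEndExcluding bound behaves under numeric, Maven-style comparison versus plain string comparison. The parseVersion, compareVersions and cpeMatch names are mine, the sample versions are constructed for the illustration, and only the Final/GA/empty qualifiers are modelled as releases; the scanner's real comparator may differ.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed Maven-style version such as "7.60.0.Final":
// a numeric prefix plus an optional, case-insensitive qualifier.
type version struct {
	nums      []int
	qualifier string
}

// parseVersion reads numeric dot-separated components until the first
// non-numeric part; the rest is the qualifier, lower-cased, so
// "6.4.0.final" and "6.4.0.Final" parse identically.
func parseVersion(s string) version {
	parts := strings.Split(strings.TrimSpace(s), ".")
	var v version
	i := 0
	for ; i < len(parts); i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			break
		}
		v.nums = append(v.nums, n)
	}
	v.qualifier = strings.ToLower(strings.Join(parts[i:], "."))
	return v
}

// releaseQualifiers all mean "this is a release", so 7.60.0 == 7.60.0.Final.
// Any other qualifier (alpha, beta, cr, ...) is a pre-release and sorts before a release.
// (Assumption for this example; Maven's full qualifier ordering is richer.)
var releaseQualifiers = map[string]bool{"": true, "final": true, "ga": true}

func compareQualifiers(a, b string) int {
	ra, rb := releaseQualifiers[a], releaseQualifiers[b]
	switch {
	case ra && rb:
		return 0
	case ra:
		return 1
	case rb:
		return -1
	}
	return strings.Compare(a, b)
}

// compareVersions returns -1, 0 or 1. Components are compared as integers,
// so 7.6 < 7.59 < 7.60; a missing component counts as 0.
func compareVersions(a, b string) int {
	va, vb := parseVersion(a), parseVersion(b)
	n := len(va.nums)
	if len(vb.nums) > n {
		n = len(vb.nums)
	}
	for i := 0; i < n; i++ {
		x, y := 0, 0
		if i < len(va.nums) {
			x = va.nums[i]
		}
		if i < len(vb.nums) {
			y = vb.nums[i]
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return compareQualifiers(va.qualifier, vb.qualifier)
}

// lexicalLess is the naive string comparison a matcher must not use:
// it puts "7.7.0.Final" after "7.60.0.Final" because '7' > '6'.
func lexicalLess(a, b string) bool { return a < b }

// cpeMatch carries the two range fields of an NVD configuration node.
// A version is vulnerable when start <= v < end; an unset bound is open.
type cpeMatch struct {
	VersionStartIncluding string
	VersionEndExcluding   string
}

func (m cpeMatch) vulnerable(v string) bool {
	if m.VersionStartIncluding != "" && compareVersions(v, m.VersionStartIncluding) < 0 {
		return false
	}
	if m.VersionEndExcluding != "" && compareVersions(v, m.VersionEndExcluding) >= 0 {
		return false
	}
	return true
}

func main() {
	// Constructed inputs: the bound NVD publishes for CVE-2021-41411 next to the
	// corrected one, applied to versions an image might actually ship.
	nvdBound := cpeMatch{VersionEndExcluding: "7.6.0"}
	fixedBound := cpeMatch{VersionEndExcluding: "7.60.0.Final"}
	for _, v := range []string{"6.4.0.final", "7.6.0.Final", "7.59.0.Final", "7.60.0.Final"} {
		fmt.Printf("%-13s nvd(<7.6.0)=%-5v corrected(<7.60.0.Final)=%v\n",
			v, nvdBound.vulnerable(v), fixedBound.vulnerable(v))
	}
	fmt.Println("lexical 7.7.0.Final < 7.60.0.Final:", lexicalLess("7.7.0.Final", "7.60.0.Final"))
}
```

Running it shows why the 6.4.0 fixture in this PR cannot distinguish the two bounds: both flag 6.4.0.final, and only a 7.6.x to 7.59.x version separates NVD's 7.6.0 from the corrected 7.60.0.Final.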

Metadata: map[string]interface{}{
"NVD": map[string]interface{}{
"CVSSv2": map[string]interface{}{
"ExploitabilityScore": 10.0,
"ImpactScore": 6.4,
"Score": 7.5,
"Vectors": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
},
"CVSSv3": map[string]interface{}{
"ExploitabilityScore": 3.9,
"ImpactScore": 5.9,
"Score": 9.8,
"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
},
},
},
},
},
FixedBy: "7.60.0.Final",
AddedBy: "sha256:3078c14ffbc62cd9a56f8951d08d6b55a45394fbb5a0aa8f9eca1b1472e3f21d",
},
},
},
}
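Review bot: the only fixture version in this case is drools 6.4.0.final (the Version and Location lines), which sits far below both the 7.6.0 bound discussed in the thread and the FixedBy: "7.60.0.Final" asserted here, so the test passes whether or not the loader uses the corrected bound and whether or not the version comparison handles a two-digit minor correctly. Consider a second case at the boundary the thread argues about, e.g. a 7.59.x.Final image expected to report CVE-2021-41411 and a 7.60.0.Final image expected not to, so a regression to NVD's 7.6.0 value is caught. A one-line comment on the Name/Location pair would also help: the expected Name is "drools" while Location names drools-core-6.4.0.Final.jar, and Version "6.4.0.final" is lower-cased while FixedBy keeps "Final"; saying where those normalized forms come from tells the next reader which part of the matcher the new CPE relies on.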
102 changes: 102 additions & 0 deletions pkg/vulnloader/nvdloader/manual.go
Expand Up @@ -824,4 +824,106 @@ var manuallyEnrichedVulns = map[string]*schema.NVDCVEFeedJSON10DefCVEItem{
LastModifiedDate: "2021-02-24T12:15Z",
PublishedDate: "2017-03-11T02:59Z",
},
// CVE-2021-41411 was not being detected for `org.drools.drools-core-6.4.0.Final.jar`.
// This entry adds an additional CPE URI (in addition to what exists in NVD) to
// enable matching.
"CVE-2021-41411": {
CVE: &schema.CVEJSON40{
CVEDataMeta: &schema.CVEJSON40CVEDataMeta{
ASSIGNER: "cve@mitre.org",
ID: "CVE-2021-41411",
},
DataFormat: "MITRE",
DataType: "CVE",
DataVersion: "4.0",
Description: &schema.CVEJSON40Description{
DescriptionData: []*schema.CVEJSON40LangString{
{
Lang: "en",
Value: "drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.",
},
},
},
Problemtype: &schema.CVEJSON40Problemtype{
ProblemtypeData: []*schema.CVEJSON40ProblemtypeProblemtypeData{
{
Description: []*schema.CVEJSON40LangString{
{
Lang: "en",
Value: "CWE-611",
},
},
},
},
},
References: &schema.CVEJSON40References{
ReferenceData: []*schema.CVEJSON40Reference{
{
Name: "https://github.com/kiegroup/drools/pull/3808",
Refsource: "MISC",
Tags: []string{"Patch", "Third Party Advisory"},
URL: "https://github.com/kiegroup/drools/pull/3808",
},
},
},
},
Configurations: &schema.NVDCVEFeedJSON10DefConfigurations{
CVEDataVersion: "4.0",
Nodes: []*schema.NVDCVEFeedJSON10DefNode{
{
CPEMatch: []*schema.NVDCVEFeedJSON10DefCPEMatch{
{
Cpe23Uri: `cpe:2.3:a:redhat:drools:*:*:*:*:*:*:*:*`,
VersionEndExcluding: "7.60.0.Final",
Vulnerable: true,
},
{
Cpe23Uri: `cpe:2.3:a:drools:drools:*:*:*:*:*:*:*:*`,
VersionEndExcluding: "7.60.0.Final",
Vulnerable: true,
},
},
Operator: "OR",
},
},
},
Impact: &schema.NVDCVEFeedJSON10DefImpact{
BaseMetricV2: &schema.NVDCVEFeedJSON10DefImpactBaseMetricV2{
CVSSV2: &schema.CVSSV20{
AccessComplexity: "LOW",
AccessVector: "NETWORK",
Authentication: "NONE",
AvailabilityImpact: "PARTIAL",
BaseScore: 7.5,
ConfidentialityImpact: "PARTIAL",
IntegrityImpact: "PARTIAL",
VectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P",
Version: "2.0",
},
ExploitabilityScore: 10,
ImpactScore: 6.4,
Severity: "HIGH",
},
BaseMetricV3: &schema.NVDCVEFeedJSON10DefImpactBaseMetricV3{
CVSSV3: &schema.CVSSV30{
AttackComplexity: "LOW",
AttackVector: "NETWORK",
AvailabilityImpact: "HIGH",
BaseScore: 9.8,
BaseSeverity: "CRITICAL",
ConfidentialityImpact: "HIGH",
IntegrityImpact: "HIGH",
PrivilegesRequired: "NONE",
Scope: "UNCHANGED",
UserInteraction: "NONE",
VectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
Version: "3.1",
},
ExploitabilityScore: 3.9,
ImpactScore: 5.9,
},
},
LastModifiedDate: "2022-06-28T13:56Z",
PublishedDate: "2022-06-16T10:15Z",
},
}
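Review bot: the three-line header comment above "CVE-2021-41411" says only that an extra CPE URI is added, but the entry also pins VersionEndExcluding to "7.60.0.Final" on both CPE matches, which deliberately departs from the 7.6.0 bound NVD publishes (see the review thread on the test above). Put that rationale in the code comment so it survives outside this PR, e.g. `// NVD's CPE range ends at 7.6.0, contradicting its own description (<=7.59.x);` `// 7.60.0.Final follows the upstream fix in kiegroup/drools#3808 (Tags: Patch).` It would also help to state whether an entry in manuallyEnrichedVulns replaces or merges with the NVD feed record, since the copied description, CVSS vectors and LastModifiedDate "2022-06-28T13:56Z" will not track later NVD revisions if it replaces.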