
ROX-12350: Detect CVE-2022-22978 #930





Merged
merged 15 commits into from
Oct 17, 2022
43 changes: 41 additions & 2 deletions cpe/attributes/java/java.go
Expand Up @@ -35,6 +35,36 @@ var (
immutableIndicators = []string{
"agent",
}

knownSpringVendors = []string{"pivotal", "pivotal_software", "vmware"}
knownSpringComponents = set.NewFrozenStringSet(
"spring_advanced_message_queuing_protocol",
"spring_aop",
"spring_beans",
"spring_boot",
"spring_boot_autoconfigure",
"spring_boot_jarmode_layertools",
"spring_cloud_function",
"spring_cloud_function_core",
"spring_cloud_gateway",
"spring_cloud_netflix",
"spring_cloud_openfeign",
"spring_context",
"spring_core",
"spring_data_mongodb",
"spring_data_rest",
"spring_expression",
"spring_jcl",
"spring_security",
"spring_security_core",
"spring_security_crypto",
"spring_security_oath",
"spring_security_web",
"spring_web",
"spring_web_flow",
"spring_webflux",
"spring_webmvc",
)
)

func isMutableName(name string) bool {
Expand Down Expand Up @@ -70,7 +100,7 @@ func ignored(c *component.Component) bool {
return false
}

func getPossibleVendors(origins []string) set.StringSet {
func getPossibleVendors(origins []string, names set.StringSet) set.StringSet {
// Try splitting on periods
vendorSet := set.NewStringSet()
for _, orig := range origins {
Expand All @@ -90,6 +120,15 @@ func getPossibleVendors(origins []string) set.StringSet {
if vendorSet.Cardinality() == 0 {
vendorSet.Add("apache")
}

// Add Spring-specific vendors.

Does it make sense to do this only after adding "apache" based on nothing but hope? Isn't the knownSpringComponents check more precise than the "apache" default and therefore should suppress the latter?


I guess another question would be, is it adequate to do this here even when vendorSet is non-empty (and wasn't populated via the apache fallback)?

for name := range names {
if knownSpringComponents.Contains(name) {
vendorSet.AddAll(knownSpringVendors...)
break
}
}
Comment on lines +125 to +130

If performance is not a strong concern (it might be, though), you could also do

Suggested change
for name := range names {
if knownSpringComponents.Contains(name) {
vendorSet.AddAll(knownSpringVendors...)
break
}
}
if !names.Intersect(knownSpringComponents).IsEmpty() {
vendorSet.AddAll(knownSpringVendors...)
}

Or, to address the performance issue, maybe it would also be nice to add an Intersects(other Set) bool method to pkg/set (not in this PR, just as an idea).


return vendorSet
}

Expand All @@ -109,8 +148,8 @@ func GetJavaAttributes(c *component.Component) []*wfn.Attributes {
return nil
}

vendorSet := getPossibleVendors(java.Origins)
nameSet := common.GenerateNameKeys(c)
vendorSet := getPossibleVendors(java.Origins, nameSet)
versionSet := common.GenerateVersionKeys(c)
for k := range versionSet {
versionSet.Add(extensionRegex.ReplaceAllString(k, ""))
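Review bot: `"spring_security_oath"` in the new knownSpringComponents set (first hunk of this file) looks like a typo for `"spring_security_oauth"`, the Spring Security OAuth project; as written, a component with that name key would never receive the VMware/Pivotal vendors, so its CPE-based matches would be missed without any error. Worth confirming against the product names actually used in the NVD feed before changing the string. Separately, getPossibleVendors gains a second parameter but no doc comment; a comment such as `// getPossibleVendors returns candidate CPE vendors for the given origins; names holds the component's name keys, and if any is a known Spring component the Spring vendors are added too.` would record the new contract. Parts of getPossibleVendors' body lie between the hunks shown here.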
46 changes: 46 additions & 0 deletions e2etests/testcase_test.go
Expand Up @@ -3557,4 +3557,50 @@ Bug Fix(es) and Enhancement(s):
},
},
},
{
image: "quay.io/rhacs-eng/qa:spring-CVE-2022-22978",
registry: "https://quay.io",
username: os.Getenv("QUAY_RHACS_ENG_RO_USERNAME"),
password: os.Getenv("QUAY_RHACS_ENG_RO_PASSWORD"),
source: "NVD",
onlyCheckSpecifiedVulns: true,
namespace: "rhel:8",
expectedFeatures: []apiV1.Feature{
{
Name: "spring-security-web",
VersionFormat: component.JavaSourceType.String(),
Version: "5.5.5",
Location: "application/app.jar:BOOT-INF/lib/spring-security-web-5.5.5.jar",
Vulnerabilities: []apiV1.Vulnerability{
{
Name: "CVE-2022-22978",
Description: `In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers.

Applications using RegexRequestMatcher with '.' in the regular expression are possibly vulnerable to an authorization bypass.`,
Link: "https://nvd.nist.gov/vuln/detail/CVE-2022-22978",
Severity: "Important",
Metadata: map[string]interface{}{
"NVD": map[string]interface{}{
"CVSSv2": map[string]interface{}{
"ExploitabilityScore": 0.0,
"ImpactScore": 0.0,
"Score": 0.0,
"Vectors": "",
},
"CVSSv3": map[string]interface{}{
"ExploitabilityScore": 3.9,
"ImpactScore": 4.2,
"Score": 8.2,
"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
},
},
},
FixedBy: "5.5.7",
},
},
FixedBy: "5.5.7",
AddedBy: "sha256:5b6e3ce9721946e142ba43e488385ee4d323204a6052e0f20352d89ac00cafa2",
},
},
},
}
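Review bot: The new case exercises only the `< 5.5.7` range of the CVE-2022-22978 manual entry (spring-security-web 5.5.5, FixedBy 5.5.7); the `5.6.0 <= v < 5.6.4` range, which reports a different fixed version, has no coverage as far as this page shows. If an image carrying a 5.6.x jar is available, a second expected feature with `Version: "5.6.3"` and `FixedBy: "5.6.4"` would pin that branch as well. The enclosing test-case slice starts outside the hunk.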
65 changes: 65 additions & 0 deletions pkg/vulnloader/nvdloader/manual.go
Expand Up @@ -454,6 +454,71 @@ var manuallyEnrichedVulns = map[string]*schema.NVDCVEFeedJSON10DefCVEItem{
LastModifiedDate: "2022-03-31T00:00Z",
PublishedDate: "2022-03-31T00:00Z",
},
"CVE-2022-22978": {
CVE: &schema.CVEJSON40{
CVEDataMeta: &schema.CVEJSON40CVEDataMeta{
ID: "CVE-2022-22978",
},
DataFormat: "MITRE",
DataType: "CVE",
DataVersion: "4.0",
Description: &schema.CVEJSON40Description{
DescriptionData: []*schema.CVEJSON40LangString{
{
Lang: "en",
Value: "In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers.\n\nApplications using RegexRequestMatcher with '.' in the regular expression are possibly vulnerable to an authorization bypass.",
},
},
},
References: &schema.CVEJSON40References{
ReferenceData: []*schema.CVEJSON40Reference{
{
Name: "https://tanzu.vmware.com/security/cve-2022-22978",
},
},
},
},
Configurations: &schema.NVDCVEFeedJSON10DefConfigurations{
CVEDataVersion: "4.0",
Nodes: []*schema.NVDCVEFeedJSON10DefNode{
{
CPEMatch: []*schema.NVDCVEFeedJSON10DefCPEMatch{
{
Cpe23Uri: `cpe:2.3:a:vmware:spring\-security\-web:*:*:*:*:*:*:*:*`,
VersionEndExcluding: "5.6.4",
VersionStartIncluding: "5.6.0",
},
{
Cpe23Uri: `cpe:2.3:a:vmware:spring\-security\-web:*:*:*:*:*:*:*:*`,
VersionEndExcluding: "5.5.7",
},
},
Operator: "OR",
},
},
},
Impact: &schema.NVDCVEFeedJSON10DefImpact{
BaseMetricV3: &schema.NVDCVEFeedJSON10DefImpactBaseMetricV3{
CVSSV3: &schema.CVSSV30{
AttackComplexity: "LOW",
AttackVector: "NETWORK",
AvailabilityImpact: "NONE",
BaseScore: 8.2,
ConfidentialityImpact: "HIGH",
IntegrityImpact: "LOW",
PrivilegesRequired: "NONE",
Scope: "UNCHANGED",
UserInteraction: "NONE",
VectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
Version: "3.1",
},
ExploitabilityScore: 3.9,
ImpactScore: 4.2,
},
},
LastModifiedDate: "2022-05-16T00:00Z",
PublishedDate: "2022-05-16T00:00Z",
},
"CVE-2017-5638": {
CVE: &schema.CVEJSON40{
CVEDataMeta: &schema.CVEJSON40CVEDataMeta{
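Review bot: The two CPEMatch entries spell the product as `spring\-security\-web` (escaped hyphens) while the Spring component names this PR adds in java.go use underscores (`spring_security_web`); whether the matcher treats the two spellings as equivalent is not visible from this file. If it does, a one-line comment above the first Cpe23Uri, such as `// Product uses the hyphenated form; the matcher normalizes it against the underscore name keys.`, would stop a future maintainer from "correcting" one side to match the other; if it does not, the e2e case presumably matches through a different name key, which is worth confirming. The two version ranges (`< 5.5.7` and `5.6.0 <= v < 5.6.4`) agree with the description text. The manuallyEnrichedVulns map literal starts and ends outside the hunk.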