Missing Container Scan Result for CVE-2023-24329 / USN-5960-1

[joe-cheuk]

IDs

CVE-2023-24329, USN-5960-1

Description

Based on the Ubuntu USN website, for USN-5960-1 / CVE-2023-24329

Patch is available for Ubuntu 18.04 (since March 2023)

Ubuntu 18.04
[python2.7](https://launchpad.net/ubuntu/+source/python2.7) - [2.7.17-1~18.04ubuntu1.11](https://launchpad.net/ubuntu/+source/python2.7/2.7.17-1~18.04ubuntu1.11)
[python3.6](https://launchpad.net/ubuntu/+source/python3.6) - [3.6.9-1~18.04ubuntu1.12](https://launchpad.net/ubuntu/+source/python3.6/3.6.9-1~18.04ubuntu1.12)

But the scan result didn't flag any vulnerabilities on this CVE.

Reproduction Steps

1. trivy image --scanners vuln --vuln-type os --format json <IMAGE> --output ~/Downloads/vout.json --list-all-pkgs
2. In the file, we can see that 2 vulnerable versions of python are installed
        {
          "ID": "[email protected]~18.04ubuntu1.10",
          "Name": "python2.7",
          "Version": "2.7.17",
          "Release": "1~18.04ubuntu1.10",
          "Arch": "amd64",
          "SrcName": "python2.7",
          "SrcVersion": "2.7.17",
          "SrcRelease": "1~18.04ubuntu1.10",
          "Licenses": [
            "GPL-2.0",
            "# Licensed to PSF under a Contributor Agreement",
            "Apache-2.0",
            "This software is provided 'as-is'",
            "without any express",
            "implied",
            "Permission is hereby granted",
            "free of charge",
            "to any person obtaining",
            "This software is provided as-is",
            "without express",
            "* Permission to use this software in any way is granted without",
            "see above",
            "some license as Python.",
            "Expat",
            "PSF-2",
            "Apache-2",
            "Python",
            "ISC",
            "LGPL-2.1"
          ],
          "Maintainer": "Ubuntu Core Developers \[email protected]\u003e",
          "DependsOn": [
            "[email protected]~18.04ubuntu1.10",
            "[email protected]",
            "[email protected]~18.04ubuntu1.10"
          ],
          "Layer": {
            "Digest": "sha256:-",
            "DiffID": "sha256:-"
          }
        },

        {
          "ID": "[email protected]~18.04ubuntu1.10",
          "Name": "python3.6",
          "Version": "3.6.9",
          "Release": "1~18.04ubuntu1.10",
          "Arch": "amd64",
          "SrcName": "python3.6",
          "SrcVersion": "3.6.9",
          "SrcRelease": "1~18.04ubuntu1.10",
          "Licenses": [
            "GPL-2.0",
            "Redistribution",
            "use in source",
            "binary forms",
            "with",
            "without",
            "By obtaining",
            "using",
            "and/or copying this software and/or its",
            "Permission to use",
            "copy",
            "modify",
            "distribute this software and",
            "This software is provided 'as-is'",
            "without any express",
            "implied",
            "Permission  is  hereby granted",
            "free  of charge",
            "to  any person",
            "Permission is hereby granted",
            "free of charge",
            "to any person obtaining",
            "distribute this software",
            "its",
            "This software is provided as-is",
            "without express",
            "distribute this software for any",
            "* Permission to use this software in any way is granted without"
          ],
          "Maintainer": "Ubuntu Developers \[email protected]\u003e",
          "DependsOn": [
            "[email protected]~18.04ubuntu1.10",
            "[email protected]",
            "[email protected]~18.04ubuntu1.10"
          ],
          "Layer": {
            "Digest": "sha256:-",
            "DiffID": "sha256:-"
          }
        },

3. `CVE-2023-24329` and `USN-5960-1` are not included in the output file.
4. Based on the USN link above, we expect Trivy to flag both libraries and recommend for an update to the corresponding python version.

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

2023-06-15T10:31:42.860-0700    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-15T10:31:42.873-0700    DEBUG   cache dir:  -
2023-06-15T10:31:42.874-0700    DEBUG   DB update was skipped because the local DB is the latest
2023-06-15T10:31:42.874-0700    DEBUG   DB Schema: 2, UpdatedAt: 2023-06-15 12:07:38.367537265 +0000 UTC, NextUpdate: 2023-06-15 18:07:38.367536865 +0000 UTC, DownloadedAt: 2023-06-15 15:57:07.127053 +0000 UTC
2023-06-15T10:31:42.874-0700    INFO    Vulnerability scanning is enabled
2023-06-15T10:31:42.874-0700    DEBUG   Vulnerability type:  [os]
2023-06-15T10:31:44.807-0700    DEBUG   Image ID: sha256:-
2023-06-15T10:31:44.807-0700    DEBUG   Diff IDs: [-]
2023-06-15T10:31:44.807-0700    DEBUG   Base Layers: [-]
2023-06-15T10:31:44.844-0700    INFO    Detected OS: ubuntu
2023-06-15T10:31:44.844-0700    INFO    Detecting Ubuntu vulnerabilities...
2023-06-15T10:31:44.844-0700    DEBUG   ubuntu: os version: 18.04
2023-06-15T10:31:44.844-0700    DEBUG   ubuntu: the number of packages: 519
2023-06-15T10:31:44.896-0700    WARN    This OS version is no longer supported by the distribution: ubuntu 18.04
2023-06-15T10:31:44.896-0700    WARN    The vulnerability detection may be insufficient because security updates are not provided

Version

Version: 0.42.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-06-15 12:07:38.367537265 +0000 UTC
  NextUpdate: 2023-06-15 18:07:38.367536865 +0000 UTC
  DownloadedAt: 2023-06-15 15:57:07.127053 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-06-12 00:58:09.155334694 +0000 UTC
  NextUpdate: 2023-06-15 00:58:09.155334094 +0000 UTC
  DownloadedAt: 2023-06-12 23:58:47.500035 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

@DmitriyLewen Can you please take a look?

[DmitriyLewen]

It seems yes.

[knqyf263]

Can you check Ubuntu OVAL? I'd like to know if OVAL is also wrong or not.
https://security-metadata.canonical.com/oval/

[DmitriyLewen]

if i understand correctly - OVAL doesn't have information about this fix:

        <definition class="vulnerability" id="oval:com.ubuntu.bionic:def:2023243290000000" version="1">
            <metadata>
                <title>CVE-2023-24329 on Ubuntu 18.04 LTS (bionic) - medium.</title>
                <description>An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.</description>
                ...
            </metadata>
            <oval:notes>
                <oval:note>leosilva&gt; there are some discussions around that issue that raises doubts about if it was properly fixed or not. till further investigation it'll be marked as needed again.</oval:note>
            </oval:notes>
            <criteria>
                <extend_definition definition_ref="oval:com.ubuntu.bionic:def:100" comment="Ubuntu 18.04 LTS (bionic) is installed." applicability_check="true" />
                <criteria operator="OR">
                    <criterion test_ref="oval:com.ubuntu.bionic:tst:2021233360000010" comment="python2.7: while related to the CVE in some way, a decision has been made to ignore this issue (note: 'end of standard support, was needed')." />
                    ...
                </criteria>
            </criteria>
...
        <linux-def:dpkginfo_test id="oval:com.ubuntu.bionic:tst:2021233360000010" version="1" check_existence="at_least_one_exists" check="at least one" comment="Does the 'python2.7' package exist?">
            <linux-def:object object_ref="oval:com.ubuntu.bionic:obj:201320990000040"/>
        </linux-def:dpkginfo_test>
...
        <linux-def:dpkginfo_object id="oval:com.ubuntu.bionic:obj:201320990000040" version="1" comment="The 'python2.7' package binaries.">
            <linux-def:name var_ref="oval:com.ubuntu.bionic:var:201320990000040" var_check="at least one" />
        </linux-def:dpkginfo_object>

OVAL does not check the version of python2.7, it only checks for the presence of this package.

[knqyf263]

Looks like OVAL is also saying there is no patch. I suspect 2.7.17-1~18.04ubuntu1.11 actually doesn't fix CVE-2023-24329.

[DmitriyLewen]

Agree with you.
@joe-cheuk as you can see above - looks like USN-5960-1 is wrong.