The Fixed Version for Nginx package is older than the current one (amazon 2023.6.20241121 (Amazon Linux))

[serhii-ciq]

Description

Hello!
I performed a Trivy scan for my docker image and found the strange behavior for the suggested package:

nginx   │ CVE-2023-44487 │ HIGH     │ fixed  │ 1.26.2-1.amzn2023.ngx │ 1:1.24.0-1.amzn2023.0.2

It shows that fixed version 1:1.24.0-1.amzn2023.0.2 is older than my current version (1.26.2-1.amzn2023.ngx)

Could you please check it, probably this is a wrong suggestion.

Desired Behavior

The fixed version should be newer than the vulnerable version

Actual Behavior

The fixed version is older than the vulnerable version

Reproduction Steps

trivy image my-custom-nginx-build:latest

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

None

Debug Output

========================================================================================================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │   Installed Version   │      Fixed Version      │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ nginx   │ CVE-2023-44487 │ HIGH     │ fixed  │ 1.26.2-1.amzn2023.ngx │ 1:1.24.0-1.amzn2023.0.2 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│         │                │          │        │                       │                         │ to a DDoS attack...                                          │
│         │                │          │        │                       │                         │ https://avd.aquasec.com/nvd/cve-2023-44487                   │

### Operating System

Windows

### Version

```bash
Version: 0.58.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-01-02 06:13:46.948760983 +0000 UTC
  NextUpdate: 2025-01-03 06:13:46.948760592 +0000 UTC
  DownloadedAt: 2025-01-02 10:15:54.6988347 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[itaysk]

didn't investigate this just a quick note that that the fixed version includes an epoch (the 1: prefix) which makes it greater than the installed version. this is the advisory details: https://alas.aws.amazon.com/AL2023/ALAS-2023-393.html

[serhii-ciq]

Thanks @itaysk
You are right. This is my bad :(
To install Nginx we use the official Nginx repo instead of the AmazonLinux repo.
The CVE updates appear in the official Nginx repo from time to time https://nginx.org/en/CHANGES

[serhii-ciq]

Hello all
I would like to reopen this issue and continue discussing

Let's refresh the context:

• I am using AmazonLinux:2023 docker images
• To install Nginx I added official Nginx repo

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/amzn/2023/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
priority=9

My Nginx package is nginx-1.26.2-1.amzn2023.ngx.x86_64
The suffix ngx tells us that this is an Nginx build of the F5 vendor but not Amazon

Here the Trivy scanner detected the vulnerability

but if we check the description of the CVE https://avd.aquasec.com/nvd/2021/cve-2021-3618/
We can figure out that this CVE is not applicable to the F5 Nginx 1.26 builds

I think the Trivy scanner made a mistake during the package detection.

Feel free to ask any question

[knqyf263]

It's a known limitation. As written in the doc, third-party packages are not supported (we should document it in more detail). Furthermore, we didn't find a way to identify from the RPMDB which repositories the packages are currently installed from (e.g., nginx-stable), and they are all treated as official packages. This is why such false positives occur.

However, the cache database format has changed in newer Red Hat versions, and SQLite is now used. Thanks to this, repository information may be retrieved now.

bash-5.2# sqlite3 /var/lib/dnf/history.sqlite "
SELECT r.name, r.version, r.release, repo.repoid
FROM rpm r
JOIN item i ON r.item_id = i.id
JOIN trans_item ti ON i.id = ti.item_id
JOIN repo ON ti.repo_id = repo.id
WHERE r.name = 'nginx';"
nginx|1.26.2|1.amzn2023.ngx|nginx-stable

Having said that, it's still challenging to identify official repositories. A problem is how to determine whether ubi-8-baseos-rpms is official.

[root@4291a5ff70ac /]# dnf info sqlite
Last metadata expiration check: 0:00:36 ago on Tue Jan 28 03:20:26 2025.
Installed Packages
Name         : sqlite
Version      : 3.26.0
Release      : 19.el8_9
Architecture : aarch64
Size         : 1.3 M
Source       : sqlite-3.26.0-19.el8_9.src.rpm
Repository   : @System
From repo    : ubi-8-baseos-rpms
Summary      : Library that implements an embeddable SQL database engine
URL          : http://www.sqlite.org/
License      : Public Domain

[serhii-ciq]

Thank you @knqyf263 for this answer
Looking forward to getting this issue solved in the future :)

[knqyf263]

We'll open a ticket in the Red Hat forum as it's not an Amazon-specific issue.