ebarretto | Guest38, are you the author of this https://askubuntu.com/questions/1444976/confused-about-reported-kernel-cve-by-openscap-with-oval-on-ubuntu-20-04-22-04/ ? | 09:49 |
---|---|---|
Guest38 | yes I am | 12:28 |
ebarretto | Guest38, have you tried to use newer OVAL data and see if you can reproduce the issue? I couldn't here | 12:52 |
Guest38 | yes, I refresh the OVAL definition before each run. I will try one run again today | 13:01 |
ebarretto | great, let me know if this is still happening | 13:04 |
Guest38 | new test | 16:30 |
Guest38 | fjc@nas:~$ uname -a | 16:31 |
Guest38 | Linux nas 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux | 16:31 |
Guest38 | fjc@nas:~$ grep -i "oval:timestamp" com.ubuntu.jammy.cve.oval.xml | 16:31 |
Guest38 | <oval:timestamp>2022-12-15T14:55:46</oval:timestamp> | 16:31 |
Guest38 | fjc@nas:~$ oscap oval eval --report report_cve_$(hostname).html com.ubuntu.jammy.cve.oval.xml | grep 202243945 | 16:31 |
Guest38 | Definition oval:com.ubuntu.jammy:def:2022439450000000: true | 16:31 |
ebarretto | Guest38, https://pastebin.ubuntu.com/p/JhQ228p7P8/ I cannot reproduce it | 16:40 |
ebarretto | Guest38, could you run oscap with: oscap oval eval --report report_cve_$(hostname).html --results results.xml --verbose INFO --verbose-log-file log.txt com.ubuntu.jammy.cve.oval.xml | grep 202243945 | 16:41 |
ebarretto | and then share the results.xml and log.txt | 16:41 |
Guest38 | https://file.io/mmuAwwxRt9YB | 17:05 |
Guest38 | one download allowed :/ | 17:05 |
ebarretto | Guest38, do you have linux-image-extra-virtual or linux-image-generic or linux-image-virtual installed? | 17:20 |
Guest38 | fjc@nas:~$ sudo apt list --installed | grep linux-image | 17:22 |
Guest38 | WARNING: apt does not have a stable CLI interface. Use with caution in scripts. | 17:22 |
Guest38 | linux-image-5.15.0-53-generic/jammy-updates,jammy-security,now 5.15.0-53.59 amd64 [installé, automatique] | 17:22 |
Guest38 | linux-image-5.15.0-56-generic/jammy-updates,jammy-security,now 5.15.0-56.62 amd64 [installé, automatique] | 17:22 |
Guest38 | linux-image-generic/jammy-updates,jammy-security,now 5.15.0.56.54 amd64 [installé, automatique] | 17:22 |
Guest38 | it is a 22.04 machine migrated from a 20.04. does it raise some problems? | 17:22 |
Guest38 | I also have tens of (freshly installed) 20.04 machines which have the same symptoms | 17:35 |
ebarretto | Guest38, so it is giving you 'true' result because it is matching the linux-image-generic binary package as part of the linux-meta-riscv source package. And that source package apparently didn't receive the CVE fix, so they will for sure trigger the true. I need to check with the kernel team more about it | 17:37 |
Guest38 | thank you for the explanation | 19:05 |
ebarretto | Guest38, I will take a look tomorrow on how to avoid this. This is a kind of false positive, but for a reason that shouldn't happen. I won't promise that the fix will be published tomorrow as we are about to leave for holidays, so it might have to wait until first week of January | 19:11 |
ebarretto | and thanks for reporting it and providing the logs | 19:11 |
Guest38 | thanks, no hurry. I think I have noticed this problem for 6 months or something, for 20.04 and 22.04. Not for 18.04. | 20:22 |
Guest38 | another example: oscap oval eval com.ubuntu.jammy.cve.oval.xml | grep 202242703 | 20:24 |
Guest38 | Definition oval:com.ubuntu.jammy:def:2022427030000000: true | 20:24 |
Guest38 | https://ubuntu.com/security/CVE-2022-42703 | 20:24 |
-ubottu:#ubuntu-security- mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42703> | 20:24 | |
Guest38 | another kind of false positive, but probably with another root cause as it is a special case of a rejected CVE: https://ubuntu.com/security/CVE-2022-2209 | 20:56 |
-ubottu:#ubuntu-security- ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2209> | 20:56 | |
Guest38 | oscap oval eval com.ubuntu.jammy.cve.oval.xml | grep 20222209 | 20:57 |
Guest38 | Definition oval:com.ubuntu.jammy:def:202222090000000: true | 20:57 |
=== Guest38 is now known as fjc |