Package: security.debian.org
Severity: important
X-Debbugs-Cc: s...@debian.org

There are two classes of issue with different statuses in the
security-tracker database and JSON feed that are not distinguished in the
OVAL feeds.  Consider the following two entries from the bullseye OVAL
feeds [1]:

CVE-2020-28200:

    <definition class="vulnerability" id="oval:org.debian:def:202028200" 
version="1">
      <metadata>
        <title>CVE-2020-28200</title>
        <affected family="unix">
          <platform>Debian GNU/Linux 11</platform>
          <product>dovecot</product>
        </affected>
        <reference ref_id="CVE-2020-28200" 
ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28200" 
source="CVE"/>
        <description>The Sieve engine in Dovecot before 2.3.15 allows 
Uncontrolled Resource Consumption, as demonstrated by a situation with a 
complex regular expression for the regex extension.</description>
        <debian>
          <date>2021-11-07</date>
          <moreinfo></moreinfo>
        </debian>
      </metadata>
      <criteria comment="Release section" operator="AND">
        <criterion comment="Debian 11 is installed" 
test_ref="oval:org.debian.oval:tst:1"/>
        <criteria comment="Architecture section" operator="OR">
          <criteria comment="Architecture independent section" operator="AND">
            <criterion comment="all architecture" 
test_ref="oval:org.debian.oval:tst:2"/>
            <criterion comment="dovecot DPKG is earlier than 0" 
test_ref="oval:org.debian.oval:tst:20281"/>
          </criteria>
        </criteria>
      </criteria>
    </definition>

and CVE-2012-0833:

    <definition class="vulnerability" id="oval:org.debian:def:20120833" 
version="1">
      <metadata>
        <title>CVE-2012-0833</title>
        <affected family="unix">
          <platform>Debian GNU/Linux 11</platform>
          <product>389-ds-base</product>
        </affected>
        <reference ref_id="CVE-2012-0833" 
ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0833" 
source="CVE"/>
        <description>The acllas__handle_group_entry function in 
servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not 
properly handled access control instructions (ACIs) that use certificate 
groups, which allows remote authenticated LDAP users with a certificate group 
to cause a denial of service (infinite loop and CPU consumption) by binding to 
the server.</description>
        <debian>
          <date>2021-11-07</date>
          <moreinfo></moreinfo>
        </debian>
      </metadata>
      <criteria comment="Release section" operator="AND">
        <criterion comment="Debian 11 is installed" 
test_ref="oval:org.debian.oval:tst:1"/>
        <criteria comment="Architecture section" operator="OR">
          <criteria comment="Architecture independent section" operator="AND">
            <criterion comment="all architecture" 
test_ref="oval:org.debian.oval:tst:2"/>
            <criterion comment="389-ds-base DPKG is earlier than 0" 
test_ref="oval:org.debian.oval:tst:4696"/>
          </criteria>
        </criteria>
      </criteria>
    </definition>

These two OVAL definitions list essentially identical criteria, yet their
actual status in bullseye is quite different:

CVE-2020-28200 is still present in bullseye and is a legitimate finding by
any scanner based on these definitions:
https://security-tracker.debian.org/tracker/CVE-2020-28200

CVE-2012-0833 is not present in bullseye and should not trigger a
finding from a scanner:
https://security-tracker.debian.org/tracker/CVE-2012-0833

If we look at the security-tracker's JSON feed [2], we see some details that
should be reflected in the OVAL feed but aren't, in particular the "status"
field:

    "CVE-2012-0833": {
      ...
      "releases": {
        ...
        "bullseye": {
          "status": "resolved",
          "repositories": {
            "bullseye": "1.4.4.11-2"
          },
          "fixed_version": "0",
          "urgency": "unimportant"
        },
      ...
    }

and

    "CVE-2020-28200": {
      "releases": {
        ...
        "bullseye": {
          "status": "open",
          "repositories": {
            "bullseye": "1:2.3.13+dfsg1-2"
          },
          "urgency": "not yet assigned"
        },
        ...
    },

I'm not super familiar with the semantic expectations of OVAL, but I think
logically we want to represent CVE-2012-0833 somewhat differently in OVAL
using logic similar to:

if status == resolved:
  if fixed_version == 0:
    # All versions of this package in this release's repos are fixed:
    OVAL_criterion = "package is earlier than min(values.repositories)"
  else:
    OVAL_criterion = "package is earlier than fixed_version"

In this case the criterion for CVE-2012-0833 would be:

<criterion comment="389-ds-base DPKG is earlier than 1.4.4.11-2" 
test_ref="oval:org.debian.oval:tst:4696"/>

Which I believe is correct.  If a system is running bullseye and has
1.4.4.11-2 or later installed, then a scanner should determine that this
vulnerability is not present.

There are quite a few CVEs in a similar state to CVE-2012-0833 in the OVAL
feeds, leading to a high false-positive rate, hence the "important"
severity.

Please let me know if I'm missing something with this assessment.  Otherwise
I can try to put together a patch to implement the proposed logic as
described above.

noah

1. https://www.debian.org/security/oval/oval-definitions-bullseye.xml
2. https://security-tracker.debian.org/tracker/data/json
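As an added example (not part of noah's report and not code from Debian's OVAL generator or the security-tracker), the proposed logic worked through in Python against the two bullseye entries quoted above. It reimplements dpkg's version ordering so that the min() over repository versions and the "earlier than" test follow Debian ordering (epochs, "~", numeric runs) rather than plain string comparison. The TRACKER and PACKAGE dicts are transcribed from the report's excerpts with elided fields omitted; the function names, and the decision to treat an "earlier than 0" entry (status "open") as affected at any installed version, are assumptions made here for illustration.

```python
# Added example (not from the bug report nor from Debian's OVAL generator):
# derive the "earlier than" bound from security-tracker JSON as the report
# proposes, then evaluate it against an installed version with dpkg ordering.
from functools import cmp_to_key

# Constructed input: the bullseye release dicts transcribed from the report's
# JSON excerpts; fields elided there ("...") are simply omitted.
TRACKER = {
    "CVE-2012-0833": {"status": "resolved", "repositories": {"bullseye": "1.4.4.11-2"},
                      "fixed_version": "0", "urgency": "unimportant"},
    "CVE-2020-28200": {"status": "open", "repositories": {"bullseye": "1:2.3.13+dfsg1-2"},
                       "urgency": "not yet assigned"},
}
PACKAGE = {"CVE-2012-0833": "389-ds-base", "CVE-2020-28200": "dovecot"}  # from <product>


def _order(c):
    """Character weight dpkg uses for the non-digit runs of a version string."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or debian-revision strings like dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: '~' sorts before everything, letters before symbols.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Numeric run: ignore leading zeros, longer run wins, else first digit diff.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split [epoch:]upstream[-revision]; missing epoch/revision default to 0."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """<0, 0 or >0 as a is earlier than, equal to, or later than b (dpkg order)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def fixed_bound(release):
    """Version below which the package is affected, per the report's proposal.

    resolved + fixed_version "0": every version in the release's repositories is
    fixed, so the lowest repository version (in dpkg order) is the bound.
    open: None, i.e. affected at any version (assumption: this is how the
    feed's existing "earlier than 0" entries are read by scanners).
    """
    if release["status"] != "resolved":
        return None
    if release["fixed_version"] == "0":
        return min(release["repositories"].values(), key=cmp_to_key(dpkg_compare))
    return release["fixed_version"]


def oval_criterion(package, release):
    """Comment text of the <criterion> the proposal would emit for this entry."""
    bound = fixed_bound(release)
    return f"{package} DPKG is earlier than {'0' if bound is None else bound}"


def scanner_finding(release, installed):
    """True if a scanner evaluating the proposed criterion should report it."""
    bound = fixed_bound(release)
    return bound is None or dpkg_compare(installed, bound) < 0
```

With these inputs, CVE-2012-0833 yields "389-ds-base DPKG is earlier than 1.4.4.11-2" and is not reported for an installed 1.4.4.11-2 or later, while CVE-2020-28200 keeps the feed's existing "earlier than 0" criterion and is reported for the bullseye dovecot 1:2.3.13+dfsg1-2, which matches the status of both CVEs described in the report.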
