v0.19.3
What's new in v0.19.3
TL;DR
How it works
Vulnerable Fedora Environment Setup
Deliberately downgrade the mysql package so that FEDORA-MODULAR-2021-217f84c072 is detected.
- Dockerfile
FROM fedora:35
RUN dnf -y install openssh-server glibc-langpack-en
RUN mkdir /var/run/sshd
RUN sed -i 's/#\?PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed -i 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' /etc/pam.d/sshd
ENV NOTVISIBLE "in users profile"
RUN echo "export VISIBLE=now" >> /etc/profile
COPY .ssh/id_rsa.pub /root/authorized_keys
RUN mkdir ~/.ssh && \
mv ~/authorized_keys ~/.ssh/authorized_keys && \
chmod 0600 ~/.ssh/authorized_keys
RUN ssh-keygen -A
RUN rm -rf /run/nologin
EXPOSE 22
# Vuls Setting
RUN dnf -y install dnf-utils which lsof iproute
# FEDORA-MODULAR-2021-217f84c072
RUN dnf module install -y mysql && dnf downgrade -y mysql
CMD ["/usr/sbin/sshd", "-D"]
check community-mysql package version
$ docker build -t vuls-target -f Dockerfile .
$ docker run --rm -itd -p 2222:22 vuls-target
$ ssh -i ~/.ssh/id_rsa -p 2222 [email protected]
[root@615d6b9247ec /]# cat /etc/fedora-release
Fedora release 35 (Thirty Five)
[root@615d6b9247ec /]# rpm -qa | grep community-mysql
community-mysql-common-8.0.26-1.module_f35+12627+b26747dd.x86_64
community-mysql-8.0.26-1.module_f35+12627+b26747dd.x86_64
community-mysql-errmsg-8.0.26-1.module_f35+12627+b26747dd.x86_64
community-mysql-server-8.0.26-1.module_f35+12627+b26747dd.x86_64
Vulnerability Detection (dnf updateinfo --security vs vuls report)
dnf updateinfo --security
The mysql package we just installed is a modular package, so the advisory starting with FEDORA-MODULAR-
should be presented.
However, the actual advisory provided relates to a non-modular package of the same name.
[root@615d6b9247ec /]# dnf updateinfo --security --info
Last metadata expiration check: 0:02:24 ago on Thu Feb 3 04:47:52 2022.
===============================================================================
community-mysql-8.0.27-1.fc35
===============================================================================
Update ID: FEDORA-2021-46dc82116b
Type: security
Updated: 2021-11-10 02:52:52
Bugs: 2015421 - community-mysql-8.0.27 is available
: 2016141 - CVE-2021-2478 CVE-2021-2479 CVE-2021-2481 CVE-2021-35546 CVE-2021-35575 CVE-2021-35577 CVE-2021-35591 CVE-2021-35596 CVE-2021-35597 CVE-2021-35602 CVE-2021-35604 CVE-2021-35607 CVE-2021-35608 CVE-2021-35610 ... community-mysql: various flaws [fedora-all]
Description: **MySQL 8.0.27**
:
: Release notes:
:
: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-27.html
Severity: Moderate
vuls
vuls report
FixedIn is displayed correctly as module to module!
$ vuls report --format-full-text
...
+----------------+----------------------------------------------------------------------------------+
| CVE-2021-35610 | FIXED |
+----------------+----------------------------------------------------------------------------------+
| Max Score | 7.1 MODERATE (redhat_api) |
| redhat_api | 7.1/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H MODERATE |
| nvd | 7.1/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H HIGH |
| jvn | 7.1/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H HIGH |
| Vendor | 4.0-6.9 MODERATE |
| nvd | 5.5/AV:N/AC:L/Au:S/C:N/I:P/A:P MEDIUM |
| jvn | 5.5/AV:N/AC:L/Au:S/C:N/I:P/A:P MEDIUM |
| Summary | **MySQL 8.0.27** Release notes: |
| | https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-27.html |
| Primary Src | https://www.oracle.com/security-alerts/cpuoct2021.html |
| Primary Src | https://nvd.nist.gov/vuln/detail/CVE-2021-35610 |
| Primary Src | https://bodhi.fedoraproject.org/updates/FEDORA-MODULAR-2021-217f84c072 |
| Patch | https://www.oracle.com/security-alerts/cpuoct2021.html |
| Affected Pkg | community-mysql-8.0.26-1.module_f35+12627+b26747dd |
| | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn: |
| | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular) |
| Affected Pkg | community-mysql-common-8.0.26-1.module_f35+12627+b26747dd |
| | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn: |
| | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular) |
| Affected Pkg | community-mysql-errmsg-8.0.26-1.module_f35+12627+b26747dd |
| | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn: |
| | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular) |
| Affected Pkg | community-mysql-server-8.0.26-1.module_f35+12627+b26747dd |
| | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn: |
| | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular) |
| Confidence | 100 / OvalMatch |
| CWE | NVD-CWE-noinfo: (nvd) |
| CWE | https://cwe.mitre.org/data/definitions/NVD-CWE-noinfo.html |
+----------------+----------------------------------------------------------------------------------+
...
vuls tui
Looking at the TUI, we have succeeded in getting the advisory we really want: FEDORA-MODULAR-2021-217f84c072!
What's Changed
- chore: update git submodule for integration test by @kotakanbe in #1364
- fix(scanner/base) export libFile struct by @sadayuki-matsuno in #1365
- fix(scanner/base) export libFile fields by @sadayuki-matsuno in #1366
- feat(libscan): support trivy v0.23.0 by @kotakanbe in #1377
- fix(oval): fix query in PostgreSQL by @MaineK00n in #1372
- feat(alpine): add Alpine 3.14, 3.15 EOL by @MaineK00n in #1359
- fix(gost): add nil check by @MaineK00n in #1379
- fix(centos): identify CentOS and CentOS Stream by @MaineK00n in #1360
- feat(fedora): support fedora by @maito1201 in #1367
- chore(oval): update mod by @MaineK00n in #1385
New Contributors
- @maito1201 made their first contribution in #1367
Full Changelog: v0.19.2...v0.19.3