[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed

Jesus Linares jesus at wazuh.com
Thu Oct 20 10:48:04 UTC 2016


Hi all,

I'm running the OVAL files found in
https://people.canonical.com/~ubuntu-security/oval/. When I run
*com.ubuntu.xenial.cve.oval.xml*, openscap shows that I have a lot of
vulnerabilities in my system, but the software related to the
vulnerabilities is *not installed* in my system. So, what is happening?

Example:
CVE-2013-2071 on Ubuntu 16.04 LTS (xenial) - medium

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x
before 7.0.40 does not properly handle the throwing of a RuntimeException
in an AsyncListener in an application, which allows context-dependent
attackers to obtain sensitive request information intended for other
applications in opportunistic circumstances via an application that records
the requests that it processes.

If we see the oval file:
-----
<criteria>
  <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
      comment="Ubuntu 16.04 LTS (xenial) is installed."
      applicability_check="true" />
  <criteria operator="OR">
    <criterion test_ref="oval:com.ubuntu.xenial:tst:20132071000"
        comment="While related to the CVE in some way, the 'tomcat6' package in
        xenial is not affected." />
    <criterion test_ref="oval:com.ubuntu.xenial:tst:20132071010"
        comment="While related to the CVE in some way, the 'tomcat7' package in
        xenial is not affected (note: '7.0.40-1')." />
  </criteria>
</criteria>

<linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20132071000"
    version="1" check_existence="any_exist" check="all"
    comment="Returns true whether or not the 'tomcat6' package exists.">
  <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20123544000"/>
</linux-def:dpkginfo_test>

<linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20123544000"
    version="1" comment="The 'tomcat6' package.">
  <linux-def:name>tomcat6</linux-def:name>
</linux-def:dpkginfo_object>
-----

The oval is checking if I have installed tomcat 6 or 7. It is not installed
in my system, but the check always returns *true*. It is due to the
attribute *check_existence="any_exist"* (
http://oval.mitre.org/language/version5.4/ovaldefinition/documentation/oval-common-schema.html
).

Is it a bug?

Thanks.


-- 
*Jesus Linares*
*IT Security Engineer*
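The behaviour described in the post can be reproduced with a small evaluator for the existence part of an OVAL test. The following is an added example, not code from the post, from openscap or from the Ubuntu OVAL project: it parses a constructed fragment modelled on the quoted tomcat6 test, collects dpkg items from a constructed set of installed package names (assumed; no real dpkg database is consulted), and applies the `check_existence` semantics from the OVAL common schema the post links. State comparison (the `check` attribute) is not modelled, because the quoted test has no state.

```python
"""Evaluate the check_existence part of an OVAL dpkginfo_test.

Added example: constructed OVAL fragment and constructed package sets,
not the output of openscap or any real system.
"""
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
NS = {"oval-def": DEF_NS, "linux-def": LINUX_NS}

# Constructed fragment modelled on the tomcat6 test quoted in the post.
OVAL_FRAGMENT = f"""<oval_definitions xmlns="{DEF_NS}" xmlns:linux-def="{LINUX_NS}">
<tests>
 <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20132071000" version="1"
   check_existence="any_exist" check="all"
   comment="Returns true whether or not the 'tomcat6' package exists.">
  <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20123544000"/>
 </linux-def:dpkginfo_test>
</tests>
<objects>
 <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20123544000" version="1"
   comment="The 'tomcat6' package.">
  <linux-def:name>tomcat6</linux-def:name>
 </linux-def:dpkginfo_object>
</objects>
</oval_definitions>"""

# ExistenceEnumeration from the OVAL common schema, applied to the number
# of items the object collected on the system.
EXISTENCE = {
    "any_exist": lambda n: True,              # zero or more items -> true
    "at_least_one_exists": lambda n: n >= 1,  # the schema default
    "only_one_exists": lambda n: n == 1,
    "none_exist": lambda n: n == 0,
    "all_exist": lambda n: n >= 1,            # one-name object: exists or not
}


def load_fragment(xml_text):
    """Index the <tests> and <objects> of an OVAL document by id."""
    root = ET.fromstring(xml_text)
    tests = {t.get("id"): t for t in root.find("oval-def:tests", NS)}
    objects = {o.get("id"): o for o in root.find("oval-def:objects", NS)}
    return tests, objects


def collect_items(obj, installed):
    """Items a dpkginfo_object matches: the named package if it is installed.

    `installed` is a constructed set of package names standing in for dpkg.
    """
    name = obj.find("linux-def:name", NS).text
    return [name] if name in installed else []


def evaluate_test(test, objects, installed, check_existence=None):
    """Return the boolean result of a stateless dpkginfo_test.

    `check_existence` overrides the attribute on the element so the same
    test can be re-evaluated under a different existence rule.
    """
    rule = check_existence or test.get("check_existence", "at_least_one_exists")
    obj = objects[test.find("linux-def:object", NS).get("object_ref")]
    items = collect_items(obj, installed)
    existence_ok = EXISTENCE[rule](len(items))
    # With no <state> there is nothing for `check="all"` to compare items
    # against, so the existence result is the test result.
    if test.find("linux-def:state", NS) is None:
        return existence_ok
    raise NotImplementedError("state comparison is not modelled here")


if __name__ == "__main__":
    tests, objects = load_fragment(OVAL_FRAGMENT)
    tomcat6_test = tests["oval:com.ubuntu.xenial:tst:20132071000"]
    for pkgs in ({"apache2"}, {"apache2", "tomcat6"}):
        print(sorted(pkgs),
              "any_exist ->", evaluate_test(tomcat6_test, objects, pkgs),
              "at_least_one_exists ->",
              evaluate_test(tomcat6_test, objects, pkgs, "at_least_one_exists"))
```

With the package absent, the test as written still evaluates to true, and in the definition that true feeds an `OR` whose other branch is the equally unconditional tomcat7 test, so the whole CVE definition resolves to true on a system that only satisfies the xenial applicability check. Re-running the same test under `at_least_one_exists` shows the result a package-presence check would normally give.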