[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed
Jesus Linares
jesus at wazuh.com
Fri Oct 28 09:19:21 UTC 2016
Hi all,
The files have the correct syntax. But I am still getting "vulnerabilities"
related to software that I do not have installed.
Example:
-----------
<definition class="vulnerability" id="oval:com.ubuntu.xenial:def:20148111000" version="1">
  <metadata>
    <title>CVE-2014-8111 on Ubuntu 16.04 LTS (xenial) - medium.</title>
    <description>Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.</description>
    <affected family="unix">
      <platform>Ubuntu 16.04 LTS</platform>
    </affected>
    <reference source="CVE" ref_id="CVE-2014-8111" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111" />
    <advisory>
      <severity>Medium</severity>
      <rights>Copyright (C) 2015 Canonical Ltd.</rights>
      <public_date>2015-04-21</public_date>
      <ref>http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8111.html</ref>
      <ref>http://rhn.redhat.com/errata/RHSA-2015-0849.html</ref>
      <ref>http://rhn.redhat.com/errata/RHSA-2015-0848.html</ref>
      <ref>http://rhn.redhat.com/errata/RHSA-2015-0847.html</ref>
      <ref>http://rhn.redhat.com/errata/RHSA-2015-0846.html</ref>
    </advisory>
  </metadata>
  <criteria>
    <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100" comment="Ubuntu 16.04 LTS (xenial) is installed." applicability_check="true" />
    <criterion test_ref="oval:com.ubuntu.xenial:tst:20148111000" comment="While related to the CVE in some way, the 'libapache-mod-jk' package in xenial is not affected (note: '1:1.2.40+svn150520-1')." />
  </criteria>
</definition>
<linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20148111000" version="1" check_existence="any_exist" check="all" comment="Returns true whether or not the 'libapache-mod-jk' package exists.">
  <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20148111000"/>
</linux-def:dpkginfo_test>
<linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20148111000" version="1" comment="The 'libapache-mod-jk' package.">
  <linux-def:name>libapache-mod-jk</linux-def:name>
</linux-def:dpkginfo_object>
---------------
OpenSCAP shows that my system has that vulnerability, but I do not have
"libapache-mod-jk" installed (I tested it with dpkg -l | grep -i apache).
I think this test should have the "negate" due to the comment "While
related to the CVE in some way, the 'libapache-mod-jk' package in *xenial
is not affected*". So, maybe the input of the script is wrong? Where is
the input?
Thanks.
On Tue, Oct 25, 2016 at 6:51 PM, Steve Beattie <sbeattie at ubuntu.com> wrote:
> On Tue, Oct 25, 2016 at 01:12:15PM +0200, Jesus Linares wrote:
> > OVAL files are failing again. It is due to the following error:
> >
> > > File 'com.ubuntu.xenial.cve.oval.xml' line 65535: Element
> > > '{http://oval.mitre.org/XMLSchema/oval-definitions-5}criterion', attribute
> > > 'negate': 'True' is not a valid value of the atomic type 'xs:boolean'.
> >
> >
> > I think it could be fixed by changing "*T*rue" for "*t*rue".
>
> Ah nice catch. I've fixed it and caused the OVAL files to be
> regenerated, and verified them with "oscap oval validate".
>
> Thanks!
>
> --
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/
>
> --
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>
>
--
*Jesus Linares*
*IT Security Engineer*
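
The false positive described in the message above can be found mechanically. The following is an added example, not part of the original post and not the Ubuntu OVAL generator's code: it lists vulnerability definitions whose criterion points at a test that passes regardless of installed packages and carries no negate. The sample document is constructed from the excerpt in the post, trimmed, plus a made-up oval:example:* definition; the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

OVAL = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
# Constructed sample: the post's definition and test, trimmed, plus a made-up
# second definition (oval:example:*) whose criterion is negated.
SAMPLE = """<oval_definitions
  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 <definitions>
  <definition class="vulnerability" id="oval:com.ubuntu.xenial:def:20148111000">
   <criteria>
    <criterion test_ref="oval:com.ubuntu.xenial:tst:20148111000" comment="not affected" />
   </criteria>
  </definition>
  <definition class="vulnerability" id="oval:example:def:2">
   <criteria>
    <criterion negate="true" test_ref="oval:example:tst:2" comment="not affected" />
   </criteria>
  </definition>
 </definitions>
 <tests>
  <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20148111000"
      check_existence="any_exist" check="all">
   <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20148111000"/>
  </linux-def:dpkginfo_test>
  <linux-def:dpkginfo_test id="oval:example:tst:2" check_existence="any_exist" check="all">
   <linux-def:object object_ref="oval:example:obj:2"/>
  </linux-def:dpkginfo_test>
 </tests>
</oval_definitions>"""

def unconditional_findings(xml_text):
    """Return (definition id, test id) pairs whose criterion is true on any host."""
    root = ET.fromstring(xml_text)
    # A test with check_existence="any_exist" and no state child passes
    # whether or not the package is installed.
    always_true = {t.get("id") for t in root.iter()
                   if t.tag.endswith("_test")
                   and t.get("check_existence") == "any_exist"
                   and not any(c.tag.endswith("}state") for c in t)}
    hits = []
    for d in root.iter(OVAL + "definition"):
        if d.get("class") != "vulnerability":
            continue
        for c in d.iter(OVAL + "criterion"):
            negated = c.get("negate", "false") in ("true", "1")  # xs:boolean
            if c.get("test_ref") in always_true and not negated:
                hits.append((d.get("id"), c.get("test_ref")))
    return hits
```

On the sample, only the CVE-2014-8111 definition from the post is returned; the negated one is not.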