
Confused about reported kernel CVE by openscap with OVAL on ubuntu 20.04/22.04 - false positive?


I have been using openscap extensively with the OVAL definitions provided by Canonical for a year now (https://security-metadata.canonical.com/oval/).

It works well, but I am confused about some results regarding a few CVEs related to kernels, for Ubuntu 20.04 and 22.04.

Let's take the example of CVE-2022-43945: https://ubuntu.com/security/CVE-2022-43945. The kernel version patching this CVE is 5.15.0-56.62 for Ubuntu 22.04.

On this machine, everything is up to date:

fjc@nas:~$ apt list --upgradable
En train de lister... Fait
fjc@nas:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
Codename:       jammy
fjc@nas:~$ uname -a
Linux nas 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

I run openscap against the latest OVAL definition:

fjc@nas:~$ wget -O com.ubuntu.$(lsb_release -cs).cve.oval.xml.bz2  https://security-metadata.canonical.com/oval/com.ubuntu.$(lsb_release -cs).cve.oval.xml.bz2
--2022-12-10 17:47:11--  https://security-metadata.canonical.com/oval/com.ubuntu.jammy.cve.oval.xml.bz2
Resolving security-metadata.canonical.com (security-metadata.canonical.com)... 185.125.190.29, 185.125.190.20, 185.125.190.21, ...
Connecting to security-metadata.canonical.com (security-metadata.canonical.com)|185.125.190.29|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2121903 (2,0M) [application/x-bzip2]
Saving to: ‘com.ubuntu.jammy.cve.oval.xml.bz2’

com.ubuntu.jammy.cve.oval.xml.bz2                              100%[====================================================================================================================================================>]   2,02M   658KB/s    in 3,1s

2022-12-10 17:47:15 (658 KB/s) - ‘com.ubuntu.jammy.cve.oval.xml.bz2’ saved [2121903/2121903]

fjc@nas:~$ bunzip2 -f com.ubuntu.$(lsb_release -cs).cve.oval.xml.bz2
fjc@nas:~$ oscap oval eval --report report_cve_$(hostname).html com.ubuntu.$(lsb_release -cs).cve.oval.xml | grep 202243945
Definition oval:com.ubuntu.jammy:def:2022439450000000: true

And the result is true for CVE-2022-43945!

It looks like a false positive to me, am I right? Is it an error in the OVAL definitions, or is it deliberate because the CVE may not be fully eliminated even if the right kernel version is used? I have noticed this for a few months for some kernel-related CVEs. (If I remember correctly, I never experienced this behaviour with 18.04.)
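When a definition fires on a box that already runs the fixed kernel, the first thing to look at is what the definition actually compares: which package names it looks up and which evr it tests against. The script below is an added example, not code from the question or from Canonical's tooling: it walks an OVAL definition's criteria (following extend_definition links) down to the dpkginfo tests and lists the package, operation and version of each check. The embedded OVAL fragment is constructed in the shape of Canonical's feed; only the definition id and the 5.15.0-56.62 fix version come from the question, the test/object/state/variable ids are made up.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://oval.mitre.org/XMLSchema/oval-definitions-5",        # OVAL core
      "l": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}  # dpkginfo tests

# Constructed fragment in the shape of Canonical's feed (tst/obj/ste/var ids are made up).
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
 xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<definitions><definition id="oval:com.ubuntu.jammy:def:2022439450000000" class="vulnerability">
 <criteria><criterion test_ref="oval:com.ubuntu.jammy:tst:1"/></criteria></definition></definitions>
<tests><linux:dpkginfo_test id="oval:com.ubuntu.jammy:tst:1" check="at least one">
 <linux:object object_ref="oval:com.ubuntu.jammy:obj:1"/><linux:state state_ref="oval:com.ubuntu.jammy:ste:1"/>
</linux:dpkginfo_test></tests>
<objects><linux:dpkginfo_object id="oval:com.ubuntu.jammy:obj:1">
 <linux:name var_ref="oval:com.ubuntu.jammy:var:1"/></linux:dpkginfo_object></objects>
<states><linux:dpkginfo_state id="oval:com.ubuntu.jammy:ste:1">
 <linux:evr datatype="debian_evr_string" operation="less than">0:5.15.0-56.62</linux:evr>
</linux:dpkginfo_state></states>
<variables><constant_variable id="oval:com.ubuntu.jammy:var:1" datatype="string">
 <value>linux-image-5.15.0-56-generic</value><value>linux-modules-5.15.0-56-generic</value>
</constant_variable></variables></oval_definitions>"""

def explain_definition(oval_xml, def_id):
    """List (package, operation, evr) for every dpkginfo test reached from def_id."""
    root = ET.fromstring(oval_xml)
    defs = {d.get("id"): d for d in root.iterfind(".//o:definition", NS)}
    tests = {t.get("id"): t for t in root.iterfind(".//l:dpkginfo_test", NS)}
    objs = {o.get("id"): o for o in root.iterfind(".//l:dpkginfo_object", NS)}
    states = {s.get("id"): s for s in root.iterfind(".//l:dpkginfo_state", NS)}
    variables = {v.get("id"): [x.text for x in v.iterfind("o:value", NS)]
                 for v in root.iterfind(".//o:constant_variable", NS)}
    checks = []

    def walk(did):  # follow extend_definition links first, then this definition's own criteria
        for ext in defs[did].iterfind(".//o:extend_definition", NS):
            walk(ext.get("definition_ref"))
        for crit in defs[did].iterfind(".//o:criterion", NS):
            test = tests.get(crit.get("test_ref"))
            if test is None:  # not a dpkginfo test (e.g. a uname test); nothing to compare
                continue
            name = objs[test.find("l:object", NS).get("object_ref")].find("l:name", NS)
            # Canonical's feed lists package names through a constant_variable, hence var_ref
            names = variables[name.get("var_ref")] if name.get("var_ref") else [name.text]
            st = test.find("l:state", NS)
            evr = states[st.get("state_ref")].find("l:evr", NS) if st is not None else None
            op, ver = (evr.get("operation"), evr.text) if evr is not None else ("exists", None)
            checks.extend((n, op, ver) for n in names)

    walk(def_id)
    return checks
```

Run it on the downloaded com.ubuntu.jammy.cve.oval.xml with the definition id from the oscap output, then compare each printed evr against `dpkg-query -W -f='${Version}\n' <package>` on the scanned host (`dpkg --compare-versions` gives the Debian version ordering).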

I reached a member of the Ubuntu Security Team. He confirmed it was a kind of false positive specifically on my 22.04 machine (not reproducible on all machines). He updated the OVAL definitions to check it correctly.