Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Possible FP - CVE-2019-10222 ceph in ec2 linux #1956

Open
tomersein opened this issue Jun 24, 2024 · 5 comments
Open

Possible FP - CVE-2019-10222 ceph in ec2 linux #1956

tomersein opened this issue Jun 24, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@tomersein
Copy link
Contributor

What happened:
I am scanning ec2 with newest grype, and get the CVE-2019-10222 on ceph package.
however, I did a little research and I think it might be a FP, since the vulnerability doesn't seem to be related to the kernel.
In the SBOM I see the below information:

[      "artifact": {
        "id": "4c09ac4b6900071d",
        "name": "ceph",
        "version": "",
        "type": "linux-kernel-module",
        "locations": [
          {
            "path": "/modules/5.10.217-205.860.amzn2.aarch64/kernel/fs/ceph/ceph.ko"
          }
        ],
        "language": "",
        "licenses": [
          "GPL"
        ],
        "cpes": [
          "cpe:2.3:a:ceph:ceph:*:*:*:*:*:*:*:*"
        ],
        "purl": "pkg:generic/ceph",
        "upstreams": []
      }
    },](https://checkpoint.zoom.us/j/95513550573?pwd=epMql8VomdFJEyfhyibdqCv9huwllm.1)

In Grype I see:

ceph                              linux-kernel-module  CVE-2019-10222       High
ceph                              linux-kernel-module  CVE-2020-1700        Medium
ceph                              linux-kernel-module  CVE-2017-7519        Medium
ceph                              linux-kernel-module  CVE-2017-12155       Medium

and in json:

"matchDetails": [
        {
          "type": "cpe-match",
          "matcher": "stock-matcher",
          "searchedBy": {
            "namespace": "nvd:cpe",
            "cpes": [
              "cpe:2.3:a:ceph:ceph:*:*:*:*:*:*:*:*"
            ],
            "package": {
              "name": "ceph",
              "version": ""
            }
          },
          "found": {
            "vulnerabilityID": "CVE-2019-10222",
            "versionConstraint": "none (unknown)",
            "cpes": [
              "cpe:2.3:a:ceph:ceph:-:*:*:*:*:*:*:*"
            ]
          }
        }
      ],
      "artifact": {
        "id": "4c09ac4b6900071d",
        "name": "ceph",
        "version": "",
        "type": "linux-kernel-module",
        "locations": [
          {
            "path": "/modules/5.10.217-205.860.amzn2.aarch64/kernel/fs/ceph/ceph.ko"
          }
        ],
        "language": "",
        "licenses": [
          "GPL"
        ],
        "cpes": [
          "cpe:2.3:a:ceph:ceph:*:*:*:*:*:*:*:*"
        ],
        "purl": "pkg:generic/ceph",
        "upstreams": []
      }
    },

What you expected to happen:
I think this CVE is not related to the kernel, maybe to the application.
How to reproduce it (as minimally and precisely as possible):

  • create an ec2 instanse
  • scan with grype
    Anything else we need to know?:
    In general I don't understand exactly how this cataloger works, how it knows the difference between kernel package and application, does NVD contain any prefix of kernel?
    Environment:
  • Output of grype version: 0.79.1
  • OS (e.g: cat /etc/os-release or similar): linux arm (ec2)
@tomersein tomersein added the bug Something isn't working label Jun 24, 2024
@tomersein tomersein changed the title Possible FP - CVE-2019-10222 in ec2 linux Possible FP - CVE-2019-10222 ceph in ec2 linux Jun 24, 2024
@barnuri
Copy link
Contributor

barnuri commented Jun 30, 2024

any ETA for this bug ? got the same issue

@Ghostbxz
Copy link

Having the same issue, is there any solution in the horizon?

@kzantow kzantow mentioned this issue Jul 1, 2024
Open
@kzantow
Copy link
Contributor

kzantow commented Jul 1, 2024
edited
Loading

I left some notes on the Syft issue, but at least part of the problem is that the version is not included in the modinfo for this package (and many other kernel module packages).

I'm inclined to say the solution is to modify Grype such that packages with unknown versions are not matched by default, with an option to include them. I have a gut feeling that matching package vulnerabilities against packages with no versions would lead to more FPs than FNs, but don't have data to confirm this.

We have some other options such as excluding these packages altogether at the Syft level, but I think regardless of making that change, a generally useful behavior for Grype would be to omit these types of packages from vuln matching by default.

Thoughts?

@tomersein
Copy link
Contributor Author

I think removing vulnerabilities of packages as a default behavior might be confusing.
i have few ideas:

  • use a custom flag which removes vulnerabilities found on packages without versions
  • a flag in the json itself, which specifies the package is without version might be a FP

However, I would investigate why so many packages from the linux-kernel-moudle doesn't have version or even package name sometimes.

@willmurphyscode
Copy link
Contributor

This might be fixed in https://github.com/anchore/grype/releases/tag/v0.80.2 by anchore/syft#3257.

I don't have an example system handy with this kernel module. Is someone able to re-test and let us know whether this issue still affects grype version v0.80.2 and late?

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Status: No status
Milestone
No milestone
Development

No branches or pull requests
5 participants
@kzantow @willmurphyscode @barnuri @Ghostbxz @tomersein