
Packages vulnerability remediations do not work #23066

Closed
Dwordcito opened this issue Apr 22, 2024 · 3 comments · Fixed by #23225
Assignees
Labels
level/task type/enhancement New feature or request

Comments

@Dwordcito
Member

Dwordcito commented Apr 22, 2024

Description

This issue aims to add the capacity to detect remediations for CVEs during the package scan.

For example, some Windows applications have some associated hotfixes.
Ex: Microsoft Office 2016 and 2019 have the associated CVE-2024-21413, which has "KB5002467", "KB5002519", "KB5002522", "KB5002537" as remediations.

Current Behavior

Expected

  • CVE-2024-21413 is discarded because one of "KB5002467", "KB5002519", "KB5002522", "KB5002537" is installed

Steps

@Dwordcito Dwordcito added type/enhancement New feature or request level/task labels Apr 22, 2024
@Dwordcito Dwordcito assigned Dwordcito and sebasfalcone and unassigned Dwordcito Apr 22, 2024
@Dwordcito
Member Author

Dwordcito commented Apr 23, 2024

Use case: Reactive scanning of packages.

sequenceDiagram
    packageScanner->>packageScanner: Regular and known scan.
    alt If the platform is Windows and the candidate is affected
        packageScanner->>databaseFeedManager: Get hotfixes for the current CVE.
        databaseFeedManager-->>packageScanner: Return flatbuffer with the list of remediations/hotfixes for the current CVE
        alt If the remediation list (on the CVE entry) is not empty
            packageScanner->>hotfixLRUCache: Get hotfix list for the current agent.
            alt Agent information not present in LRUCache
                hotfixLRUCache->>WDB: Get hotfix list for the requested agent
            end
            hotfixLRUCache-->>packageScanner: Return hotfix list
        end
        packageScanner->>packageScanner: Check if any match exists between both lists (CVE remediations / agent hotfixes).
        Note right of packageScanner: If match, mark the scanning as not affected
    end

@Dwordcito
Member Author

Dwordcito commented Apr 23, 2024

Use case: Reactive hotfix insert.

Database model change

For this change, it's necessary to have another column family in the model. In this case, the expected key value is
Key -> HOTFIX
Values -> [CVE LIST]

Column family name: hotfixes_applications

Hotfixes orchestration

sequenceDiagram
    remoted->>vdScanner: Hotfix event arrives
    vdScanner->>hotFixOrchestration: Parse and execute orchestration
    hotFixOrchestration->>hotfixInventoryLRUCache: Insert element.
    alt Agent information not present in LRUCache
        hotfixInventoryLRUCache->>WDB: Get hotfix list for the requested agent
    end
    hotfixInventoryLRUCache-->>hotFixOrchestration: ack
    hotFixOrchestration->>databaseFeedManager: Get vulnerabilities remediated by the received hotfix.
    databaseFeedManager-->>hotFixOrchestration: Return list of CVEs.
    hotFixOrchestration->>localInventory: Get inventory
    localInventory-->>hotFixOrchestration: Return list
    alt If an element matches
        hotFixOrchestration->>localInventory: Remove element
        localInventory-->>hotFixOrchestration: ack
    end
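The two flows sketched in these comments, the reactive scan that discards a CVE when one of its remediations is installed and the reactive hotfix insert that prunes the local inventory, as an added Python illustration; this is not Wazuh code. The feed contents, the WDB stand-in, the agent ids and all function names are constructed for illustration, and the "hotfixes_applications" mapping is built as the inverse of the CVE -> hotfix list, which is an assumption about its shape.

```python
from collections import OrderedDict

# Constructed feed data based on the issue's example: CVE -> remediating hotfixes.
CVE_REMEDIATIONS = {
    "CVE-2024-21413": ["KB5002467", "KB5002519", "KB5002522", "KB5002537"],
    "CVE-EXAMPLE-0001": [],  # constructed: no known remediation
}
# Assumed shape of the "hotfixes_applications" column family: hotfix -> [CVE list].
HOTFIXES_APPLICATIONS = {}
for _cve, _kbs in CVE_REMEDIATIONS.items():
    for _kb in _kbs:
        HOTFIXES_APPLICATIONS.setdefault(_kb, []).append(_cve)

# Constructed stand-in for the WDB lookup of an agent's installed hotfixes.
WDB_HOTFIXES = {"agent-001": {"KB5002519", "KB9999999"}, "agent-002": set()}

class HotfixLRUCache:
    """LRU cache in front of WDB; a miss fetches the agent's hotfix set and evicts the oldest entry."""
    def __init__(self, capacity=2):
        self.capacity = capacity
        self._data = OrderedDict()
        self.wdb_hits = 0  # counts round trips to the WDB stand-in

    def get(self, agent_id):
        if agent_id not in self._data:
            self.wdb_hits += 1
            self._data[agent_id] = set(WDB_HOTFIXES.get(agent_id, set()))
            if len(self._data) > self.capacity:
                self._data.popitem(last=False)
        else:
            self._data.move_to_end(agent_id)
        return self._data[agent_id]

    def insert(self, agent_id, hotfix):
        self.get(agent_id).add(hotfix)

def is_remediated(cve, agent_id, platform, cache):
    """Reactive scan: on Windows, a CVE is discarded when any of its remediations is installed."""
    if platform != "windows":
        return False
    remediations = set(CVE_REMEDIATIONS.get(cve, []))
    if not remediations:  # empty list: no cache/WDB lookup is needed
        return False
    return bool(remediations & cache.get(agent_id))

def on_hotfix_event(agent_id, hotfix, inventory, cache):
    """Reactive insert: record the hotfix, then drop the CVEs it remediates from the agent's inventory."""
    cache.insert(agent_id, hotfix)
    remediated = set(HOTFIXES_APPLICATIONS.get(hotfix, []))
    removed = sorted(remediated & inventory)
    inventory -= remediated
    return removed
```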

@havidarou havidarou changed the title Packages vulnerability remediations does not work Packages vulnerability remediations do not work Apr 30, 2024
@pereyra-m pereyra-m self-assigned this May 2, 2024
@Dwordcito Dwordcito removed their assignment May 3, 2024
@sebasfalcone sebasfalcone linked a pull request May 3, 2024 that will close this issue
@sebasfalcone
Member

sebasfalcone commented May 9, 2024

ETA cycles justification

  1. Delays due to release testing issues
  2. First design needed changes due to high degradation in performance
  3. Functional testing
  4. Some efficacy tests were failing due to an unexpected reason
