Hi and thanks for your help with this. Unfortunately I now have a follow up question, because even with the updated NVTs I’m unable to see the expected CVE match.
Let me know if you’d prefer this in a new ticket.
I’ve updated and run another OpenVAS scan against the same server. I did this today 11 Feb (and also did a ‘gvmd --rebuild’ to be sure).
greenbone-nvt-sync --feedversion -> 202202101102
greenbone-feed-sync --type SCAP --feedversion -> 202202090230
greenbone-feed-sync --type CERT --feedversion -> 202202090130
greenbone-feed-sync --type GVMD_DATA --feedversion -> 202201281556
I’m pleased to report the new VTs are registering both the “nginx” and “f5” CPEs. Here’s a small fragment of the results showing this:
<result id="b2b98965-2e3c-438e-8d3c-44ce508d0adb">
<name>CPE Inventory</name>
...
<description>xxx.xxx.xxx.xxx|cpe:/a:f5:nginx:1.18.0
xxx.xxx.xxx.xxx|cpe:/a:nginx:nginx:1.18.0
xxx.xxx.xxx.xxx|cpe:/o:canonical:ubuntu_linux
</description>
Unfortunately subsequent CVE scans still aren’t matching the expected CVE-2021-23017 against cpe:/a:f5:nginx:1.18.0.
I believe I’m using the scanners correctly, e.g. adding results to Assets, and do get CVE matches for other software on other servers.
Further below is another XML fragment with part of the CVE-2021-23017 definition.
I admit I don’t know how to read this, but notice there’s only the one exact NGINX product “cpe:/a:f5:nginx:0.6.18” that’s listed. Other CVE definitions seem to have long lists of individual product CPEs (and/or maybe even have ranges?) so I wonder if this is why it’s not matching.
So, my question:
- Are you able to see why the GVM isn’t reporting CVE-2021-23017 against cpe:/a:f5:nginx:1.18.0? E.g. are there other changes to the feed that need to be made, or is it more likely it’s my GVM installation or how I’m using it?
Thanks again for your help (and the usual apologies if I’m doing something daft)!
<get_info_response status="200" status_text="OK">
<info id="CVE-2021-23017">
<owner>
<name/>
</owner>
<name>CVE-2021-23017</name>
<comment/>
<creation_time>2021-06-01T13:15:00Z</creation_time>
<modification_time>2022-02-07T16:15:00Z</modification_time>
<writable>0</writable>
<in_use>0</in_use>
<permissions/>
<update_time>2022-02-09T02:30:00.000+0000</update_time>
<cve>
<severity>9.4</severity>
<cvss_vector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L</cvss_vector>
<description>A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.</description>
<products>cpe:/a:f5:nginx:0.6.18 cpe:/a:openresty:openresty:1.19.3.1:rc1 cpe:/o:fedoraproject:fedora:33 cpe:/o:fedoraproject:fedora:34 cpe:/a:netapp:ontap_select_deploy_administration_utility:- cpe:/a:oracle:communications_control_plane_monitor:3.4 cpe:/a:oracle:communications_control_plane_monitor:4.2 cpe:/a:oracle:communications_control_plane_monitor:4.3 cpe:/a:oracle:communications_control_plane_monitor:4.4 cpe:/a:oracle:communications_fraud_monitor:3.4 cpe:/a:oracle:communications_fraud_monitor:4.4 cpe:/a:oracle:communications_operations_monitor:3.4 cpe:/a:oracle:communications_operations_monitor:4.2 cpe:/a:oracle:communications_operations_monitor:4.3 cpe:/a:oracle:communications_operations_monitor:4.4 cpe:/a:oracle:enterprise_telephony_fraud_monitor:3.4 cpe:/a:oracle:enterprise_telephony_fraud_monitor:4.2 cpe:/a:oracle:enterprise_telephony_fraud_monitor:4.3 cpe:/a:oracle:enterprise_telephony_fraud_monitor:4.4 </products>
<nvts>
...
</nvts>
<cert>
...
</cert>
<raw_data><entry xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" xmlns:cvss3="https://www.first.org/cvss/cvss-v3.1.xsd" xmlns:patch="http://scap.nist.gov/schema/patch/0.1" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1" xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="CVE-2021-23017">
<vuln:vulnerable-software-list>
<vuln:product>cpe:/a:f5:nginx:0.6.18</vuln:product>
<vuln:product>cpe:/a:openresty:openresty:1.19.3.1:rc1</vuln:product>
<vuln:product>cpe:/o:fedoraproject:fedora:33</vuln:product>
<vuln:product>cpe:/o:fedoraproject:fedora:34</vuln:product>
<vuln:product>cpe:/a:netapp:ontap_select_deploy_administration_utility:-</vuln:product>
<vuln:product>cpe:/a:oracle:communications_control_plane_monitor:3.4</vuln:product>
<vuln:product>cpe:/a:oracle:communications_control_plane_monitor:4.2</vuln:product>
<vuln:product>cpe:/a:oracle:communications_control_plane_monitor:4.3</vuln:product>
<vuln:product>cpe:/a:oracle:communications_control_plane_monitor:4.4</vuln:product>
<vuln:product>cpe:/a:oracle:communications_fraud_monitor:3.4</vuln:product>
<vuln:product>cpe:/a:oracle:communications_fraud_monitor:4.4</vuln:product>
<vuln:product>cpe:/a:oracle:communications_operations_monitor:3.4</vuln:product>
<vuln:product>cpe:/a:oracle:communications_operations_monitor:4.2</vuln:product>
<vuln:product>cpe:/a:oracle:communications_operations_monitor:4.3</vuln:product>
<vuln:product>cpe:/a:oracle:communications_operations_monitor:4.4</vuln:product>
<vuln:product>cpe:/a:oracle:enterprise_telephony_fraud_monitor:3.4</vuln:product>
<vuln:product>cpe:/a:oracle:enterprise_telephony_fraud_monitor:4.2</vuln:product>
<vuln:product>cpe:/a:oracle:enterprise_telephony_fraud_monitor:4.3</vuln:product>
<vuln:product>cpe:/a:oracle:enterprise_telephony_fraud_monitor:4.4</vuln:product>
</vuln:vulnerable-software-list>
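
Added example, not part of the original post and not GVM's own code: a Python check of the hypothesis raised in the post, comparing the CPEs from a CPE Inventory result with the `<products>` list of a CVE. The inputs are constructed and abbreviated from the fragments above, the function names are hypothetical, and treating a match as a verbatim CPE string comparison is an assumption, not confirmed gvmd behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed inputs, abbreviated from the fragments quoted in the post.
CPE_INVENTORY = """xxx.xxx.xxx.xxx|cpe:/a:f5:nginx:1.18.0
xxx.xxx.xxx.xxx|cpe:/a:nginx:nginx:1.18.0
xxx.xxx.xxx.xxx|cpe:/o:canonical:ubuntu_linux
"""
GET_INFO = """<get_info_response status="200" status_text="OK">
<info id="CVE-2021-23017"><cve>
<products>cpe:/a:f5:nginx:0.6.18 cpe:/a:openresty:openresty:1.19.3.1:rc1 cpe:/o:fedoraproject:fedora:33 </products>
</cve></info>
</get_info_response>"""

def split_cpe(cpe):
    """Split a CPE 2.2 URI into (part, vendor, product, version); missing fields become ''."""
    fields = cpe[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))
    return tuple(fields[:4])

def inventory_cpes(description):
    """Pull the CPE out of each 'host|cpe' line of a CPE Inventory description."""
    pairs = (line.strip().partition("|") for line in description.splitlines())
    return [cpe for _host, sep, cpe in pairs if sep and cpe.startswith("cpe:/")]

def cve_products(get_info_xml):
    """Return the whitespace-separated CPEs in <info>/<cve>/<products>."""
    root = ET.fromstring(get_info_xml)
    return (root.findtext("./info/cve/products") or "").split()

def classify(detected, products):
    """Map each detected CPE to (status, versions listed for the same vendor:product)."""
    listed_versions = {}
    for cpe in products:
        listed_versions.setdefault(split_cpe(cpe)[:3], []).append(split_cpe(cpe)[3])
    report = {}
    for cpe in detected:
        versions = listed_versions.get(split_cpe(cpe)[:3], [])
        status = "exact" if cpe in products else "version-mismatch" if versions else "absent"
        report[cpe] = (status, versions)
    return report

if __name__ == "__main__":
    for cpe, (status, versions) in classify(inventory_cpes(CPE_INVENTORY), cve_products(GET_INFO)).items():
        print(f"{cpe}: {status} {versions}")
```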