[SOLVED] Nginx 1.14.1 false positive

Hi, all.

We have GVM 7.0.3 and it produces some weird results:

nginx 1.9.5 - 1.15.5 Multiple Vulnerabilities
Installed version: 1.14.1
Fixed version: 1.15.6
CVE: CVE-2018-16843, CVE-2018-16844

But when we look into CVEs it says:

nginx before versions 1.15.6 and 1.14.1 has a vulnerability

There is no 1.14.1 version in the list of affected versions in the CVE description and nginx confirms it.

What should we do here? Report the issue to the developers in some way? Or look for some workaround with overrides?
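The false positive comes down to the test applying one flat version range (1.9.5 up to 1.15.6) and ignoring that the 1.14 stable branch received the backported fix in 1.14.1, which is exactly what the CVE wording "before versions 1.15.6 and 1.14.1" expresses. As an added illustration (not code from this thread and not the Greenbone NVT itself, which is written in NASL), here is a small Python comparison of the flat check beside a branch-aware one; the branch table is constructed from the CVE text quoted above.

```python
import re

# Constructed from the CVE wording in the thread: the mainline branch is fixed
# in 1.15.6, and the 1.14 stable branch carries the backported fix from 1.14.1.
FIRST_AFFECTED = (1, 9, 5)
FIXED = {
    "mainline": (1, 15, 6),   # applies to any branch without a backport entry
    "1.14": (1, 14, 1),       # stable branch with a backported fix
}


def parse_version(s):
    """Turn '1.14.1' into (1, 14, 1); reject anything that is not X.Y.Z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unexpected nginx version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def naive_is_vulnerable(version):
    """The flat range the original test effectively used: 1.9.5 <= v < 1.15.6.
    This is what flags 1.14.1 even though it is fixed."""
    v = parse_version(version)
    return FIRST_AFFECTED <= v < FIXED["mainline"]


def branch_aware_is_vulnerable(version):
    """Honour the stable-branch backport: look up the fixed version per X.Y branch,
    falling back to the mainline fix for branches without a backport."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch = f"{v[0]}.{v[1]}"
    fixed_in = FIXED.get(branch, FIXED["mainline"])
    return v < fixed_in


if __name__ == "__main__":
    for ver in ("1.14.0", "1.14.1", "1.15.5", "1.15.6", "1.9.4"):
        print(f"{ver}: flat={naive_is_vulnerable(ver)} "
              f"branch-aware={branch_aware_is_vulnerable(ver)}")
```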

Find the patch and install it?
I always do so while I am working in the IT department.
Or install the newer version of the software with vulnerabilities.

Hi,

thanks for pointing it out. A fix will be provided in revision 12890.


Thanks for the good news. But still a couple of questions are here…
What kind of thing is this «revision»? Should I update some packages or just the feeds? How can I know when the time has come?

If you’re using the Greenbone Security Assistant, moving to SecInfo -> NVTs will show you the revision as the NVT’s version number. Every time a new vulnerability test is added to the feed or an existing one gets updated, the revision is increased.

Normally you should get the newest revision after a daily feed update; so once the tests are moved from the developer stage to the public stage (which should be done by tomorrow), the updated test should appear in your GSA and no longer report the version as vulnerable.


Oh, that’s great! I’ll check it this weekend.

[UPD: 12/29/2018] It’s correct now.