Type: Bug
Resolution: Not a Bug
Affects versions: rhel-8.10, rhel-9.5
Severity: Important
Team: rhel-sst-security-compliance
Component: ssg_security
Product: Red Hat Enterprise Linux
What were you trying to do that didn't work?
During an OpenSCAP vulnerability scan, openscap appears to check the version of each installed RPM, see whether an RHSA fix is available for the package, and list it as vulnerable or not depending on whether a new RHSA is available or the package is fully patched and at the latest version.
However, it does not check or list a package which is affected by a CVE but for which no fix is available at the time (listed as "Affected" on the CVE page), or which is not going to be fixed (listed as "Will not fix" on the CVE page).
Due to this, customers do not get a complete view of the packages on their system which may be affected.
One of our customers found this discrepancy when their third-party scanning tool detected that Redis is affected by CVE-2022-24834 (https://access.redhat.com/security/cve/CVE-2022-24834).
However, it is not listed in the OpenSCAP vulnerability scan report. Looking up the CVE page, we see that for both RHEL 8 and RHEL 9 "redis 6" is affected.
Redis 6 is just an example here, as many such packages are not in the report.
What is the impact of this issue to you?
The customer's third-party scanning tool often does not correctly interpret the vulnerability and the version in which it is fixed, or does not take dnf modules into consideration.
Due to this, we ask customers not to rely on the third-party scanner and instead to use the OpenSCAP vulnerability scan to verify the system status.
However, because it does not list the packages which are marked as "Affected" and "Will not fix" while their third-party scanner does, it does not give a clear view of all RPMs installed on the system.
Please provide the package NVR for which the bug is seen:
RHEL 8
# rpm -qa | grep openscap
openscap-scanner-1.3.10-2.el8_9.x86_64
openscap-1.3.10-2.el8_9.x86_64
RHEL 9
# rpm -qa | grep openscap
openscap-1.3.10-2.el9_3.x86_64
openscap-scanner-1.3.10-2.el9_3.x86_64
How reproducible is this bug?:
Always
Steps to reproduce
- Install a RHEL 8.10/RHEL 9.5 system and patch it to the latest version so that it has all the RHSAs Red Hat has released.
- Install a package which is still "Affected" or set to "Will not fix" as per the CVE page. In this example we can use redis 6, affected by CVE-2022-24834.
  RHEL 8:
  # dnf module install redis:6
  RHEL 9:
  # dnf install redis
- Run the openscap vulnerability scan.
  RHEL 8:
  # wget -O - https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2 | bzip2 --decompress > rhel-8.oval.xml
  # oscap oval eval --report vulnerability.html rhel-8.oval.xml
  RHEL 9:
  # wget -O - https://www.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2 | bzip2 --decompress > rhel-9.oval.xml
  # oscap oval eval --report vulnerability.html rhel-9.oval.xml
Expected results
Request for the OpenSCAP vulnerability report to contain the status of all known CVEs which affect the system and are still yet to receive updates or are not going to be fixed.
Actual results
Currently the affected and not-fixed CVEs are not listed in the openscap vulnerability scan.
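An OVAL-based scan can only report states that are backed by an RHSA, so the "Affected" and "Will not fix" states described above have to be cross-checked against another source. The following Python is an added example, not code from this report or from OpenSCAP: it matches installed package names against the package_state entries of a CVE record in the shape of Red Hat's Security Data API (the field names are assumed from that API; the JSON sample and the installed-package set are constructed here).

```python
import json
import re
import subprocess

# Constructed sample in the shape of a Red Hat Security Data API CVE record
# (https://access.redhat.com/hydra/rest/securitydata/cve/<CVE>.json); the field
# names follow that API as assumed here, the values are illustrative only.
SAMPLE_CVE_JSON = """{
  "package_state": [
    {"product_name": "Red Hat Enterprise Linux 7", "fix_state": "Will not fix", "package_name": "redis"},
    {"product_name": "Red Hat Enterprise Linux 8", "fix_state": "Not affected", "package_name": "redis:5/redis"},
    {"product_name": "Red Hat Enterprise Linux 8", "fix_state": "Affected", "package_name": "redis:6/redis"},
    {"product_name": "Red Hat Enterprise Linux 9", "fix_state": "Affected", "package_name": "redis"}
  ]
}"""
# States with no RHSA behind them: exactly what an OVAL-based scan cannot surface.
UNFIXED_STATES = ("Affected", "Will not fix")

def load_record(text=SAMPLE_CVE_JSON):
    return json.loads(text)

def product_major(product_name):
    # "Red Hat Enterprise Linux 8" -> 8; None for products this check ignores.
    m = re.search(r"Red Hat Enterprise Linux (\d+)", product_name)
    return int(m.group(1)) if m else None

def base_package(package_name):
    # Module-stream form "redis:6/redis" -> "redis"; plain names pass through.
    return package_name.rsplit("/", 1)[-1]

def unfixed_states(record, rhel_major, installed):
    # (package_name, fix_state) pairs for this RHEL major where the package is
    # installed and the CVE state carries no fix, so OVAL stays silent about it.
    hits = []
    for entry in record.get("package_state", []):
        if product_major(entry.get("product_name", "")) != rhel_major:
            continue
        if entry.get("fix_state") not in UNFIXED_STATES:
            continue
        if base_package(entry.get("package_name", "")) in installed:
            hits.append((entry["package_name"], entry["fix_state"]))
    return hits

def installed_package_names():
    # Live query of the local rpm database (rpm -qa), for use on a real host.
    out = subprocess.run(["rpm", "-qa", "--qf", "%{NAME}\\n"],
                         capture_output=True, text=True, check=True).stdout
    return set(out.split())
```

For a live check, pass the API JSON for the CVE of interest to load_record and the set from installed_package_names to unfixed_states, once per RHEL major in scope.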