Security Data / SECDATA-1141

Inconsistent data in oval vs vex for RHEL_*US OS CPEs


      Current Behavior

      The OVAL files for the *US streams list those OS CPEs in the affected products of RHSAs for some CVEs, but when I look at the product tree for the same CVEs in the VEX files there is no mention of any *US CPEs; only enterprise_linux is listed.

      OVAL file: https://security.access.redhat.com/data/oval/v2/RHEL8/rhel-8.4-aus.oval.xml.bz2

      <definition class="patch" id="oval:com.redhat.rhba:def:20193408" version="636">
       <metadata>
        <title>RHBA-2019:3408: openjpeg2 bug fix and enhancement update (Low)</title>
        <affected family="unix">
         <platform>Red Hat Enterprise Linux 8</platform>
        </affected>
        <reference ref_id="RHBA-2019:3408" ref_url="https://access.redhat.com/errata/RHBA-2019:3408" source="RHSA"/>
        <reference ref_id="CVE-2018-6616" ref_url="https://access.redhat.com/security/cve/CVE-2018-6616" source="CVE"/>
        <description>For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.</description>
        <advisory from="secalert@redhat.com">
         <severity>Low</severity>
         <rights>Copyright 2019 Red Hat, Inc.</rights>
         <issued date="2019-11-05"/>
         <updated date="2019-11-05"/>
         <cve cvss3="3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" cwe="CWE-20" href="https://access.redhat.com/security/cve/CVE-2018-6616" impact="low" public="20180204">CVE-2018-6616</cve>
         <bugzilla href="https://bugzilla.redhat.com/1542321" id="1542321">openjpeg2: Excessive iteration in openjp2/t1.c:opj_t1_encode_cblks can allow for denial of service via crafted BMP file</bugzilla>
         <affected_cpe_list>
          <cpe>cpe:/a:redhat:rhel_aus:8.4</cpe>
          <cpe>cpe:/a:redhat:rhel_aus:8.4::appstream</cpe>
          <cpe>cpe:/a:redhat:rhel_aus:8.4::highavailability</cpe>
          <cpe>cpe:/o:redhat:rhel_aus:8.4</cpe>
          <cpe>cpe:/o:redhat:rhel_aus:8.4::baseos</cpe>
         </affected_cpe_list>
        </advisory>
       </metadata>

      VEX File: security.access.redhat.com/data/csaf/v2/advisories/2019/rhba-2019_3408.json

      "product_tree": {
          "branches": [
            {
              "branches": [
                {
                  "branches": [
                    {
                      "category": "product_name",
                      "name": "Red Hat CodeReady Linux Builder (v. 8)",
                      "product": {
                        "name": "Red Hat CodeReady Linux Builder (v. 8)",
                        "product_id": "CRB-8.1.0",
                        "product_identification_helper": {
                          "cpe": "cpe:/a:redhat:enterprise_linux:8::crb"
                        }
                      }
                    },
                    {
                      "category": "product_name",
                      "name": "Red Hat Enterprise Linux AppStream (v. 8)",
                      "product": {
                        "name": "Red Hat Enterprise Linux AppStream (v. 8)",
                        "product_id": "AppStream-8.1.0",
                        "product_identification_helper": {
                          "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
                        }
                      }
                    }
                  ],
                  "category": "product_family",
                  "name": "Red Hat Enterprise Linux"
                }, 

      No AUS product family?
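      The comparison the report makes by hand (OVAL affected_cpe_list versus CSAF/VEX product_tree CPEs for the same advisory) can be scripted so it runs over every advisory in a migration. The following is an added example, not code from the report or from Red Hat's tooling; it embeds constructed samples taken from the two snippets above (the OVAL fragment closed so it parses, the product_tree trimmed to the branches shown) and compares the product field of each CPE (rhel_aus, enterprise_linux, and likewise eus/e4s/tus) rather than exact strings, so version and edition suffixes do not mask a missing stream. The names oval_cpes, csaf_cpes and compare_streams are the example's own.

```python
"""Consistency check between an OVAL definition's <affected_cpe_list> and the
product_tree of the matching CSAF/VEX advisory: collect the CPEs each feed
lists and report the product streams (third CPE field, e.g. 'rhel_aus' or
'enterprise_linux') that one feed names and the other does not."""
import json
import xml.etree.ElementTree as ET

# Constructed sample: the OVAL fragment quoted in the report, trimmed to the
# elements this check needs and closed so it parses stand-alone. The live
# rhel-8.4-aus.oval.xml carries the OVAL namespace; matching on local tag
# names below makes the check work on either form.
OVAL_SAMPLE = """\
<definition class="patch" id="oval:com.redhat.rhba:def:20193408" version="636">
 <metadata>
  <advisory from="secalert@redhat.com">
   <affected_cpe_list>
    <cpe>cpe:/a:redhat:rhel_aus:8.4</cpe>
    <cpe>cpe:/a:redhat:rhel_aus:8.4::appstream</cpe>
    <cpe>cpe:/a:redhat:rhel_aus:8.4::highavailability</cpe>
    <cpe>cpe:/o:redhat:rhel_aus:8.4</cpe>
    <cpe>cpe:/o:redhat:rhel_aus:8.4::baseos</cpe>
   </affected_cpe_list>
  </advisory>
 </metadata>
</definition>
"""

# Constructed sample: the product_tree branches quoted from rhba-2019_3408.json,
# as a Python literal so the check runs offline (outer branch trimmed).
VEX_SAMPLE = {
    "product_tree": {
        "branches": [{
            "branches": [{
                "branches": [
                    {"category": "product_name",
                     "name": "Red Hat CodeReady Linux Builder (v. 8)",
                     "product": {"name": "Red Hat CodeReady Linux Builder (v. 8)",
                                 "product_id": "CRB-8.1.0",
                                 "product_identification_helper": {
                                     "cpe": "cpe:/a:redhat:enterprise_linux:8::crb"}}},
                    {"category": "product_name",
                     "name": "Red Hat Enterprise Linux AppStream (v. 8)",
                     "product": {"name": "Red Hat Enterprise Linux AppStream (v. 8)",
                                 "product_id": "AppStream-8.1.0",
                                 "product_identification_helper": {
                                     "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"}}},
                ],
                "category": "product_family",
                "name": "Red Hat Enterprise Linux",
            }],
        }]
    }
}


def _local(tag):
    """Strip an XML namespace prefix: '{uri}cpe' -> 'cpe'."""
    return tag.rsplit("}", 1)[-1]


def oval_cpes(xml_text):
    """All <cpe> values under <affected_cpe_list> in an OVAL definition."""
    root = ET.fromstring(xml_text)
    cpes = set()
    for lst in root.iter():
        if _local(lst.tag) != "affected_cpe_list":
            continue
        for cpe in lst:
            if _local(cpe.tag) == "cpe" and cpe.text:
                cpes.add(cpe.text.strip())
    return cpes


def csaf_cpes(doc):
    """All product_identification_helper.cpe values in a CSAF product_tree,
    walking nested branches recursively (product_ids without a CPE are ignored)."""
    found = set()

    def walk(branches):
        for branch in branches:
            helper = branch.get("product", {}).get("product_identification_helper", {})
            if "cpe" in helper:
                found.add(helper["cpe"])
            walk(branch.get("branches", []))

    walk(doc.get("product_tree", {}).get("branches", []))
    return found


def cpe_product(cpe):
    """Third field of a Red Hat CPE: cpe:/<part>:<vendor>:<product>:<version>[::<edition>]."""
    return cpe.split(":")[3]


def compare_streams(oval_set, csaf_set):
    """Product streams present in one feed but not the other."""
    oval_products = {cpe_product(c) for c in oval_set}
    csaf_products = {cpe_product(c) for c in csaf_set}
    return {
        "oval_only": sorted(oval_products - csaf_products),
        "vex_only": sorted(csaf_products - oval_products),
    }


if __name__ == "__main__":
    diff = compare_streams(oval_cpes(OVAL_SAMPLE), csaf_cpes(VEX_SAMPLE))
    # For the samples: oval_only ['rhel_aus'], vex_only ['enterprise_linux'],
    # which is the mismatch the report describes.
    print(json.dumps(diff, indent=2))
```

      To run it over the real feeds, replace the samples with the decompressed OVAL file (ET.parse) and json.load of the CSAF advisory; a non-empty oval_only list for an advisory means a stream the OVAL feed names that the VEX product_tree does not, which is exactly the data that would be lost in an OVAL-to-VEX migration.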

      Expected Behavior

      Shouldn't the products in VEX files list entries for both enterprise_linux and rhel_aus in this example?


      Steps to reproduce

      • Explained above.


      Impact Statement

      Impact is that when moving from OVAL to VEX there will be inconsistent data.

      Assignee: Unassigned
      Reporter: Atul Bagga (atbagga)