Ticket | Resolution: Not a Bug | Major
CY24Q4-S1
NVD https://nvd.nist.gov/vuln/detail/CVE-2024-29736 shows the cxf jar 3.2.2 (anything below 3.5.9) to be affected. Our scanner is flagging this as present in the following image openshift-logging/elasticsearch6-rhel9@sha256:0022ac204d647a69ccdcaf9fd0fbee94e24ca057549ec12796c4e6f32771239b due to scanner logic relying on name of the package and available data.
Two suggestions on how this can be fixed:
1. The Red Hat VEX file can update the "known_not_affected" array to include the Red Hat products which aren't affected, such as RHEL8, RHEL9, etc.
2. If the cxf jar is not the same as the cxf jar from Maven or other publicly available files, then it should be renamed to something unique, so it won't match any CVEs.
Earlier analysis and discussion for context:
Update Nov 14 2024
As reviewed, CVE-2024-29736 affects only fuse-7 and rhint-camel-spring-boot-3.20.
The vulnerable component is cxf-rt-rs-service-description:
https://mvnrepository.com/artifact/org.apache.cxf/cxf-rt-rs-service-description
The JARs you mentioned are unrelated to CVE-2024-29736, as they are entirely different components:
cxf-rt-rs-security-jose (3.2.2): https://mvnrepository.com/artifact/org.apache.cxf/cxf-rt-rs-security-jose/3.2.2
cxf-rt-security (3.2.2): https://mvnrepository.com/artifact/org.apache.cxf/cxf-rt-security/3.2.2
cxf-core (3.2.2): https://mvnrepository.com/artifact/org.apache.cxf/cxf-core/3.2.2
cxf-rt-rs-json-basic (3.2.2): https://mvnrepository.com/artifact/org.apache.cxf/cxf-rt-rs-json-basic/3.2.2
11/14/24 PANW - Shams
Is your prod team saying the cxf jar 3.2.2 is not affected at all, or just that the RH version isn't affected? According to NVD, 3.2.2 is affected: https://nvd.nist.gov/vuln/detail/CVE-2024-29736. So we would need NVD to update their vulnerability schema. But if they're saying only the RH version is unaffected, then the VEX file needs to be updated, specifically the "known_not_affected" array, which currently only lists some JBoss products. It should include the other products which aren't affected. Then our intelligence stream will absorb that change automatically. Currently, I don't believe there is anything for PANW to do on this since the data is taken from upstream. Let me know if I missed anything.
11/15/24 Red Hat - David |
Red Hat Product Security replied: "The vulnerable component is not shipped at all, I don't think it should be necessary to include in VEX". Let me know what you think. |
Please share, comment, and update with appropriate teams as needed. Thank you.
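The mismatch discussed in this ticket, as an added illustration (not Red Hat's VEX data and not the scanner's real matching logic): a name-only matcher flags every `org.apache.cxf` JAR below 3.5.9, while a matcher keyed on full Maven coordinates only fires for `cxf-rt-rs-service-description`, the component the analysis above names as vulnerable. The example also shows how a CSAF VEX `product_status.known_not_affected` entry would short-circuit the finding for a product. The mini VEX document, the product IDs in it, the fixed version 3.5.9 (taken from the reporter's reading of NVD) and the JAR list are all constructed for this example.

```python
"""Constructed illustration of the CVE-2024-29736 scanner false positive.

Not Red Hat's VEX file and not any vendor's real matcher; the VEX
document, product IDs and JAR list below are made up for the example.
"""
from dataclasses import dataclass
from itertools import takewhile

# Vulnerable component named in the ticket analysis, and the fixed version
# the reporter quotes from NVD (assumption: anything below 3.5.9 is affected).
CVE = "CVE-2024-29736"
VULN_GROUP = "org.apache.cxf"
VULN_ARTIFACT = "cxf-rt-rs-service-description"
FIXED_VERSION = (3, 5, 9)


@dataclass(frozen=True)
class Jar:
    """Maven coordinates of a JAR found inside a container image."""
    group: str
    artifact: str
    version: str


def parse_version(v: str) -> tuple:
    """Leading numeric components only: '3.2.2.redhat-00001' -> (3, 2, 2)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def naive_match(jar: Jar) -> bool:
    """Name-only logic of the kind the ticket describes: any JAR whose
    artifact name contains 'cxf' and whose version is below the fix."""
    return "cxf" in jar.artifact and parse_version(jar.version) < FIXED_VERSION


def coordinate_match(jar: Jar) -> bool:
    """Match on full Maven coordinates: only the vulnerable artifact counts."""
    return (jar.group == VULN_GROUP
            and jar.artifact == VULN_ARTIFACT
            and parse_version(jar.version) < FIXED_VERSION)


# Constructed CSAF-VEX-shaped document. The product_status bucket names are
# the standard CSAF 2.0 ones; the product IDs are invented for this example.
VEX = {
    "document": {"title": f"{CVE} (constructed example VEX)"},
    "vulnerabilities": [
        {
            "cve": CVE,
            "product_status": {
                "known_affected": ["fuse-7"],
                "known_not_affected": ["openshift-logging/elasticsearch6-rhel9"],
            },
        }
    ],
}


def vex_status(vex: dict, cve: str, product_id: str):
    """Return the CSAF product_status bucket that lists product_id for cve, or None."""
    for vuln in vex.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        for status, ids in vuln.get("product_status", {}).items():
            if product_id in ids:
                return status
    return None


def assess(jars, product_id: str, vex: dict = VEX) -> dict:
    """Per-artifact verdict: a VEX known_not_affected entry for the product
    suppresses everything; otherwise coordinate matching decides."""
    suppressed = vex_status(vex, CVE, product_id) == "known_not_affected"
    verdicts = {}
    for jar in jars:
        if suppressed:
            verdicts[jar.artifact] = "vex_not_affected"
        elif coordinate_match(jar):
            verdicts[jar.artifact] = "affected"
        else:
            verdicts[jar.artifact] = "no_match"
    return verdicts


if __name__ == "__main__":
    # Constructed JAR list mirroring the four artifacts named in the ticket.
    found = [Jar("org.apache.cxf", a, "3.2.2") for a in
             ("cxf-rt-rs-security-jose", "cxf-rt-security",
              "cxf-core", "cxf-rt-rs-json-basic")]
    print({j.artifact: naive_match(j) for j in found})       # all True: the false positive
    print({j.artifact: coordinate_match(j) for j in found})  # all False
    print(assess(found, "openshift-logging/elasticsearch6-rhel9"))
    print(assess(found, "some-other-product"))               # no_match, no VEX entry needed
```

The last call shows the point made in the 11/15 reply: when the vulnerable artifact is not in the image at all, coordinate matching already yields no finding, so a `known_not_affected` entry is only needed to override a scanner that matches on the looser package name.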