trivy
CVE-2022-3358 has wrong fix version
Checklist
- [x] I've read the documentation regarding wrong detection.
- [x] I've confirmed that a security advisory in data sources was correct.
  - Run Trivy with `-f json`, which shows data sources, and make sure that the security advisory is correct.
Description
Trivy reports that my image (alpine:edge with latest updates) has CVE-2022-3358 for 2 packages, but also reports that FixedVersion is 3.0.6-r0.
The problem is that OpenSSL 3.0.6 was withdrawn due to regressions and therefore cannot be installed anymore.
JSON output of run with `--debug`:
2022-11-01T10:07:50.161+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-11-01T10:07:50.163+0200 DEBUG cache dir: /home/asm/.cache/trivy
2022-11-01T10:07:50.163+0200 DEBUG DB update was skipped because the local DB is the latest
2022-11-01T10:07:50.163+0200 DEBUG DB Schema: 2, UpdatedAt: 2022-11-01 06:13:18.418196768 +0000 UTC, NextUpdate: 2022-11-01 12:13:18.418196368 +0000 UTC, DownloadedAt: 2022-11-01 08:01:35.767569731 +0000 UTC
2022-11-01T10:07:50.163+0200 INFO Vulnerability scanning is enabled
2022-11-01T10:07:50.163+0200 DEBUG Vulnerability type: [os library]
2022-11-01T10:07:50.163+0200 INFO Secret scanning is enabled
2022-11-01T10:07:50.163+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-11-01T10:07:50.163+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2022-11-01T10:07:50.516+0200 DEBUG No secret config detected: trivy-secret.yaml
2022-11-01T10:07:50.527+0200 DEBUG Image ID: sha256:5b5e28fe8282fa7aafecd690e4b7adfe5de36aa1a09a97213496e95996c44cca
2022-11-01T10:07:50.527+0200 DEBUG Diff IDs: [sha256:6c5c31bb76935f83c5cdbd50d183ef6b916765542ceb6cd6fd5f3cebd2779542]
2022-11-01T10:07:50.527+0200 DEBUG Base Layers: []
2022-11-01T10:07:50.528+0200 INFO Detected OS: alpine
2022-11-01T10:07:50.528+0200 INFO This OS version is not on the EOL list: alpine 3.17_alpha20220715
2022-11-01T10:07:50.528+0200 INFO Detecting Alpine vulnerabilities...
2022-11-01T10:07:50.528+0200 DEBUG alpine: os version: 3.17_alpha20220715
2022-11-01T10:07:50.528+0200 DEBUG alpine: package repository: edge
2022-11-01T10:07:50.528+0200 DEBUG alpine: the number of packages: 15
2022-11-01T10:07:50.529+0200 INFO Number of language-specific files: 0
{
"SchemaVersion": 2,
"ArtifactName": "kio.ee/base/abi:edge",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "alpine",
"Name": "3.17_alpha20220715"
},
"ImageID": "sha256:5b5e28fe8282fa7aafecd690e4b7adfe5de36aa1a09a97213496e95996c44cca",
"DiffIDs": [
"sha256:6c5c31bb76935f83c5cdbd50d183ef6b916765542ceb6cd6fd5f3cebd2779542"
],
"RepoTags": [
"kio.ee/base/abi:edge"
],
"RepoDigests": [
"kio.ee/base/abi@sha256:12746c7421c468849bea0d8a5ab5d038e28832f1a82742a903c30f83d087af15"
],
"ImageConfig": {
"architecture": "amd64",
"created": "2022-11-01T04:26:22.222525645Z",
"docker_version": "20.10.21",
"history": [
{
"created": "2022-11-01T04:26:22.222525645Z",
"created_by": "/bin/sh -c #(nop) COPY dir:f210a50b990b00a12620fdb3a6d9b5683193a56f733c6173cb8e39e4e0b21e3a in / "
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:6c5c31bb76935f83c5cdbd50d183ef6b916765542ceb6cd6fd5f3cebd2779542"
]
},
"config": {
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
]
}
}
},
"Results": [
{
"Target": "kio.ee/base/abi:edge (alpine 3.17_alpha20220715)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-3358",
"PkgName": "libcrypto3",
"InstalledVersion": "3.0.5-r3",
"FixedVersion": "3.0.6-r0",
"Layer": {
"Digest": "sha256:1c6ad5a91d1f60b7be800e55414044575f5c8c0fe6eeda78caf9ca01db7d555a",
"DiffID": "sha256:6c5c31bb76935f83c5cdbd50d183ef6b916765542ceb6cd6fd5f3cebd2779542"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3358",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption",
"Description": "OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).",
"Severity": "HIGH",
"CweIDs": [
"CWE-476"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 7.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2022-3358",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3358",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b",
"https://github.com/advisories/GHSA-4f63-89w9-3jjv",
"https://nvd.nist.gov/vuln/detail/CVE-2022-3358",
"https://rustsec.org/advisories/RUSTSEC-2022-0059.html",
"https://security.netapp.com/advisory/ntap-20221028-0014/",
"https://www.openssl.org/news/secadv/20221011.txt"
],
"PublishedDate": "2022-10-11T15:15:00Z",
"LastModifiedDate": "2022-10-28T17:15:00Z"
},
{
"VulnerabilityID": "CVE-2022-3358",
"PkgName": "libssl3",
"InstalledVersion": "3.0.5-r3",
"FixedVersion": "3.0.6-r0",
"Layer": {
"Digest": "sha256:1c6ad5a91d1f60b7be800e55414044575f5c8c0fe6eeda78caf9ca01db7d555a",
"DiffID": "sha256:6c5c31bb76935f83c5cdbd50d183ef6b916765542ceb6cd6fd5f3cebd2779542"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3358",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Title": "openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption",
"Description": "OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).",
"Severity": "HIGH",
"CweIDs": [
"CWE-476"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 7.5
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2022-3358",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3358",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b",
"https://github.com/advisories/GHSA-4f63-89w9-3jjv",
"https://nvd.nist.gov/vuln/detail/CVE-2022-3358",
"https://rustsec.org/advisories/RUSTSEC-2022-0059.html",
"https://security.netapp.com/advisory/ntap-20221028-0014/",
"https://www.openssl.org/news/secadv/20221011.txt"
],
"PublishedDate": "2022-10-11T15:15:00Z",
"LastModifiedDate": "2022-10-28T17:15:00Z"
}
]
}
]
}
Output of trivy -v:
Version: 0.31.3
Vulnerability DB:
Version: 2
UpdatedAt: 2022-11-01 06:13:18.418196768 +0000 UTC
NextUpdate: 2022-11-01 12:13:18.418196368 +0000 UTC
DownloadedAt: 2022-11-01 08:01:35.767569731 +0000 UTC
Additional details (base image name, container registry info...):
- Base image: alpine:edge with latest updates applied.
- Container registry: kio.ee
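The JSON above gives everything needed to separate "a fix exists in the advisory" from "a fix can actually be installed", which is the gap this report is about. The following is an added example, not Trivy's own code: it reads the `Results[].Vulnerabilities[]` fields from a constructed excerpt of the report, compares `FixedVersion` against a constructed list of versions the apk repository really serves (assumed to come from `apk policy` or the APKINDEX in practice), and flags findings like CVE-2022-3358 whose 3.0.6-r0 fix is not obtainable.

```python
import json

# Constructed excerpt of the Trivy -f json report quoted above, reduced to the
# fields this check reads.
TRIVY_JSON = """{"SchemaVersion": 2, "Results": [{"Class": "os-pkgs", "Type": "alpine",
  "Target": "kio.ee/base/abi:edge (alpine 3.17_alpha20220715)", "Vulnerabilities": [
   {"VulnerabilityID": "CVE-2022-3358", "PkgName": "libcrypto3",
    "InstalledVersion": "3.0.5-r3", "FixedVersion": "3.0.6-r0"},
   {"VulnerabilityID": "CVE-2022-3358", "PkgName": "libssl3",
    "InstalledVersion": "3.0.5-r3", "FixedVersion": "3.0.6-r0"}]}]}"""

# Constructed: versions the edge repository actually serves per package (3.0.6-r0
# was withdrawn, so only 3.0.5-r3 remains). In practice fill this from
# `apk policy <pkg>` or the repository APKINDEX.
AVAILABLE = {"libcrypto3": ["3.0.5-r3"], "libssl3": ["3.0.5-r3"]}


def apk_version_key(version):
    """Sortable key for an apk version like '3.0.5-r3'. Assumption: numeric
    dot-separated upstream part plus optional -rN package release, which is
    enough for the OpenSSL packages in this report."""
    upstream, _, release = version.partition("-r")
    return tuple(int(p) for p in upstream.split(".")), int(release or 0)


def triage(report_json, available):
    """Classify each OS-package finding by whether its FixedVersion can
    actually be installed from the repository."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        if result.get("Class") != "os-pkgs":
            continue
        for vuln in result.get("Vulnerabilities", []):
            pkg, fixed = vuln["PkgName"], vuln.get("FixedVersion")
            served = available.get(pkg, [])
            if not fixed:
                status = "no-fix"
            elif any(apk_version_key(v) >= apk_version_key(fixed) for v in served):
                status = "fix-available"
            else:
                status = "fix-not-in-repo"  # advisory claims a fix the repo cannot deliver
            rows.append({"pkg": pkg, "cve": vuln["VulnerabilityID"], "fixed": fixed,
                         "installed": vuln["InstalledVersion"], "status": status})
    return rows


if __name__ == "__main__":
    for row in triage(TRIVY_JSON, AVAILABLE):
        print("{status:16} {pkg:12} {cve} installed={installed} fixed={fixed}".format(**row))
```

Findings marked `fix-not-in-repo` are the ones to track against the distribution's advisory feed rather than treat as immediately remediable.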
Hello @kyberorg Thanks for your report!
The Alpine security database currently contains 3.0.6-r0 as the fixed version.
When Alpine updates this, you will receive the new fixed version.
Regards, Dmitriy
This issue is stale because it has been labeled with inactivity.