
False Positive: CVE-2018-8088 in the context of JBOSS EAP eco-system #1613

Open
sekveaja opened this issue Nov 21, 2023 · 2 comments
Labels
bug Something isn't working false-positive

Comments


sekveaja commented Nov 21, 2023

What happened:
Scanning a container that has Red Hat JBoss EAP, which includes this jar file: slf4j-ext-1.7.22.redhat-2.jar.

Grype located this file:
<custom_path>..../3pp/jboss/modules/system/layers/base/org/slf4j/ext/main/slf4j-ext-1.7.22.redhat-2.jar

grype ./slf4j-ext-1.7.22.redhat-2.jar
 ✔ Vulnerability DB                [no update available]
 ✔ Indexed file system                                                         /tmp/eric-enmsg-access-control
 ✔ Cataloged packages              [1 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   1 fixed, 0 not-fixed, 0 ignored
NAME       INSTALLED        FIXED-IN  TYPE          VULNERABILITY        SEVERITY
slf4j-ext  1.7.22.redhat-2  1.7.26    java-archive  GHSA-w77p-8cfg-2x43  Critical

This is a false positive, since JBoss EAP 1.7.22, which includes slf4j-ext, already has a fix for CVE-2018-8088.

What you expected to happen:

According to the Red Hat errata, for JBoss EAP the issue is already fixed with this fix:
https://access.redhat.com/errata/RHSA-2018:0628

However, Grype lists all Red Hat errata from NVD.
Not all of these errata apply to the JBoss EAP ecosystem.

  https://access.redhat.com/errata/RHSA-2018:0582,
  https://access.redhat.com/errata/RHSA-2018:0592,
  https://access.redhat.com/errata/RHSA-2018:0627,
  https://access.redhat.com/errata/RHSA-2018:0628,    (this one addresses the specific JBoss EAP issue)
  https://access.redhat.com/errata/RHSA-2018:0629,
  https://access.redhat.com/errata/RHSA-2018:0630,
  https://access.redhat.com/errata/RHSA-2018:1247,
  https://access.redhat.com/errata/RHSA-2018:1248,
  https://access.redhat.com/errata/RHSA-2018:1249,
  https://access.redhat.com/errata/RHSA-2018:1251,
  https://access.redhat.com/errata/RHSA-2018:1323,
  https://access.redhat.com/errata/RHSA-2018:1447,
  https://access.redhat.com/errata/RHSA-2018:1448,
  https://access.redhat.com/errata/RHSA-2018:1449,
  https://access.redhat.com/errata/RHSA-2018:1450,
  https://access.redhat.com/errata/RHSA-2018:1451,
  https://access.redhat.com/errata/RHSA-2018:1525,
  https://access.redhat.com/errata/RHSA-2018:1575,
  https://access.redhat.com/errata/RHSA-2018:2143,
  https://access.redhat.com/errata/RHSA-2018:2419,
  https://access.redhat.com/errata/RHSA-2018:2420,
  https://access.redhat.com/errata/RHSA-2018:2669,
  https://access.redhat.com/errata/RHSA-2018:2930,
  https://access.redhat.com/errata/RHSA-2019:2413,
  https://access.redhat.com/errata/RHSA-2019:3140

How to reproduce it (as minimally and precisely as possible):

grype ./slf4j-ext-1.7.22.redhat-2.jar
 ✔ Vulnerability DB                [no update available]
 ✔ Indexed file system                                                         /tmp/eric-enmsg-access-control
 ✔ Cataloged packages              [1 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   1 fixed, 0 not-fixed, 0 ignored
NAME       INSTALLED        FIXED-IN  TYPE          VULNERABILITY        SEVERITY
slf4j-ext  1.7.22.redhat-2  1.7.26    java-archive  GHSA-w77p-8cfg-2x43  Critical

In the context of Red Hat JBoss EAP, version 1.7.22 fixed CVE-2018-8088.

Environment:

  • Output of grype version:
    $ grype version
    Application: grype
    Version: 0.73.3
    BuildDate: 2023-11-19T00:41:38Z
    GitCommit: dbe2a95
    GitDescription: v0.73.3
    Platform: linux/amd64
    GoVersion: go1.21.1
    Compiler: gc
    Syft Version: v0.97.1
    Supported DB Schema: 5

  • OS (e.g: cat /etc/os-release or similar):

CentOS Stream release 8
NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
CentOS Stream release 8
CentOS Stream release 8
cpe:/o:centos:centos:8

@sekveaja sekveaja added the bug Something isn't working label Nov 21, 2023
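The report above shows the pattern behind this class of false positive: the installed version carries a vendor rebuild suffix (1.7.22.redhat-2) while the advisory's fixed-in version (1.7.26) is an upstream number, so a plain version comparison cannot see a backported fix. The script below is an added example, not code from Grype or from this issue: it reads Grype's JSON output (`grype <target> -o json`), flags matches on vendor-rebuilt Java archives whose fix data comes from a non-vendor source, and renders a `.grype.yaml` ignore block for the ones a reviewer has confirmed against the vendor errata. The JSON field names are assumed to follow Grype's JSON format; the sample document and the GHSA/CVE identifiers other than those in this issue are constructed placeholders.

```python
"""Triage helper for Grype JSON output (added example, not Grype's own code).

Flags matches on vendor-rebuilt Java archives whose fix information comes from
an upstream (non-vendor) source, then renders `.grype.yaml` ignore entries for
the candidates a reviewer confirms as backported against the vendor's errata.
Field names are assumed to follow `grype -o json`; the sample is constructed.
"""
import json
import re

# Constructed sample of a Grype JSON report, reduced to the fields used here.
# The first match mirrors the table in the issue; the other two identifiers
# are placeholders (not real advisories).
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {   # vendor rebuild, matched from an upstream (GitHub) source -> candidate
            "vulnerability": {
                "id": "GHSA-w77p-8cfg-2x43",
                "namespace": "github:language:java",
                "severity": "Critical",
                "fix": {"versions": ["1.7.26"], "state": "fixed"},
            },
            "relatedVulnerabilities": [{"id": "CVE-2018-8088"}],
            "artifact": {"name": "slf4j-ext", "version": "1.7.22.redhat-2",
                         "type": "java-archive"},
        },
        {   # plain upstream jar, no vendor suffix -> not a backport candidate
            "vulnerability": {"id": "GHSA-EXAMPLE-0001",
                              "namespace": "github:language:java",
                              "severity": "High",
                              "fix": {"versions": ["2.1.0"], "state": "fixed"}},
            "relatedVulnerabilities": [],
            "artifact": {"name": "example-lib", "version": "2.0.1",
                         "type": "java-archive"},
        },
        {   # vendor rebuild, but matched from the vendor's own feed -> keep it
            "vulnerability": {"id": "CVE-EXAMPLE-0002",
                              "namespace": "redhat:distro:redhat:8",
                              "severity": "Medium",
                              "fix": {"versions": [], "state": "not-fixed"}},
            "relatedVulnerabilities": [],
            "artifact": {"name": "example-vendor-lib", "version": "3.1.0.redhat-1",
                         "type": "java-archive"},
        },
    ]
})

# "1.7.22.redhat-2" is a Red Hat rebuild; the suffix is the signal that the jar
# may carry a backported fix that upstream fixed-in ranges do not account for.
VENDOR_SUFFIX_RE = re.compile(r"\.(?P<vendor>redhat)-\d+$")

# Grype namespaces published by the same vendor: a match from one of these is
# the vendor's own assessment, so it is not a backport candidate.
VENDOR_NAMESPACE_PREFIX = {"redhat": "redhat:"}


def vendor_suffix(version: str):
    """Return the vendor tag embedded in a rebuilt version string, or None."""
    m = VENDOR_SUFFIX_RE.search(version)
    return m.group("vendor") if m else None


def backport_candidates(report_json: str) -> list:
    """Select java-archive matches that deserve a manual errata check."""
    report = json.loads(report_json)
    out = []
    for match in report.get("matches", []):
        artifact = match.get("artifact", {})
        vuln = match.get("vulnerability", {})
        if artifact.get("type") != "java-archive":
            continue
        vendor = vendor_suffix(artifact.get("version", ""))
        if vendor is None:
            continue
        if vuln.get("namespace", "").startswith(VENDOR_NAMESPACE_PREFIX[vendor]):
            continue
        out.append({
            "vulnerability": vuln.get("id"),
            "related": [r.get("id") for r in match.get("relatedVulnerabilities", [])],
            "name": artifact.get("name"),
            "version": artifact.get("version"),
            "type": artifact.get("type"),
            "fix_versions": vuln.get("fix", {}).get("versions", []),
            "namespace": vuln.get("namespace"),
        })
    return out


def ignore_rules_yaml(candidates: list, reason: str) -> str:
    """Render a `.grype.yaml` ignore block pinned to the exact package version,
    so the rule stops applying as soon as the jar is upgraded or replaced."""
    lines = ["ignore:"]
    for c in candidates:
        lines += [
            f"  - vulnerability: {c['vulnerability']}",
            f"    # reason: {reason}",
            "    package:",
            f"      name: {c['name']}",
            f"      version: {c['version']}",
            f"      type: {c['type']}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = backport_candidates(SAMPLE_GRYPE_JSON)
    for c in found:
        print(f"check {c['name']} {c['version']}: {c['vulnerability']} "
              f"{c['related']} fixed upstream in {c['fix_versions']} ({c['namespace']})")
    print(ignore_rules_yaml(found, "backported per vendor errata (verify before use)"))
```

The candidates are only a review queue: each one still has to be checked against the vendor advisory (here RHSA-2018:0628) before its ignore entry is committed. Once a `.grype.yaml` with the block is in the scan's working directory, the match moves into the "ignored" count of the status line, and `grype --show-suppressed` lists it in the table so the suppression stays visible in reports.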
Contributor

tgerla commented Dec 7, 2023

Hey @sekveaja, we have taken a look at this issue and I think we need a little more information. Grype will treat files owned by an RPM differently than a "bare" jar file, so we should be seeing different behavior between scanning the container image and the jar file itself. We specifically look for OS packages that overlap with non-OS packages, such as your Java jar. We don't match against Java jars that are owned by RPMs.

Is there a publicly-accessible container image that exhibits this behavior that we can use to reproduce this problem? We'd be happy to keep looking. Thank you.

@sekveaja (Author)

Hi @tgerla,
I found a public repo that gives access to the same jar file.
https://maven.repository.redhat.com/ga/org/slf4j/slf4j-ext/1.7.22.redhat-2/

Download: slf4j-ext-1.7.22.redhat-2.jar

Hope you'll catch it.
