Ubuntu: Add as a Vulnerability Specification Source #958

Closed
gh-greg opened this issue Oct 18, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@gh-greg

gh-greg commented Oct 18, 2022

Ubuntu: Add as a Vulnerability Specification Source:

As Ubuntu seems to have the largest Linux market share, it is proposed to
directly include Canonical "OVAL/Security-Notices" as a Grype Vulnerability source.

In 2022, Ubuntu seemed to have the largest Linux market share:
https://www.enterpriseappstoday.com/stats/linux-statistics.html

Thus, Ubuntu-based Docker containers are deployed in lots of microservices.
Once working, long-term Ubuntu releases may stay in production deployment
for an extended period ... gathering discovered defects.

Today, Ubuntu issues "Security Notices", through a service known as OVAL.

https://ubuntu.com/security/oval # oscap oval eval --report report.html oci.com.ubuntu.focal.usn.oval.xml
https://ubuntu.com/security/notices
https://ubuntu.com/security/notices/USN-5675-1

Why is this needed:

Tenable, Grype's competition, seems to be using Ubuntu's security feed as a data source.
What are other vendors, besides Tenable, doing?
https://www.tenable.com/

(1) Example: Is Ubuntu publishing Vulns that Mitre is not listing?

(1.a) Ubuntu: Flags "Heimdal vulnerabilities"

https://ubuntu.com/security/notices?order=newest&release=xenial&details=Heimdal+

(1.b) Mitre CVE: By way of contrast, these Ubuntu "Heimdal vulnerabilities"
do not seem to be clearly noted, or even found, here in the CVE/Mitre Vulnerability feed:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=heimdal+ubuntu

Additional context:

(a) Possibly Related Issues:

(b) Is there already a Grype enhancement to suggest using Canonical Ubuntu as a Vulnerability Source?

https://github.com/anchore/grype/issues?page=1&q=is%3Aissue+is%3Aopen++ubuntu


(c) What are the existing Data Sources of Grype Vulnerability specifications?

Using this source file, Grype seems to use these things as Vulnerability Data Sources:

https://github.com/anchore/grype/blob/a000a69b84211b9d928aff676d0b44b9ae83f7dc/schema/cyclonedx/vulnerability.xsd

List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability:
For example 399 (of https://cwe.mitre.org/data/definitions/399.html)

metric values used to score the vulnerability: see attack vector in 
https://www.first.org/cvss/v3.1/specification-document

vulnerability as defined by the risk scoring methodology: 
For example CVE-2019-15842 (of https://nvd.nist.gov/vuln/detail/CVE-2019-15842)

based on CVSS v2 standard: 
https://www.first.org/cvss/v2/guide

based on CVSS v3 standard: 
https://www.first.org/cvss/v3.1/specification-document

based on OWASP Risk Rating: 
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

based on Open FAIR specification: 
http://www.opengroup.org/subjectareas/security/risk

vulnerability documentation as provided by the source: For example 
https://nvd.nist.gov/vuln/detail/CVE-2019-15842
@gh-greg gh-greg added the enhancement New feature or request label Oct 18, 2022
@gh-greg gh-greg changed the title Ubuntu: Add as a Vulnerability source Ubuntu: Add as a Vulnerability Specification Source Oct 18, 2022
@spiffcs spiffcs added this to OSS Oct 20, 2022
@kzantow
Contributor

kzantow commented Oct 20, 2022

Hi @gh-greg -- we are already using Canonical's vulnerability feeds when matching Ubuntu packages! Is there a specific reason to use OVAL otherwise?

If you'd like to see the data source for each vulnerability, you could run something like:

grype -o json ubuntu:latest | jq '.matches[].vulnerability.dataSource'

This is what we see, which is from Canonical:

"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-29458"
"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219"
"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3358"
"http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-37434"

@gh-greg
Author

gh-greg commented Oct 21, 2022

@kzantow: Let's close this. I must have gone off "half-cocked", and today cannot fully reproduce what I was talking about when I filed this.


[PRISMACLOUD]


|       CVE       | SEV   |  CVSS| PACKAGE   | VERSION                | STATUS  |            DESCRIPTION        |
+---------------------------------------------------------------------------------------------------------------+
| CVE-2019-12098  | low   |  7.40|  heimdal  |  7.5.0+dfsg-1ubuntu0.1 |  needed |  In the client side of Heimd  |
|                 |       |      |           |                        |         | failure to verify anonymous   |
|                 |       |      |           |                        |         | key exchange permits a man-i  |
|                 |       |      |           |                        |         | This issu...                  |
+-----------------+-------+------+-----------+------------------------+---------+-------------------------------+
| CVE-2021-3671   | low   |  6.50|  heimdal  |  7.5.0+dfsg-1ubuntu0.1 |  needed |  A null pointer de-reference  |
|                 |       |      |           |                        |         | samba kerberos server handle  |
|                 |       |      |           |                        |         | TGS-REQ (Ticket Granting Ser  |
|                 |       |      |           |                        |         | authent...                    |
+-----------------+-------+------+-----------+------------------------+---------+-------------------------------+

GRYPE:


NAME:                INSTALLED:     FIXED-IN :               VULNERABILITY:    SEVERITY:   
libgssapi3-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2022-3116     Medium      
libgssapi3-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 a->CVE-2021-3671     Low         
libgssapi3-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 b->CVE-2019-12098    Low         
libgssapi3-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2018-16860    Medium      
libhcrypto4-heimdal  7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2022-3116     Medium      
libhcrypto4-heimdal  7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 a->CVE-2021-3671     Low         
libhcrypto4-heimdal  7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 b->CVE-2019-12098    Low         
libhcrypto4-heimdal  7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2018-16860    Medium      
libheimbase1-heimdal 7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2022-3116     Medium      
libheimbase1-heimdal 7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 a->CVE-2021-3671     Low         
libheimbase1-heimdal 7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 b->CVE-2019-12098    Low         
libheimbase1-heimdal 7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2018-16860    Medium      
libheimntlm0-heimdal 7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2022-3116     Medium      
libheimntlm0-heimdal 7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 a->CVE-2021-3671     Low         
libheimntlm0-heimdal 7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 b->CVE-2019-12098    Low         
libheimntlm0-heimdal 7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2018-16860    Medium      
libhx509-5-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2022-3116     Medium      
libhx509-5-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 a->CVE-2021-3671     Low         
libhx509-5-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 b->CVE-2019-12098    Low         
libhx509-5-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2018-16860    Medium    
libkrb5-26-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2022-3116     Medium      
libkrb5-26-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 a->CVE-2021-3671     Low         
libkrb5-26-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 b->CVE-2019-12098    Low         
libkrb5-26-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2018-16860    Medium   
libroken18-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2022-3116     Medium      
libroken18-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 a->CVE-2021-3671     Low         
libroken18-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 b->CVE-2019-12098    Low         
libroken18-heimdal   7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2018-16860    Medium    
libwind0-heimdal     7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2022-3116     Medium      
libwind0-heimdal     7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 a->CVE-2021-3671     Low         
libwind0-heimdal     7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1 b->CVE-2019-12098    Low         
libwind0-heimdal     7.5.0+dfsg-1   7.5.0+dfsg-1ubuntu0.1    CVE-2018-16860    Medium 

UBUNTU:
https://ubuntu.com/security/cves?q=Heimdal&package=&priority=&version=&status=
https://ubuntu.com/security/notices?order=newest&release=xenial&details=Heimdal+


ID:                PRI:    PKG:            14.04 ESM       16.04 ESM       18.04 LTS       20.04 LTS       22.04 LTS       22.10
CVE-2021-25216     Medium  bind9           Needs triage    Released        Released        Released        Released        —
b->CVE-2019-12098  Low     heimdal         Released        Released        Released        Not vulnerable  Not vulnerable  —
CVE-2018-16860     Medium  samba           Released        Released        Released        Released        Released        —
CVE-2018-16860             heimdal         Released        Released        Released        Not vulnerable  Not vulnerable  —
CVE-2017-17439     Medium  heimdal         Not vulnerable  Not vulnerable  Not vulnerable  —               —               —
CVE-2017-6594      Low     heimdal         Ignored         Ignored         Not vulnerable  Not vulnerable  Not vulnerable  —
CVE-2017-11103     Medium  samba           Released        Released        —               —               —               —
CVE-2017-11103     Medium  heimdal         Released        Released        —               —               —               —
CVE-2015-5913      Medium  heimdal         Not vulnerable  Not vulnerable  —               —               —               —
CVE-2011-4862      Medium  inetutils       Not vulnerable  Not vulnerable  —               —               —               —
CVE-2011-4862              heimdal         Not vulnerable  Not vulnerable  —               —               —               —
CVE-2011-4862              krb5            Not vulnerable  Not vulnerable  —               —               —               —
CVE-2011-4862              krb5-appl       Does not exist  Does not exist  —               —               —               —
CVE-2009-0361      Low     libpam-heimdal  —               —               —               —               —               —

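Added example (not grype's own code, nor either commenter's) that makes the data-source check kzantow described above, and the cross-scanner comparison gh-greg posted above, repeatable: it parses a constructed `grype -o json` document, counts findings per data-source host, flags Ubuntu findings not backed by Canonical's feed, and diffs the CVE set against the other scanner's list. `vulnerability.dataSource` is the field shown in the thread; the `artifact.name`/`artifact.version` layout is an assumption about grype's JSON, and the one NVD-sourced record in the sample is invented so the check has something to flag.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of `grype -o json` output, cut down to the fields used here.
# Ids/versions mirror the Heimdal findings quoted in this issue; the NVD dataSource
# on the last record is invented so the feed check has something to flag. The
# artifact.name / artifact.version layout is an assumption about grype's JSON.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"artifact": {"name": "libgssapi3-heimdal", "version": "7.5.0+dfsg-1"},
     "vulnerability": {"id": "CVE-2022-3116", "severity": "Medium",
                       "dataSource": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3116"}},
    {"artifact": {"name": "libgssapi3-heimdal", "version": "7.5.0+dfsg-1"},
     "vulnerability": {"id": "CVE-2021-3671", "severity": "Low",
                       "dataSource": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-3671"}},
    {"artifact": {"name": "libgssapi3-heimdal", "version": "7.5.0+dfsg-1"},
     "vulnerability": {"id": "CVE-2019-12098", "severity": "Low",
                       "dataSource": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12098"}},
    {"artifact": {"name": "libgssapi3-heimdal", "version": "7.5.0+dfsg-1"},
     "vulnerability": {"id": "CVE-2018-16860", "severity": "Medium",
                       "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-16860"}},
]})

# CVEs the other scanner (the PrismaCloud table in this issue) reported for heimdal.
OTHER_SCANNER_CVES = {"CVE-2019-12098", "CVE-2021-3671"}

def load_matches(doc: str) -> list[dict]:
    """Flatten grype's JSON into package, version, CVE, severity and data-source host."""
    rows = []
    for m in json.loads(doc)["matches"]:
        v, a = m["vulnerability"], m["artifact"]
        rows.append({"package": a["name"], "version": a["version"], "cve": v["id"],
                     "severity": v["severity"], "host": urlparse(v["dataSource"]).hostname or ""})
    return rows

def source_hosts(rows: list[dict]) -> Counter:
    """Number of findings backed by each data-source host."""
    return Counter(r["host"] for r in rows)

def not_from_feed(rows: list[dict], host: str = "people.ubuntu.com") -> set[str]:
    """CVEs whose match did not come from the expected distro feed (Canonical's, by default)."""
    return {r["cve"] for r in rows if r["host"] != host}

def diff_against(rows: list[dict], other: set[str]) -> tuple[set[str], set[str]]:
    """(CVEs only grype reports, CVEs only the other scanner reports)."""
    mine = {r["cve"] for r in rows}
    return mine - other, other - mine
```

Feed the real output of `grype -o json <image>` to `load_matches` and a non-empty `not_from_feed` result tells you which findings were matched from a fallback source rather than the distro's own advisories.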
@kzantow
Contributor

kzantow commented Oct 21, 2022

Thanks for following up @gh-greg!

@kzantow kzantow closed this as completed Oct 21, 2022
@kzantow kzantow moved this to Done in OSS Oct 21, 2022