False postive on Debian images

[Oneiroi]

IDs

CVE-2001-1534,TEMP-0841856-B18BAF

Description

PHP:8-apache-bookwork false-positives

Within the trivy image php:8-apache-bookworm we see reports for example such as:

CVE-2001-1534 - mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.

On startup it can be observed the image is running Apache 2.4.57 [Wed Jan 24 11:40:26.811835 2024] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.57 (Debian) PHP/8.3.2 configured -- resuming normal operations

ii  apache2                       2.4.57-2                       arm64        Apache HTTP Server
ii  apache2-bin                   2.4.57-2                       arm64        Apache HTTP Server (modules and other binary files)
ii  apache2-data                  2.4.57-2                       all          Apache HTTP Server (common files)
ii  apache2-utils                 2.4.57-2                       arm64        Apache HTTP Server (utility programs for web servers)```

`mod_usertrack` is in the apache mods avaialble, though not enabled itself:

```root@9db737b4e3c4:/var/www/html# cat /etc/apache2/mods-available/usertrack.load 
LoadModule usertrack_module /usr/lib/apache2/modules/mod_usertrack.so
root@9db737b4e3c4:/var/www/html# ls -la /etc/apache2/mods-enabled/ | grep user
lrwxrwxrwx 1 root root   33 Jan 11 03:34 authz_user.load -> ../mods-available/authz_user.load
root@9db737b4e3c4:/var/www/html# apachectl -t -l
Compiled in modules:
  core.c
  mod_so.c
  mod_watchdog.c
  http_core.c
  mod_log_config.c
  mod_logio.c
  mod_version.c
  mod_unixd.c
root@9db737b4e3c4:/var/www/html# apachectl -t -M
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 status_module (shared)

Moreover reviewing https://nvd.nist.gov/vuln/detail/CVE-2001-1534 see the statement from RedHat:

OFFICIAL STATEMENT FROM RED HAT (08/30/2006)
This is not a security issue. The mod_usertrack cookies are not designed to be used for authentication.

-f json snippet

"VulnerabilityID": "CVE-2001-1534",
          "PkgID": "[email protected]",
          "PkgName": "apache2",
          "InstalledVersion": "2.4.57-2",
          "Status": "affected",
          "Layer": {
            "Digest": "sha256:ea67ae2bde3303f6e68d4e0f2e641771894224010749cd780d5b602f500d3c81",
            "DiffID": "sha256:144756fc5594794ec34b73106dce806e3e4468c19b809b4501d70ae8bf95a3c2"
          },
          ...
           "References": [
            "http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00084.html",
            "http://www.iss.net/security_center/static/7494.php",
            "http://www.securityfocus.com/bid/3521"
          ],
          "PublishedDate": "2001-12-31T05:00:00Z",
          "LastModifiedDate": "2021-07-15T20:37:56.323Z"

1. apache versions do not match those noted as vulnerable
2. the references noted in the -f json ouput, are unreachable or 404.

Debian false-positives

root@9db737b4e3c4:/var/www/html# cat /etc/debian_version
12.4

Debian version is correctly detected by Trivy: php:8-apache-bookworm (**debian 12.4**)

Vulberability TEMP-0841856-B18BAF prently reports 'not found'

Vulnerability TEMP-0000000-F7A20F notes whilst report from for Linux 2.6 Kernel this does not contain the affected code, admittedly the link notes the main linux package is vulnerable perhaps this accounts for the positive status , seems perhaps upstream debate on this also has not resulted in a positive correction at the time of writing, that and as the Debian tracker link notes the vulnerability as "unimportant" we may never see resolution for this particular issue whether or not this is a false positive seems entirely dependant on the individuals point of view, unsure if we can exclude 'TEMP-' items in the future to account for such ambiguity ?

Vulnerability TEMP-0628843-DB-AD28 presently returns "not found" additionlly it is noted [more related to CVE-2005-4890] seems this may have not been fully merged?

On review of CVE-2005-4890 it is noted this is fixed in the Debian version, for the sudo and shadow packages, which upon review, neither are present within the container.

Additionally Trivy notes that TEMP-0628843-DBAD28 affected passwd the verison of which is installed being: 1:4.13+dfsg1-1+b1 however the CVE-2005-4890 does not passwd as being affected, liekly a case of stale data in this particular case presuming the now unavailable TEMP-0628843-DBAD28 noted passwd as being affected with the CVE-2005-4890 noting instead that shadow is.

TEMP-0517018-A83CE6 appear internal debtae is ongoing on whether or not this is unimportant or low ; maybe not a Trivy issue more an upstream problem showing unpatched and vulnerable at the time of writing.

TEMP-0290435-0B57B5 another case of internal debate, seems the tracker shows as vulnerable whilst notes suggest this is not the case.

Reproduction Steps

1. `trivy image php:8-apache-bookworm`

Target

Container Image

Scanner

Vulnerability

Target OS

debian 12.4

Debug Output

trivy image php:8-apache-bookworm --debug      
2024-01-24T12:46:38.397Z    DEBUG    Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-24T12:46:38.397Z        DEBUG    Ignore statuses {"statuses": null}
2024-01-24T12:46:38.402Z        DEBUG    cache dir:  /Users/aegishjalmur/Library/Caches/trivy
2024-01-24T12:46:38.403Z        INFO     Need to update DB
2024-01-24T12:46:38.403Z        INFO     DB Repository: ghcr.io/aquasecurity/trivy-db
2024-01-24T12:46:38.403Z        INFO     Downloading DB...
42.47 MiB / 42.47 MiB [-----------------------------------------------------------------------------------------------------------------] 100.00% 5.12 MiB p/s 8.5s
2024-01-24T12:46:47.808Z        DEBUG    Updating database metadata...
2024-01-24T12:46:47.808Z        DEBUG    DB Schema: 2, UpdatedAt: 2024-01-24 12:13:22.639022174 +0000 UTC, NextUpdate: 2024-01-24 18:13:22.639021844 +0000 UTC, DownloadedAt: 2024-01-24 12:46:47.808163 +0000 UTC
2024-01-24T12:46:47.809Z        INFO     Vulnerability scanning is enabled
2024-01-24T12:46:47.809Z        DEBUG    Vulnerability type:  [os library]
2024-01-24T12:46:47.809Z        INFO     Secret scanning is enabled
2024-01-24T12:46:47.809Z        INFO     If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-24T12:46:47.809Z        INFO     Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-24T12:46:47.809Z        DEBUG    Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-01-24T12:46:49.025Z        DEBUG    No secret config detected: trivy-secret.yaml
2024-01-24T12:46:49.026Z        DEBUG    The nuget packages directory couldn't be found. License search disabled
2024-01-24T12:46:49.027Z        DEBUG    No secret config detected: trivy-secret.yaml
2024-01-24T12:46:49.291Z        DEBUG    Image ID: sha256:c2ddac79b604051d5f96d102fb7cc40238f53c0d077f0290c9ddc46a9b0157c6
2024-01-24T12:46:49.291Z        DEBUG    Diff IDs: [sha256:571ade696b261f0ff46e3cdac4635afc009c4ed3429950cb95cd7e5f70ba0a07 sha256:40c592e990b3cd7e4b4b72519825c2492dda317073365956bbfb1d961dfa47ca sha256:d26d02e35df24f959af5dcc75184ac3bd62f5f783c70d59bff09992fcfb2e496 sha256:a8e13f02e9db329b4a62a68252a7a8e75f63ade89fca2fa098cb09d5dff494d7 sha256:144756fc5594794ec34b73106dce806e3e4468c19b809b4501d70ae8bf95a3c2 sha256:c0c8d17d49b3ef917b0953a4cfe0b67cef6d89695b486fca680d312794126e13 sha256:b3b06999ffde4d69f039227599a97aac8c4176f5ee05474451ed6f0ec705e0b0 sha256:246485baa8bd281da569cec8c6a613ffead7eeb4a708dd1079da3f643b5f0c7d sha256:67ef36c0d747d282d6a44591a9e6d49a51f06f65dc9f15902c965f9a5194bcac sha256:6ed16f499ec1e233488e257d276ac2e41bd90bb5b2ae59e5faf345dca5909489 sha256:ffc119995b5ce190004bfac060a76ff198bc56de95a2a7eae231661c047fde50 sha256:9964614552c26f1cd2d4263b3b8aae0eb11bf12428eae240a69c8b4f5c762f81 sha256:5959d3d0d9bacb9b99a446feaae4037f2e61283e27db283b4af9261183a85d92]
2024-01-24T12:46:49.291Z        DEBUG    Base Layers: [sha256:571ade696b261f0ff46e3cdac4635afc009c4ed3429950cb95cd7e5f70ba0a07]
2024-01-24T12:46:49.311Z        INFO     Detected OS: debian
2024-01-24T12:46:49.311Z        INFO     Detecting Debian vulnerabilities...
2024-01-24T12:46:49.312Z        DEBUG    debian: os version: 12
2024-01-24T12:46:49.312Z        DEBUG    debian: the number of packages: 187
2024-01-24T12:46:49.338Z        INFO     Number of language-specific files: 0

php:8-apache-bookworm (debian 12.4)

Total: 358 (UNKNOWN: 6, LOW: 256, MEDIUM: 70, HIGH: 25, CRITICAL: 1)
... <truncated for brevity>

Version

trivy --version
Version: 0.48.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-01-24 12:13:22.639022174 +0000 UTC
  NextUpdate: 2024-01-24 18:13:22.639021844 +0000 UTC
  DownloadedAt: 2024-01-24 12:46:47.808163 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct