Trivy incorrectly reports vulnerability for non-affected version of logj4j-core CVE-2020-9488 #6061

levinebw · 2024-02-03T00:41:00Z

levinebw
Feb 3, 2024

Description

[email protected] is not affected by CVE-2020-9488 however Trivy incorrectly reports a vulnerability finding.
The NVD states Fixed in Apache Log4j 2.12.3, however Trivy and Aquasec are reporing a vulnerability for Log4j 2.12.4

This was reported as fixed here (#3884), however it is not fixed. Evidence included shows there is still a bug.

Desired Behavior

There should be no finding reported for CVE-2020-9488 for [email protected]

Actual Behavior

Reproduction example

sh-3.2$ cat test2.cdx.json 
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:35f74310-e003-4841-93d8-6279d4425e49",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.38.3"
      }
    ]
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:maven/org.apache.logging.log4j/[email protected]?file_path=workspace%2FBOOT-INF%2Flib%2Ftest.jar",
      "name": "org.apache.logging.log4j:log4j-core",
      "version": "2.12.4",
      "purl": "pkg:maven/org.apache.logging.log4j/[email protected]"
    }
  ]
}
sh-3.2$ trivy sbom ./test2.cdx.json 
2024-02-02T17:35:43.326-0700	INFO	Vulnerability scanning is enabled
2024-02-02T17:35:43.326-0700	INFO	Detected SBOM format: cyclonedx-json
2024-02-02T17:35:43.327-0700	WARN	Ignore the OS package as no OS information is found.
2024-02-02T17:35:43.336-0700	INFO	Number of language-specific files: 1
2024-02-02T17:35:43.336-0700	INFO	Detecting jar vulnerabilities...

Java (jar)

Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.logging.log4j:log4j-core │ CVE-2020-9488 │ LOW      │ fixed  │ 2.12.4            │ 2.13.2        │ log4j: improper validation of certificate with host mismatch │
│                                     │               │          │        │                   │               │ in SMTP appender                                             │
│                                     │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-9488                    │
└─────────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
sh-3.2$ trivy --version
Version: 0.49.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-03 00:16:51.194236762 +0000 UTC
  NextUpdate: 2024-02-03 06:16:51.194236371 +0000 UTC
  DownloadedAt: 2024-02-03 00:23:44.579622 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-01-09 00:47:12.747790854 +0000 UTC
  NextUpdate: 2024-01-12 00:47:12.747790693 +0000 UTC
  DownloadedAt: 2024-01-09 03:36:21.607911 +0000 UTC
sh-3.2$

Reproduction Steps

see above

Target

SBOM

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

sh-3.2$ trivy sbom ./test2.cdx.json --debug
2024-02-02T17:38:16.841-0700	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-02T17:38:16.841-0700	DEBUG	Ignore statuses	{"statuses": null}
2024-02-02T17:38:16.853-0700	DEBUG	cache dir:  /Users/brianlevine/Library/Caches/trivy
2024-02-02T17:38:16.853-0700	DEBUG	DB update was skipped because the local DB is the latest
2024-02-02T17:38:16.853-0700	DEBUG	DB Schema: 2, UpdatedAt: 2024-02-03 00:16:51.194236762 +0000 UTC, NextUpdate: 2024-02-03 06:16:51.194236371 +0000 UTC, DownloadedAt: 2024-02-03 00:23:44.579622 +0000 UTC
2024-02-02T17:38:16.853-0700	INFO	Vulnerability scanning is enabled
2024-02-02T17:38:16.853-0700	DEBUG	Vulnerability type:  [os library]
2024-02-02T17:38:16.853-0700	DEBUG	Enabling misconfiguration scanners: []
2024-02-02T17:38:16.853-0700	INFO	Detected SBOM format: cyclonedx-json
2024-02-02T17:38:16.853-0700	DEBUG	Unmarshaling CycloneDX JSON...
2024-02-02T17:38:16.854-0700	WARN	Ignore the OS package as no OS information is found.
2024-02-02T17:38:16.864-0700	DEBUG	OS is not detected.
2024-02-02T17:38:16.864-0700	DEBUG	Detected OS: unknown
2024-02-02T17:38:16.864-0700	INFO	Number of language-specific files: 1
2024-02-02T17:38:16.864-0700	INFO	Detecting jar vulnerabilities...
2024-02-02T17:38:16.864-0700	DEBUG	Detecting library vulnerabilities, type: jar, path: 

Java (jar)

Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.logging.log4j:log4j-core │ CVE-2020-9488 │ LOW      │ fixed  │ 2.12.4            │ 2.13.2        │ log4j: improper validation of certificate with host mismatch │
│                                     │               │          │        │                   │               │ in SMTP appender                                             │
│                                     │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-9488                    │
└─────────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
sh-3.2$



### Operating System

MacOS

### Version

```bash
sh-3.2$ trivy --version
Version: 0.49.0

Checklist

Run trivy image --reset
Read the troubleshooting

DmitriyLewen · 2024-02-05T10:26:50Z

DmitriyLewen
Feb 5, 2024
Maintainer

Hello @levinebw
Thanks for your report!

We stopped using GitLab database for Java (we currently use GitHub advisories only).
I created github/advisory-database#3475 to update GitHub advisory for CVE-2020-9488.

Regards, Dmitriy

1 reply

DmitriyLewen Feb 6, 2024
Maintainer

@levinebw FYI - GHSA-vwqq-5vrc-xw9h has been updated.
Update Trivy-db to avoid false detection.

levinebw · 2024-02-06T22:44:23Z

levinebw
Feb 6, 2024
Author

Hi @DmitriyLewen , does this DB update also apply to Aqua Enterprise Platform?

2 replies

DmitriyLewen Feb 7, 2024
Maintainer

Unfortunately, I don't know about this.
@knqyf263 Do you have info about what database Aqua Enterprise uses?

knqyf263 Feb 7, 2024
Maintainer

Yes, I think so. @Moniseeta @srinivasKandukuri @tonaim

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy incorrectly reports vulnerability for non-affected version of logj4j-core CVE-2020-9488 #6061

{{title}}

Replies: 2 comments 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Trivy incorrectly reports vulnerability for non-affected version of logj4j-core CVE-2020-9488 #6061

levinebw Feb 3, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Checklist

Replies: 2 comments · 3 replies

DmitriyLewen Feb 5, 2024 Maintainer

DmitriyLewen Feb 6, 2024 Maintainer

levinebw Feb 6, 2024 Author

DmitriyLewen Feb 7, 2024 Maintainer

knqyf263 Feb 7, 2024 Maintainer

levinebw
Feb 3, 2024

Replies: 2 comments 3 replies

DmitriyLewen
Feb 5, 2024
Maintainer

DmitriyLewen Feb 6, 2024
Maintainer

levinebw
Feb 6, 2024
Author

DmitriyLewen Feb 7, 2024
Maintainer

knqyf263 Feb 7, 2024
Maintainer