Wrong xz-libs 5.4.6 version showing as vulnerable

[fhielpos]

IDs

CVE-2024-3094

Description

The xz-libs version 5.4.6 should not be vulnerable to the CVE-2024-3094. The vulnerable versions are 5.6.0 and 5.6.1.

Here Trivy shows the following library as vulnerable:

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ xz-libs             │ CVE-2024-3094  │ CRITICAL │        │ 5.4.6-r0          │ 5.6.1-r2      │ xz: malicious code in distributed source                     │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3094                    │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Here is the json for the CVE:

        {
          "VulnerabilityID": "CVE-2024-3094",
          "PkgID": "[email protected]",
          "PkgName": "xz-libs",
          "PkgIdentifier": {
            "PURL": "pkg:apk/alpine/[email protected]?arch=x86_64\u0026distro=3.19.0"
          },
          "InstalledVersion": "5.4.6-r0",
          "FixedVersion": "5.6.1-r2",
          "Status": "fixed",
          "Layer": {
            "Digest": "sha256:995df079f4e4403e9c5654042334d4c4b70926701c754e1f18f4a1e21bf44206",
            "DiffID": "sha256:04c6fd2803baee333d2e628bee819904d804e8ffa1b28397d6dc77ec2311c2d6"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-3094",
          "DataSource": {
            "ID": "alpine",
            "Name": "Alpine Secdb",
            "URL": "https://secdb.alpinelinux.org/"
          },
          "Title": "xz: malicious code in distributed source",
          "Description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.",
          "Severity": "CRITICAL",
          "CweIDs": [
            "CWE-506"
          ],
          "VendorSeverity": {
            "nvd": 4,
            "redhat": 4
          },
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "V3Score": 10
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "V3Score": 10
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2024-3094",
            "https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/",
            "https://aws.amazon.com/security/security-bulletins/AWS-2024-002/",
            "https://boehs.org/node/everything-i-know-about-the-xz-backdoor",
            "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024",
            "https://bugs.gentoo.org/928134",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2272210",
            "https://bugzilla.suse.com/show_bug.cgi?id=1222124",
            "https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405",
            "https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27",
            "https://github.com/advisories/GHSA-rxwq-x6h5-x525",
            "https://github.com/amlweems/xzbot",
            "https://github.com/karcherm/xz-malware",
            "https://gynvael.coldwind.pl/?lang=en\u0026id=782",
            "https://lists.debian.org/debian-security-announce/2024/msg00057.html",
            "https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html",
            "https://lwn.net/Articles/967180/",
            "https://news.ycombinator.com/item?id=39865810",
            "https://news.ycombinator.com/item?id=39877267",
            "https://news.ycombinator.com/item?id=39895344",
            "https://nvd.nist.gov/vuln/detail/CVE-2024-3094",
            "https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/",
            "https://security-tracker.debian.org/tracker/CVE-2024-3094",
            "https://security.alpinelinux.org/vuln/CVE-2024-3094",
            "https://security.archlinux.org/CVE-2024-3094",
            "https://tukaani.org/xz-backdoor/",
            "https://twitter.com/LetsDefendIO/status/1774804387417751958",
            "https://twitter.com/debian/status/1774219194638409898",
            "https://twitter.com/infosecb/status/1774595540233167206",
            "https://twitter.com/infosecb/status/1774597228864139400",
            "https://ubuntu.com/security/CVE-2024-3094",
            "https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094",
            "https://www.cve.org/CVERecord?id=CVE-2024-3094",
            "https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils",
            "https://www.openwall.com/lists/oss-security/2024/03/29/4",
            "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users",
            "https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils",
            "https://www.theregister.com/2024/03/29/malicious_backdoor_xz/",
            "https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094",
            "https://xeiaso.net/notes/2024/xz-vuln/"
          ],
          "PublishedDate": "2024-03-29T17:15:21.15Z",
          "LastModifiedDate": "2024-04-01T18:15:08.13Z"
        }

Reproduction Steps

1. Scan any image with xz 5.4.6-rc0

Target

Container Image

Scanner

Vulnerability

Target OS

alpine 3.19

Debug Output

2024-04-02T11:50:34.459-0300	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-02T11:50:34.460-0300	DEBUG	Ignore statuses	{"statuses": null}
2024-04-02T11:50:34.473-0300	DEBUG	cache dir:  /Users/franco/Library/Caches/trivy
2024-04-02T11:50:34.474-0300	DEBUG	DB update was skipped because the local DB is the latest
2024-04-02T11:50:34.474-0300	DEBUG	DB Schema: 2, UpdatedAt: 2024-04-02 12:13:13.846333543 +0000 UTC, NextUpdate: 2024-04-02 18:13:13.846332622 +0000 UTC, DownloadedAt: 2024-04-02 13:29:07.942354 +0000 UTC
2024-04-02T11:50:34.475-0300	INFO	Vulnerability scanning is enabled
2024-04-02T11:50:34.475-0300	DEBUG	Vulnerability type:  [os library]
2024-04-02T11:50:34.475-0300	INFO	Secret scanning is enabled
2024-04-02T11:50:34.475-0300	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-02T11:50:34.475-0300	INFO	Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-04-02T11:50:34.475-0300	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-02T11:50:37.166-0300	DEBUG	No secret config detected: trivy-secret.yaml
2024-04-02T11:50:37.168-0300	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-04-02T11:50:37.171-0300	DEBUG	No secret config detected: trivy-secret.yaml
2024-04-02T11:50:37.794-0300	DEBUG	Image ID: sha256:81744d0a7f2497a4d7843348f1d43f7147ed5443e08cde04d2059ce1e2abde86
2024-04-02T11:50:37.794-0300	DEBUG	Diff IDs: [sha256:5af4f8f59b764c64c6def53f52ada809fe38d528441d08d01c206dfb3fc3b691 sha256:04c6fd2803baee333d2e628bee819904d804e8ffa1b28397d6dc77ec2311c2d6 sha256:8e070b720ca038838764c9d6113ed1015e1a73babe2a1e7b1b73ffd23fcfb49d sha256:570ed891c8f22e9268b1a77ac15b16e7a7e602afadf2fb8077562a63786c0b0d sha256:dce121370fdde79bfa83e54e61695f765b13518e07c9c1389a09000e870ebcfa sha256:2ab995cb9221d1748d95962bd3c6d37edf7f882155183f3581b4f2a5bba5e6f1 sha256:4a5a387884f87833ae30453bc44073dac1d6abdb17be84ae181100f87944bb8f sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:55ecc19964fabb0a9c5ed6d313cd86da8a7545f07d104afe8992e6ade62aed6a sha256:18283020e5646a942e5c52fd81a9368a411c5d75679bb7cd5371d61df05350df sha256:8fb86ce8c42d13cbe2ac989e604d7d07143117553fb72387678c974bee61cc3a sha256:1983617d2115935a5d0c9625298791745a1d35531d3eb589c367b38bdc76411a sha256:cd4c28687179ad8eed38c79044f7a6337c40c771c3cdbf202562a9974b7005de sha256:0ea8355dd359f14953dfda109ae9522115ffd24614d96eeea89fd516661e8c2d sha256:196e0cb88eb9e3d2c884a197b4ab638d5280e57250f9738381276a825245f3b4]
2024-04-02T11:50:37.794-0300	DEBUG	Base Layers: [sha256:5af4f8f59b764c64c6def53f52ada809fe38d528441d08d01c206dfb3fc3b691]
2024-04-02T11:50:37.839-0300	INFO	Detected OS: alpine
2024-04-02T11:50:37.840-0300	INFO	Detecting Alpine vulnerabilities...
2024-04-02T11:50:37.840-0300	DEBUG	alpine: os version: 3.19
2024-04-02T11:50:37.840-0300	DEBUG	alpine: package repository: edge
2024-04-02T11:50:37.840-0300	DEBUG	alpine: the number of packages: 273
2024-04-02T11:50:37.860-0300	INFO	Number of language-specific files: 5
2024-04-02T11:50:37.860-0300	INFO	Detecting gobinary vulnerabilities...
2024-04-02T11:50:37.860-0300	DEBUG	Detecting library vulnerabilities, type: gobinary, path: usr/local/bin/grpcurl
2024-04-02T11:50:37.862-0300	DEBUG	Detecting library vulnerabilities, type: gobinary, path: usr/local/bin/fortio
2024-04-02T11:50:37.862-0300	DEBUG	Detecting library vulnerabilities, type: gobinary, path: usr/local/bin/ctop
2024-04-02T11:50:37.864-0300	DEBUG	Detecting library vulnerabilities, type: gobinary, path: usr/local/bin/calicoctl
2024-04-02T11:50:37.866-0300	DEBUG	Detecting library vulnerabilities, type: gobinary, path: usr/local/bin/termshark

Version

❯ trivy --version
Version: 0.50.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-02 12:13:13.846333543 +0000 UTC
  NextUpdate: 2024-04-02 18:13:13.846332622 +0000 UTC
  DownloadedAt: 2024-04-02 13:29:07.942354 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

Alpine advisories define fixed versions only as below.
https://secdb.alpinelinux.org/edge/

- pkg:
    name: xz
    secfixes:
      5.2.5-r1:
      - CVE-2022-1271
      5.6.1-r2:
      - CVE-2024-3094

This means that older versions rather than fixed version are considered vulnerable. Trivy relies on public advisories. We cannot handle this kind of case.

[fhielpos]

So anything not 5.6.1-r2 would show as vulnerable? That doesn't seem right.

[knqyf263]

Unfortunately, yes, but it happens only for edge. Your image installs packages from the edge repository, while the OS version is 3.19. Mixing versions is not a recommended usage. In this case, Trivy uses security advisories for edge as the packages actually come from edge. If you switch the repository to 3.19, the vulnerability will not be detected.

2024-04-02T11:50:37.840-0300	DEBUG	alpine: os version: 3.19
2024-04-02T11:50:37.840-0300	DEBUG	alpine: package repository: edge

[fhielpos]

Alright, that works for me. Thanks for the information, this can be closed in that case.

[prshoper]

#6442
I reported it yesterday :)