kernel-headers shows up in report with trivy image scan #8132

ktzsolt · 2024-12-18T19:36:08Z

ktzsolt
Dec 18, 2024

IDs

CVE-2024-41071, CVE-2024-41090, CVE-2024-41091, CVE-2024-47701, CVE-2024-47745, CVE-2024-53122

Description

For scanning container images with trivy the kernel-headers should be excluded, they are false positive based on this #1596

Reproduction Steps

trivy image registry.access.redhat.com/ubi9/ruby-33:9.5-1734452070 --exit-code 1 --severity HIGH,CRITICAL 

2024-12-18T20:19:52+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-12-18T20:19:52+01:00       INFO    [secret] Secret scanning is enabled
2024-12-18T20:19:52+01:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-18T20:19:52+01:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-18T20:19:54+01:00       INFO    Detected OS     family="redhat" version="9.5"
2024-12-18T20:19:54+01:00       INFO    [redhat] Detecting RHEL/CentOS vulnerabilities...       os_version="9" pkg_num=432
2024-12-18T20:19:54+01:00       INFO    Number of language-specific files       num=0
2024-12-18T20:19:54+01:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.

registry.access.redhat.com/ubi9/ruby-33:9.5-1734452070 (redhat 9.5)

Total: 6 (HIGH: 6, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬──────────────┬───────────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │    Status    │   Installed Version   │ Fixed Version │                           Title                            │
├────────────────┼────────────────┼──────────┼──────────────┼───────────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ kernel-headers │ CVE-2024-41071 │ HIGH     │ affected     │ 5.14.0-503.16.1.el9_5 │               │ kernel: wifi: mac80211: Avoid address calculations via out │
│                │                │          │              │                       │               │ of bounds array indexing...                                │
│                │                │          │              │                       │               │ https://avd.aquasec.com/nvd/cve-2024-41071                 │
│                ├────────────────┤          │              │                       ├───────────────┼────────────────────────────────────────────────────────────┤
│                │ CVE-2024-41090 │          │              │                       │               │ kernel: virtio-net: tap: mlx5_core short frame denial of   │
│                │                │          │              │                       │               │ service                                                    │
│                │                │          │              │                       │               │ https://avd.aquasec.com/nvd/cve-2024-41090                 │
│                ├────────────────┤          │              │                       ├───────────────┼────────────────────────────────────────────────────────────┤
│                │ CVE-2024-41091 │          │              │                       │               │ kernel: virtio-net: tun: mlx5_core short frame denial of   │
│                │                │          │              │                       │               │ service                                                    │
│                │                │          │              │                       │               │ https://avd.aquasec.com/nvd/cve-2024-41091                 │
│                ├────────────────┤          ├──────────────┤                       ├───────────────┼────────────────────────────────────────────────────────────┤
│                │ CVE-2024-47701 │          │ will_not_fix │                       │               │ kernel: ext4: avoid OOB when system.data xattr changes     │
│                │                │          │              │                       │               │ underneath the filesystem                                  │
│                │                │          │              │                       │               │ https://avd.aquasec.com/nvd/cve-2024-47701                 │
│                ├────────────────┤          │              │                       ├───────────────┼────────────────────────────────────────────────────────────┤
│                │ CVE-2024-47745 │          │              │                       │               │ kernel: mm: call the security_mmap_file() LSM hook in      │
│                │                │          │              │                       │               │ remap_file_pages()                                         │
│                │                │          │              │                       │               │ https://avd.aquasec.com/nvd/cve-2024-47745                 │
│                ├────────────────┤          ├──────────────┤                       ├───────────────┼────────────────────────────────────────────────────────────┤
│                │ CVE-2024-53122 │          │ affected     │                       │               │ kernel: mptcp: cope racing subflow creation in             │
│                │                │          │              │                       │               │ mptcp_rcv_space_adjust                                     │
│                │                │          │              │                       │               │ https://avd.aquasec.com/nvd/cve-2024-53122                 │
└────────────────┴────────────────┴──────────┴──────────────┴───────────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

trivy image registry.access.redhat.com/ubi9/ruby-33:9.5-1734452070 --exit-code 1 --severity HIGH,CRITICAL --debug

2024-12-18T20:31:15+01:00       DEBUG   No plugins loaded
2024-12-18T20:31:15+01:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-18T20:31:15+01:00       DEBUG   Cache dir       dir="/home/kataizsolt/.cache/trivy"
2024-12-18T20:31:15+01:00       DEBUG   Cache dir       dir="/home/kataizsolt/.cache/trivy"
2024-12-18T20:31:15+01:00       DEBUG   Parsed severities       severities=[HIGH CRITICAL]
2024-12-18T20:31:15+01:00       DEBUG   Ignore statuses statuses=[]
2024-12-18T20:31:15+01:00       DEBUG   DB update was skipped because the local DB is the latest
2024-12-18T20:31:15+01:00       DEBUG   DB info schema=2 updated_at=2024-12-18T06:16:34.626564473Z next_update=2024-12-19T06:16:34.626564122Z downloaded_at=2024-12-18T09:48:03.479730289Z
2024-12-18T20:31:15+01:00       DEBUG   [pkg] Package types     types=[os library]
2024-12-18T20:31:15+01:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2024-12-18T20:31:15+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-12-18T20:31:15+01:00       INFO    [secret] Secret scanning is enabled
2024-12-18T20:31:15+01:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-18T20:31:15+01:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-18T20:31:15+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-12-18T20:31:15+01:00       DEBUG   Initializing scan cache...      type="fs"
2024-12-18T20:31:17+01:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-12-18T20:31:17+01:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-12-18T20:31:17+01:00       DEBUG   [image] Detected image ID       image_id="sha256:964d340b8b41093f549251e5b94212e4f28bf50701e7ecf3c9187e030245e94d"
2024-12-18T20:31:17+01:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:58d758855680df4d674d1628687710f51041e72bc4511410ef589f7aa5261dfe sha256:70d9d020a5ef2d96e10b71029b645c46af2dd106a926faa7f902b2f9c1fc66af sha256:727cfdfb277f69d8aa711cf7a94a36393b9c75ac7fbc85dc22fbe4b819063f0e sha256:7602babbece395773107d79b18ce97f4e2bfb45d8f1fc8c77c18ad5561a2120d]
2024-12-18T20:31:17+01:00       DEBUG   [image] Detected base layers    diff_ids=[]
2024-12-18T20:31:17+01:00       INFO    Detected OS     family="redhat" version="9.5"
2024-12-18T20:31:17+01:00       INFO    [redhat] Detecting RHEL/CentOS vulnerabilities...       os_version="9" pkg_num=432
2024-12-18T20:31:17+01:00       INFO    Number of language-specific files       num=0
2024-12-18T20:31:17+01:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.
2024-12-18T20:31:17+01:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2024-12-18T20:31:17+01:00       DEBUG   [vex] VEX filtering is disabled

registry.access.redhat.com/ubi9/ruby-33:9.5-1734452070 (redhat 9.5)

Total: 6 (HIGH: 6, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬──────────────┬───────────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │    Status    │   Installed Version   │ Fixed Version │                           Title                            │
├────────────────┼────────────────┼──────────┼──────────────┼───────────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ kernel-headers │ CVE-2024-41071 │ HIGH     │ affected     │ 5.14.0-503.16.1.el9_5 │               │ kernel: wifi: mac80211: Avoid address calculations via out │
│                │                │          │              │                       │               │ of bounds array indexing...                                │
│                │                │          │              │                       │               │ https://avd.aquasec.com/nvd/cve-2024-41071                 │
│                ├────────────────┤          │              │                       ├───────────────┼────────────────────────────────────────────────────────────┤
│                │ CVE-2024-41090 │          │              │                       │               │ kernel: virtio-net: tap: mlx5_core short frame denial of   │
│                │                │          │              │                       │               │ service                                                    │
│                │                │          │              │                       │               │ https://avd.aquasec.com/nvd/cve-2024-41090                 │
│                ├────────────────┤          │              │                       ├───────────────┼────────────────────────────────────────────────────────────┤
│                │ CVE-2024-41091 │          │              │                       │               │ kernel: virtio-net: tun: mlx5_core short frame denial of   │
│                │                │          │              │                       │               │ service                                                    │
│                │                │          │              │                       │               │ https://avd.aquasec.com/nvd/cve-2024-41091                 │
│                ├────────────────┤          ├──────────────┤                       ├───────────────┼────────────────────────────────────────────────────────────┤
│                │ CVE-2024-47701 │          │ will_not_fix │                       │               │ kernel: ext4: avoid OOB when system.data xattr changes     │
│                │                │          │              │                       │               │ underneath the filesystem                                  │
│                │                │          │              │                       │               │ https://avd.aquasec.com/nvd/cve-2024-47701                 │
│                ├────────────────┤          │              │                       ├───────────────┼────────────────────────────────────────────────────────────┤
│                │ CVE-2024-47745 │          │              │                       │               │ kernel: mm: call the security_mmap_file() LSM hook in      │
│                │                │          │              │                       │               │ remap_file_pages()                                         │
│                │                │          │              │                       │               │ https://avd.aquasec.com/nvd/cve-2024-47745                 │
│                ├────────────────┤          ├──────────────┤                       ├───────────────┼────────────────────────────────────────────────────────────┤
│                │ CVE-2024-53122 │          │ affected     │                       │               │ kernel: mptcp: cope racing subflow creation in             │
│                │                │          │              │                       │               │ mptcp_rcv_space_adjust                                     │
│                │                │          │              │                       │               │ https://avd.aquasec.com/nvd/cve-2024-53122                 │
└────────────────┴────────────────┴──────────┴──────────────┴───────────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Version

trivy --version

Version: 0.58.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-12-18 06:16:34.626564473 +0000 UTC
  NextUpdate: 2024-12-19 06:16:34.626564122 +0000 UTC
  DownloadedAt: 2024-12-18 09:48:03.479730289 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-12-18 02:53:19.193069252 +0000 UTC
  NextUpdate: 2024-12-21 02:53:19.193069092 +0000 UTC
  DownloadedAt: 2024-12-18 09:49:16.674613285 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-10-21 10:11:49.681072627 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

DmitriyLewen · 2024-12-20T08:06:21Z

DmitriyLewen
Dec 20, 2024
Maintainer

@knqyf263 You have more experience - what do you think about this case?
OVAL/VEX databases contain advisories for kernel-headers.
But the CVE page doesn't have information about kernel-headers (e.g. https://access.redhat.com/security/cve/CVE-2024-41090).

Should we skip them because it can be noisy?
Or should users filter these vulnerabilities themselves?

1 reply

knqyf263 Dec 23, 2024
Maintainer

We discussed it many times and never concluded.
#6562

If someone familiar with Linux can assure us that Linux-headers is only a header and, therefore, not 100% affected by any vulnerabilities, we can ignore it.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

kernel-headers shows up in report with trivy image scan #8132

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

kernel-headers shows up in report with trivy image scan #8132

ktzsolt Dec 18, 2024

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 1 comment · 1 reply

DmitriyLewen Dec 20, 2024 Maintainer

knqyf263 Dec 23, 2024 Maintainer

ktzsolt
Dec 18, 2024

Replies: 1 comment 1 reply

DmitriyLewen
Dec 20, 2024
Maintainer

knqyf263 Dec 23, 2024
Maintainer