
CVE-2024-53104 (Redhat 9.4) #2446

Open
pkeecom opened this issue Feb 13, 2025 · 9 comments · May be fixed by anchore/vunnel#796 or #2540
Assignees
Labels
bug Something isn't working

Comments


pkeecom commented Feb 13, 2025

What happened: Red Hat has issued a new kernel, 5.14.0-427.50.2.el9_4, which fixes the CVE.

What you expected to happen: Grype should not report the issue as High on the fixed kernel.

How to reproduce it (as minimally and precisely as possible): Install kernel [kernel-headers-5.14.0-427.50.2.el9_4.x86_64.rpm]

Anything else we need to know?:

```
kernel                      5.14.0-427.50.2.el9_4  0:5.14.0-503.23.2.el9_5  rpm     CVE-2024-53104       High
kernel-core                 5.14.0-427.50.2.el9_4  0:5.14.0-503.23.2.el9_5  rpm     CVE-2024-53104       High
kernel-modules              5.14.0-427.50.2.el9_4  0:5.14.0-503.23.2.el9_5  rpm     CVE-2024-53104       High
kernel-modules-core         5.14.0-427.50.2.el9_4  0:5.14.0-503.23.2.el9_5  rpm     CVE-2024-53104       High
kernel-tools                5.14.0-427.50.2.el9_4  0:5.14.0-503.23.2.el9_5  rpm     CVE-2024-53104       High
kernel-tools-libs           5.14.0-427.50.2.el9_4  0:5.14.0-503.23.2.el9_5  rpm     CVE-2024-53104       High
kernel-uki-virt             5.14.0-427.50.2.el9_4  0:5.14.0-503.23.2.el9_5  rpm     CVE-2024-53104       High
python3-perf                5.14.0-427.50.2.el9_4  0:5.14.0-503.23.2.el9_5  rpm     CVE-2024-53104       High
High or Critical vulnerabilities exist in grype report!
```

Environment:

  • Output of grype version: Latest Available
  • OS (e.g: cat /etc/os-release or similar): RHEL 9.4
@pkeecom pkeecom added the bug Something isn't working label Feb 13, 2025

pkeecom commented Feb 13, 2025

The package was delivered via Red Hat Extended Update Support (EUS).

@willmurphyscode (Contributor)

Hi @pkeecom thanks for the issue! I'll do some digging and get back to you.

The fixed version showing in grype output is from https://access.redhat.com/errata/RHSA-2025:1262, which is listed as the RHEL 9 fix for the CVE at https://access.redhat.com/security/cve/cve-2024-53104, so I think the issue is that Grype is treating the image as regular RHEL 9, not as RHEL 9.4 EUS.
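As an added example (not grype's or syft's own code) of the comparison behind the rows in the report above: a reimplementation of RPM's version ordering (epoch, then version, then release, each compared with the rpmvercmp segment rules) that checks the installed kernel EVR against the fix version recorded for a given RHEL stream. The stream names, the `FIX_VERSIONS` table and `select_stream` (standing in for the config option discussed in this thread) are assumptions; the `el9_5` fix version is the one grype displayed from RHSA-2025:1262 and the `el9_4` one is the kernel the reporter states fixes the CVE. The sample package list is constructed from the report.

```python
import re

# Constructed fix table for CVE-2024-53104 keyed by stream (assumption: grype's
# database is not keyed like this; the point is that the same installed EVR
# evaluates differently depending on which stream's fix it is compared with).
FIX_VERSIONS = {
    "rhel-9":       "0:5.14.0-503.23.2.el9_5",   # shown by grype, from RHSA-2025:1262
    "rhel-9.4-eus": "0:5.14.0-427.50.2.el9_4",   # EUS kernel the reporter says fixes the CVE
}

_SIG = re.compile(r"[0-9A-Za-z~]")          # characters rpmvercmp cares about
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+")     # one numeric or one alpha segment


def _skip_separators(s, i):
    """Advance past anything that is neither alphanumeric nor '~'."""
    m = _SIG.search(s, i)
    return m.start() if m else len(s)


def rpmvercmp(a, b):
    """Order two RPM version or release strings as rpm's rpmvercmp does.
    Returns 1 if a is newer, -1 if b is newer, 0 if equal. This is a
    reimplementation of the documented rules, not rpm's own code; '~'
    (sorts before everything, even end of string) is handled, '^' is not."""
    if a == b:
        return 0
    ia, ib = 0, 0
    while True:
        ia, ib = _skip_separators(a, ia), _skip_separators(b, ib)
        a_tilde = ia < len(a) and a[ia] == "~"
        b_tilde = ib < len(b) and b[ib] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            ia, ib = ia + 1, ib + 1
            continue
        if ia >= len(a) or ib >= len(b):
            break
        ma, mb = _TOKEN.match(a, ia), _TOKEN.match(b, ib)
        sa, sb = ma.group(0), mb.group(0)
        a_num, b_num = sa[0].isdigit(), sb[0].isdigit()
        if a_num != b_num:
            return 1 if a_num else -1        # a numeric segment beats an alpha one
        ia, ib = ma.end(), mb.end()
        if a_num:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):           # longer number (no leading zeros) is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:                         # same length: plain string order decides
            return 1 if sa > sb else -1
    if ia >= len(a) and ib >= len(b):
        return 0
    return -1 if ia >= len(a) else 1         # whichever still has segments is newer


def parse_evr(evr):
    """Split 'epoch:version-release' into its three parts; missing epoch is 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a, b):
    """Compare full EVRs: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def select_stream(version_id, eus=False):
    """Hypothetical stand-in for a user-supplied EUS flag: VERSION_ID alone
    ("9.4" in the os-release shown in this thread) cannot distinguish EUS."""
    major = version_id.split(".")[0]
    return f"rhel-{version_id}-eus" if eus else f"rhel-{major}"


def is_fixed(installed_evr, stream):
    return evr_cmp(installed_evr, FIX_VERSIONS[stream]) >= 0


def assess(packages, stream):
    """packages: {name: installed EVR}. Returns (name, installed, fixed-in, status) rows."""
    fixed_in = FIX_VERSIONS[stream]
    return [(name, evr, fixed_in, "fixed" if is_fixed(evr, stream) else "vulnerable")
            for name, evr in packages.items()]


if __name__ == "__main__":
    # Constructed subset of the reporter's package list.
    installed = {p: "5.14.0-427.50.2.el9_4" for p in ("kernel", "kernel-core", "python3-perf")}
    for eus in (False, True):
        stream = select_stream("9.4", eus=eus)
        for row in assess(installed, stream):
            print(stream, *row)
```

Run without the EUS flag, every row is "vulnerable" (427 sorts before 503 in the release segment), which is exactly the report above; with the flag, the same EVRs compare equal to the EUS fix and are "fixed". Since `/etc/os-release` gives the same `VERSION_ID` either way, the flag (or the enabled repositories, as discussed later in this thread) is the only input that can change the result.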

@willmurphyscode willmurphyscode self-assigned this Mar 3, 2025
@willmurphyscode willmurphyscode moved this to Ready in OSS Mar 3, 2025
@willmurphyscode (Contributor)

Hi @pkeecom can you give us one bit of additional information about the image you are scanning? What are the contents of /etc/os-release and /etc/redhat-release?


pkeecom commented Mar 7, 2025

@willmurphyscode

```
cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.4 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.4 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://issues.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.4
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"

[root@myhost~] $ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.4 (Plow)
```


westonsteimel commented Mar 7, 2025

Yeah @willmurphyscode I'm fairly certain this is going to require querying and surfacing the enabled rpm repos in syft, it isn't going to be in the distro files. https://www.redhat.com/en/blog/how-update-red-hat-enterprise-linux-tvia-minor-releases-and-extended-update-support might help some

I thought we had a syft issue about this. I know @wagoodman and I have discussed it many times. It might be captured some in anchore/syft#2549, but I thought there was a more specific one somewhere


pkeecom commented Mar 7, 2025

@willmurphyscode @westonsteimel I don't think there's a reliable way of determining if it is under EUS or not. We mirror repos - so it may not have the word "eus" in the repo name either.

May be a setting in grype yaml or a command line option for a user to set if it is EUS or not?


pkeecom commented Mar 13, 2025

Any movement on this, @willmurphyscode? It's a bit tedious trying to add CVEs to the ignore list as more and more CVEs are being flagged with every run. Is there a workaround?

@willmurphyscode (Contributor)

Hi @pkeecom,

I'm planning to pick this up next. I like the idea of providing a config option that lets users specify that they're scanning a -eus image. We'll also need to do some data work on the backend to get EUS fix versions into grype's database.

At present, I don't believe there's a great workaround.

@willmurphyscode willmurphyscode linked a pull request Mar 18, 2025 that will close this issue
@willmurphyscode willmurphyscode moved this from Ready to In Progress in OSS Mar 18, 2025

pkeecom commented Mar 20, 2025

Thanks @willmurphyscode . Looking forward to the fix.
