Solr/Zookeeper CVE not recognized - why?

[3XC1T3D]

Question

Hi,

we are wondering why following Apache SOLR CVE where not recognized:

• NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2024-45217
  Apache SOLR Statement: https://solr.apache.org/security.html#cve-2024-45217-apache-solr-configsets-created-during-a-backup-restore-command-are-trusted-implicitly

• NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2024-51504
  Zookeeper Statement: https://zookeeper.apache.org/security.html#CVE-2024-51504

Is there a possibility to configure trivy, that such cve where also recognized?

We use the trivy Docker Image.

Best Regards

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Operating System

AlmaLinux 9

Version

trivy version
Version: 0.57.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-19 06:13:02.20916498 +0000 UTC
  NextUpdate: 2024-11-20 06:13:02.2091647 +0000 UTC
  DownloadedAt: 2024-11-19 09:07:51.10523027 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-11-19 02:51:20.64737438 +0000 UTC
  NextUpdate: 2024-11-22 02:51:20.647374259 +0000 UTC
  DownloadedAt: 2024-11-19 09:08:17.049589191 +0000 UTC

[DmitriyLewen]

Hello @3XC1T3D

CVE-2024-45217 should be detected.
Can you share example of your case?

We use GitHub advisory database for java advisories.
But GH doesn't have package/fixed version for CVE-2024-51504.
That is why Trivy doesn't detect this CVE.

[3XC1T3D]

Hey @DmitriyLewen ,

because of the CVE-2024-45217 just run following command: trivy image solr:8.11.3 -f json -o results.json and you will not find any entry about it.

due to the CVE-2024-51504 before we check our Images, we build our own trivy image like this:

FROM aquasec/trivy:latest

ENV TRIVY_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
ENV TRIVY_JAVA_DB_REPOSITORY=ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db

# update baseimage
RUN apk update \
 && apk upgrade \
 && apk add --upgrade bash \
 && apk add curl \
 && rm -rf /var/cache/apk/*

# Fill Trivy caches
RUN trivy image --download-db-only
RUN trivy image --download-java-db-only


COPY certificates/ca.crt /usr/local/share/ca-certificates/ca-certificates.crt
RUN update-ca-certificates

# overwrite entrypoint to be compatible with pipeline
ENTRYPOINT [""]

maybe there is the issue?

[DmitriyLewen]

due to the GHSA-g93m-8x6h-g5gv before we check our Images, we build our own trivy image like this:

No, problem is related with trivy-db.
As i wrote before - for trivy-db we take java advisories from GitHub Advisory database - https://trivy.dev/v0.57/docs/scanner/vulnerability/#data-sources_1

GitHub DB doesn't have package for this CVE:

Without this field we can't match packages with this CVE.

trivy image solr:8.11.3 -f json -o results.json and you will not find any entry about it.

I checked this and a bit confusing:

1. Trivy correctly detect solr-* packages:

   ➜ trivy -q image solr:8.11.3 -f json --list-all-pkgs | grep ' "Name": "org.apache.solr:'
          "Name": "org.apache.solr:solr-analysis-extras",
          "Name": "org.apache.solr:solr-analytics",
          "Name": "org.apache.solr:solr-cell",
          "Name": "org.apache.solr:solr-core",
          "Name": "org.apache.solr:solr-core",
          "Name": "org.apache.solr:solr-dataimporthandler",
          "Name": "org.apache.solr:solr-dataimporthandler-extras",
          "Name": "org.apache.solr:solr-gcs-repository",
          "Name": "org.apache.solr:solr-jaegertracer-configurator",
          "Name": "org.apache.solr:solr-langid",
          "Name": "org.apache.solr:solr-ltr",
          "Name": "org.apache.solr:solr-prometheus-exporter",
          "Name": "org.apache.solr:solr-s3-repository",
          "Name": "org.apache.solr:solr-solrj",
          "Name": "org.apache.solr:solr-solrj",
          "Name": "org.apache.solr:solr-test-framework",
          "Name": "org.apache.solr:solr-velocity",

   But solr:8.11.3 doesn't have jar file for solr package (e.g. solr-8.11.3.jar):

   solr@4797102414e1:/opt/solr-8.11.3$ find / -name "solr*.*ar"
    find: ‘/etc/ssl/private’: Permission denied
    find: ‘/proc/tty/driver’: Permission denied
    /opt/solr-8.11.3/server/solr-webapp/webapp/WEB-INF/lib/solr-solrj-8.11.3.jar
    /opt/solr-8.11.3/server/solr-webapp/webapp/WEB-INF/lib/solr-core-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-solrj-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-gcs-repository-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-dataimporthandler-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-velocity-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-analysis-extras-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-langid-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-jaegertracer-configurator-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-prometheus-exporter-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-core-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-cell-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-dataimporthandler-extras-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-test-framework-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-ltr-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-analytics-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-s3-repository-8.11.3.jar
    find: ‘/root’: Permission denied
    find: ‘/var/cache/ldconfig’: Permission denied
    find: ‘/var/cache/apt/archives/partial’: Permission denied

2. I thought that perhaps solr uses another file name, but last version for solr in maven central is 4.10.4 - https://mvnrepository.com/artifact/org.apache.solr/solr

[3XC1T3D]

No, problem is related with trivy-db. As i wrote before - for trivy-db we take java advisories from GitHub Advisory database - https://trivy.dev/v0.57/docs/scanner/vulnerability/#data-sources_1

GitHub DB doesn't have package for this CVE:

Without this field we can't match packages with this CVE.

How you configure the GitHub Advisory database for the java advisories? or are these the default settings?

trivy image solr:8.11.3 -f json -o results.json and you will not find any entry about it.

I checked this and a bit confusing:

1. Trivy correctly detect solr-* packages:

   ➜ trivy -q image solr:8.11.3 -f json --list-all-pkgs | grep ' "Name": "org.apache.solr:'
          "Name": "org.apache.solr:solr-analysis-extras",
          "Name": "org.apache.solr:solr-analytics",
          "Name": "org.apache.solr:solr-cell",
          "Name": "org.apache.solr:solr-core",
          "Name": "org.apache.solr:solr-core",
          "Name": "org.apache.solr:solr-dataimporthandler",
          "Name": "org.apache.solr:solr-dataimporthandler-extras",
          "Name": "org.apache.solr:solr-gcs-repository",
          "Name": "org.apache.solr:solr-jaegertracer-configurator",
          "Name": "org.apache.solr:solr-langid",
          "Name": "org.apache.solr:solr-ltr",
          "Name": "org.apache.solr:solr-prometheus-exporter",
          "Name": "org.apache.solr:solr-s3-repository",
          "Name": "org.apache.solr:solr-solrj",
          "Name": "org.apache.solr:solr-solrj",
          "Name": "org.apache.solr:solr-test-framework",
          "Name": "org.apache.solr:solr-velocity",

   But solr:8.11.3 doesn't have jar file for solr package (e.g. solr-8.11.3.jar):

   solr@4797102414e1:/opt/solr-8.11.3$ find / -name "solr*.*ar"
    find: ‘/etc/ssl/private’: Permission denied
    find: ‘/proc/tty/driver’: Permission denied
    /opt/solr-8.11.3/server/solr-webapp/webapp/WEB-INF/lib/solr-solrj-8.11.3.jar
    /opt/solr-8.11.3/server/solr-webapp/webapp/WEB-INF/lib/solr-core-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-solrj-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-gcs-repository-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-dataimporthandler-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-velocity-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-analysis-extras-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-langid-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-jaegertracer-configurator-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-prometheus-exporter-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-core-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-cell-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-dataimporthandler-extras-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-test-framework-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-ltr-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-analytics-8.11.3.jar
    /opt/solr-8.11.3/dist/solr-s3-repository-8.11.3.jar
    find: ‘/root’: Permission denied
    find: ‘/var/cache/ldconfig’: Permission denied
    find: ‘/var/cache/apt/archives/partial’: Permission denied

2. I thought that perhaps solr uses another file name, but last version for solr in maven central is 4.10.4 - https://mvnrepository.com/artifact/org.apache.solr/solr

the central solr file is named solr-core-8.11.3.jar 🙈 - https://mvnrepository.com/artifact/org.apache.solr/solr-core

[DmitriyLewen]

How you configure the GitHub Advisory database for the java advisories? or are these the default settings?

GitHub uses OSV format. So we just read advisories from https://github.com/github/advisory-database and store into trivy-db (https://github.com/aquasecurity/trivy-db/blob/main/pkg/vulnsrc/ghsa/ghsa.go)

the central solr file is named solr-core-8.11.3.jar 🙈 - https://mvnrepository.com/artifact/org.apache.solr/solr-core

hm... there is no information in the documents related to CVE-2024-45217 that the solr-core package is affected.
If you can confirm that solr-core is vulnerable - can you suggest changing package name in GitHub? (https://github.com/advisories/GHSA-h7w9-c5vx-x7j3/improve)

BTW maven central also doesn't mark 8.11.3 as vulnerable: