CVE-2024-6119 not detected

[johnsenong]

Question

CVE-2024-6119
Package: openssl
Ubuntu CVE Tracker mentioned that it's Fixed for 24.04 LTS.
But somehow when I scan using Trivy, it didn't get detected.

When I use another scanning tool, it was detecting this particular CVE.
I'm not sure what is missing here when using Trivy

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Operating System

Windows

Version

Version: 0.55.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-09-17 06:11:57.440749107 +0000 UTC
  NextUpdate: 2024-09-17 12:11:57.440748977 +0000 UTC
  DownloadedAt: 2024-09-17 06:56:37.687676243 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-09-17 01:05:13.063235569 +0000 UTC
  NextUpdate: 2024-09-20 01:05:13.063235449 +0000 UTC
  DownloadedAt: 2024-09-17 06:58:26.442649623 +0000 UTC

[DmitriyLewen]

Hello @johnsenong
Thanks for your report.

Latest ubuntu:22.04 image uses 3.0.13-0ubuntu3.3 version:

➜ docker run -it --rm  ubuntu:24.04 cat /var/lib/dpkg/status | grep 'Package: libssl3t64' -A 13 
Package: libssl3t64
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 6056
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: arm64
Multi-Arch: same
Source: openssl
Version: 3.0.13-0ubuntu3.3
Replaces: libssl3
Provides: libssl3 (= 3.0.13-0ubuntu3.3)
Depends: libc6 (>= 2.38)
Breaks: libssl3 (<< 3.0.13-0ubuntu3.3)

But fixed version is 3.0.13-0ubuntu3.4:

Regards, Dmitriy

[johnsenong]

Hi @DmitriyLewen

Thank you for checking on this.

Apparently the openssl that I was referring to, looks to be not coming from the OS.
It comes from the application itself. I assume the binary is copied during the image creation.

Will Trivy be able to scan this package?

For clearer context: (Let me know if i should remove this info)
image name: gcr.io/datadoghq/agent:7.56.2
openssl location: /opt/datadog-agent/embedded/bin/openssl
3rd party image scan: Wiz

[DmitriyLewen]

Hello @johnsenong
Sorry for the confusion. I answered the question in my head 😄

Let me just say a few things:

1. about apt packages:
   This image contains installed libssl3t64 and libssl-dev packages. Source of these packages - openssl (see https://packages.debian.org/sid/libssl3t64).
   Trivy finds vulnerabilities by source package, but show package name (to make it easier for you to find and update it via apt).
   So Trivy detects CVE-2024-6119 (you can see full info using -f json --list-all-pkgs flags):

{
        "ID": "libssl-dev@3.0.13-0ubuntu3.3",
        "Name": "libssl-dev",
        "Identifier": {
          "PURL": "pkg:deb/ubuntu/libssl-dev@3.0.13-0ubuntu3.3?arch=arm64\u0026distro=ubuntu-24.04",
          "UID": "5f6d5502a0d64255"
        },
        "Version": "3.0.13",
        "Release": "0ubuntu3.3",
        "Arch": "arm64",
        "SrcName": "openssl",
        "SrcVersion": "3.0.13",
        "SrcRelease": "0ubuntu3.3",
        "Maintainer": "Ubuntu Developers \u003cubuntu-devel-discuss@lists.ubuntu.com\u003e",
 },
 {
        "ID": "libssl3t64@3.0.13-0ubuntu3.3",
        "Name": "libssl3t64",
        "Identifier": {
          "PURL": "pkg:deb/ubuntu/libssl3t64@3.0.13-0ubuntu3.3?arch=arm64\u0026distro=ubuntu-24.04",
          "UID": "d82f2d1c431b7949"
        },
        "Version": "3.0.13",
        "Release": "0ubuntu3.3",
        "Arch": "arm64",
        "SrcName": "openssl",
        "SrcVersion": "3.0.13",
        "SrcRelease": "0ubuntu3.3",
        "Licenses": [
          "Apache-2.0",
          "Artistic",
          "GPL-1.0"
        ],
        "Maintainer": "Ubuntu Developers \u003cubuntu-devel-discuss@lists.ubuntu.com\u003e",
 },

 {
        "VulnerabilityID": "CVE-2024-6119",
        "PkgID": "libssl-dev@3.0.13-0ubuntu3.3",
        "PkgName": "libssl-dev",
        "PkgIdentifier": {
          "PURL": "pkg:deb/ubuntu/libssl-dev@3.0.13-0ubuntu3.3?arch=arm64\u0026distro=ubuntu-24.04",
          "UID": "5f6d5502a0d64255"
        },
 },
 {
        "VulnerabilityID": "CVE-2024-6119",
        "PkgID": "libssl3t64@3.0.13-0ubuntu3.3",
        "PkgName": "libssl3t64",
        "PkgIdentifier": {
          "PURL": "pkg:deb/ubuntu/libssl3t64@3.0.13-0ubuntu3.3?arch=arm64\u0026distro=ubuntu-24.04",
          "UID": "d82f2d1c431b7949"
        },
  }  

2. about /opt/datadog-agent/embedded/bin/openssl binary:
   Trivy supports only Go and Rust binaries - https://aquasecurity.github.io/trivy/v0.55/docs/coverage/language/#supported-languages

[johnsenong]

Thanks @DmitriyLewen

Yes, I can see both libssl3t64 and libssl-dev are detected by Trivy.
What curious me is the file on path /opt/datadog-agent/embedded/bin/openssl in datadog container that is not detected by Trivy.

I have no visibility on how this binary get added,
I can only assume it's from the packages/libraries used by Datadog.

One last question from me (please bear with me :p):
Trivy support only Go and Rust binaries. How about the packages/libraries used by this languages? Will it also be scanned by Trivy?

[DmitriyLewen]

A list of all supported language files can be found here - https://aquasecurity.github.io/trivy/v0.55/docs/coverage/language/#supported-languages

Trivy support only Go and Rust binaries. How about the packages/libraries used by this languages?

The nuances for languages ​​are described on the coverage page:

• https://aquasecurity.github.io/trivy/v0.55/docs/coverage/language/golang/
• https://aquasecurity.github.io/trivy/v0.55/docs/coverage/language/rust/

[johnsenong]

Thanks, @DmitriyLewen

I'll dig further into Datadog to understand the openssl. I'll mark your comment as answer for this discussion
Thanks again