Could not load the CVE OVAL for BIONIC


Srikar Naramsetty

Apr 10, 2020, 3:49:17 AM
to Wazuh mailing list
Hi,
I am using Wazuh 3.11.1. I had a problem with a Wazuh daemon (wazuh-modulesd): it was not running. I tried to restart the wazuh-manager, still no luck.
I have been using Wazuh for over 4 months and suddenly, after the ossec.conf change, it started failing. I tried to revert the ossec.conf to the earlier one, but the daemon still fails.

When I go to the logs, I see this error
2020/04/10 06:31:47 wazuh-modulesd:vulnerability-detector: ERROR: (5402): Could not load the CVE OVAL for BIONIC. XMLERR: Attribute '<93>' has no value.
2020/04/10 06:31:47 wazuh-modulesd:vulnerability-detector: ERROR: (5426): CVE database could not be updated.
2020/04/10 06:31:47 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2020/04/10 06:31:49 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2020/04/10 03:39:26 wazuh-modulesd:vulnerability-detector: ERROR: (5402): Could not load the CVE OVAL for XENIAL. XMLERR: Attribute '^G^Pê<9d>æÇ^_Ô²­!jNC<8d>a <88>ÓÓ *^R;íÞ<8d><87><93>4Ã!^X'<8b><98>Z»ôà' has no value.
2020/04/10 03:39:26 wazuh-modulesd:vulnerability-detector: ERROR: (5426): CVE database could not be updated.

2020/04/10 03:39:30 wazuh-modulesd:vulnerability-detector: ERROR: (5402): Could not load the CVE OVAL for TRUSTY. XMLERR: Attribute 'H.{Ð:êw­U^]rª{^Nú®o´.¼(<91>ŸF' has no value.
2020/04/10 03:39:30 wazuh-modulesd:vulnerability-detector: ERROR: (5426): CVE database could not be updated.


So I went and disabled the vulnerability-detector for now, and now the daemon is running. Below is the part from ossec.conf:

<vulnerability-detector>
  <enabled>no</enabled>
  <interval>5m</interval>
  <ignore_time>6h</ignore_time>
  <run_on_start>yes</run_on_start>
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>precise</os>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <update_interval>1h</update_interval>
  </provider>
  <provider name="debian">
    <enabled>yes</enabled>
    <os>wheezy</os>
    <os>stretch</os>
    <os>jessie</os>
    <os>buster</os>
    <update_interval>1h</update_interval>
  </provider>
  <provider name="redhat">
    <enabled>yes</enabled>
    <update_from_year>2010</update_from_year>
    <update_interval>1h</update_interval>
  </provider>
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_from_year>2010</update_from_year>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>



Can you let me know why the daemon is failing to start when the vulnerability detector is enabled?


Jose Luis Ruiz

Apr 10, 2020, 4:35:04 AM
to Srikar Naramsetty, Wazuh mailing list

Hi Srikar

It is an issue fixed in the last release.






Miguel Casares

Apr 10, 2020, 4:57:10 AM
to Jose Luis Ruiz, Srikar Naramsetty, Wazuh mailing list
Hello Srikar,

As Jose commented, the problem may be related to a bug in the vulnerability detector: the Red Hat feed database made a change and that caused the error in our module.

To detect it you may check if the wazuh-modulesd process is running:

ps aux | grep ossec

Otherwise, you need to edit your /var/ossec/etc/ossec.conf file on the Wazuh manager side. For Wazuh versions prior to 3.11 inside your vulnerability configuration do this for the RedHat feed:

<feed name="redhat">
  <disabled>yes</disabled>
</feed>

For Wazuh versions after 3.11 inside your vulnerability configuration do this for the RedHat feed:

<provider name="redhat">
  <enabled>no</enabled>
</provider>

Then restart your Wazuh manager:

systemctl restart wazuh-manager

Please make sure the manager is properly working afterward.

We released the fix in a new version yesterday; you may check it out here: https://documentation.wazuh.com/3.12/release-notes/index.html

Apologies for the inconvenience and do not hesitate to contact us if you have further problems.

Regards,

Miguel Casares
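
The workaround in the message above, as an added example (not code from the thread or from the Wazuh project): it switches off one feed in a copy of the configuration text, handling both element forms quoted above, and lists vulnerability-detector errors logged after a given restart time. The function names and the sample input are constructed for illustration.

```python
import re
from datetime import datetime

# (element, flag, value that switches the feed off); both forms come from the thread.
SYNTAXES = [("provider", "enabled", "no"),   # Wazuh 3.11 and later
            ("feed", "disabled", "yes")]     # Wazuh before 3.11

def disable_feed(conf, name):
    """Switch off one named feed; return (new_conf, blocks_changed)."""
    changed = 0
    for tag, flag, off in SYNTAXES:
        block = re.compile(r'(<%s\s+name="%s"\s*>)(.*?)(</%s>)'
                           % (tag, re.escape(name), tag), re.S)
        wanted = "<%s>%s</%s>" % (flag, off, flag)
        def rewrite(m, flag=flag, wanted=wanted):
            nonlocal changed
            # Only the flag inside the named block is touched, never the
            # detector-wide <enabled> or any other provider.
            inner, n = re.subn(r"<%s>.*?</%s>" % (flag, flag), wanted,
                               m.group(2), count=1, flags=re.S)
            if n == 0:                       # flag absent: state it explicitly
                inner = "\n  " + wanted + inner
            changed += inner != m.group(2)
            return m.group(1) + inner + m.group(3)
        conf = block.sub(rewrite, conf)
    return conf, changed

LOG_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) wazuh-modulesd:"
                    r"vulnerability-detector: ERROR: \((\d+)\): (.*)$", re.M)

def detector_errors_since(log, restart_time):
    """Return (time, code, message) for detector errors at or after restart_time."""
    hits = [(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), int(code), msg)
            for ts, code, msg in LOG_RE.findall(log)]
    return [h for h in hits if h[0] >= restart_time]

# Constructed sample input, modelled on the configuration and log lines in the thread.
SAMPLE_CONF = """<vulnerability-detector>
  <enabled>yes</enabled>
  <provider name="canonical">
    <enabled>yes</enabled>
  </provider>
  <provider name="redhat">
    <enabled>yes</enabled>
  </provider>
</vulnerability-detector>
"""
SAMPLE_LOG = (
    "2020/04/10 06:31:47 wazuh-modulesd:vulnerability-detector: "
    "ERROR: (5426): CVE database could not be updated.\n"
    "2020/04/10 06:31:47 wazuh-modulesd:vulnerability-detector: "
    "INFO: (5452): Starting vulnerability scanning.\n")
```

Run `disable_feed` on the contents of ossec.conf before the restart, then `detector_errors_since` on ossec.log with the restart time; an empty list means the detector has logged no new errors.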

Srikar Naramsetty

Apr 10, 2020, 7:45:33 AM
to Wazuh mailing list
Thanks Miguel & Jose for the quick response.
The bug you mentioned is from RHEL, but from the logs the errors are for other OSes. Do you think they could be related?

2020/04/10 06:31:47 wazuh-modulesd:vulnerability-detector: ERROR: (5402): Could not load the CVE OVAL for BIONIC. XMLERR: Attribute '<93>' has no value.
2020/04/10 06:31:47 wazuh-modulesd:vulnerability-detector: ERROR: (5426): CVE database could not be updated.
2020/04/10 06:31:47 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2020/04/10 06:31:49 wazuh-modulesd:syscollector: INFO: Evaluation finished.


Regards,
Srikar




Miguel Casares

Apr 10, 2020, 7:53:52 AM
to Srikar Naramsetty, Wazuh mailing list
Hello Srikar,

The error seems to be only related to the RedHat module because of a NULL pointer.


Let me know if you have any questions.

Regards,

Miguel Casares
