vulnerability-detector: NVD feed update stuck at "inserting NVD vulnerabilities"


Soren

Apr 22, 2021, 9:11:19 AM
to Wazuh mailing list
Hi team,

Since yesterday, my Wazuh Manager instance gets stuck at "Inserting NVD vulnerabilities section" while performing a vulnerability-detector provider update:

2021/04/22 14:00:17 wazuh-modulesd[5213] url.c:346 at wurl_request_uncompress_bz2_gz(): DEBUG: File from URL 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.json.gz' was successfully uncompressed into 'tmp/vuln-temp-fitted'
2021/04/22 14:00:18 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector.c:3722 at wm_vuldet_index_feed(): DEBUG: (5414): Refreshing 'National Vulnerability Database' databases.
2021/04/22 14:00:18 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector.c:2467 at wm_vuldet_insert(): DEBUG: (5415): Inserting vulnerabilities.
2021/04/22 14:00:18 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector.c:2502 at wm_vuldet_insert(): DEBUG: (5419): Inserting NVD vulnerabilities section.

It appears that the CVE database isn't being modified during this:
[root@host]# stat -c %y /var/ossec/queue/vulnerabilities/cve.db
2021-04-22 13:52:46.970668760 +0200


13:52:46 correlates with the previously running Debian Stretch provider update that completed without any issues:
2021/04/22 13:52:46 wazuh-modulesd:vulnerability-detector[4373] wm_vuln_detector.c:2756 at wm_vuldet_insert(): DEBUG: (5426): Inserting 'Debian Stretch' vulnerabilities information.

I have (unsuccessfully) attempted the following to fix this:
Wazuh manager: Version 4.1.4 x86_64
OS: RHEL 7.9 Maipo

ossec.conf excerpt:

    <vulnerability-detector>
      <enabled>yes</enabled>
      <interval>15m</interval>
      <ignore_time>6h</ignore_time>
      <run_on_start>yes</run_on_start>
      <provider name="debian">
        <enabled>yes</enabled>
        <os>stretch</os>
        <update_interval>1h</update_interval>
      </provider>
      <provider name="nvd">
        <enabled>yes</enabled>
        <update_from_year>2021</update_from_year>
        <update_interval>1h</update_interval>
      </provider>
      <provider name="msu">
        <enabled>yes</enabled>
        <update_interval>1h</update_interval>
      </provider>
    </vulnerability-detector>

Please let me know if I can provide any additional info.

Best regards
Soren

Soren

Apr 22, 2021, 9:17:47 AM
to Wazuh mailing list
More log context:
2021/04/22 14:00:15 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector.c:4017 at wm_vuldet_check_feed(): INFO: (5400): Starting 'National Vulnerability Database' database update.
2021/04/22 14:00:15 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector.c:2197 at wm_vuldet_update_feed(): DEBUG: (5401): Synchronizing the year '2021' of the vulnerability database.
2021/04/22 14:00:15 wazuh-modulesd:download[5213] wm_download.c:226 at wm_download_dispatch(): DEBUG: Downloading 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.meta' to '/var/ossec/tmp/vuln-temp'
2021/04/22 14:00:16 wazuh-modulesd:download[5213] wm_download.c:246 at wm_download_dispatch(): DEBUG: Download of 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.meta' finished.
2021/04/22 14:00:16 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector_nvd.c:924 at wm_vuldet_fetch_nvd_cve(): DEBUG: (5407): The feed 'National Vulnerability Database (2021)' is outdated. Fetching the last version.
2021/04/22 14:00:16 wazuh-modulesd:download[5213] wm_download.c:226 at wm_download_dispatch(): DEBUG: Downloading 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.json.gz' to '/var/ossec/tmp/req-540555080'
2021/04/22 14:00:17 wazuh-modulesd:download[5213] wm_download.c:246 at wm_download_dispatch(): DEBUG: Download of 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.json.gz' finished.
2021/04/22 14:00:17 wazuh-modulesd[5213] url.c:346 at wurl_request_uncompress_bz2_gz(): DEBUG: File from URL 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.json.gz' was successfully uncompressed into 'tmp/vuln-temp-fitted'
2021/04/22 14:00:18 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector.c:3722 at wm_vuldet_index_feed(): DEBUG: (5414): Refreshing 'National Vulnerability Database' databases.
2021/04/22 14:00:18 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector.c:2467 at wm_vuldet_insert(): DEBUG: (5415): Inserting vulnerabilities.
2021/04/22 14:00:18 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector.c:2502 at wm_vuldet_insert(): DEBUG: (5419): Inserting NVD vulnerabilities section.
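
Added example, not part of the original posts and not Wazuh code: a small check that flags the symptom shown in the logs above, a wazuh-modulesd PID whose newest log line is message 5419 with nothing after it. The `find_stalled` helper, the 10-minute grace period and the "current time" are assumptions; the sample lines are copied from this thread and must be in chronological order.

```python
import re
from datetime import datetime, timedelta

# One ossec.log line: timestamp, wazuh-modulesd[:module][pid], source location,
# level, then an optional "(code):" in front of the message text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"wazuh-modulesd(?::[\w-]+)?\[(?P<pid>\d+)\] .*?"
    r"[A-Z]+: (?:\((?P<code>\d+)\): )?"
)
STALL_CODE = "5419"  # "Inserting NVD vulnerabilities section." in the thread's logs


def find_stalled(lines, now, grace=timedelta(minutes=10)):
    """Return {pid: timestamp} for each wazuh-modulesd PID whose newest log
    line is message 5419 and is older than `grace` relative to `now`."""
    last = {}  # pid -> (timestamp, code) of the newest line seen for that PID
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons or lines in another format
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        last[int(m["pid"])] = (ts, m["code"])
    return {pid: ts for pid, (ts, code) in last.items()
            if code == STALL_CODE and now - ts > grace}


# Log lines copied from the thread: Debian update on PID 4373, NVD on PID 5213.
SAMPLE = """\
2021/04/22 13:52:46 wazuh-modulesd:vulnerability-detector[4373] wm_vuln_detector.c:2756 at wm_vuldet_insert(): DEBUG: (5426): Inserting 'Debian Stretch' vulnerabilities information.
2021/04/22 14:00:15 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector.c:4017 at wm_vuldet_check_feed(): INFO: (5400): Starting 'National Vulnerability Database' database update.
2021/04/22 14:00:17 wazuh-modulesd[5213] url.c:346 at wurl_request_uncompress_bz2_gz(): DEBUG: File from URL 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.json.gz' was successfully uncompressed into 'tmp/vuln-temp-fitted'
2021/04/22 14:00:18 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector.c:3722 at wm_vuldet_index_feed(): DEBUG: (5414): Refreshing 'National Vulnerability Database' databases.
2021/04/22 14:00:18 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector.c:2467 at wm_vuldet_insert(): DEBUG: (5415): Inserting vulnerabilities.
2021/04/22 14:00:18 wazuh-modulesd:vulnerability-detector[5213] wm_vuln_detector.c:2502 at wm_vuldet_insert(): DEBUG: (5419): Inserting NVD vulnerabilities section.
""".splitlines()

if __name__ == "__main__":
    now = datetime(2021, 4, 22, 14, 20, 0)  # constructed "current time"
    for pid, ts in find_stalled(SAMPLE, now).items():
        print(f"wazuh-modulesd[{pid}] silent since {ts} after message {STALL_CODE}")
```
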

Alberto Rodriguez

Apr 22, 2021, 9:23:28 AM
to Wazuh mailing list
Hello Soren

Unfortunately, there is a critical bug that causes the Wazuh manager processes to crash (Wazuh agents are not affected). More specifically, it affects Wazuh managers 3.13 and later versions.

This bug is caused by a problem in the Vulnerability Detection module. It can temporarily be solved by disabling the NVD provider on the manager configuration file. Vulnerability Detector won’t work, but the rest of the manager capabilities will work normally.

To apply the temporary fix, on the Wazuh manager system, you need to edit your /var/ossec/etc/ossec.conf file and disable the NVD provider. This needs to be done inside the <vulnerability-detection> section of the file:

<provider name="nvd">
  <enabled>no</enabled>
  <update_from_year>2010</update_from_year>
  <update_interval>1h</update_interval>
</provider>

Then, to apply changes, you will need to restart your Wazuh manager:

systemctl restart wazuh-manager

Please make sure the manager is properly working afterward, by checking that the wazuh-modulesd process is up and running in your system:

ps aux | grep -i wazuh-modulesd

We will be releasing a patched version (4.1.5) within the next 24 hours. With this patch the Vulnerability Detector module will work well again. 
Apologies for the inconvenience. Let us know if you have any questions. 
Regards.
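
Added example, not part of the original reply and not Wazuh code: the configuration excerpt earlier in the thread contains four `<enabled>` elements, so an edit has to be scoped to the `nvd` provider and leave the module-level switch and the other providers alone. The helper names `provider_states` and `set_provider_enabled` are hypothetical; the code works on the configuration text only, assumes the provider blocks are not inside XML comments, and leaves writing the file and the restart to the steps above.

```python
import re

# A <provider name="..."> ... </provider> element of <vulnerability-detector>.
PROVIDER_RE = re.compile(
    r'(?P<open><provider\s+name="(?P<name>[^"]+)"\s*>)'
    r"(?P<body>.*?)(?P<close></provider>)",
    re.DOTALL,
)
ENABLED_RE = re.compile(r"<enabled>\s*(yes|no)\s*</enabled>")


def provider_states(conf_text):
    """Map provider name -> 'yes'/'no' (None if it has no <enabled> element)."""
    states = {}
    for m in PROVIDER_RE.finditer(conf_text):
        e = ENABLED_RE.search(m["body"])
        states[m["name"]] = e.group(1) if e else None
    return states


def set_provider_enabled(conf_text, provider, enabled):
    """Rewrite <enabled> only inside the named provider; return the new text."""
    value = "yes" if enabled else "no"

    def rewrite(m):
        if m["name"] != provider:
            return m.group(0)  # other providers are returned untouched
        body = ENABLED_RE.sub(f"<enabled>{value}</enabled>", m["body"], count=1)
        return m["open"] + body + m["close"]

    return PROVIDER_RE.sub(rewrite, conf_text)


# ossec.conf excerpt copied from the first post in this thread.
SAMPLE = """\
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>15m</interval>
  <provider name="debian"><enabled>yes</enabled><os>stretch</os></provider>
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_from_year>2021</update_from_year>
  </provider>
  <provider name="msu"><enabled>yes</enabled></provider>
</vulnerability-detector>
"""

if __name__ == "__main__":
    print(provider_states(set_provider_enabled(SAMPLE, "nvd", False)))
```
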

Soren

Apr 22, 2021, 9:37:39 AM
to Wazuh mailing list
Thank you for the quick reply! I'll disable the NVD provider for now.

Alberto Rodriguez

Apr 23, 2021, 2:20:40 PM
to Wazuh mailing list
Hello Soren

Wazuh v4.1.5 has been released. Please consider an upgrade and restore your configuration, enabling the NVD provider again.

Sorry for the inconvenience. 

Regards, 
Alberto R
