Apache Tomcat vulnerability detection


Vedran

Jan 22, 2023, 5:01:22 AM
to Wazuh mailing list
Hi,
I'm new, so please understand if I miss something...

Anyhow, I've got Apache Tomcat running as a service on a Windows 2019 server. Tomcat is not installed like other apps; it runs as a service from the folder where it was extracted.

Wazuh (4.3) successfully detects it as a running process; however, it does not scan it for vulnerabilities. I assume that's because it's not installed.

For testing purposes I'm using a Tomcat version that has some CVSS published.

Is there a way for Wazuh to scan Tomcat (or any other app, for that matter, that is not installed on the system but running anyway) for vulnerabilities and report them?

If I missed mentioning something of importance, please let me know.

Thanks.

Miguel Angel Cazajous

Jan 22, 2023, 5:48:18 PM
to Wazuh mailing list
Hello Vedran,

I'm not quite familiar with Apache Tomcat, but as Vulnerability Detector works today, it relies completely on the system packages inventory.
If you run something like this:

sqlite3 /var/ossec/queue/db/<agent_id> 'select * from sys_programs where name like "%tomcat%" collate nocase'

and Tomcat is not listed there, the vulnerability detector is not able to detect vulnerabilities for that package.

Vedran

Jan 23, 2023, 3:04:29 AM
to Wazuh mailing list
Curious,
I've installed an older vulnerable version, 7.x. It is shown under Packages in the Wazuh GUI, and your query returns an OK result.
However, I've restarted the wazuh-manager service and initiated a partial vulnerability scan, but it did not detect Tomcat version 7.x as vulnerable.

0|2023/01/23 07:29:50|win|Apache Tomcat 7.0 Tomcat7 (remove only)|||0|The Apache Software Foundation||7.0.99|i686|||||1|||a0e3ef8f7ee183d83bc739d2aee362c842a279b2|f40d318822c8dcb91fb830230b06dbcd3ede34a1

Do I need to add some "source" to ossec.conf to check for it, or perhaps wait for the full scan to go through?
Thanks.

Miguel Angel Cazajous

Jan 23, 2023, 8:04:10 AM
to Wazuh mailing list
I see that your agent is Windows, which makes me think that the name present in the inventory does not match the one registered in the NVD.

Please take a look at this: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/cpe-helper.html

It's a JSON document that performs the translation from the system inventory name to the NVD name.

Vedran

Jan 23, 2023, 9:33:53 AM
to Wazuh mailing list
Hello,
thanks for the feedback. Let me try to understand whether I've got that correct.
Now my inventory of packages looks like this:

0|2023/01/23 13:47:36|win|Apache Tomcat 7.0.99|||0|The Apache Software Foundation||7.0.99|i686|||||1|||b3ba9eb81e43d8d2ac26ad127393f0faff773d41|04f133f79fa8aee2d55257cad8a6196ed1457b4b

If I understand you correctly, this part is searched for and compared to the NVD: Apache Tomcat 7.0.99

If that's the case, I get 3 hits on a manual search through the NVD.

If something else is used to search through the NVD, please correct me.

Additionally, ossec.log while restarting the wazuh-manager service, for that agent (id: 014), gives me the following error:
wazuh-modulesd:database: WARNING: Strange file found: 'queue/db/014'

Can I manually remove 014.db and let it re-create itself after restarting wazuh-manager?

Thank you.

Miguel Angel Cazajous

Jan 23, 2023, 2:47:01 PM
to Wazuh mailing list
Yes, the comparison is an SQLite query with JOIN clauses between the information reported by the NVD and the information you get from the system inventory. If the name, version, and vendor don't match, the vulnerability won't be detected. As you can see in this example, https://nvd.nist.gov/vuln/detail/CVE-2022-42252, the configuration is all in lowercase.

On the other hand, about the second question: do you have a 014 file without its .db extension? That error should be raised in a case like that. If you have a 014.db, it shouldn't be reporting that warning.

Vedran

Jan 26, 2023, 9:47:52 AM
to Wazuh mailing list
So, here's the latest info.
This is what I have now in the agent's db:

0|2023/01/26 13:47:03|win|Apache Tomcat 7.0|||0|The Apache Software Foundation||7.0.59|i686|||||1|||c3a562664fc137ad36cbc109fc69085bd16b619e|93f49695977680e3095b6a69b921b1a5f0e12f6b

I added this to cpe-helper.json:

        {
            "target": "windows",
            "source": {
                "vendor": [],
                "product": [
                    "^Apache Tomcat.*"
                ],
                "version": [
                    "^Apache Tomcat ([0-9]+\\.*[0-9]*\\.*[0-9]*-*[0-9]*)"
                ]
            },
            "translation": {
                "vendor": [
                    "apache"
                ],
                "product": [
                    "tomcat"
                ],
                "version": []
            },
            "action": [
                "replace_product",
                "set_version_if_product_matches"
            ]
        }

An NVD search for Apache Tomcat 7.0 gives me the following:

[screenshot: Screenshot 2023-01-26 at 15.44.30.png]

I still get nothing in vulnerability detection for agent 014.

What am I missing?

Thank you.

Vedran

Feb 7, 2023, 7:19:19 AM
to Wazuh mailing list
Update.

I've changed cpe-helper.json a little bit, and now it is detecting Apache Tomcat properly; it shows up in the Vulnerability Detector too.

        {
            "target": "windows",
            "source": {
                "vendor": [],
                "product": [
                    "^Apache Tomcat ([0-9].*)"
                ],
                "version": []
            },
            "translation": {
                "vendor": [
                    "apache"
                ],
                "product": [
                    "tomcat"
                ],
                "version": []
            },
            "action": [
                "replace_vendor",
                "replace_product"
            ]
        }

Thanks.
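As an added illustration (not code from this thread or from Wazuh itself), the script below mimics what the working cpe-helper entry above does to an inventory row before the NVD comparison: the raw name "Apache Tomcat 7.0" and vendor "The Apache Software Foundation" never equal the lowercase NVD vendor/product, while the translated pair does. It assumes the column positions of name, vendor and version in the pipe-delimited dump, a constructed stand-in for NVD match data, and a simplified reading of the replace_vendor/replace_product actions.

```python
import re

# Constructed inventory rows in the pipe layout of the thread's sys_programs dumps
# (hashes omitted). Assumed column positions: name=3, vendor=7, version=9.
ROWS = [
    "0|2023/01/26 13:47:03|win|Apache Tomcat 7.0|||0|The Apache Software Foundation||7.0.59|i686|||||1|||||",
    "0|2023/01/26 13:47:03|win|Some Other App|||0|Example Vendor||1.2.3|i686|||||1|||||",
]
# The working cpe-helper entry from the thread, as a Python dict.
TOMCAT_RULE = {
    "source": {"vendor": [], "product": [r"^Apache Tomcat ([0-9].*)"], "version": []},
    "translation": {"vendor": ["apache"], "product": ["tomcat"], "version": []},
    "action": ["replace_vendor", "replace_product"],
}
# Constructed stand-in for NVD CPE match data: (vendor, product, first, last affected version).
VULN_RANGES = [("apache", "tomcat", "7.0.0", "7.0.99")]

def parse_row(row):
    f = row.split("|")
    return f[3], f[7], f[9]

def translate(rule, name, vendor, version):
    """Simplified cpe-helper semantics: (vendor, product, version), or None if no product regex matches."""
    if not any(re.match(p, name) for p in rule["source"]["product"]):
        return None
    acts = rule["action"]
    out_vendor = rule["translation"]["vendor"][0] if "replace_vendor" in acts else vendor
    out_product = rule["translation"]["product"][0] if "replace_product" in acts else name
    return out_vendor.lower(), out_product.lower(), version

def vtuple(v):
    return tuple(int(x) for x in v.split("."))

def is_vulnerable(vendor, product, version):
    """Exact lowercase vendor/product match plus an inclusive version range, like the NVD join."""
    return any(vendor == ven and product == prod and vtuple(lo) <= vtuple(version) <= vtuple(hi)
               for ven, prod, lo, hi in VULN_RANGES)

def scan(rows, rule):
    """Map inventory name -> (matched without translation, matched after translation)."""
    result = {}
    for name, vendor, version in map(parse_row, rows):
        t = translate(rule, name, vendor, version)
        result[name] = (is_vulnerable(vendor.lower(), name.lower(), version),
                        t is not None and is_vulnerable(*t))
    return result

if __name__ == "__main__":
    for name, hits in scan(ROWS, TOMCAT_RULE).items():
        print(name, hits)
```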

Miguel Angel Cazajous

Feb 7, 2023, 8:34:19 AM
to Wazuh mailing list
Hi Vedran,

I entirely overlooked your previous message; I apologize for that, I didn't see it. Glad to know you could make it work! As additional information, there are some cases with old Tomcat versions where the translation you perform does not work due to a missing vendor and version. There's already a fix for that, but it is targeted for 4.5: https://github.com/wazuh/wazuh/issues/13434.

Regards!

Vedran

Feb 7, 2023, 3:27:00 PM
to Wazuh mailing list
Hi,
no worries.

Still struggling with cpe-helper translations and such.
Now I can't get Notepad++ to be detected.

Question: will cve.db, table CPE_HELPER_TRANSLATION, be populated after editing cpe-helper.json and restarting the manager service?

I can see Apache Tomcat being translated OK now, and it's there in that table in both vendor and product types; however, I can't make Notepad++ show up in that table or get detected by VS.

This is the part of my cpe-helper.json with the Notepad++ entry:

        {
            "target": "windows",
            "source": {
                "vendor": [],
                "product": [
                    "^Notepad(\++)*"
                ],
                "version": []
            },
            "translation": {
                "vendor": [],
                "product": [
                    "notepad\+\+"
                ],
                "version": []
            },
            "action": [
                "replace_product"
            ]
        }

Thanks.

Miguel Angel Cazajous

Feb 7, 2023, 4:00:26 PM
to Wazuh mailing list
Hi Vedran,

What is the package name in Syscollector?

sqlite3 /var/ossec/queue/db/<agent_id> 'select * from sys_programs where name like "%notepad%" collate nocase'

Taking this CVE as an example:

https://nvd.nist.gov/vuln/detail/CVE-2022-32168

The values

- notepad-plus-plus
- notepad\+\+

should be in the translation object in the CPE JSON file as vendor and product respectively. I think we also need to escape the backslashes.

            "translation": {
                "vendor": [
                    "notepad-plus-plus"
                ],
                "product": [
                    "notepad\\+\\+"
                ],
                "version": []
            },

Miguel Angel Cazajous

Feb 7, 2023, 4:06:34 PM
to Wazuh mailing list
With respect to the question, I'm afraid not. We have an issue related to this; the cpe_helper changes are not detected automatically: https://github.com/wazuh/wazuh/issues/10631. Also, any change performed in the cpe_helper will be lost after an upgrade. We are working in parallel to improve the content of the vulnerabilities, with the intention of mitigating all these limitations.