Check the Detection platforms in Vulnerability database search to see whether Amazon Inspector can detect a given vulnerability on your OS
Are the vulnerabilities Amazon Inspector can detect limited to packages installed from the standard repositories?
Hi, this is のんピ (@non____97).
Have you ever wondered which vulnerabilities Amazon Inspector can detect? I have.
Recently a feature called Vulnerability database search was added to Amazon Inspector, which lets you look up information about the CVEs Amazon Inspector can detect.
According to the AWS documentation, it also shows the platforms on which Amazon Inspector can detect each CVE.
> Details
> Contains the description of the CVE. This includes platforms it can be detected on, related vulnerabilities, associated Common Weakness Enumeration (CWE), and dates the CVE was created and last updated. In this section you can also review various scoring and severity data for the CVE such as: National Vulnerability Database (NVD) severity, Common Vulnerability Scoring System (CVSS) score, and Exploit Prediction Scoring System (EPSS) score.
>
> Amazon Inspector Vulnerability database search - Amazon Inspector
Conversely, does that mean a vulnerability cannot be detected on an OS that is not listed among the detectable platforms?
Let's try it and see.
Summary up front
- To know whether Amazon Inspector can detect a given vulnerability on your OS, check the Detection platforms in Vulnerability database search
- Even a package installed from the standard repository is not detected if the platform is not included in Detection platforms
- A package installed from outside the standard repository is detected as long as the platform is included in Detection platforms
- Software that was merely dropped in as a binary, or compiled and installed from source, is not detected
- Amazon Inspector v2 detects vulnerabilities based on the application information collected in SSM Inventory
- On Linux, the only things collected as applications in SSM Inventory are those that rpm, dpkg-query or snap can recognize
Let's try it
Looking at Vulnerability database search
Let's take a look at Vulnerability database search.
First, check the platforms on which the Wireshark vulnerability CVE-2023-1161 can be detected.
This vulnerability is detected when the Wireshark version is 4.0.0 through 4.0.3, or 3.6.0 through 3.6.11.
The detectable platforms are as follows.
- DEBIAN_10
- AMAZON_LINUX_2023
- OPEN_SUSE_15_4
- SUSE_SERVER_15_4
Wireshark can be installed from the Amazon Linux 2023 standard repository. See the following for the packages that can be installed from the Amazon Linux 2023 standard repository.
Next, check the platforms on which the MySQL vulnerability CVE-2023-21912 can be detected.
This vulnerability is detected when the MySQL Server version is 5.7.41 or earlier, or 8.0.30 or earlier.
The platforms on which the vulnerability can be detected are as follows.
- ALMALINUX_9
- ALMALINUX_8
- ORACLE_LINUX_9
- UBUNTU_22_10
- UBUNTU_18_04
- UBUNTU_20_04
- UBUNTU_22_04
- UBUNTU_16_04
- RHEL_8
- RHEL_9
MySQL is not in the Amazon Linux 2023 standard repository, so it is not on this list.
Finally, check the platforms on which the MySQL vulnerability CVE-2023-21980 can be detected.
This vulnerability is detected when the MySQL Server version is 5.7.41 or earlier, or 8.0.32 or earlier.
The platforms on which the vulnerability can be detected are as follows.
- UBUNTU_22_10
- UBUNTU_18_04
- UBUNTU_20_04
- UBUNTU_22_04
- UBUNTU_16_04
This one seems to be Ubuntu only.
However, checking Red Hat's documentation, the mysql package on RHEL 9 is marked Affected for this vulnerability, so it does appear to be impacted.
So it does not seem to be the case that "a package installed from the standard repository can be detected by Amazon Inspector".
Installing vulnerable Wireshark on Amazon Linux 2023 from the standard repository with dnf
First, then, let's install vulnerable Wireshark on Amazon Linux 2023 from the standard repository with dnf and check whether Inspector detects it.
Install Wireshark 4.0.3.
```
$ sudo dnf install wireshark --releasever=2023.0.20230315 -y
Amazon Linux 2023 repository                                           21 MB/s |  11 MB     00:00
Last metadata expiration check: 0:00:02 ago on Thu May 18 01:27:53 2023.
Dependencies resolved.
==========================================================================================================
 Package                  Architecture     Version                         Repository            Size
==========================================================================================================
Installing:
 wireshark-cli            x86_64           1:4.0.3-1.amzn2023.0.1          amazonlinux           23 M
Installing dependencies:
 libsmi                   x86_64           0.4.8-28.amzn2023.0.2           amazonlinux          2.1 M
 libssh                   x86_64           0.10.4-3.amzn2023.0.3           amazonlinux          212 k
 libssh-config            noarch           0.10.4-3.amzn2023.0.3           amazonlinux           10 k

Transaction Summary
==========================================================================================================
Install  4 Packages

Total download size: 25 M
Installed size: 135 M
Downloading Packages:
(1/4): libssh-0.10.4-3.amzn2023.0.3.x86_64.rpm                        2.0 MB/s | 212 kB     00:00
(2/4): libssh-config-0.10.4-3.amzn2023.0.3.noarch.rpm                 367 kB/s |  10 kB     00:00
(3/4): libsmi-0.4.8-28.amzn2023.0.2.x86_64.rpm                         13 MB/s | 2.1 MB     00:00
(4/4): wireshark-cli-4.0.3-1.amzn2023.0.1.x86_64.rpm                   42 MB/s |  23 MB     00:00
----------------------------------------------------------------------------------------------------------
Total                                                                  41 MB/s |  25 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                            1/1
  Installing       : libssh-config-0.10.4-3.amzn2023.0.3.noarch                                 1/4
  Installing       : libssh-0.10.4-3.amzn2023.0.3.x86_64                                        2/4
  Installing       : libsmi-0.4.8-28.amzn2023.0.2.x86_64                                        3/4
  Running scriptlet: wireshark-cli-1:4.0.3-1.amzn2023.0.1.x86_64                                4/4
  Installing       : wireshark-cli-1:4.0.3-1.amzn2023.0.1.x86_64                                4/4
  Running scriptlet: wireshark-cli-1:4.0.3-1.amzn2023.0.1.x86_64                                4/4
  Verifying        : wireshark-cli-1:4.0.3-1.amzn2023.0.1.x86_64                                1/4
  Verifying        : libsmi-0.4.8-28.amzn2023.0.2.x86_64                                        2/4
  Verifying        : libssh-0.10.4-3.amzn2023.0.3.x86_64                                        3/4
  Verifying        : libssh-config-0.10.4-3.amzn2023.0.3.noarch                                 4/4
==========================================================================================================
WARNING:
  A newer release of "Amazon Linux" is available.

  Available Versions:

  Version 2023.0.20230503:
    Run the following command to upgrade to 2023.0.20230503:

      dnf upgrade --releasever=2023.0.20230503

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html

==========================================================================================================

Installed:
  libsmi-0.4.8-28.amzn2023.0.2.x86_64          libssh-0.10.4-3.amzn2023.0.3.x86_64
  libssh-config-0.10.4-3.amzn2023.0.3.noarch   wireshark-cli-1:4.0.3-1.amzn2023.0.1.x86_64

Complete!
```
Since I want it detected right away after installation, I manually associate the SSM State Manager association InspectorInventoryCollection-do-not-delete.
If you want to know the details of the Amazon Inspector v2 scan requirements, see the following article.
After a while, the Wireshark vulnerability was detected.
Installing vulnerable MySQL Server on Amazon Linux 2023 from an added repository with dnf
Next, let's install vulnerable MySQL Server on Amazon Linux 2023 from an added repository with dnf and check whether Inspector detects it.
```
# Add the repository
$ sudo dnf install https://dev.mysql.com/get/mysql80-community-release-el9-1.noarch.rpm -y
Last metadata expiration check: 1:18:30 ago on Thu May 18 01:21:53 2023.
mysql80-community-release-el9-1.noarch.rpm                            23 kB/s |  10 kB     00:00
Dependencies resolved.
======================================================================================================
 Package                           Architecture    Version      Repository         Size
======================================================================================================
Installing:
 mysql80-community-release         noarch          el9-1        @commandline       10 k

Transaction Summary
======================================================================================================
Install  1 Package

Total size: 10 k
Installed size: 5.7 k
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                    1/1
  Installing       : mysql80-community-release-el9-1.noarch                             1/1
  Verifying        : mysql80-community-release-el9-1.noarch                             1/1

Installed:
  mysql80-community-release-el9-1.noarch

Complete!

# Confirm the repository was added
$ dnf repolist
repo id                          repo name
amazonlinux                      Amazon Linux 2023 repository
kernel-livepatch                 Amazon Linux 2023 Kernel Livepatch repository
mysql-connectors-community       MySQL Connectors Community
mysql-tools-community            MySQL Tools Community
mysql80-community                MySQL 8.0 Community Server

# Install MySQL Server and client
$ sudo dnf install mysql-community-server-8.0.30-1.el9.x86_64 mysql-community-client-8.0.30-1.el9.x86_64 -y
Last metadata expiration check: 0:01:02 ago on Thu May 18 02:43:43 2023.
Dependencies resolved.
======================================================================================================
 Package                                Architecture   Version           Repository            Size
======================================================================================================
Installing:
 mysql-community-client                 x86_64         8.0.30-1.el9      mysql80-community    3.7 M
 mysql-community-server                 x86_64         8.0.30-1.el9      mysql80-community     48 M
Installing dependencies:
 mysql-community-client-plugins         x86_64         8.0.30-1.el9      mysql80-community    1.4 M
 mysql-community-common                 x86_64         8.0.30-1.el9      mysql80-community    534 k
 mysql-community-icu-data-files         x86_64         8.0.30-1.el9      mysql80-community    2.2 M
 mysql-community-libs                   x86_64         8.0.30-1.el9      mysql80-community    1.5 M

Transaction Summary
======================================================================================================
Install  6 Packages

Total download size: 57 M
Installed size: 331 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): mysql-community-client-8.0.30-1.el9.x86_64.rpm                 31 MB/s | 3.7 MB     00:00
(2/6): mysql-community-client-plugins-8.0.30-1.el9.x86_64.rpm         10 MB/s | 1.4 MB     00:00
(3/6): mysql-community-common-8.0.30-1.el9.x86_64.rpm                3.8 MB/s | 534 kB     00:00
(4/6): mysql-community-libs-8.0.30-1.el9.x86_64.rpm                   28 MB/s | 1.5 MB     00:00
(5/6): mysql-community-icu-data-files-8.0.30-1.el9.x86_64.rpm        3.9 MB/s | 2.2 MB     00:00
(6/6): mysql-community-server-8.0.30-1.el9.x86_64.rpm                 14 MB/s |  48 MB     00:03
------------------------------------------------------------------------------------------------------
Total                                                                 16 MB/s |  57 MB     00:03
MySQL 8.0 Community Server                                           3.0 MB/s | 3.1 kB     00:00
Importing GPG key 0x3A79BD29:
 Userid     : "MySQL Release Engineering <mysql-build@oss.oracle.com>"
 Fingerprint: 859B E8D7 C586 F538 430B 19C2 467B 942D 3A79 BD29
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-mysql-2022
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                    1/1
  Installing       : mysql-community-common-8.0.30-1.el9.x86_64                         1/6
  Installing       : mysql-community-client-plugins-8.0.30-1.el9.x86_64                 2/6
  Installing       : mysql-community-libs-8.0.30-1.el9.x86_64                           3/6
  Running scriptlet: mysql-community-libs-8.0.30-1.el9.x86_64                           3/6
  Installing       : mysql-community-client-8.0.30-1.el9.x86_64                         4/6
  Installing       : mysql-community-icu-data-files-8.0.30-1.el9.x86_64                 5/6
  Running scriptlet: mysql-community-server-8.0.30-1.el9.x86_64                         6/6
  Installing       : mysql-community-server-8.0.30-1.el9.x86_64                         6/6
  Running scriptlet: mysql-community-server-8.0.30-1.el9.x86_64                         6/6
  Verifying        : mysql-community-client-8.0.30-1.el9.x86_64                         1/6
  Verifying        : mysql-community-client-plugins-8.0.30-1.el9.x86_64                 2/6
  Verifying        : mysql-community-common-8.0.30-1.el9.x86_64                         3/6
  Verifying        : mysql-community-icu-data-files-8.0.30-1.el9.x86_64                 4/6
  Verifying        : mysql-community-libs-8.0.30-1.el9.x86_64                           5/6
  Verifying        : mysql-community-server-8.0.30-1.el9.x86_64                         6/6

Installed:
  mysql-community-client-8.0.30-1.el9.x86_64          mysql-community-client-plugins-8.0.30-1.el9.x86_64
  mysql-community-common-8.0.30-1.el9.x86_64          mysql-community-icu-data-files-8.0.30-1.el9.x86_64
  mysql-community-libs-8.0.30-1.el9.x86_64            mysql-community-server-8.0.30-1.el9.x86_64

Complete!
```
The vulnerable MySQL Server (plus the client as a bonus) is now installed.
After installation, I manually associate the SSM State Manager association InspectorInventoryCollection-do-not-delete.
However, even after waiting an hour, nothing is detected.
Neither CVE-2023-21980 nor CVE-2023-21912 includes Amazon Linux 2023 in its Detection platforms in Vulnerability database search.
So is it really the case that a vulnerability is not detected unless the platform is in Detection platforms?
Installing vulnerable MySQL Server on RHEL 9 from the standard repository with dnf
Next, let's install vulnerable MySQL Server on RHEL 9 from the standard repository with dnf and check whether Inspector detects it.
```
# Check the MySQL versions installable from the standard repository
$ sudo dnf search mysql --showduplicates
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:01:04 ago on Wed 24 May 2023 08:13:52 AM UTC.
=========================================================================== Name & Summary Matched: mysql ===========================================================================
mysql-8.0.28-1.el9.x86_64 : MySQL client programs and shared libraries
mysql-8.0.30-3.el9_0.x86_64 : MySQL client programs and shared libraries
mysql-8.0.32-1.el9_2.x86_64 : MySQL client programs and shared libraries
apr-util-mysql-1.6.1-20.el9.x86_64 : APR utility library MySQL DBD driver
apr-util-mysql-1.6.1-20.el9_2.1.x86_64 : APR utility library MySQL DBD driver
dovecot-mysql-1:2.3.16-3.el9.x86_64 : MySQL back end for dovecot
dovecot-mysql-1:2.3.16-7.el9.x86_64 : MySQL back end for dovecot
dovecot-mysql-1:2.3.16-8.el9.x86_64 : MySQL back end for dovecot
mysql-common-8.0.28-1.el9.x86_64 : The shared files required for MySQL server and client
mysql-common-8.0.30-3.el9_0.x86_64 : The shared files required for MySQL server and client
mysql-common-8.0.32-1.el9_2.x86_64 : The shared files required for MySQL server and client
mysql-errmsg-8.0.28-1.el9.x86_64 : The error messages files required by MySQL server
mysql-errmsg-8.0.30-3.el9_0.x86_64 : The error messages files required by MySQL server
mysql-errmsg-8.0.32-1.el9_2.x86_64 : The error messages files required by MySQL server
mysql-selinux-1.0.4-2.el9.noarch : SELinux policy modules for MySQL and MariaDB packages
mysql-selinux-1.0.5-1.el9_0.noarch : SELinux policy modules for MySQL and MariaDB packages
mysql-server-8.0.28-1.el9.x86_64 : The MySQL server and related files
mysql-server-8.0.30-3.el9_0.x86_64 : The MySQL server and related files
mysql-server-8.0.32-1.el9_2.x86_64 : The MySQL server and related files
pcp-pmda-mysql-5.3.5-8.el9.x86_64 : Performance Co-Pilot (PCP) metrics for MySQL
pcp-pmda-mysql-5.3.7-7.el9.x86_64 : Performance Co-Pilot (PCP) metrics for MySQL
pcp-pmda-mysql-6.0.1-4.el9.x86_64 : Performance Co-Pilot (PCP) metrics for MySQL
perl-DBD-MySQL-4.050-13.el9.x86_64 : A MySQL interface for Perl
php-mysqlnd-8.0.13-1.el9.x86_64 : A module for PHP applications that use MySQL databases
php-mysqlnd-8.0.13-2.el9_0.x86_64 : A module for PHP applications that use MySQL databases
php-mysqlnd-8.0.20-3.el9.x86_64 : A module for PHP applications that use MySQL databases
php-mysqlnd-8.0.27-1.el9_1.x86_64 : A module for PHP applications that use MySQL databases
postfix-mysql-2:3.5.9-18.el9.x86_64 : Postfix MySQL map support
postfix-mysql-2:3.5.9-19.el9.x86_64 : Postfix MySQL map support
python3-PyMySQL-0.10.1-6.el9.noarch : Pure-Python MySQL client library
python3.11-PyMySQL-1.0.2-1.el9.noarch : Pure-Python MySQL client library
python3.11-PyMySQL+rsa-1.0.2-1.el9.noarch : Metapackage for python3.11-PyMySQL: rsa extras
qt5-qtbase-mysql-5.15.2-29.el9.x86_64 : MySQL driver for Qt5's SQL classes
qt5-qtbase-mysql-5.15.2-29.el9.i686 : MySQL driver for Qt5's SQL classes
qt5-qtbase-mysql-5.15.3-1.el9.x86_64 : MySQL driver for Qt5's SQL classes
qt5-qtbase-mysql-5.15.3-1.el9.i686 : MySQL driver for Qt5's SQL classes
rsyslog-mysql-8.2102.0-101.el9.x86_64 : MySQL support for rsyslog
rsyslog-mysql-8.2102.0-101.el9_0.1.x86_64 : MySQL support for rsyslog
rsyslog-mysql-8.2102.0-105.el9.x86_64 : MySQL support for rsyslog
rsyslog-mysql-8.2102.0-111.el9.x86_64 : MySQL support for rsyslog
rsyslog-mysql-8.2102.0-113.el9_2.x86_64 : MySQL support for rsyslog
rubygem-mysql2-0.5.3-11.el9_0.x86_64 : A simple, fast Mysql library for Ruby, binding to libmysql
============================================================================== Summary Matched: mysql ===============================================================================
mariadb-java-client-3.0.3-1.el9.noarch : Connects applications developed in Java to MariaDB and MySQL databases
mariadb-server-utils-3:10.5.13-2.el9.x86_64 : Non-essential server utilities for MariaDB/MySQL applications
mariadb-server-utils-3:10.5.16-2.el9_0.x86_64 : Non-essential server utilities for MariaDB/MySQL applications
perl-DBD-MariaDB-1.21-16.el9_0.x86_64 : MariaDB and MySQL driver for the Perl5 Database Interface (DBI)

# Install MySQL 8.0.30
$ sudo dnf install mysql-8.0.30-3.el9_0.x86_64
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:02:33 ago on Wed 24 May 2023 08:13:52 AM UTC.
Dependencies resolved.
=====================================================================================================================
 Package                         Architecture    Version             Repository                      Size
=====================================================================================================================
Installing:
 mysql                           x86_64          8.0.30-3.el9_0      rhel-9-appstream-rhui-rpms     2.8 M
Installing dependencies:
 mariadb-connector-c-config      noarch          3.2.6-1.el9_0       rhel-9-appstream-rhui-rpms      11 k
 mysql-common                    x86_64          8.0.30-3.el9_0      rhel-9-appstream-rhui-rpms      80 k

Transaction Summary
=====================================================================================================================
Install  3 Packages

Total download size: 2.9 M
Installed size: 60 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): mysql-common-8.0.30-3.el9_0.x86_64.rpm                         1.2 MB/s |  80 kB     00:00
(2/3): mariadb-connector-c-config-3.2.6-1.el9_0.noarch.rpm            172 kB/s |  11 kB     00:00
(3/3): mysql-8.0.30-3.el9_0.x86_64.rpm                                 21 MB/s | 2.8 MB     00:00
---------------------------------------------------------------------------------------------------------------------
Total                                                                  18 MB/s | 2.9 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                    1/1
  Installing       : mariadb-connector-c-config-3.2.6-1.el9_0.noarch                    1/3
  Installing       : mysql-common-8.0.30-3.el9_0.x86_64                                 2/3
  Installing       : mysql-8.0.30-3.el9_0.x86_64                                        3/3
  Running scriptlet: mysql-8.0.30-3.el9_0.x86_64                                        3/3
  Verifying        : mariadb-connector-c-config-3.2.6-1.el9_0.noarch                    1/3
  Verifying        : mysql-8.0.30-3.el9_0.x86_64                                        2/3
  Verifying        : mysql-common-8.0.30-3.el9_0.x86_64                                 3/3
Installed products updated.

Installed:
  mariadb-connector-c-config-3.2.6-1.el9_0.noarch   mysql-8.0.30-3.el9_0.x86_64   mysql-common-8.0.30-3.el9_0.x86_64

Complete!

# Confirm that MySQL 8.0.30 was installed
$ sudo dnf info mysql
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:02:45 ago on Wed 24 May 2023 08:13:52 AM UTC.
Installed Packages
Name         : mysql
Version      : 8.0.30
Release      : 3.el9_0
Architecture : x86_64
Size         : 60 M
Source       : mysql-8.0.30-3.el9_0.src.rpm
Repository   : @System
From repo    : rhel-9-appstream-rhui-rpms
Summary      : MySQL client programs and shared libraries
URL          : http://www.mysql.com
License      : GPLv2 with exceptions and LGPLv2 and BSD
Description  : MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
             : client/server implementation consisting of a server daemon (mysqld)
             : and many different client programs and libraries. The base package
             : contains the standard MySQL client programs and generic MySQL files.

Available Packages
Name         : mysql
Version      : 8.0.32
Release      : 1.el9_2
Architecture : x86_64
Size         : 2.8 M
Source       : mysql-8.0.32-1.el9_2.src.rpm
Repository   : rhel-9-appstream-rhui-rpms
Summary      : MySQL client programs and shared libraries
URL          : http://www.mysql.com
License      : GPLv2 with exceptions and LGPLv2 and BSD
Description  : MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
             : client/server implementation consisting of a server daemon (mysqld)
             : and many different client programs and libraries. The base package
             : contains the standard MySQL client programs and generic MySQL files.
```
After installation, I manually associate the SSM State Manager association InspectorInventoryCollection-do-not-delete.
Several MySQL vulnerabilities were then detected.
The vulnerability we checked beforehand, CVE-2023-21912, is among them.
For reference, the JSON of this finding is as follows.
```json
{
  "awsAccountId": "<AWS account ID>",
  "description": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.41 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).",
  "exploitAvailable": "NO",
  "findingArn": "arn:aws:inspector2:us-east-1:<AWS account ID>:finding/623ad6f914f2d641ddee2da8af92dbd6",
  "firstObservedAt": "2023-05-24T08:44:43.849Z",
  "fixAvailable": "YES",
  "inspectorScore": 7.5,
  "inspectorScoreDetails": {
    "adjustedCvss": {
      "adjustments": [],
      "cvssSource": "NVD",
      "score": 7.5,
      "scoreSource": "NVD",
      "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "version": "3.1"
    }
  },
  "lastObservedAt": "2023-05-24T08:44:43.849Z",
  "packageVulnerabilityDetails": {
    "cvss": [
      {
        "baseScore": 7.5,
        "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "source": "NVD",
        "version": "3.1"
      }
    ],
    "referenceUrls": [
      "https://www.oracle.com/security-alerts/cpuapr2023.html"
    ],
    "relatedVulnerabilities": [
      "RHSA-2023:2621"
    ],
    "source": "NVD",
    "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-21912",
    "vendorCreatedAt": "2023-04-18T20:15:00.000Z",
    "vendorSeverity": "HIGH",
    "vendorUpdatedAt": "2023-04-27T15:15:00.000Z",
    "vulnerabilityId": "CVE-2023-21912",
    "vulnerablePackages": [
      {
        "arch": "X86_64",
        "epoch": 0,
        "fixedInVersion": "0:8.0.32-1.el9_2",
        "name": "mysql",
        "packageManager": "OS",
        "release": "3.el9_0",
        "remediation": "dnf update mysql",
        "version": "8.0.30"
      },
      {
        "arch": "X86_64",
        "epoch": 0,
        "fixedInVersion": "0:8.0.32-1.el9_2",
        "name": "mysql-common",
        "packageManager": "OS",
        "release": "3.el9_0",
        "remediation": "dnf update mysql-common",
        "version": "8.0.30"
      }
    ]
  },
  "remediation": {
    "recommendation": {
      "text": "None Provided"
    }
  },
  "resources": [
    {
      "details": {
        "awsEc2Instance": {
          "iamInstanceProfileArn": "arn:aws:iam::<AWS account ID>:instance-profile/AmazonSSMRoleForInstancesQuickSetup",
          "imageId": "ami-026ebd4cfe2c043b2",
          "ipV4Addresses": [
            "3.94.168.116",
            "172.31.25.81"
          ],
          "ipV6Addresses": [],
          "keyName": "<key pair name>",
          "launchedAt": "2023-05-24T08:13:17.000Z",
          "platform": "RHEL_9",
          "subnetId": "subnet-01f3c5098eafd93e7",
          "type": "t3.micro",
          "vpcId": "vpc-0e0796981cea634c1"
        }
      },
      "id": "i-0ee462c00b2b0bdc3",
      "partition": "aws",
      "region": "us-east-1",
      "tags": {
        "Name": "rhel9"
      },
      "type": "AWS_EC2_INSTANCE"
    }
  ],
  "severity": "HIGH",
  "status": "ACTIVE",
  "title": "CVE-2023-21912 - mysql, mysql-common",
  "type": "PACKAGE_VULNERABILITY",
  "updatedAt": "2023-05-24T08:44:43.849Z"
}
```
Many other vulnerabilities were detected as well, but CVE-2023-21980, which affects MySQL Server 8.0.32 and earlier, was not.
For this vulnerability, too, RHEL 9 is not included in the Detection platforms in Vulnerability database search.
So it does look like a vulnerability is not detected unless the platform is in Detection platforms.
Installing vulnerable BIND on Amazon Linux 2023 with rpm
Next, let's install vulnerable BIND on Amazon Linux 2023 with rpm and check whether Inspector detects it.
```
# Download the BIND rpm
$ wget https://rpmfind.net/linux/centos-stream/9-stream/AppStream/x86_64/os/Packages/bind-9.16.23-11.el9.x86_64.rpm
--2023-05-26 09:40:21--  https://rpmfind.net/linux/centos-stream/9-stream/AppStream/x86_64/os/Packages/bind-9.16.23-11.el9.x86_64.rpm
Resolving rpmfind.net (rpmfind.net)... 195.220.108.108
Connecting to rpmfind.net (rpmfind.net)|195.220.108.108|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 514707 (503K) [application/x-rpm]
Saving to: ‘bind-9.16.23-11.el9.x86_64.rpm’

bind-9.16.23-11.el9.x86_64.rpm     100%[=================================================================================================>] 502.64K  1000KB/s    in 0.5s

2023-05-26 09:40:22 (1000 KB/s) - ‘bind-9.16.23-11.el9.x86_64.rpm’ saved [514707/514707]

# Install BIND
$ sudo rpm -ivh bind-9.16.23-11.el9.x86_64.rpm
warning: bind-9.16.23-11.el9.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
error: Failed dependencies:
	bind-libs(x86-64) = 32:9.16.23-11.el9 is needed by bind-32:9.16.23-11.el9.x86_64
	libbind9-9.16.23-RH.so()(64bit) is needed by bind-32:9.16.23-11.el9.x86_64
	libdns-9.16.23-RH.so()(64bit) is needed by bind-32:9.16.23-11.el9.x86_64
	libisc-9.16.23-RH.so()(64bit) is needed by bind-32:9.16.23-11.el9.x86_64
	libisccc-9.16.23-RH.so()(64bit) is needed by bind-32:9.16.23-11.el9.x86_64
	libisccfg-9.16.23-RH.so()(64bit) is needed by bind-32:9.16.23-11.el9.x86_64
	libjson-c.so.5(JSONC_0.14)(64bit) is needed by bind-32:9.16.23-11.el9.x86_64
	libns-9.16.23-RH.so()(64bit) is needed by bind-32:9.16.23-11.el9.x86_64

# Install BIND ignoring dependencies
$ sudo rpm -ivh bind-9.16.23-11.el9.x86_64.rpm --nodeps
warning: bind-9.16.23-11.el9.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:bind-32:9.16.23-11.el9           ################################# [100%]
uavc: op=setenforce lsm=selinux enforcing=0 res=1
uavc: op=load_policy lsm=selinux seqno=3 res=1

# Check the installed BIND package
$ rpm -qi bind
Name        : bind
Epoch       : 32
Version     : 9.16.23
Release     : 11.el9
Architecture: x86_64
Install Date: Fri May 26 09:41:08 2023
Group       : Unspecified
Size        : 1506772
License     : MPLv2.0
Signature   : RSA/SHA256, Mon Feb 27 22:07:49 2023, Key ID 05b555b38483c65d
Source RPM  : bind-9.16.23-11.el9.src.rpm
Build Date  : Mon Feb 27 14:23:06 2023
Build Host  : x86-02.stream.rdu2.redhat.com
Packager    : builder@centos.org
Vendor      : CentOS
URL         : https://www.isc.org/downloads/bind/
Summary     : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Description :
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.
```
After installation, I manually associate the SSM State Manager association InspectorInventoryCollection-do-not-delete.
The BIND vulnerabilities were then detected.
Let's look up one of the detected vulnerabilities in Vulnerability database search. Checking the Detection platforms of CVE-2021-25220, Amazon Linux 2023 is included.
- AMAZON_LINUX_2023
- CENTOS_7
- ORACLE_LINUX_8
- ORACLE_LINUX_9
- ORACLE_LINUX_7
- AMAZON_LINUX_2
- AMAZON_LINUX_2022
- FEDORA_34
- ALMALINUX_9
- ALMALINUX_8
- DEBIAN_10
- DEBIAN_9
- DEBIAN_11
- DEBIAN_12
- UBUNTU_21_10
- UBUNTU_14_04
- UBUNTU_18_04
- UBUNTU_20_04
- UBUNTU_16_04
- OPEN_SUSE_15_4
- OPEN_SUSE_15_3
- SUSE_SERVER_15_3
- SUSE_SERVER_12_5
- SUSE_SERVER_15_4
- ROCKY_8
- RHEL_7
- RHEL_8
- RHEL_9
- ALPINE_LINUX_3_17
- ALPINE_LINUX_3_16
- ALPINE_LINUX_3_15
- ALPINE_LINUX_3_14
- ALPINE_LINUX_3_13
- ALPINE_LINUX_3_12
So whether the package was installed from the standard repository appears to have no bearing on Inspector's detection conditions.
Downloading a vulnerable Apache Tomcat binary on Amazon Linux 2023
Finally, let's download a vulnerable Apache Tomcat binary on Amazon Linux 2023 and check whether Inspector detects it.
Download the Apache Tomcat 10.0.18 binary so that CVE-2021-43980 would be detected.
CVE-2021-43980 is a vulnerability that can be detected on Amazon Linux 2023.
Now let's download the binary.
```
# Install Java, required as a dependency
$ sudo dnf install java
Last metadata expiration check: 0:28:38 ago on Mon May 29 00:45:44 2023.
Dependencies resolved.
=================================================================================================================
 Package                                Architecture   Version                       Repository         Size
=================================================================================================================
Installing:
 java-17-amazon-corretto                x86_64         1:17.0.7+7-1.amzn2023.1       amazonlinux       188 k
Installing dependencies:
 alsa-lib                               x86_64         1.2.7.2-1.amzn2023.0.2        amazonlinux       504 k
 cairo                                  x86_64         1.17.4-3.amzn2023.0.2         amazonlinux       674 k
 dejavu-sans-fonts                      noarch         2.37-16.amzn2023.0.2          amazonlinux       1.3 M
 dejavu-sans-mono-fonts                 noarch         2.37-16.amzn2023.0.2          amazonlinux       467 k
 dejavu-serif-fonts                     noarch         2.37-16.amzn2023.0.2          amazonlinux       1.0 M
 fontconfig                             x86_64         2.13.94-2.amzn2023.0.2        amazonlinux       273 k
 fonts-filesystem                       noarch         1:2.0.5-5.amzn2023.0.2        amazonlinux       8.7 k
 freetype                               x86_64         2.12.1-3.amzn2023.0.1         amazonlinux       418 k
 giflib                                 x86_64         5.2.1-9.amzn2023              amazonlinux        49 k
 google-noto-fonts-common               noarch         20201206-2.amzn2023.0.2       amazonlinux        15 k
 google-noto-sans-vf-fonts              noarch         20201206-2.amzn2023.0.2       amazonlinux       492 k
 graphite2                              x86_64         1.3.14-7.amzn2023.0.2         amazonlinux        97 k
 harfbuzz                               x86_64         7.0.0-2.amzn2023.0.1          amazonlinux       868 k
 java-17-amazon-corretto-headless       x86_64         1:17.0.7+7-1.amzn2023.1       amazonlinux        91 M
 javapackages-filesystem                noarch         6.0.0-7.amzn2023.0.5          amazonlinux        13 k
 langpacks-core-font-en                 noarch         3.0-21.amzn2023.0.4           amazonlinux        10 k
 libICE                                 x86_64         1.0.10-6.amzn2023.0.2         amazonlinux        71 k
 libSM                                  x86_64         1.2.3-8.amzn2023.0.2          amazonlinux        42 k
 libX11                                 x86_64         1.7.2-3.amzn2023.0.2          amazonlinux       657 k
 libX11-common                          noarch         1.7.2-3.amzn2023.0.2          amazonlinux       152 k
 libXau                                 x86_64         1.0.9-6.amzn2023.0.2          amazonlinux        31 k
 libXext                                x86_64         1.3.4-6.amzn2023.0.2          amazonlinux        41 k
 libXi                                  x86_64         1.7.10-6.amzn2023.0.2         amazonlinux        40 k
 libXinerama                            x86_64         1.1.4-8.amzn2023.0.2          amazonlinux        15 k
 libXrandr                              x86_64         1.5.2-6.amzn2023.0.2          amazonlinux        28 k
 libXrender                             x86_64         0.9.10-14.amzn2023.0.2        amazonlinux        28 k
 libXt                                  x86_64         1.2.0-4.amzn2023.0.2          amazonlinux       181 k
 libXtst                                x86_64         1.2.3-14.amzn2023.0.2         amazonlinux        21 k
 libbrotli                              x86_64         1.0.9-4.amzn2023.0.2          amazonlinux       315 k
 libjpeg-turbo                          x86_64         2.1.4-2.amzn2023.0.2          amazonlinux       190 k
 libpng                                 x86_64         2:1.6.37-10.amzn2023.0.2      amazonlinux       128 k
 libxcb                                 x86_64         1.13.1-7.amzn2023.0.2         amazonlinux       230 k
 pixman                                 x86_64         0.40.0-3.amzn2023.0.3         amazonlinux       295 k
 xml-common                             noarch         0.6.3-56.amzn2023.0.2         amazonlinux        32 k

Transaction Summary
=================================================================================================================
Install  35 Packages

Total download size: 100 M
Installed size: 261 M
Is this ok [y/N]: y
Downloading Packages:
(1/35): libXext-1.3.4-6.amzn2023.0.2.x86_64.rpm                       668 kB/s |  41 kB     00:00
(2/35): libXrender-0.9.10-14.amzn2023.0.2.x86_64.rpm                  317 kB/s |  28 kB     00:00
(3/35): freetype-2.12.1-3.amzn2023.0.1.x86_64.rpm                     3.3 MB/s | 418 kB     00:00
.
.
(omitted)
.
.
  Verifying        : google-noto-fonts-common-20201206-2.amzn2023.0.2.noarch               33/35
  Verifying        : google-noto-sans-vf-fonts-20201206-2.amzn2023.0.2.noarch              34/35
  Verifying        : javapackages-filesystem-6.0.0-7.amzn2023.0.5.noarch                   35/35

Installed:
  alsa-lib-1.2.7.2-1.amzn2023.0.2.x86_64
  cairo-1.17.4-3.amzn2023.0.2.x86_64
  dejavu-sans-fonts-2.37-16.amzn2023.0.2.noarch
  dejavu-sans-mono-fonts-2.37-16.amzn2023.0.2.noarch
  dejavu-serif-fonts-2.37-16.amzn2023.0.2.noarch
  fontconfig-2.13.94-2.amzn2023.0.2.x86_64
  fonts-filesystem-1:2.0.5-5.amzn2023.0.2.noarch
  freetype-2.12.1-3.amzn2023.0.1.x86_64
  giflib-5.2.1-9.amzn2023.x86_64
  google-noto-fonts-common-20201206-2.amzn2023.0.2.noarch
  google-noto-sans-vf-fonts-20201206-2.amzn2023.0.2.noarch
  graphite2-1.3.14-7.amzn2023.0.2.x86_64
  harfbuzz-7.0.0-2.amzn2023.0.1.x86_64
  java-17-amazon-corretto-1:17.0.7+7-1.amzn2023.1.x86_64
  java-17-amazon-corretto-headless-1:17.0.7+7-1.amzn2023.1.x86_64
  javapackages-filesystem-6.0.0-7.amzn2023.0.5.noarch
  langpacks-core-font-en-3.0-21.amzn2023.0.4.noarch
  libICE-1.0.10-6.amzn2023.0.2.x86_64
  libSM-1.2.3-8.amzn2023.0.2.x86_64
  libX11-1.7.2-3.amzn2023.0.2.x86_64
  libX11-common-1.7.2-3.amzn2023.0.2.noarch
  libXau-1.0.9-6.amzn2023.0.2.x86_64
  libXext-1.3.4-6.amzn2023.0.2.x86_64
  libXi-1.7.10-6.amzn2023.0.2.x86_64
  libXinerama-1.1.4-8.amzn2023.0.2.x86_64
  libXrandr-1.5.2-6.amzn2023.0.2.x86_64
  libXrender-0.9.10-14.amzn2023.0.2.x86_64
  libXt-1.2.0-4.amzn2023.0.2.x86_64
  libXtst-1.2.3-14.amzn2023.0.2.x86_64
  libbrotli-1.0.9-4.amzn2023.0.2.x86_64
  libjpeg-turbo-2.1.4-2.amzn2023.0.2.x86_64
  libpng-2:1.6.37-10.amzn2023.0.2.x86_64
  libxcb-1.13.1-7.amzn2023.0.2.x86_64
  pixman-0.40.0-3.amzn2023.0.3.x86_64
  xml-common-0.6.3-56.amzn2023.0.2.noarch

Complete!

# Check the Java version
$ java --version
openjdk 17.0.7 2023-04-18 LTS
OpenJDK Runtime Environment Corretto-17.0.7.7.1 (build 17.0.7+7-LTS)
OpenJDK 64-Bit Server VM Corretto-17.0.7.7.1 (build 17.0.7+7-LTS, mixed mode, sharing)

# Download the Tomcat binary
$ wget https://archive.apache.org/dist/tomcat/tomcat-10/v10.0.18/src/apache-tomcat-10.0.18-src.tar.gz
--2023-05-29 01:25:38--  https://archive.apache.org/dist/tomcat/tomcat-10/v10.0.18/src/apache-tomcat-10.0.18-src.tar.gz
Resolving archive.apache.org (archive.apache.org)... 65.108.204.189, 2a01:4f9:1a:a084::2
Connecting to archive.apache.org (archive.apache.org)|65.108.204.189|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6088118 (5.8M) [application/x-gzip]
Saving to: ‘apache-tomcat-10.0.18-src.tar.gz’

apache-tomcat-10.0.18-src.tar.gz   100%[===========================================================================================>]   5.81M  6.20MB/s    in 0.9s

2023-05-29 01:25:40 (6.20 MB/s) - ‘apache-tomcat-10.0.18-src.tar.gz’ saved [6088118/6088118]

# Extract
$ tar zxvf apache-tomcat-10.0.18-src.tar.gz
.
.
(omitted)
.
.
apache-tomcat-10.0.18-src/webapps/manager/WEB-INF/web.xml
apache-tomcat-10.0.18-src/webapps/manager/css/manager.css
apache-tomcat-10.0.18-src/webapps/manager/images/asf-logo.svg
apache-tomcat-10.0.18-src/webapps/manager/images/tomcat.svg
apache-tomcat-10.0.18-src/webapps/manager/index.jsp
apache-tomcat-10.0.18-src/webapps/manager/status.xsd
apache-tomcat-10.0.18-src/webapps/manager/xform.xsl
```
After downloading the binary, I manually apply the SSM State Manager association InspectorInventoryCollection-do-not-delete.
However, even after waiting an hour, nothing is detected.
In the first place, Apache Tomcat does not appear in the SSM Inventory application list.
That is only to be expected: the only things recognized as applications by SSM Inventory are those that rpm, dpkg-query, or snap can see.
This is written in the source code of the SSM Agent installed on Amazon Linux 2023.
It is also introduced in the following article.
Specifically, it is in dataProvider_unix.go, which performs the inventory collection.
```go
var (
	startMarker = "<start" + randomString(8) + ">"
	endMarker   = "<end" + randomString(8) + ">"

	// rpm commands related constants
	rpmCmd                        = "rpm"
	rpmCmdArgToGetAllApplications = "-qa"
	rpmQueryFormat                = "--queryformat"
	rpmQueryFormatArgs            = `\{"Name":"` + mark(`%{NAME}`) +
		`","Publisher":"` + mark(`%{VENDOR}`) +
		`","Version":"` + mark(`%{VERSION}`) +
		`","Release":"` + mark(`%{RELEASE}`) +
		`","Epoch":"` + mark(`%{EPOCH}`) +
		`","InstalledTime":"` + mark(`%{INSTALLTIME}`) +
		`","ApplicationType":"` + mark(`%{GROUP}`) +
		`","Architecture":"` + mark(`%{ARCH}`) +
		`","Url":"` + mark(`%{URL}`) + `",` +
		`"Summary":"` + mark(`%{Summary}`) +
		`","PackageId":"` + mark(`%{SourceRPM}`) + `"\},`

	// dpkg query commands related constants
	dpkgCmd                      = "dpkg-query"
	dpkgArgsToGetAllApplications = "-W"
	dpkgQueryFormat              = `-f={"Name":"` + mark(`${Package}`) +
		`","Publisher":"` + mark(`${Maintainer}`) +
		`","Version":"` + mark(`${Version}`) +
		`","ApplicationType":"` + mark(`${Section}`) +
		`","Architecture":"` + mark(`${Architecture}`) +
		`","Url":"` + mark(`${Homepage}`) +
		`","Summary":"` + mark(`${Description}`) +
		// PackageId should be something like ${Filename}, but for some reason that field does not get printed,
		// so we build PackageId from parts
		`","PackageId":"` + mark(`${Package}_${Version}_${Architecture}.deb`) + `"},`

	snapPkgName                    = "snapd"
	snapCmd                        = "snap"
	snapArgsToGetAllInstalledSnaps = "list"
	snapQueryFormat                = "{\"Name\":\"%s\",\"Publisher\":\"%s\",\"Version\":\"%s\",\"ApplicationType\":\"%s\",\"Architecture\":\"%s\",\"Url\":\"%s\",\"Summary\":\"%s\",\"PackageId\":\"%s\"}"

	// platforms that can pass application inventory files, as the agent cannot gather the data from the local package manager
	inventoryApplicationFileSupportedPlatforms = []string{"Bottlerocket"}
)
```

```go
// collectPlatformDependentApplicationData collects all application data from the system using rpm or dpkg query.
func collectPlatformDependentApplicationData(context context.T) (appData []model.ApplicationData) {
	var err error
	var cmd string
	var args []string

	log := context.Log()
	platformName, _ := platformInfoProvider(log)

	for _, fileSupportedPlatform := range inventoryApplicationFileSupportedPlatforms {
		lowerPlatformName := strings.ToLower(platformName)
		formattedPlatformName := strings.ReplaceAll(lowerPlatformName, " ", "-")
		inventoryApplicationFileLocation := "/var/lib/" + formattedPlatformName + "/inventory/application.json"
		if platformName == fileSupportedPlatform && fileExists(inventoryApplicationFileLocation) {
			var inventoryApplicationFileBytes []byte
			if inventoryApplicationFileBytes, err = ioutil.ReadFile(inventoryApplicationFileLocation); err != nil {
				log.Errorf("Unable to read inventory file - hence no inventory data for %v: %v", GathererName, err)
				return
			}
			if appData, err = getInventoryApplicationFileData(inventoryApplicationFileBytes); err != nil {
				log.Errorf("Failed to gather inventory data from inventory file %v: %v", GathererName, err)
				return
			}
			log.Infof("Used file to gather application")
			return
		}
	}

	if checkCommandExists(dpkgCmd) {
		cmd = dpkgCmd
		args = []string{dpkgArgsToGetAllApplications, dpkgQueryFormat}
	} else if checkCommandExists(rpmCmd) {
		cmd = rpmCmd
		args = []string{rpmCmdArgToGetAllApplications, rpmQueryFormat, rpmQueryFormatArgs}
	} else {
		log.Errorf("Unable to detect package manager - hence no inventory data for %v", GathererName)
		return
	}

	log.Infof("Using '%s' to gather application information", cmd)
	if appData, err = getApplicationData(context, cmd, args); err != nil {
		log.Errorf("Failed to gather inventory data for %v: %v", GathererName, err)
		return
	}

	// Due to ubuntu 18 use snap, so add getApplicationData here
	if snapIsInstalled(appData) {
		cmd = snapCmd
		args = []string{snapArgsToGetAllInstalledSnaps}
		var snapAppData []model.ApplicationData
		if snapAppData, err = getApplicationData(context, cmd, args); err != nil {
			log.Errorf("Getting applications information using snap failed. Skipping.")
			return
		}
		log.Infof("Appending application information found using snap to application data.")
		appData = append(appData, snapAppData...)
	}
	return
}
```
Amazon Inspector v2 uses the application information collected by SSM Inventory. Therefore, anything that SSM Inventory does not collect as an application (a binary that was merely placed on the host, or software compiled and installed from source) cannot be detected by Amazon Inspector v2.
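The two checks above (does the package manager know the software, and does it then show up in the SSM Inventory application list) can be reproduced by hand. The following script is an added example, not the SSM Agent's own code or anything from AWS: it rebuilds the same rpm and dpkg-query format strings the agent uses, parses the marker-wrapped output, and reports whether a given package would reach SSM Inventory and therefore Amazon Inspector. The fixed marker suffix, the sample package records, and the helper names (`parse_inventory`, `find_package`, `inspector_can_see`) are constructed for this example; the agent's real markers carry a random 8-character suffix.

```python
import re
import shutil
import subprocess

# The agent appends a random 8-character suffix to its markers; a fixed one is enough here.
START, END = "<start00000000>", "<end00000000>"


def mark(field: str) -> str:
    """Wrap a package-manager format specifier in the agent's start/end markers."""
    return START + field + END


# Same field lists as dataProvider_unix.go (rpm braces are escaped with backslashes).
RPM_QUERYFORMAT = (
    r'\{"Name":"' + mark("%{NAME}") + '","Publisher":"' + mark("%{VENDOR}")
    + '","Version":"' + mark("%{VERSION}") + '","Release":"' + mark("%{RELEASE}")
    + '","Epoch":"' + mark("%{EPOCH}") + '","InstalledTime":"' + mark("%{INSTALLTIME}")
    + '","ApplicationType":"' + mark("%{GROUP}") + '","Architecture":"' + mark("%{ARCH}")
    + '","Url":"' + mark("%{URL}") + '","Summary":"' + mark("%{Summary}")
    + '","PackageId":"' + mark("%{SourceRPM}") + r'"\},'
)
DPKG_QUERYFORMAT = (
    '-f={"Name":"' + mark("${Package}") + '","Publisher":"' + mark("${Maintainer}")
    + '","Version":"' + mark("${Version}") + '","ApplicationType":"' + mark("${Section}")
    + '","Architecture":"' + mark("${Architecture}") + '","Url":"' + mark("${Homepage}")
    + '","Summary":"' + mark("${Description}")
    + '","PackageId":"' + mark("${Package}_${Version}_${Architecture}.deb") + '"},'
)

# One marker-wrapped field; values may legally contain quotes or braces.
FIELD_RE = re.compile(
    r'"(\w+)":"' + re.escape(START) + r"(.*?)" + re.escape(END) + r'"', re.S
)


def parse_inventory(raw: str) -> list:
    """Turn marker-wrapped rpm/dpkg output into a list of application dicts.

    A new record starts at every "Name" field, so no JSON parser is needed
    even when a Summary contains characters that would break JSON.
    """
    records = []
    for key, value in FIELD_RE.findall(raw):
        if key == "Name":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def find_package(records, fragment: str):
    """Records whose Name contains the fragment (case-insensitive).

    Works on parse_inventory() output and equally on the Entries list from
    `aws ssm list-inventory-entries --type-name AWS:Application`.
    """
    needle = fragment.lower()
    return [r for r in records if needle in r.get("Name", "").lower()]


def inspector_can_see(records, fragment: str) -> bool:
    """True when the package manager (and so SSM Inventory) knows the software."""
    return bool(find_package(records, fragment))


def query_host_inventory():
    """Run the command the agent would run on this host (dpkg first, then rpm).

    Returns None when neither package manager exists; needs a real Linux host,
    so the constructed sample below is used for an offline run.
    """
    if shutil.which("dpkg-query"):
        cmd = ["dpkg-query", "-W", DPKG_QUERYFORMAT]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-qa", "--queryformat", RPM_QUERYFORMAT]
    else:
        return None
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_inventory(out)


# Constructed sample in the rpm output format: wireshark and Corretto installed
# from the AL2023 repository show up; a Tomcat unpacked from a tarball never does.
SAMPLE_RPM_OUTPUT = (
    '{"Name":"' + mark("wireshark") + '","Publisher":"' + mark("Amazon Linux")
    + '","Version":"' + mark("4.0.3") + '","Release":"' + mark("1.amzn2023.0.2")
    + '","Epoch":"' + mark("(none)") + '","InstalledTime":"' + mark("1685322000")
    + '","ApplicationType":"' + mark("Unspecified") + '","Architecture":"' + mark("x86_64")
    + '","Url":"' + mark("https://www.wireshark.org/")
    + '","Summary":"' + mark('Network "traffic" analyzer')
    + '","PackageId":"' + mark("wireshark-4.0.3-1.amzn2023.0.2.src.rpm") + '"},'
    + '{"Name":"' + mark("java-17-amazon-corretto") + '","Publisher":"' + mark("Amazon.com, Inc.")
    + '","Version":"' + mark("17.0.7+7") + '","Release":"' + mark("1.amzn2023.1")
    + '","Epoch":"' + mark("1") + '","InstalledTime":"' + mark("1685322100")
    + '","ApplicationType":"' + mark("Development/Languages") + '","Architecture":"' + mark("x86_64")
    + '","Url":"' + mark("https://aws.amazon.com/corretto/")
    + '","Summary":"' + mark("Amazon Corretto 17 development environment")
    + '","PackageId":"' + mark("java-17-amazon-corretto-17.0.7+7-1.amzn2023.1.src.rpm") + '"},'
)


if __name__ == "__main__":
    records = query_host_inventory() or parse_inventory(SAMPLE_RPM_OUTPUT)
    for name in ("wireshark", "corretto", "tomcat"):
        state = "visible to Inspector" if inspector_can_see(records, name) else "NOT in inventory"
        print(f"{name}: {state}")
```

Run it on the instance itself to get the real package-manager view; anything the script reports as not in inventory is software that Amazon Inspector v2 will never evaluate, so it needs another control (repository packaging, a container image scan, or a separate SCA tool) regardless of what Detection platforms says for the CVE.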
Checking Detection platforms in Vulnerability database search is important
I have shown that to know whether Amazon Inspector can detect a given vulnerability on a given OS, you need to check Detection platforms in Vulnerability database search.
Even software installed from the standard repository may, in some cases, not be included in Detection platforms, so care is needed.
Currently, Vulnerability database search can only be searched by CVE. It would be nice if it could be searched by package name, Detection platforms, or CVSS score in the future.
I hope this article helps someone.
That's all from のんピ(@non____97) of the Consulting Department, AWS Business Division!