#fleet

Ryan

10/20/2021, 9:18 AM
Interesting discovery regarding the automated vulnerability scanning - we have some Oracle Enterprise Linux hosts (don’t ask), and several vulnerabilities have been detected, we set up yum-cron and they got patched, however the vulnerability count hasn’t changed for the hosts in Fleet. Interestingly Fleet shows them as RedHat Enterprise Linux, which is what Oracle Linux is based on, and in fact the hosts themselves report that in /etc/redhat-release. How does the vulnerability scanner determine if a package is vulnerable or not? Is it based on the distro it thinks it is running?
12:57 PM
$ cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="7.9"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Oracle Linux Server 7.9"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:7:9:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://bugzilla.oracle.com/"

ORACLE_BUGZILLA_PRODUCT="Oracle Linux 7"
ORACLE_BUGZILLA_PRODUCT_VERSION=7.9
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=7.9
12:57 PM
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
1:00 PM
The code for this table suggests to me they don’t expect /etc/redhat-release to be present when /etc/os-release is, but I don’t know C++ very well 🤔 🙂 https://github.com/osquery/osquery/blob/master/osquery/tables/system/linux/os_version.cpp

Riccardo

10/20/2021, 1:56 PM
Looks like it’s an open issue: https://github.com/osquery/osquery/issues/7268

Ryan

10/20/2021, 1:59 PM
ah yeah 😄
1:59 PM
glad I’m not the only one then heheh
Tomas Touceda

10/20/2021, 2:07 PM
vulnerabilities are detected based on the best CPE guess from a software name, version, and source
2:08 PM
if you upgrade to a non vulnerable version and osquery doesn't report the old version anymore, then it will disappear from the host vulnerable software. However, what we have seen is that upgrading sometimes results in having both versions, and osquery picks that up
2:09 PM
that said, there's always the possibility of a bug in fleet, and if you feel like that's the case, we can debug further to see what might be happening
Mystery Incorporated

10/20/2021, 3:10 PM
@Ryan are they python packages you're seeing vulnerable by chance?

Ryan

10/20/2021, 4:06 PM
no, lots of packages actually, like curl and the kernel
Mystery Incorporated

10/21/2021, 1:47 AM
Ok gotcha, my experience is unrelated then, I updated python packages and found the original package still remained