
Vulnerability finding improvements #1176

Merged
merged 7 commits into from
Sep 17, 2024

Conversation

floydtree

@floydtree floydtree commented Sep 13, 2024

Related Issue: n/a

Description of changes:

  1. Adding a generalized Security Advisory object to the framework, to represent Apple SAs, Microsoft KB Articles and other vendor published advisories
  2. Updating descriptions throughout Vulnerability object
  3. Adding related_cwes, related_cves, exploit_last_seen_time to the framework

--

Demonstrating the use case of the new advisory object

OCSF Vulnerability Finding event, modelling an Apple SA-based finding.

{
    "activity_id": 1,
    "activity_name": "Create",
    "resources": [
     {
        "cloud_partition": "aws", 
        "data": { 
            "awsEc2Instance": { 
                "type": "mac1.metal",
                "imageId": "ami-1234aa5678b90123b",
                "ipV4Addresses": [
                  "10.0.0.2"
                ],
                "ipV6Addresses": [],
                "keyName": "Example-KeyPair",
                "iamInstanceProfileArn": "arn:aws:iam::1234567890123:instance-profile/MacSSMRole",
                "vpcId": "vpc-123456a7b8c90123d",
                "subnetId": "subnet-1a23456b7cd89d01a",
                "launchedAt": "2024-08-19T10:45:43.000Z",
                "platform": "MACOS"
            },
            "type": "AWS_EC2_INSTANCE"
        },
        "labels": ["Name: macOS-BigSur-Example"], 
        "region": "us-east-1",
        "type": "AWS_EC2_INSTANCE", 
        "uid": "i-123ab4c5678901d23" 
    } ], 
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Vulnerability Finding",
    "class_uid": 2002,
    "cloud": {
        "account": {
            "type_id": 10, 
            "uid": "1234567890123" 
        },
       "provider": "AWS",
       "region": "us-east-1"
    },
    "enrichments": [
        {
            "name": "vulnerabilities.advisory.uid", 
            "value": "APPLE-SA-2022-12-13-6", 
            "type": "Inspector Priority",
            "provider": "Amazon Inspector",
            "data": { 
                "eeveePriority": "IMMEDIATE",
                "eeveePriorityIntelligence": "UNVERIFIED"
            }
        }
    ],
    "finding_info": {
        "created_time": "2023-04-20T22:01:25.133Z", 
        "first_seen_time": "2023-04-20T22:01:25.133Z", 
        "last_seen_time": "2024-08-19T10:45:58.815Z",
        "modified_time": "2024-08-19T10:45:58.815Z", 
        "title": "APPLE-SA-2022-12-13-6 - macOS 11.7.1",
        "types": [
            "PACKAGE_VULNERABILITY"
        ],
        "uid": "arn:aws:inspector2:us-east-1:1234567890123:finding/4680fc060e62ccdbf7907f810d844c2b"
    },
    "metadata": {
        "product": { 
               "name": "Amazon Inspector"
         },
        "version": "1.4.0-dev" 
    },
    "severity": "Critical", 
    "severity_id": 5,
    "status": "In Progress",
    "status_id": 2,
    "time": "2023-04-20T22:01:25.133Z", 
    "type_name": "Vulnerability Finding: Create",
    "type_uid": 200201,
    "vulnerabilities": [
        {
            "affected_packages": [ 
                {
                    "architecture": "ALL",
                    "epoch": 0,
                    "fixed_in_version": "0:11.7.2",
                    "name": "macOS",
                    "remediation": {
                        "desc": "softwareupdate --list"
                    },
                    "version": "11.7.1"
                }
            ],
            "advisory": {
                "created_time": "2022-12-13T12:00:00.000Z", 
                "severity": "CRITICAL", 
                "related_cves": [ 
                    {
                        "uid": "CVE-2022-32942",
                        "cvss": [
                            {
                                "base_score": 7.8,
                                "severity": "HIGH",
                                "source": "NVD",
                                "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32942",
                                "vector_string": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                                "version": "CVSS3.1"
                            }
                        ],
                        "created_time": "2022-12-15T19:15:18Z",
                        "desc": "The issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2. An app may be able to execute arbitrary code with kernel privileges.",
                        "epss": {
                            "created_time": "2024-09-10T00:00:00+0000", 
                            "score": "0.00097", 
                            "percentile": 0.41423,
                            "version": "v2023.03.01"
                        },
                        "modified_time": "2023-01-09T16:59:08Z"
                    },
                    {
                        "uid": "CVE-2022-42840",
                        "cvss": [
                            {
                                "base_score": 7.8,
                                "severity": "HIGH",
                                "source": "NVD",
                                "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42840",
                                "vector_string": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                                "version": "CVSS3.1"
                            }
                        ],
                        "created_time": "2022-12-15T19:15:23Z",
                        "desc": "The issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2. An app may be able to execute arbitrary code with kernel privileges.",
                        "epss": {
                            "created_time": "2024-09-10T00:00:00+0000", 
                            "score": "0.00097", 
                            "percentile": 0.41423,
                            "version": "v2023.03.01"
                        },
                        "modified_time": "2023-01-09T16:59:23Z"
                    },
                    {
                        "uid": "CVE-2022-42841",
                        "cvss": [
                            {
                                "base_score": 7.8,
                                "severity": "HIGH",
                                "source": "NVD",
                                "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42841",
                                "vector_string": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                                "version": "CVSS3.1"
                            }
                        ],
                        "cwe": [],
                        "created_time": "2022-12-15T19:15:32Z",
                        "desc": "A type confusion issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2. Processing a maliciously crafted package may lead to arbitrary code execution.",
                        "epss": {
                            "created_time": "2024-09-10T00:00:00+0000", 
                            "score": "0.00108", 
                            "percentile": 0.44515,
                            "version": "v2023.03.01"
                        },
                        "modified_time": "2023-01-09T16:59:32Z"
                    },  
                    {
                        "uid": "CVE-2022-42845",
                        "cvss": [
                            {
                                "base_score": 7.2,
                                "severity": "HIGH",
                                "source": "NVD",
                                "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42845",
                                "vector_string": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                                "version": "CVSS3.1"
                            }
                        ],
                        "created_time": "2022-12-15T19:15:24Z",
                        "desc": "The issue was addressed with improved memory handling. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. An app with root privileges may be able to execute arbitrary code with kernel privileges.",
                        "epss": {
                            "created_time": "2024-09-10T00:00:00+0000", 
                            "score": "0.00648", 
                            "percentile": 0.79742,
                            "version": "v2023.03.01"
                        },
                        "modified_time": "2023-11-07T03:53:38Z"
                    },  
                    {
                        "uid": "CVE-2022-46689",
                        "cvss": [
                            {
                                "base_score": 7.0,
                                "severity": "HIGH",
                                "source": "NVD",
                                "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46689",
                                "vector_string": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                                "version": "CVSS3.1"
                            }
                        ],
                        "cwe": [
                            "CWE-362"
                        ],
                        "created_time": "2022-12-15T19:15:26Z",
                        "desc": "A race condition was addressed with additional validation. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges.",
                        "epss": {
                            "created_time": "2024-09-10T00:00:00+0000", 
                            "score": "0.00586", 
                            "percentile": 0.78574,
                            "version": "v2023.03.01"
                        },
                        "modified_time": "2023-01-09T16:48:27Z"
                    },  
                    {
                        "uid": "CVE-2022-40304",
                        "cvss": [
                            {
                                "base_score": 7.8,
                                "severity": "HIGH",
                                "source": "NVD",
                                "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40304",
                                "vector_string": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                                "version": "CVSS3.1"
                            }
                        ],
                        "cwe": [
                            "CWE-415"
                        ],
                        "created_time": "2022-11-23T19:15:26Z",
                        "desc": "An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.",
                        "epss": {
                            "created_time": "2024-09-10T00:00:00+0000", 
                            "score": "0.00089", 
                            "percentile": 0.39013,
                            "version": "v2023.03.01"
                        },
                        "modified_time": "2023-11-07T03:52:15Z"
                    },  
                    {
                        "uid": "CVE-2022-42842",
                        "cvss": [
                            {
                                "base_score": 9.8,
                                "severity": "CRITICAL",
                                "source": "NVD",
                                "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42842",
                                "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                                "version": "CVSS3.1"
                            }
                        ],
                        "created_time": "2022-11-23T19:15:26Z",
                        "desc": "The issue was addressed with improved memory handling. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. A remote user may be able to cause kernel code execution.",
                        "epss": {
                            "created_time": "2024-09-10T00:00:00+0000", 
                            "score": "0.01213", 
                            "percentile": 0.85593,
                            "version": "v2023.03.01"
                        },
                        "modified_time": "2023-01-09T16:48:27Z"
                    },  
                    {
                        "uid": "CVE-2022-42864",
                        "cvss": [
                            {
                                "base_score": 7.0,
                                "severity": "HIGH",
                                "source": "NVD",
                                "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42864",
                                "vector_string": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                                "version": "CVSS3.1"
                            }
                        ],
                        "cwe": [
                            "CWE-362"
                        ],
                        "created_time": "2022-11-23T19:15:26Z",
                        "desc": "A race condition was addressed with improved state handling. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges.",
                        "epss": {
                            "created_time": "2024-09-10T00:00:00+0000", 
                            "score": "0.00127", 
                            "percentile": 0.48284,
                            "version": "v2023.03.01"
                        },
                        "modified_time": "2023-01-09T16:48:27Z"
                    },  
                    {
                        "uid": "CVE-2022-40303",
                        "cvss": [
                            {
                                "base_score": 7.5,
                                "severity": "HIGH",
                                "source": "NVD",
                                "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40303",
                                "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                                "version": "CVSS3.1"
                            }
                        ],
                        "cwe": [
                            "CWE-190"
                        ],
                        "created_time": "2022-11-23T19:15:26Z",
                        "desc": "An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.",
                        "epss": {
                            "created_time": "2024-09-10T00:00:00+0000", 
                            "score": "0.00499", 
                            "percentile": 0.76752,
                            "version": "v2023.03.01"
                        },
                        "modified_time": "2023-01-09T16:48:27Z"
                    },  
                    {
                        "uid": "CVE-2022-42821",
                        "cvss": [
                            {
                                "base_score": 5.5,
                                "severity": "MEDIUM",
                                "source": "NVD",
                                "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42821",
                                "vector_string": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
                                "version": "CVSS3.1"
                            }
                        ],
                        "created_time": "2022-11-23T19:15:26Z",
                        "desc": "A logic issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.6.2, macOS Big Sur 11.7.2, macOS Ventura 13. An app may bypass Gatekeeper checks.",
                        "epss": {
                            "created_time": "2024-09-10T00:00:00+0000", 
                            "score": "0.00084", 
                            "percentile": 0.36497,
                            "version": "v2023.03.01"
                        },
                        "modified_time": "2023-01-09T16:48:27Z"
                    }
                ],
                "desc": "macOS Big Sur 11.7.2 addresses multiple issues. Information about the security content is available at: https://support.apple.com/HT213534",
                "uid": "APPLE-SA-2022-12-13-6" 
            },
            "is_exploit_available": false, 
            "is_fix_available": true, 
            "references": [
                "https://lists.apple.com/archives/security-announce/2023/Jan/msg00013.html",
                "https://support.apple.com/HT213534"
            ]
        }
    ]
}

Raw finding from Amazon Inspector:

{
  "findingArn": "arn:aws:inspector2:us-east-1:1234567890123:finding/4680fc060e62ccdbf7907f810d844c2b",
  "awsAccountId": "1234567890123",
  "type": "PACKAGE_VULNERABILITY",
  "description": "macOS Big Sur 11.7.2 addresses multiple issues. Information about the security content is available at: https://support.apple.com/HT213534",
  "title": "APPLE-SA-2022-12-13-6 - macOS 11.7.1",
  "remediation": {
    "recommendation": {
      "text": "macOS Big Sur 11.7.2 may be obtained from the Mac App Store or Apple\u0027s Software Downloads web site: https://support.apple.com/downloads"
    }
  },
  "severity": "CRITICAL",
  "firstObservedAt": "2023-04-20T22:01:25.133Z",
  "lastObservedAt": "2024-08-19T10:45:58.815Z",
  "updatedAt": "2024-08-19T10:45:58.815Z",
  "status": "ACTIVE",
  "resources": [
    {
      "type": "AWS_EC2_INSTANCE",
      "id": "i-123ab4c5678901d23",
      "partition": "aws",
      "region": "us-east-1",
      "tags": {
        "Name": "macOS-BigSur-Example"
      },
      "details": {
        "awsEc2Instance": {
          "type": "mac1.metal",
          "imageId": "ami-1234aa5678b90123b",
          "ipV4Addresses": [
            "10.0.0.2"
          ],
          "ipV6Addresses": [],
          "keyName": "Example-KeyPair",
          "iamInstanceProfileArn": "arn:aws:iam::1234567890123:instance-profile/MacSSMRole",
          "vpcId": "vpc-123456a7b8c90123d",
          "subnetId": "subnet-1a23456b7cd89d01a",
          "launchedAt": "2024-08-19T10:45:43.000Z",
          "platform": "MACOS"
        }
      }
    }
  ],
  "inspectorScoreDetails": {},
  "packageVulnerabilityDetails": {
    "vulnerabilityId": "APPLE-SA-2022-12-13-6",
    "vulnerablePackages": [
      {
        "name": "macOS",
        "version": "11.7.1",
        "epoch": 0,
        "arch": "ALL",
        "packageManager": "OS",
        "fixedInVersion": "0:11.7.2",
        "remediation": "softwareupdate --list"
      }
    ],
    "source": "MACOS",
    "cvss": [],
    "relatedVulnerabilities": [
        "CVE-2022-32942",
        "CVE-2022-42840",
        "CVE-2022-42841",
        "CVE-2022-42845",
        "CVE-2022-46689",
        "CVE-2022-40304",
        "CVE-2022-42842",
        "CVE-2022-42864",
        "CVE-2022-40303",
        "CVE-2022-42821"
    ],
    "sourceUrl": "https://support.apple.com/HT213534",
    "vendorSeverity": "UNTRIAGED",
    "vendorCreatedAt": "2022-12-13T12:00:00.000Z",
    "referenceUrls": [
        "https://lists.apple.com/archives/security-announce/2023/Jan/msg00013.html",
        "https://support.apple.com/HT213534"
    ]
  },
  "fixAvailable": "YES",
  "exploitAvailable": "NO",
  "exploitabilityDetails": {
    "lastKnownExploitAt": ""
  }
}

Signed-off-by: Rajas Panat <rajaspa@amazon.com>
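The mapping the two sample documents above imply, written out as an added example (not code from the PR or the OCSF project): a raw Amazon Inspector package-vulnerability finding is translated into an OCSF Vulnerability Finding whose `vulnerabilities[].advisory` carries the vendor advisory and its `related_cves`, with `is_fix_available`, `is_exploit_available` and the new `exploit_last_seen_time` derived from Inspector's `fixAvailable`, `exploitAvailable` and `lastKnownExploitAt`. The sample input is a constructed, trimmed copy of the Inspector finding in the PR description; placing `exploit_last_seen_time` on the vulnerability object and omitting it when Inspector reports an empty string are assumptions.

```python
from typing import Any

# Constructed sample: a trimmed copy of the raw Inspector finding shown in the PR.
RAW_FINDING: dict[str, Any] = {
    "findingArn": "arn:aws:inspector2:us-east-1:1234567890123:finding/4680fc060e62ccdbf7907f810d844c2b",
    "title": "APPLE-SA-2022-12-13-6 - macOS 11.7.1",
    "description": "macOS Big Sur 11.7.2 addresses multiple issues.",
    "severity": "CRITICAL",
    "status": "ACTIVE",
    "firstObservedAt": "2023-04-20T22:01:25.133Z",
    "lastObservedAt": "2024-08-19T10:45:58.815Z",
    "packageVulnerabilityDetails": {
        "vulnerabilityId": "APPLE-SA-2022-12-13-6",
        "vendorCreatedAt": "2022-12-13T12:00:00.000Z",
        "vulnerablePackages": [{"name": "macOS", "version": "11.7.1", "epoch": 0,
                                "arch": "ALL", "fixedInVersion": "0:11.7.2",
                                "remediation": "softwareupdate --list"}],
        "relatedVulnerabilities": ["CVE-2022-32942", "CVE-2022-46689"],
        "referenceUrls": ["https://support.apple.com/HT213534"],
    },
    "fixAvailable": "YES",
    "exploitAvailable": "NO",
    "exploitabilityDetails": {"lastKnownExploitAt": ""},  # "" = no exploit observed
}

# OCSF severity_id values; Inspector severities are upper-case strings.
SEVERITY_ID = {"INFORMATIONAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}
# Inspector finding status -> OCSF (status, status_id), following the PR sample (ACTIVE -> In Progress).
STATUS = {"ACTIVE": ("In Progress", 2), "SUPPRESSED": ("Suppressed", 3), "CLOSED": ("Resolved", 4)}


def to_ocsf(raw: dict[str, Any]) -> dict[str, Any]:
    """Build an OCSF Vulnerability Finding (class_uid 2002, activity Create)."""
    pvd = raw["packageVulnerabilityDetails"]
    packages = []
    for p in pvd.get("vulnerablePackages", []):
        pkg = {"name": p["name"], "version": p["version"], "epoch": p.get("epoch", 0),
               "architecture": p.get("arch"), "fixed_in_version": p.get("fixedInVersion")}
        if p.get("remediation"):
            pkg["remediation"] = {"desc": p["remediation"]}
        packages.append({k: v for k, v in pkg.items() if v is not None})
    vuln: dict[str, Any] = {
        "affected_packages": packages,
        # The vendor advisory itself; every CVE it rolls up becomes a cve object under related_cves
        # (CVSS/EPSS enrichment of those cve objects would come from a separate NVD lookup).
        "advisory": {
            "uid": pvd["vulnerabilityId"],
            "created_time": pvd.get("vendorCreatedAt"),
            "severity": raw["severity"],
            "desc": raw["description"],
            "related_cves": [{"uid": c} for c in pvd.get("relatedVulnerabilities", [])],
        },
        "is_fix_available": raw.get("fixAvailable") == "YES",
        "is_exploit_available": raw.get("exploitAvailable") == "YES",
        "references": pvd.get("referenceUrls", []),
    }
    exploit_seen = raw.get("exploitabilityDetails", {}).get("lastKnownExploitAt", "")
    if exploit_seen:  # assumption: only emit the new attribute when Inspector has a timestamp
        vuln["exploit_last_seen_time"] = exploit_seen
    status_name, status_id = STATUS.get(raw["status"], ("Unknown", 0))
    return {
        "activity_id": 1, "activity_name": "Create",
        "category_uid": 2, "category_name": "Findings",
        "class_uid": 2002, "class_name": "Vulnerability Finding",
        "type_uid": 2002 * 100 + 1, "type_name": "Vulnerability Finding: Create",
        "severity": raw["severity"].capitalize(), "severity_id": SEVERITY_ID.get(raw["severity"], 0),
        "status": status_name, "status_id": status_id,
        "time": raw["firstObservedAt"],
        "finding_info": {"uid": raw["findingArn"], "title": raw["title"],
                         "first_seen_time": raw["firstObservedAt"], "last_seen_time": raw["lastObservedAt"]},
        "vulnerabilities": [vuln],
    }
```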
@floydtree floydtree added enhancement New feature or request findings Issues related to Findings Category labels Sep 13, 2024
@floydtree floydtree requested a review from jcburgo September 13, 2024 19:16
@floydtree floydtree changed the title Vulnerability finding improvements [DRAFT] Vulnerability finding improvements Sep 13, 2024

@irakledibm irakledibm left a comment


lgtm

@floydtree floydtree marked this pull request as ready for review September 17, 2024 15:28
@floydtree floydtree changed the title [DRAFT] Vulnerability finding improvements Vulnerability finding improvements Sep 17, 2024
@mikeradka mikeradka merged commit bb09b1f into ocsf:main Sep 17, 2024
3 checks passed
@floydtree floydtree deleted the vuln_finding_improvements branch September 17, 2024 18:41
floydtree added a commit to floydtree/ocsf-schema that referenced this pull request Sep 19, 2024
Signed-off-by: Rajas Panat <rajaspa@amazon.com>
floydtree added a commit that referenced this pull request Sep 20, 2024
#### Related Issue: n/a

#### Description of changes:
1. Adding sibling definition for `confidence_id`. It has been missing
since we first added this attribute to the framework.
2. Adding missing changelog entries for #1176

---------

Signed-off-by: Rajas Panat <rajaspa@amazon.com>