Potential unaligned/outdated CVE checks for Docker Desktop (MacBook ARM)

[DavidGarciaCat]

Wazuh version
v4.5.1

I have installed a Wazuh agent on my laptop for testing reasons, and my Wazuh server reports 8 CVEs for my Docker Desktop on my MacBook with M1 SoC:

• CVE-2018-10892
• CVE-2019-13139
• CVE-2019-13509
• CVE-2019-16884
• CVE-2019-5736
• CVE-2020-27534
• CVE-2021-21284
• CVE-2021-21285

As per a recent discussion with the Docker team members in charge of getting security reports, all these CVEs have already been fixed:

• CVE-2018-10892 was fixed in docker engine 18.06.0 through Add /proc/acpi to masked paths moby/moby#37404 and [18.06] Add /proc/acpi to masked paths docker-archive/engine#14
• CVE-2019-13139 was fixed in docker engine 18.09.4 through gitutils: add validation for ref (CVE-2019-13139) moby/moby#38944
• CVE-2019-13509 was fixed in docker engine 18.09.9 https://docs.docker.com/engine/release-notes/18.09/#18098
• CVE-2019-16884 was fixed in runc v1.0.0-rc9 (Only allow proc mount if it is procfs opencontainers/runc#2129) and newer versions are included with any of the current versions of containerd and docker engine
• CVE-2019-5736 was fixed in a version of runc that's included with docker engine 18.06.3 and newer; https://docs.docker.com/engine/release-notes/18.06/#18062
• CVE-2020-27534 was fixed in docker engine 19.03.9 and newer; [19.03] vendor: buildkit v0.6.4-5-g59e305aa moby/moby#40877
• CVE-2021-21284 was fixed in docker engine 19.03.15 and v20.10.3 and newer; https://github.com/moby/moby/releases/tag/v19.03.15, https://github.com/moby/moby/releases/tag/v20.10.3
• CVE-2021-21285 was fixed in docker engine 19.03.15 and v20.10.3 and newer; https://github.com/moby/moby/releases/tag/v19.03.15, https://github.com/moby/moby/releases/tag/v20.10.3

I was wondering if there are any outdated databases or if there are any misconfiguration settings that can lead to get false positives.

The Docker Security team has answered me with the two following lines:

But note that while Docker Desktop for Mac does include the Docker Engine, the Engine is just "one" component of it, and it uses its own versioning that's separate from the Docker Engine.

Could it be Wazuh is looking at the Docker Desktop version, and producing false positives because of that?

Can you please advise me on the best course of action here? Before implementing Wazuh agents across the company's computers, I need to ensure we won't get false positives for each computer we install an agent.

I am looking forward to hearing from you, and thanks in advance for any potential help you might provide.

Warm regards,

[nwhistler]

I ran into the same issue and I believe it is looking in the wrong place for the docker version. It is looking at the docker desktop version rather than the engine version. Do you know if there is a way to exclude this CVE based on OS or host?

[DavidGarciaCat]

No idea. But I would rather get a fix than hide the CVE as it might be reporting real security vulnerabilities in the future and hiding these ones could hide other issues later.

[bewareofgeek]

Seems this is still an issue