False positive for CVE-2024-47606

Open rebeccaui opened this issue 10 months ago • 3 comments

Fleet version: 4.65

💥 Actual behavior

Fleet has misidentified a vulnerability in libgstreamer1.0-0, 1.16.3-0ubuntu1.2 CVE-2024-47606

🧑‍💻 Steps to reproduce

  1. Upload libgstreamer1.0-0, 1.16.3-0ubuntu1.2 to Fleet.
  2. Wait for CVE-2024-47606 to be assigned to it.

🕯️ More info (optional)

N/A

Fix the false positive.

rebeccaui avatar Mar 21 '25 17:03 rebeccaui

Linked to Unthread ticket:

User message analysis #5150

Sampfluger88 avatar Mar 21 '25 18:03 Sampfluger88

Scope of this is likely either "add false positive handling to OVAL" or "fix parsing of OVALs", to give an idea on estimation.

iansltx avatar Mar 26 '25 01:03 iansltx

Hey team! Please add your planning poker estimate with Zenhub @jahzielv @ksykulev

iansltx avatar Mar 26 '25 01:03 iansltx

This appears to have been resolved with an update from Canonical's side of the OVAL.

Confirmed true-negative and true-positive scenarios here:

The top (vulnerable, true positive) entry was repro'd by running apt install libgstreamer1.0-0=1.16.2-2 on the ubuntu:focal-20191030 Docker image.

The bottom (not vulnerable, true negative) entry was repro'd by running apt install libgstreamer1.0-0 on the ubuntu:focal Docker image.

We'll likely need to revisit OVAL false-positive handling at a later date, but since this ticket is scoped to this specific CVE we'll handle the OVAL false-positive issue the next time we see an instance of that in the wild.

iansltx avatar May 14 '25 19:05 iansltx

False alert now tamed, Fleet's vigilance unblamed, Security's name reclaimed.

fleet-release avatar May 14 '25 19:05 fleet-release