Bug 1315502

Summary: CVE-2014-7810 missing from RH SCAP/OVAL Definitions on RHEL7
Product: [Other] Security Response
Reporter: Rob <robert.mattson>
Component: data
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: unspecified
Version: unspecified
CC: jlieskov, jrusnack, openscap-maint, slukasik, thoger
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2017-02-02 17:00:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Rob 2016-03-07 23:05:16 UTC
Description of problem:
RedHat 7 is currently vulnerable to CVE-2014-7810.
There should be a check for CVE-2014-7810 in the SCAP definitions.

I acknowledge I'm raising this bug against the scanner; however, I can't seem to see an 'OVAL definitions' or similar component.

Version-Release number of selected component (if applicable):
today's definition -> sha1sum() = 90d5addbe3be4e4ed548524781b01ad504371c67de7b3b325fc2dfb0b9d9eb0b

How reproducible:
very.

Steps to Reproduce:
1. wget https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml
2. wget https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
3. sha256sum Red_Hat_Enterprise_Linux_7.xml  com.redhat.rhsa-all.xml
( 90d5addbe3be4e4ed548524781b01ad504371c67de7b3b325fc2dfb0b9d9eb0b  Red_Hat_Enterprise_Linux_7.xml
a2f3398fa685c0e431658c414f53376545669a35982ecd6cbecbb537d7646d9b  com.redhat.rhsa-all.xml)
4. #grep CVE-2014-7810 Red_Hat_Enterprise_Linux_7.xml com.redhat.rhsa-all.xml
(nothing returned)
5. echo $?
1

Actual results:
A check for CVE-2014-7810 is not defined.

Expected results:
A test must be defined.

Additional info:
-

Comment 2 Jan Lieskovsky 2016-03-08 09:14:39 UTC
Thank you for the report, Robert.

Moving the bug to the proper product and component for correct triage && resolution.

Regards, Jan.

Comment 4 Tomas Hoger 2016-03-08 09:34:56 UTC
OVAL content is only available for released errata.  Issues with no released erratum have no OVAL content published.

Comment 5 Šimon Lukašík 2016-03-08 09:45:08 UTC
This is not a bug in the openscap package published in Red Hat Enterprise Linux. This is an issue (or rather an RFE) for a derived stream published outside of Red Hat Enterprise Linux.

Please drop an e-mail to secalert, to have this RFE tracked correctly.

Comment 6 Tomas Hoger 2016-03-08 09:46:58 UTC
(In reply to Tomas Hoger from comment #4)
> Issues with no released erratum have no OVAL content published.

To clarify this: in situations where an issue affects multiple Red Hat Enterprise Linux versions and an update has already been released for, e.g., Red Hat Enterprise Linux 7 but not yet for Red Hat Enterprise Linux 6, the released OVAL content will only flag older Red Hat Enterprise Linux 7 packages as affected, and will not cover Red Hat Enterprise Linux 6.

Comment 7 Šimon Lukašík 2016-03-08 09:47:53 UTC
Omg, sorry. For whatever reason, I thought this was a bug against the openscap component. I am sorry for the churn. I'll punish myself appropriately.

Comment 8 Rob 2016-03-08 22:44:54 UTC
(In reply to Tomas Hoger from comment #6)
> (In reply to Tomas Hoger from comment #4)
> > Issues with no released erratum have no OVAL content published.
> 
> To clarify this, in situations when some issue affects multiple Red Hat
> Enterprise Linux versions, and there's update already released for e.g. Red
> Hat Enterprise Linux 7, but not yet for Red Hat Enterprise Linux 6, released
> OVAL content will only flag older Red Hat Enterprise Linux 7 packages as
> affected, but will not cover Red Hat Enterprise Linux 6.

The issue at hand is not resolved in any RHEL version, see https://bugzilla.redhat.com/show_bug.cgi?id=1222573

Acknowledgement that RHEL 6 & 7 (and possibly 5) are affected here:
https://access.redhat.com/security/cve/cve-2014-7810

The above link recognizes a fix available for JBoss.

Speaking more directly to your comment, is it the case, for example, that vulnerabilities present in the RedHat enterprise suite of products which are resolved in RHEL 7 are not highlighted by OVAL tests/the SCAP tool in older, yet still supported, RHEL releases when they could still be present? Is that an official RedHat policy?

Comment 9 Tomas Hoger 2016-03-09 08:58:19 UTC
(In reply to Rob from comment #8)
> Speaking more directly to your comment, is it the case for example, that
> vulnerabilities present in the RedHat enterprise suite of products which are
> resolved in RHEL 7 are not highlighted by OVAL tests/SCAP tool in older yet
> still supported RHEL releases when they could still be present?

Right, that's what my Red Hat Enterprise Linux 7 / 6 example was meant to explain.  If an update is released for RHEL-7, it does not make (still affected) RHEL-6 get flagged as affected.

The following quotes are from the OVAL FAQ:

https://access.redhat.com/articles/221883

  Red Hat creates and supports OVAL patch definitions, providing machine-readable versions of our security advisories.

  Red Hat OVAL content cannot be used to detect vulnerabilities in a system
  for which no security update has been released by Red Hat.

The latter can probably be made more explicit by changing the end to "... released by Red Hat for a given product version".
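As an added example (not code from the report or from Red Hat), here is a small Python script that does what the reproduction steps in the description do with grep, but against the OVAL structure itself: it parses a Red Hat OVAL v5 definitions file and lists the patch definitions (RHSA errata) that reference a CVE, with the platforms each one covers. The embedded feed is a constructed sample with a made-up RHSA number and CVE; an empty result means no erratum has been published for that product version (the point of comments 4, 6 and 9), not that the system is unaffected.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"oval": OVAL_NS}

# Constructed sample feed in Red Hat's OVAL v5 layout. The RHSA number and
# CVE-2016-9999 are made up; CVE-2014-7810 is deliberately absent, as in the feeds the reporter downloaded.
SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition id="oval:com.redhat.rhsa:def:20160001" version="601" class="patch">
      <metadata>
        <title>RHSA-2016:0001: example security update (Important)</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 7</platform>
        </affected>
        <reference ref_id="RHSA-2016:0001" source="RHSA"/>
        <reference ref_id="CVE-2016-9999" source="CVE"/>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>
"""

def cve_coverage(oval_xml, cve):
    """Return [(definition id, title, [platforms])] for every definition whose
    <reference> list cites cve. An empty list means no erratum in this feed,
    which is NOT the same as "not vulnerable"."""
    root = ET.fromstring(oval_xml)
    cve = cve.upper()
    hits = []
    for d in root.iterfind("oval:definitions/oval:definition", NS):
        refs = d.iterfind("oval:metadata/oval:reference", NS)
        if not any(r.get("ref_id", "").upper() == cve for r in refs):
            continue
        title = d.findtext("oval:metadata/oval:title", default="", namespaces=NS)
        plats = [p.text for p in d.iterfind("oval:metadata/oval:affected/oval:platform", NS)]
        hits.append((d.get("id"), title, plats))
    return hits

def covered_on(oval_xml, cve, platform):
    """True only if a definition citing cve lists platform as affected (comment 6 case)."""
    return any(platform in p for _, _, p in cve_coverage(oval_xml, cve))

if __name__ == "__main__":  # usage: script.py Red_Hat_Enterprise_Linux_7.xml CVE-2014-7810
    import sys
    print(cve_coverage(open(sys.argv[1], "rb").read(), sys.argv[2]) or "no patch definition: no erratum released for this product")
```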