
cve-errata-tool's Introduction

CVE-Errata-Tool

This set of tools helps Red Hat TAMs (Technical Account Managers) gather information about CVEs, errata, etc.
It calls the https://access.redhat.com/hydra/rest/securitydata API and prints the results in the terminal.

unresolved_cves.py

  • Provides information about CVEs that fulfil the search criteria: CVE number, release date, severity, URL, description, mitigation strategy, affected products and released errata (aka advisory, RHSA).
  • The script prints the data to the terminal and saves it to a *.csv file. It can also be given a preconfigured set of arguments in a *.txt file.
  • If --search-old-cves is specified, it also returns CVEs for the specified products that were released earlier but do not yet have errata published, or whose errata were published within the specified period. This argument is 0 by default.

Arguments:
-h, --help show help
-f, --file <filename.txt> read the arguments from a file filename.txt
-o, --search-old-cves <number of months> specify how far back you want to search for unresolved CVEs
-a, --after <YYYY-MM-DD> show only CVEs released after this date
-b, --before <YYYY-MM-DD> show only CVEs released before this date
-p, --product <product name> show affected products (supports Perl compatible regular expressions)
-s, --severity <low, moderate, important, critical> show CVEs of chosen severity
-r, --remove-unaffected <yes, no> do not show packages that are not affected by the CVE

rhsa.py

Queries the Red Hat Security Data API for the provided errata (aka advisory, RHSA) and gathers information about the CVE it concerns. Next, it queries the API for that CVE's info and prints all other errata connected to that CVE.

Arguments:
-r, --rhsa
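The filtering that unresolved_cves.py applies (date window, severity, product regex, --remove-unaffected) and the advisory-to-sibling-errata lookup that rhsa.py performs, as an added example that is not the project's own code. The record layout and field names (`threat_severity`, `public_date`, `package_state`, `affected_release`) are assumed from the Security Data API's CVE JSON; the sample record is constructed from the page's CVE-2021-44228 output, and the date bounds are taken to be inclusive.

```python
import re
from datetime import date

# Constructed sample in the shape of the Security Data API's /cve/<id>.json record.
# Field names are assumed from that API; values are trimmed from the page's
# CVE-2021-44228 output, plus one invented "Not affected" row.
SAMPLE_CVE = {
    "name": "CVE-2021-44228", "threat_severity": "Critical",
    "public_date": "2021-12-10T00:00:00Z",
    "package_state": [
        {"product_name": "Red Hat Integration Camel Quarkus", "fix_state": "Affected"},
        {"product_name": "Red Hat JBoss Fuse 7", "fix_state": "Not affected"}],
    "affected_release": [
        {"product_name": "Red Hat JBoss Fuse 7", "advisory": "RHSA-2022:0203",
         "release_date": "2022-01-20T00:00:00Z"},
        {"product_name": "Red Hat JBoss Fuse 7", "advisory": "RHSA-2021:5134",
         "release_date": "2021-12-14T00:00:00Z"},
        {"product_name": "Red Hat Data Grid 8", "advisory": "RHSA-2021:5132",
         "release_date": "2021-12-14T00:00:00Z"}],
}

def filter_cve(cve, after=None, before=None, product=None, severity=None,
               remove_unaffected=False):
    """unresolved_cves.py-style criteria for one CVE record (date bounds inclusive).
    Returns None outside the date/severity window, else the package states and
    errata narrowed to products matching the `product` regex."""
    pub = date.fromisoformat(cve["public_date"][:10])  # timestamp -> calendar date
    if after and pub < date.fromisoformat(after):
        return None
    if before and pub > date.fromisoformat(before):
        return None
    if severity and cve["threat_severity"].lower() != severity.lower():
        return None
    pat = re.compile(product) if product else None
    wanted = lambda row: pat is None or pat.search(row["product_name"]) is not None
    states = [s for s in cve["package_state"] if wanted(s) and not
              (remove_unaffected and s["fix_state"].lower() == "not affected")]
    errata = [e for e in cve["affected_release"] if wanted(e)]
    return {"cve": cve["name"], "package_state": states, "errata": errata}

def related_advisories(cves, advisory):
    """rhsa.py logic: for each CVE the advisory belongs to, list every advisory
    released for that CVE, oldest first, as (product, date, advisory) rows."""
    out = {}
    for cve in cves:
        if any(e["advisory"] == advisory for e in cve["affected_release"]):
            rows = sorted(cve["affected_release"], key=lambda e: e["release_date"])
            out[cve["name"]] = [(e["product_name"], e["release_date"][:10],
                                 e["advisory"]) for e in rows]
    return out
```

Against the live API, each record would come from `GET /cve/<CVE-id>.json` and rhsa.py would first resolve the advisory to its CVE list before calling `related_advisories`.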

Examples:

$ python3 unresolved_cves.py --file sample_args.txt

EQUALS:

$ python3 unresolved_cves.py -a 2022-01-13 -b 2022-07-15 -p "(Fuse 7|Camel K|Quarkus|3scale)" -s critical -r yes


CVE Number:     | Severity: | Public date: | URL: 
CVE-2021-44228  | critical  | 2021-12-10   | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44228.json

Description: 
*) Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
*) A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.

Mitigation strategy: 
For Log4j versions >=2.10
set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
For Log4j versions >=2.7 and <=2.14.1
all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m
For Log4j versions >=2.0-beta9 and <=2.10.0
remove the JndiLookup class from the classpath. For example: 
```
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
```
On OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421
On OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441

Package state:                                                  | Fix state:  
Red Hat Integration Camel Quarkus                               | Affected            

Released errata for product:                                    | Release date: | Advisory name:
OpenShift Logging 5.0                                           | 2021-12-14    | RHSA-2021:5137      
OpenShift Logging 5.1                                           | 2021-12-14    | RHSA-2021:5128      
OpenShift Logging 5.2                                           | 2021-12-14    | RHSA-2021:5127      
OpenShift Logging 5.3                                           | 2021-12-14    | RHSA-2021:5129      
Red Hat AMQ Streams 1                                           | 2021-12-14    | RHSA-2021:5133      
Red Hat AMQ Streams 1                                           | 2021-12-14    | RHSA-2021:5138      
Red Hat Data Grid 8                                             | 2021-12-14    | RHSA-2021:5132      
Red Hat Integration                                             | 2021-12-14    | RHSA-2021:5126      
Red Hat Integration                                             | 2021-12-14    | RHSA-2021:5130      
Red Hat JBoss Enterprise Application Platform 7                 | 2021-12-15    | RHSA-2021:5140      
Red Hat JBoss Fuse 7                                            | 2021-12-14    | RHSA-2021:5134      
Red Hat JBoss Fuse 7                                            | 2022-01-20    | RHSA-2022:0203      
Red Hat OpenShift Application Runtimes 1.0                      | 2021-12-14    | RHSA-2021:5093      
Red Hat OpenShift Container Platform 3.11                       | 2021-12-14    | RHSA-2021:5094      
Red Hat OpenShift Container Platform 4.6                        | 2021-12-16    | RHSA-2021:5106      
Red Hat OpenShift Container Platform 4.6                        | 2021-12-16    | RHSA-2021:5106      
Red Hat OpenShift Container Platform 4.6                        | 2021-12-16    | RHSA-2021:5141      
Red Hat OpenShift Container Platform 4.7                        | 2021-12-16    | RHSA-2021:5107      
Red Hat OpenShift Container Platform 4.7                        | 2021-12-16    | RHSA-2021:5107      
Red Hat OpenShift Container Platform 4.8                        | 2021-12-14    | RHSA-2021:5108      
Red Hat OpenShift Container Platform 4.8                        | 2021-12-15    | RHSA-2021:5148      
Red Hat Process Automation 7                                    | 2022-01-11    | RHSA-2022:0082      
Red Hat Process Automation 7                                    | 2022-01-26    | RHSA-2022:0296      


----------------------------------------------------------------------------------------------------------------------------------------------


CVE Number:     | Severity: | Public date: | URL: 
CVE-2021-41269  | critical  | 2021-11-17   | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41269.json

Description: 
*) cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. In affected versions A template Injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note, that only projects using the @Cron annotation to validate untrusted Cron expressions are affected. The issue was patched and a new version was released. Please upgrade to version 9.1.6. There are no known workarounds known.
*) A flaw was found in cron-utils. This flaw allows an attacker to perform unauthenticated Remote Code Execution (RCE) via Java Expression Language (EL) injection.

Mitigation strategy: 
No mitigation strategy provided so far.

Package state:                                                  | Fix state:  
Red Hat build of Quarkus                                        | Affected            
Red Hat Integration Camel Quarkus                               | Affected            

Released errata for product:                                    | Release date: | Advisory name:
Red Hat Integration                                             | 2022-03-22    | RHSA-2022:1013      
Red Hat OpenShift Application Runtimes 1.0                      | 2022-02-21    | RHSA-2022:0589      


$ python3 rhsa.py -r RHSA-2022:0188

CVE-2022-0185: 

Released errata for product: 					| Release date: | Advisory name:
Red Hat Enterprise Linux 8                                      | 2022-01-19    | RHSA-2022:0176      
Red Hat Enterprise Linux 8                                      | 2022-01-19    | RHSA-2022:0188      
Red Hat Enterprise Linux 8                                      | 2022-01-24    | RHSA-2022:0232      
Red Hat Enterprise Linux 8.4 Extended Update Support            | 2022-01-19    | RHSA-2022:0187      
Red Hat Enterprise Linux 8.4 Extended Update Support            | 2022-01-19    | RHSA-2022:0186      
Red Hat Enterprise Linux 8.4 Extended Update Support            | 2022-01-24    | RHSA-2022:0231      
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8         | 2022-02-15    | RHSA-2022:0540      


-------------------------------------------------------------------------------------------------


CVE-2021-4155: 

Released errata for product: 					| Release date: | Advisory name:
Red Hat Enterprise Linux 6 Extended Lifecycle Support           | 2022-04-19    | RHSA-2022:1417      
Red Hat Enterprise Linux 7                                      | 2022-02-22    | RHSA-2022:0622      
Red Hat Enterprise Linux 7                                      | 2022-02-22    | RHSA-2022:0592      
Red Hat Enterprise Linux 7                                      | 2022-02-22    | RHSA-2022:0620      
Red Hat Enterprise Linux 7.3 Advanced Update Support            | 2022-02-15    | RHSA-2022:0529      
Red Hat Enterprise Linux 7.4 Advanced Update Support            | 2022-02-15    | RHSA-2022:0530      
Red Hat Enterprise Linux 7.6 Advanced Update Support            | 2022-02-15    | RHSA-2022:0531      
Red Hat Enterprise Linux 7.6 Telco Extended Update Support      | 2022-02-15    | RHSA-2022:0531      
Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions  | 2022-02-15    | RHSA-2022:0531      
Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions  | 2022-02-15    | RHSA-2022:0533      
Red Hat Enterprise Linux 7.7 Advanced Update Support            | 2022-03-01    | RHSA-2022:0712      
Red Hat Enterprise Linux 7.7 Telco Extended Update Support      | 2022-03-01    | RHSA-2022:0712      
Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions  | 2022-03-01    | RHSA-2022:0712      
Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions  | 2022-03-01    | RHSA-2022:0718      
Red Hat Enterprise Linux 8                                      | 2022-01-19    | RHSA-2022:0176      
Red Hat Enterprise Linux 8                                      | 2022-01-19    | RHSA-2022:0188      
Red Hat Enterprise Linux 8                                      | 2022-01-24    | RHSA-2022:0232      
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions  | 2022-02-01    | RHSA-2022:0335      
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions  | 2022-02-01    | RHSA-2022:0344      
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions  | 2022-03-17    | RHSA-2022:0958      
Red Hat Enterprise Linux 8.2 Extended Update Support            | 2022-02-22    | RHSA-2022:0629      
Red Hat Enterprise Linux 8.2 Extended Update Support            | 2022-02-22    | RHSA-2022:0590      
Red Hat Enterprise Linux 8.2 Extended Update Support            | 2022-02-22    | RHSA-2022:0636      
Red Hat Enterprise Linux 8.4 Extended Update Support            | 2022-01-19    | RHSA-2022:0187      
Red Hat Enterprise Linux 8.4 Extended Update Support            | 2022-01-19    | RHSA-2022:0186      
Red Hat Enterprise Linux 8.4 Extended Update Support            | 2022-01-24    | RHSA-2022:0231      
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7         | 2022-04-07    | RHSA-2022:1263      
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8         | 2022-02-15    | RHSA-2022:0540      


-------------------------------------------------------------------------------------------------


cve-errata-tool's Issues

Consider moving to argparse

Using argparse (as in this example) saves you from reading command line arguments, parsing the values, and defining the format of --help.

```python
arg_help = """\n\t\t Usage: python3 unresolved_cves.py [options] \n
Example:
python3 unresolved_cves.py -a 2022-07-13 -b 2022-07-15 -p "(Fuse 7|Camel K|Quarkus|3scale)" -s important -r yes
OR
python3 unresolved_cves.py --file sample_args.txt
-h, --help show help
-f, --file <filename.txt> reads arguments from a txt file
-o, --search-old-cves <number of months> choose if you want to see older unresolved CVEs. Defaults to 0 meaning, don't search for old CVEs
-a, --after <YYYY-MM-DD> show only CVEs release after this date
-b, --before <YYYY-MM-DD> show only CVEs released before this date
-p, --product <product name> show affected products (supports Perl compatible regular expressions)
-s, --severity <low, moderate, important> choose severity
-r, --remove-unaffected <yes/no> do not show packages that are not affected by the CVE \n"""
```
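What the argparse conversion proposed in this issue could look like for the options unresolved_cves.py documents, as an added example that is neither the issue author's nor the project's code. It assumes argparse's `fromfile_prefix_chars` stands in for the hand-rolled --file option (so `--file sample_args.txt` becomes `@sample_args.txt`, one argument per line), validates the date format and severity choices for free, and keeps -r as the yes/no value the tool accepts today.

```python
import argparse
from datetime import date

SEVERITIES = ("low", "moderate", "important", "critical")

def iso_date(text):
    """argparse `type` hook: accept YYYY-MM-DD only, with a readable error otherwise."""
    try:
        return date.fromisoformat(text)
    except ValueError:
        raise argparse.ArgumentTypeError(f"{text!r} is not a YYYY-MM-DD date")

def build_parser():
    # fromfile_prefix_chars replaces the hand-rolled --file option: `@sample_args.txt`
    # is expanded to the file's contents, one argument per line (argparse's default).
    p = argparse.ArgumentParser(
        prog="unresolved_cves.py", fromfile_prefix_chars="@",
        description="List CVEs from the Red Hat Security Data API matching the criteria.")
    p.add_argument("-o", "--search-old-cves", type=int, default=0, metavar="MONTHS",
                   help="how many months back to look for unresolved CVEs (default: 0)")
    p.add_argument("-a", "--after", type=iso_date, metavar="YYYY-MM-DD",
                   help="show only CVEs released after this date")
    p.add_argument("-b", "--before", type=iso_date, metavar="YYYY-MM-DD",
                   help="show only CVEs released before this date")
    p.add_argument("-p", "--product", metavar="REGEX",
                   help="show affected products (Perl compatible regular expression)")
    p.add_argument("-s", "--severity", choices=SEVERITIES,
                   help="show only CVEs of the chosen severity")
    p.add_argument("-r", "--remove-unaffected", choices=("yes", "no"), default="no",
                   help="do not show packages that are not affected by the CVE")
    return p

def parse(argv):
    """Parse argv (a list, so it is testable without sys.argv) and check the date window."""
    p = build_parser()
    args = p.parse_args(argv)
    if args.after and args.before and args.after > args.before:
        p.error("--after must not be later than --before")  # exits with usage, like argparse does
    return args

if __name__ == "__main__":
    print(parse(None))  # argparse reads sys.argv[1:] when given None
```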

[RFE] List errata per product

I'd like to be able to specify a product (and date range, etc.) and then get a list of all errata (RHBA, RHSA, RHEA). Basically a CLI view of what the Red Hat Product Errata search does.

For example for Red Hat Ansible Automation Platform: https://access.redhat.com/errata-search/#/?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_product=Red%20Hat%20Ansible%20Automation%20Platform

The motivation behind this is that the email notifications for errata from Red Hat cannot be configured to show only specific products, and this would fill that feature gap.
