
Need real examples of VEX based on actual products and known vulnerabilities, such as Log4J #832

Open
rjb4standards opened this issue Nov 20, 2024 · 9 comments
Assignees
Labels
call_to_action a call to action has been send out user-question

Comments

@rjb4standards

rjb4standards commented Nov 20, 2024

Please upload actual product VEX documents into the VEX examples repository, https://github.com/oasis-tcs/csaf/tree/master/csaf_2.1/examples/csaf/csaf_vex, for others to test against. The Log4J CVE would be a good example of real product impact, both affected and not affected status. Perhaps a VEX for Apache products that use Log4J would be good candidates for these examples.

@tschmidtb51
Contributor

@rjb4standards Thank you for reaching out. The TC is going to discuss this in the next TC meeting.

Flagging @santosomar for attention

@rjb4standards
Author

Thank you Thomas, Please consider showing some VEX artifacts for products affected by Log4J as a real world example. This is a CVE we frequently use for testing and demonstration purposes. Thank you for your consideration.

@santosomar
Contributor

We (Cisco) didn't have VEX when Log4Shell (the famous log4j vulnerability) was disclosed. However, we now have VEX via a tool called CVR, and also traditional security advisories in CSAF:

This is a real example of a VEX document for a Cisco product:

{
	"document": {
		"category": "csaf_vex",
		"csaf_version": "2.0",
		"publisher": {
			"category": "vendor",
			"name": "Cisco Systems, Inc.",
			"namespace": "https://www.cisco.com"
		},
		"title": "CVR data for version 20.15.1 of software Cisco Catalyst SD-WAN on platform Cisco Catalyst SD-WAN for CVE CVE-2024-1234",
		"notes": [
			{
				"category": "legal_disclaimer",
				"text": "This Vulnerability Exploitability eXchange (VEX) document and all information contained therein (collectively, the VEX Document) is Cisco Confidential and provided as-is. While Cisco uses commercially reasonable efforts to assemble accurate information, the VEX Document is provided without any representation or warranty of any kind, whether express or implied.  Cisco, its licensors, successors, and assigns hereby disclaim any and all responsibility for your use of the VEX Document."
			}
		],
		"tracking": {
			"current_release_date": "2024-11-27T02:12:43Z",
			"id": "cisco-vex-57.242.20.15.1:CVE-2024-1234",
			"initial_release_date": "2024-11-27T02:12:43Z",
			"revision_history": [
				{
					"date": "2024-11-27T02:12:43Z",
					"number": "1",
					"summary": "Initial"
				}
			],
			"status": "draft",
			"version": "1",
			"generator": {
				"date": "2024-11-27T02:12:43Z",
				"engine": {
					"name": "Cisco Vulnerability Repository (CVR)",
					"version": "0.4.0"
				}
			}
		}
	},
	"product_tree": {
		"branches": [
			{
				"category": "vendor",
				"name": "Cisco Systems, Inc.",
				"branches": [
					{
						"category": "product_family",
						"name": "Cisco Catalyst SD-WAN",
						"branches": [
							{
								"category": "product_version",
								"name": "20.15.1",
								"product": {
									"name": "Cisco Systems, Inc. Cisco Catalyst SD-WAN 20.15.1",
									"product_id": "Cisco_Catalyst_SD-WAN:20.15.1"
								}
							}
						]
					},
					{
						"category": "product_name",
						"name": "Cisco Catalyst SD-WAN",
						"product": {
							"name": "Cisco Systems, Inc. Cisco Catalyst SD-WAN",
							"product_id": "Cisco_Catalyst_SD-WAN"
						}
					}
				]
			}
		],
		"relationships": [
			{
				"product_reference": "Cisco_Catalyst_SD-WAN:20.15.1",
				"category": "installed_on",
				"relates_to_product_reference": "Cisco_Catalyst_SD-WAN",
				"full_product_name": {
					"product_id": "Cisco_Catalyst_SD-WAN:20.15.1:Cisco_Catalyst_SD-WAN",
					"name": "Cisco Systems, Inc. Cisco Catalyst SD-WAN 20.15.1 installed on Cisco Catalyst SD-WAN"
				}
			}
		]
	},
	"vulnerabilities": [
		{
			"cve": "CVE-2024-1234",
			"product_status": {
				"known_not_affected": [
					"Cisco_Catalyst_SD-WAN:20.15.1:Cisco_Catalyst_SD-WAN"
				]
			},
			"notes": [
				{
					"category": "description",
					"text": "The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
				}
			],
			"threats": [
				{
					"category": "impact",
					"details": "Component not present",
					"product_ids": [
						"Cisco_Catalyst_SD-WAN:20.15.1:Cisco_Catalyst_SD-WAN"
					]
				}
			],
			"flags": [
				{
					"label": "component_not_present",
					"product_ids": [
						"Cisco_Catalyst_SD-WAN:20.15.1:Cisco_Catalyst_SD-WAN"
					]
				}
			]
		}
	]
}

Red Hat also has VEX disclosures available at: https://security.access.redhat.com/data/csaf/v2/vex/

This is the real Log4J VEX doc from Red Hat: https://security.access.redhat.com/data/csaf/v2/vex/2021/cve-2021-44228.json
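As an added illustration (not Cisco's, Red Hat's or the TC's code), the following reads a CSAF 2.0 VEX document the way a consumer would: it resolves each product's status for one CVE, pulls the justification from `flags` or an `impact` threat, and reports "not affected" claims that carry no impact statement and "affected" claims that carry no remediation, both of which the CSAF 2.0 VEX profile requires. The sample document, product ids and statuses are constructed for the example; only the CVE id is real.

```python
# Constructed sample in CSAF 2.0 VEX layout (not a real vendor advisory): the
# products, ids and statuses are invented; only the CVE id is real.
SAMPLE_VEX = {
    "product_tree": {"branches": [{"category": "vendor", "name": "Example Corp", "branches": [
        {"category": "product_version", "name": v,
         "product": {"name": f"Widget Server {v}", "product_id": f"WS-{v}"}}
        for v in ("1.0", "1.1", "2.0")]}]},
    "vulnerabilities": [{
        "cve": "CVE-2021-44228",
        "product_status": {"known_affected": ["WS-1.0"],
                           "known_not_affected": ["WS-1.1", "WS-2.0"]},
        # WS-1.1 carries a machine-readable justification; WS-2.0 deliberately has none.
        "flags": [{"label": "vulnerable_code_not_in_execute_path", "product_ids": ["WS-1.1"]}],
        "remediations": [{"category": "vendor_fix", "details": "Upgrade to 1.2",
                          "product_ids": ["WS-1.0"]}],
    }],
}
STATUSES = ("known_affected", "known_not_affected", "fixed", "under_investigation")

def vex_status(doc, cve):
    """Map product_id -> (status, justification) for one CVE; justification is the
    flag label or the 'impact' threat text, None when the document gives neither."""
    vuln = next((v for v in doc.get("vulnerabilities", []) if v.get("cve") == cve), {})
    just = {}
    for threat in vuln.get("threats", []):      # free-text impact statements
        if threat.get("category") == "impact":
            for pid in threat.get("product_ids", []):
                just[pid] = threat["details"]
    for flag in vuln.get("flags", []):          # machine-readable labels take precedence
        for pid in flag.get("product_ids", []):
            just[pid] = flag["label"]
    return {pid: (status, just.get(pid))
            for status in STATUSES
            for pid in vuln.get("product_status", {}).get(status, [])}

def check_vex(doc, cve):
    """List 'not affected' claims lacking an impact statement and 'affected' claims
    lacking a remediation; the CSAF VEX profile requires both, so do not act on these."""
    vuln = next((v for v in doc.get("vulnerabilities", []) if v.get("cve") == cve), {})
    remediated = {pid for r in vuln.get("remediations", []) for pid in r.get("product_ids", [])}
    problems = []
    for pid, (status, justification) in vex_status(doc, cve).items():
        if status == "known_not_affected" and justification is None:
            problems.append(f"{pid}: known_not_affected without impact statement")
        if status == "known_affected" and pid not in remediated:
            problems.append(f"{pid}: known_affected without remediation")
    return problems

print(vex_status(SAMPLE_VEX, "CVE-2021-44228"))
print(check_vex(SAMPLE_VEX, "CVE-2021-44228"))  # ['WS-2.0: known_not_affected without impact statement']
```

The same two functions can be pointed at the Red Hat CVE-2021-44228 file linked above after loading it with `json.load`; Red Hat's documents use the same `product_status`, `flags` and `threats` fields.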

@rjb4standards
Author

Thanks very much @santosomar
The Red Hat VEX for Log4J is exactly what I'm looking for.
This information will help the Healthcare Sector Coordinating Council Vulnerability group to see what an actual VEX looks like.
Perfect. Thank you.

@santosomar
Contributor

Absolutely! 👍 I'm glad it helped. Cheers 🍻

@rjb4standards
Author

Thanks Omar @santosomar
I'm an advisor to the Healthcare Sector Coordinating Council (HSCC) SRMA Vulnerability committee of the Cybersecurity workgroup, and there was a very recent discussion asking what a typical VEX contains, so this information will be passed on to the group, recognizing your contribution in providing an actual VEX for Log4J.
Very useful. Thank you.

@tschmidtb51
Contributor

@rjb4standards
Author

rjb4standards commented Nov 27, 2024

Thanks, Thomas @tschmidtb51

Also, FYI: NIST has renamed "Vulnerability Disclosure Report" (VDR) to "Vulnerability Advisory Report" (VAR) to be consistent with IEC 29147, effective November 1, 2024 in SP 800-161r1-upd1 and updated online guidance as well: https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1

"Ensure that third-party suppliers continuously enrich SBOM data with a VAR."

@santosomar santosomar added the call_to_action a call to action has been send out label Nov 27, 2024
@tschmidtb51
Contributor

The issue has been discussed in today's TC meeting and a Call to Action has been issued: https://groups.oasis-open.org/discussion/call-to-action-for-832
