CVE scanner and results for CPEs without a version

I currently have a situation where several appliances are detected with product cpe:/a:apache:http_server, and a lot of CVEs are then triggered. For example:
CVE-1999-1237
CVE-1999-0236
CVE-1999-1412

So it seems like the CVE scanner now triggers on products without a version, and the CVEs triggered have no solution.

What can I do about this, as it messes up my reports?

Anyone please? Can I remove cpe:/a:apache:http_server from the scanner perhaps?

Same goes for cpe:/a:php:php.

IMHO this is the expected behavior. If the NVD dataset is marking a product cpe:/a:apache:http_server without any version as affected, all versions / deployments of the product should be marked as vulnerable.

You might want to contact the NVD to get these CPE entries corrected / updated with the affected / fixed version range.


It just doesn’t make real sense, there are loads of CVEs being tagged on these hosts that have nothing to do with the actual products running on them.

If I zoom into the host in assets, you would expect the CPE identifier cpe:/a:apache:http_server would be on the host, but that isn’t the case. Otherwise I could remove that identifier. Is there a reason it isn’t shown on the host details?

CPE: cpe:/a:apache:http_server

This CPE does not appear in the CPE dictionary but is referenced by one or more CVE.

This is what GSA says about this CPE.

Have a look at e.g. the following mentioned CPE:

https://nvd.nist.gov/vuln/detail/CVE-1999-1237?cpeVersion=2.2#vulnConfigurationsArea

which lists the plain cpe:/a:apache:http_server CPE at the Known Affected Software Configurations. Because of this you will get this result, which is expected.

But it looks to me that your problem is more originating from this one:

The CPE identifiers might be from older scans, a bug in GVM or similar. I can’t help further on this topic as this is out of my knowledge, hope someone else with more knowledge is able to assist here.


Well, I’m actually seeing a lot of DB errors in gvmd.log:

md manage:WARNING:2020-05-28 22h18.15 UTC:11370: sql_exec_internal: SQL: SELECT value FROM report_host_details WHERE report_host = 12577 AND name = 'cpe:/a:apache:http_server' AND source_type = 'nvt' AND source_name     = (SELECT source_name FROM report_host_details        WHERE report_host = 12577        AND source_type = 'nvt'        AND name = 'App'        AND value = 'cpe:/a:apache:http_server');

The errors were because I deleted a host within GSA. Apparently there’s another bug which results in GVMD still referencing this deleted host and therefore a SQL query error.

However, this has nothing to do with the actual problem of a generic non-version CPE. I have flushed my DB, created a new fresh job for the targets and ran an NVT & CVE scan. Again, same result in the CVE scan: some hosts get the CPE applications discovered without a version and therefore a lot of CVEs are applied with no meaningful output. It messes up the reports big time.

Details of non-version CPEs:
This CPE does not appear in the CPE dictionary but is referenced by one or more CVE.

Unfortunately the discovered applications are not viewable via the hosts view, otherwise I could imagine some filter option to block a certain application from being detected.

So I have no other option, and now my reports are screwed and have no meaning anymore… Can some of the devs perhaps help me on this?

PS: these versionless CPEs only appear on a CVE scan job, not on an NVT scan.
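
Added example (not part of any post in this thread, and not gvmd's own matching code): a sketch of why a CVE that lists the bare cpe:/a:apache:http_server applies to every detection of the product, and how findings that rest on a versionless detection can be tagged for separate handling in a report. It assumes CPE 2.2 name matching, where an empty field in the CVE's CPE matches anything; the hosts, the versioned CPE and the id CVE-0000-0001 are constructed placeholders.

```python
def parse_cpe22(uri):
    """Split a CPE 2.2 URI into (part, vendor, product, version); absent fields become ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))
    return tuple(f.lower() for f in fields[:4])


def cve_applies(detected, affected):
    """True if the CVE's CPE covers the detected CPE; an empty CVE field is a wildcard."""
    d, a = parse_cpe22(detected), parse_cpe22(affected)
    return all(af == "" or af == df for df, af in zip(d, a))


def triage(detected, cve_configs):
    """Return (host, cve, basis) tuples; basis says whether the detection carried a version."""
    findings = []
    for host, cpes in sorted(detected.items()):
        for cpe in cpes:
            basis = "versioned" if parse_cpe22(cpe)[3] else "versionless"
            for cve, affected in sorted(cve_configs.items()):
                if any(cve_applies(cpe, a) for a in affected):
                    findings.append((host, cve, basis))
    return findings


# CVE-1999-1237 -> bare CPE is what the thread cites from NVD; the rest is constructed.
CVE_CONFIGS = {
    "CVE-1999-1237": ["cpe:/a:apache:http_server"],
    "CVE-0000-0001": ["cpe:/a:apache:http_server:2.4.1"],  # placeholder id and version
}
DETECTED = {  # constructed host -> detected CPEs
    "10.0.0.5": ["cpe:/a:apache:http_server"],        # product seen, version unknown
    "10.0.0.6": ["cpe:/a:apache:http_server:2.4.1"],  # product and version seen
}

if __name__ == "__main__":
    for host, cve, basis in triage(DETECTED, CVE_CONFIGS):
        print(f"{host}  {cve}  detection={basis}")
```

The host with the versionless detection only picks up the CVE whose NVD configuration is itself versionless, which is the pattern described in the thread; the `basis` column is what a report filter would key on.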