GVM versions
gsad: 21.4.3
gvmd: 21.4.4 (DB 242)
openvas-scanner: 21.4.3
gvm-libs: 21.4.3
Environment
Operating system: Ubuntu
Kernel: 5.4.0-1018-aws #18-Ubuntu SMP Wed Jun 24 01:15:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Installation method / source: ppa:mrazavi/gvm APT repository
Hi folks,
We used the GVM above to scan a server with NGINX v1.18. The OpenVAS scanner identified: cpe:/a:nginx:nginx:1.18.0
In the CVE scanner results, and as per NIST, this has no known CVEs:
However, when we scanned the same server with a different tool CVE-2021-23017 was identified. This CVE affects NGINX 0.6.18 <= version < 1.20.1, and so does look like it applies to this server. (Btw, our GVM has this CVE definition.)
I believe the second vulnerability scanner identified our NGINX as follows, i.e. with vendor F5 Networks: cpe:/a:f5:nginx:1.18.0
As per NIST, this CPE has one known CVE, CVE-2021-23017:
I could easily be missing something, but it looks to me like this is the same NGINX software: that when F5 acquired NGINX, what was once referred to as “cpe:/a:nginx:nginx” began to be called “cpe:/a:f5:nginx”.
If this is the case, then ideally the GVM's CVE scanner would also have reported CVE-2021-23017 against this NGINX v1.18 server (perhaps by matching CVEs from both of these CPEs…).
Can someone help me with these questions?
- Is my assumption about the CPE change correct, and is f5:nginx an alias/rename of nginx:nginx?
- And if this is true, is there a way to configure or otherwise use the GVM so it would report CVE-2021-23017 against NGINX 1.18.0?
Thanks very much for your time and all the work done on this product!
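As an added illustration (not code from GVM, Greenbone or the original poster), the following Python sketch shows what a CPE-based CVE matcher has to do to report CVE-2021-23017 against the detected cpe:/a:nginx:nginx:1.18.0: normalise the vendor/product pair through an alias table that treats nginx:nginx and f5:nginx as the same product, then test the detected version against the affected range quoted in the post (0.6.18 <= version < 1.20.1). The alias table CPE_ALIASES and the one-entry CVE_DB are constructed for this example and assume the nginx:nginx to f5:nginx rename the post describes; nothing here reflects how gvmd's CVE scanner is actually implemented.

```python
"""Added example (not GVM/Greenbone code): CPE-alias-aware CVE range matching.

Assumptions, constructed for this illustration:
  * CPE_ALIASES says that cpe:/a:nginx:nginx is the same product as cpe:/a:f5:nginx.
  * CVE_DB holds one record, the range quoted in the post for CVE-2021-23017
    (0.6.18 <= version < 1.20.1), keyed on the f5:nginx CPE that NVD lists it under.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed vendor rename: detected (vendor, product) -> pair the CVE data is keyed on.
CPE_ALIASES: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("nginx", "nginx"): ("f5", "nginx"),
}


@dataclass(frozen=True)
class Cpe22:
    part: str
    vendor: str
    product: str
    version: Optional[str]


@dataclass(frozen=True)
class CveRange:
    cve_id: str
    vendor: str
    product: str
    start_including: Optional[str]   # None means no lower bound
    end_excluding: Optional[str]     # None means no upper bound


# Constructed single-entry "database" holding the range quoted in the post.
CVE_DB: List[CveRange] = [
    CveRange("CVE-2021-23017", "f5", "nginx", "0.6.18", "1.20.1"),
]


def parse_cpe22(uri: str) -> Cpe22:
    """Parse a CPE 2.2 URI such as cpe:/a:nginx:nginx:1.18.0 (version is optional)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError(f"CPE needs part, vendor and product: {uri!r}")
    version = fields[3] if len(fields) > 3 and fields[3] else None
    return Cpe22(fields[0], fields[1], fields[2], version)


def canonical(cpe: Cpe22) -> Cpe22:
    """Map an aliased vendor/product pair onto the pair the CVE data is keyed on."""
    vendor, product = CPE_ALIASES.get((cpe.vendor, cpe.product), (cpe.vendor, cpe.product))
    return Cpe22(cpe.part, vendor, product, cpe.version)


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.18.0' into ((1,''),(18,''),(0,'')) so components compare numerically;
    any non-numeric tail of a component is kept as a string for tie-breaking."""
    key = []
    for comp in version.split("."):
        i = 0
        while i < len(comp) and comp[i].isdigit():
            i += 1
        key.append((int(comp[:i]) if i else 0, comp[i:]))
    return tuple(key)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; '1.18' and '1.18.0' compare equal (missing components are 0)."""
    ka, kb = list(version_key(a)), list(version_key(b))
    width = max(len(ka), len(kb))
    ka += [(0, "")] * (width - len(ka))
    kb += [(0, "")] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def version_in_range(version: str, rng: CveRange) -> bool:
    """True when start_including <= version < end_excluding (either bound may be absent)."""
    if rng.start_including is not None and compare_versions(version, rng.start_including) < 0:
        return False
    if rng.end_excluding is not None and compare_versions(version, rng.end_excluding) >= 0:
        return False
    return True


def matching_cves(cpe_uri: str, db: List[CveRange] = CVE_DB) -> List[str]:
    """CVE IDs whose vendor/product match the alias-normalised CPE and whose affected
    range contains its version. A CPE without a version cannot be matched to a range."""
    cpe = canonical(parse_cpe22(cpe_uri))
    if cpe.version is None:
        return []
    return [r.cve_id for r in db
            if (r.vendor, r.product) == (cpe.vendor, cpe.product)
            and version_in_range(cpe.version, r)]


if __name__ == "__main__":
    for uri in ("cpe:/a:nginx:nginx:1.18.0", "cpe:/a:f5:nginx:1.18.0",
                "cpe:/a:nginx:nginx:1.20.1", "cpe:/a:nginx:nginx:0.6.17"):
        print(uri, "->", matching_cves(uri))
```

Without the alias step, the first lookup returns nothing, which is the behaviour described in the post: the CVE record is keyed on f5:nginx while the detection reports nginx:nginx, so an exact-CPE match never fires. The version bounds matter too: 1.20.1 is excluded as the fixed release, and 0.6.17 sits below the start of the affected range.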