Identifying software CVEs with possible CPE change (F5 acquire NGINX)

GVM versions

gsad: 21.4.3
gvmd: 21.4.4 (DB 242)
openvas-scanner: 21.4.3
gvm-libs: 21.4.3

Environment

Operating system: Ubuntu
Kernel: 5.4.0-1018-aws #18-Ubuntu SMP Wed Jun 24 01:15:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Installation method / source: ppa:mrazavi/gvm APT repository

Hi folks,

We used the GVM above to scan a server with NGINX v1.18. The OpenVAS scanner identified: cpe:/a:nginx:nginx:1.18.0

In the CVE scanner results, and as per NIST, this has no known CVEs.

However, when we scanned the same server with a different tool CVE-2021-23017 was identified. This CVE affects NGINX 0.6.18 <= version < 1.20.1, and so does look like it applies to this server. (Btw, our GVM has this CVE definition.)

I believe the second vulnerability scanner identified our NGINX as follows, i.e. with vendor F5 Networks: cpe:/a:f5:nginx:1.18.0

As per NIST this CPE has the one known CVE, CVE-2021-23017.

I could easily be missing something, but it looks to me that this is the same NGINX software: that when F5 acquired NGINX, what was once referred to as “cpe:/a:nginx:nginx” began to be called “cpe:/a:f5:nginx”.

If this is the case then ideally GVM's CVE scanner would have also reported CVE-2021-23017 against this NGINX v1.18 server. (Perhaps by matching CVEs from both of these CPEs…)

Can someone help me with these questions?

  1. Is my assumption about the CPE change correct and is f5:nginx an alias/rename of nginx:nginx?

  2. And if this is true, is there a way to configure or otherwise use the GVM so it would report CVE-2021-23017 against NGINX 1.18.0?

Thanks very much for your time and all the work done on this product!

Hello,

welcome to this community portal and thanks a lot for your posting.

The CVE scanner in GVM depends on the CPEs set on NASL side by detection VTs like e.g. gb_nginx_consolidation.nasl (can be found in your scripts/ folders) and AFAIK GVM currently doesn’t provide a way to define own CPEs or overwrite existing ones.

It seems indeed that NIST has started to use the f5:nginx CPE in their NVD database (which is the base for the CVE Scanner in GVM) for nginx related CVEs:

On the related CVE-2021-23017 - Change History entry you can see that the CPE got changed from cpe:/a:nginx:nginx to cpe:/a:f5:nginx on 10/14/2021.

To catch up with these changes on NVD side the previously mentioned gb_nginx_consolidation.nasl VT received an update to register both CPEs (the “old” one is still referenced by a few older CVEs).

These changes should be available in the feed tomorrow or on Monday.

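
The matching gap described in the reply, shown as an added example (not Greenbone's code and not how the CVE scanner is implemented): a host whose detection VT reports only cpe:/a:nginx:nginx:1.18.0 never reaches the version-range check for a CVE that NVD now files under cpe:/a:f5:nginx, while registering both names on the host side, as the updated VT does, matches CVEs filed under either name. The NVD-style records, the equivalence table and the placeholder CVE id are constructed for this example; only the CVE-2021-23017 range comes from the thread.

```python
from typing import List, Set

# Constructed NVD-style applicability records. The first mirrors the thread:
# CVE-2021-23017 listed under f5:nginx, 0.6.18 <= version < 1.20.1.
# The second is a PLACEHOLDER standing in for an older CVE still filed
# under the old vendor name (id and range are made up for the demo).
NVD_SAMPLE = [
    {"cve": "CVE-2021-23017", "cpe": "cpe:/a:f5:nginx",
     "start_inc": "0.6.18", "end_exc": "1.20.1"},
    {"cve": "CVE-0000-PLACEHOLDER", "cpe": "cpe:/a:nginx:nginx",
     "start_inc": "1.0.0", "end_exc": "1.19.0"},
]

# Hypothetical equivalence table: vendor:product names that denote one product.
CPE_EQUIVALENTS = [{"cpe:/a:nginx:nginx", "cpe:/a:f5:nginx"}]


def parse_cpe(cpe: str):
    """Split a CPE 2.2 URI into its vendor:product base and optional version."""
    parts = cpe.split(":")
    base = ":".join(parts[:4])              # cpe:/a:<vendor>:<product>
    version = parts[4] if len(parts) > 4 and parts[4] else None
    return base, version


def version_key(v: str):
    """Numeric tuple so that "1.18.0" < "1.20.1" compares as versions, not strings."""
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))


def registered_bases(base: str, use_equivalents: bool) -> Set[str]:
    """Names to match against NVD: the detected one, plus its equivalents if enabled."""
    if use_equivalents:
        for group in CPE_EQUIVALENTS:
            if base in group:
                return set(group)
    return {base}


def matching_cves(detected_cpe: str, use_equivalents: bool = True) -> List[str]:
    """Return sorted CVE ids whose CPE name and version range cover the detected CPE."""
    base, version = parse_cpe(detected_cpe)
    if version is None:
        return []                           # no version, so no range check possible
    bases = registered_bases(base, use_equivalents)
    v = version_key(version)
    return sorted(
        rec["cve"] for rec in NVD_SAMPLE
        if rec["cpe"] in bases
        and version_key(rec["start_inc"]) <= v < version_key(rec["end_exc"])
    )


if __name__ == "__main__":
    host = "cpe:/a:nginx:nginx:1.18.0"      # what the VT reported in the post
    print("old name only:", matching_cves(host, use_equivalents=False))
    print("both names:   ", matching_cves(host))
```
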
Thanks for your response, and this information and action. It’s much appreciated!

A post was split to a new topic: CVE scans not matching the expected CVE-2021-23017

(Quick moderator note, I’ve moved this thread into the Vulnerability Tests category)