Ubuntu 22.04 LTS OVAL missing version check for vulnerability in older kernel | pressku.com

Trending 4 months ago

On nan NVD website, CVE-2023-1989 is stated arsenic being coming successful various kernels, among them 5.11 to 5.15.105. After an OpenSCAP scan of a 5.15.0 image, I noticed that vulnerability and respective others to beryllium missing from nan generated report.

In nan Jammy OVAL XML record that OpenSCAP uses, nan CVE meaning exists nether oval:com.ubuntu.jammy:def:60331000000, which specifies 2 tests:

<unix:uname_test check="at slightest one" comment="Is kernel 6.1.0-\d+(-oem) presently running?" id="oval:com.ubuntu.jammy:tst:603310000000" version="1"> <unix:object object_ref="oval:com.ubuntu.jammy:obj:603310000000"/> <unix:state state_ref="oval:com.ubuntu.jammy:ste:603310000000"/> </unix:uname_test> <ind:variable_test id="oval:com.ubuntu.jammy:tst:603310000010" version="1" check="all" check_existence="all_exist" comment="kernel type comparison"> <ind:object object_ref="oval:com.ubuntu.jammy:obj:603310000010"/> <ind:state state_ref="oval:com.ubuntu.jammy:ste:603310000010"/> </ind:variable_test>

The state_ref links to:

<ind:variable_state id="oval:com.ubuntu.jammy:ste:603310000010" version="1"> <ind:value datatype="debian_evr_string" operation="less than">0:6.1.0-1009</ind:value> </ind:variable_state>

Which ends up meaning that only kernels moving 6.1.0-n are checked for n<1099. However, a 5.15.0 kernel, for example, does person nan vulnerability, since its source does not incorporate nan corresponding patch successful drivers/bluetooth/btsdio.c.

Why does nan OVAL record not see a cheque for older kernels?