Recently we did a vulnerability scan based on Ubuntu 22.04 using the syft tool and were surprised by the results.
At first we thought it was a false positive from the syft tool, but after double-checking, we found that there are indeed some suspicious ones.
| Component | Version Installed | Security Issues/CVE | CVSS Score | CVSS Severity |
|---|---|---|---|---|
| gnupg | 2.2.27 | CVE-2022-3515 | 9.8 | Critical |
https://changelogs.ubuntu.com/changelogs/pool/main/g/gnupg2/gnupg2_2.2.27-3ubuntu2.1/changelog
The results show that vulnerabilities such as CVE-2022-3515 are still present in recent Ubuntu 22.04 releases. Let's take CVE-2022-3515 as an example.
My question is about the right lib version of Libksba.
Some interesting information about this CVE.
[info from NVD] on the page https://nvd.nist.gov/vuln/detail/CVE-2022-3515
we can see that if the libksba version is < 1.6.3, the issue still exists.
[info from GnuPG] on this official GnuPG page https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html

> "Affected to our knowledge are: Most software using Libksba versions up to 1.6.2 How to fix If you are on a Unix or Linux system you should get the latest version of Libksba (1.6.3 or newer),"

[info from the Ubuntu security page] https://ubuntu.com/security/CVE-2022-3515
issue fixed in **1.6.0** (libksba8_1.6.0-2ubuntu0.2_amd64.deb, Ubuntu 22.04 LTS)
[info from our local Ubuntu]
Results of cat /etc/os-release:
```
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
```
Results of dpkg -l gnupg :
```
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture Description
+++-==============-=================-============-==========================================
ii  gnupg          2.2.27-3ubuntu2.1 all          GNU privacy guard - a free PGP replacement
```
Results of dpkg -l libksb :
```
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-=================================
ii  libksba8:amd64 1.6.0-2ubuntu0.2 amd64        X.509 and CMS support library
```
Results of gpgconf --show-versions :
```
* GnuPG 2.2.27 (0000000)
GNU/Linux
- Libgcrypt 1.9.4 (0000000)
version:1.9.4:10904:1.43:12b00:
cc:110200:gcc:11.2.0:
ciphers:arcfour:blowfish:cast5:des:aes:twofish:serpent:rfc2268:seed:camellia:idea:salsa20:gost28147:chacha20:sm4:
pubkeys:dsa:elgamal:rsa:ecc:
digests:crc:gostr3411-94::md4:md5:rmd160:sha1:sha256:sha512:sha3:tiger:whirlpool:stribog:blake2:sm3:
rnd-mod:linux:
cpu-arch:x86:
mpi-asm:amd64/mpih-add1.S:amd64/mpih-sub1.S:amd64/mpih-mul1.S:amd64/mpih-mul2.S:amd64/mpih-mul3.S:amd64/mpih-lshift.S:amd64/mpih-rshift.S:
hwflist:intel-bmi2:intel-ssse3:intel-sse4.1:intel-pclmul:intel-aesni:intel-rdrand:intel-avx:intel-avx2:intel-rdtsc:intel-shaext:intel-vaes-vpclmul:
fips-mode:n:n:
rng-type:standard:1:2010000:1:
compliance:::
GpgRT 1.43 (000033f)
Libassuan 2.5.5 (0000000)
KSBA 1.6.0-unknown (0000000)
GNUTLS 3.7.3
```
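As an added example (it is not part of the question above and is not code from syft, Ubuntu or GnuPG), the script below reproduces dpkg's version-comparison algorithm in Python and checks the installed `libksba8` package two ways: against the upstream fixed version (1.6.3, from the NVD and GnuPG pages cited) and against the Ubuntu jammy fixed package version (1.6.0-2ubuntu0.2, from the Ubuntu tracker page cited). The `dpkg -l` lines are constructed to mirror the question's output; the function names and the `JAMMY_FIXED` / `UPSTREAM_FIXED` tables are my own.

```python
"""Compare a Debian/Ubuntu package version against a CVE's fixed version the
way dpkg does, instead of matching only the upstream part against NVD's range.

Added example, not from the original post. Version strings come from the
post (Ubuntu 22.04, libksba8 1.6.0-2ubuntu0.2, CVE-2022-3515); SAMPLE_DPKG
is constructed to mirror the post's `dpkg -l` output.
"""


def _order(c: str) -> int:
    # Character weight used by dpkg: '~' sorts before everything (even the end
    # of the string), letters before non-letters, end of string / digit is 0.
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate non-digit runs and numeric runs."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")   # leading zeros are insignificant
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():      # longer numeric run wins
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, upstream, revision = 0, v, ""
    if ":" in upstream:
        e, upstream = upstream.split(":", 1)
        epoch = int(e)
    if "-" in upstream:
        upstream, revision = upstream.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_dpkg_l(text: str) -> dict:
    """Map package name -> version from `dpkg -l` output (installed rows only)."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            installed[fields[1].split(":", 1)[0]] = fields[2]  # drop ':amd64'
    return installed


# Fixed package version for Ubuntu 22.04 (jammy), as listed on the tracker
# page cited in the post: https://ubuntu.com/security/CVE-2022-3515
JAMMY_FIXED = {"CVE-2022-3515": {"libksba8": "1.6.0-2ubuntu0.2"}}
# Upstream fixed version, as stated by NVD and the GnuPG advisory.
UPSTREAM_FIXED = {"CVE-2022-3515": {"libksba8": "1.6.3"}}

# Constructed sample mirroring the post's `dpkg -l` output.
SAMPLE_DPKG = """\
ii  gnupg            2.2.27-3ubuntu2.1  all    GNU privacy guard - a free PGP replacement
ii  libksba8:amd64   1.6.0-2ubuntu0.2   amd64  X.509 and CMS support library
"""


def assess(installed: dict, cve: str, distro_fixed=JAMMY_FIXED,
           upstream_fixed=UPSTREAM_FIXED) -> dict:
    """For each package the CVE touches, report what an upstream-only range
    check says versus what the distro's fixed package version says."""
    result = {}
    for pkg, fixed in distro_fixed[cve].items():
        ver = installed.get(pkg)
        if ver is None:
            continue
        upstream_only = split_version(ver)[1]          # '1.6.0' from '1.6.0-2ubuntu0.2'
        result[pkg] = {
            "installed": ver,
            "upstream_range_says_affected":
                compare_versions(upstream_only, upstream_fixed[cve][pkg]) < 0,
            "distro_says_fixed": compare_versions(ver, fixed) >= 0,
        }
    return result


if __name__ == "__main__":
    for pkg, verdict in assess(parse_dpkg_l(SAMPLE_DPKG), "CVE-2022-3515").items():
        print(pkg, verdict)
```

On the machine itself the same check is one line with the real tool: `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libksba8)" ge 1.6.0-2ubuntu0.2 && echo fixed`, and `apt changelog libksba8 | grep CVE-2022-3515` shows whether the distro changelog names the CVE. The point of comparing the full Debian version string rather than the upstream part is that Ubuntu backports fixes into `1.6.0-2ubuntu0.2` without bumping `1.6.0`, so a scanner that only applies the NVD range `< 1.6.3` to the upstream part cannot see the backport.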