I monitor the @CVENew Twitter feed to keep up with any interesting new vulnerabilities that are released. On December 11th CVE-2020-29589 was published claiming that “the kapacitor Docker images through 1.5.0-alpine contain a blank password for the root user” and that it has a CVSS score of 9.8.
This CVE was just a re-report of CVE-2019-5021, which I researched last year when it came out. AlpineLinux rightfully claims in their write up that “You are not affected unless you have shadow
or Linux-pam
packages installed.” Checking the DockerFile for the Kapactior image, it has neither package installed, so this container is not affected by either the root CVE-2019-5021 vulnerability or even the new CVE-2020-29589 it was just given. Mistakes happen, so I reached out to InfluxData to ask them to dispute the CVE and moved on with my day.
Then it started to happen. Over the last 7 days, the following CVEs were filed claiming the same issue with no verification or even attempting to reach out to the container owners to let them know a CVE was filed.
- CVE-2020-29589
- CVE-2020-29590
- CVE-2020-29591
- CVE-2020-35184
- CVE-2020-35185
- CVE-2020-35186
- CVE-2020-35187
- CVE-2020-35188
- CVE-2020-35189
- CVE-2020-35190
- CVE-2020-35191
- CVE-2020-35192
- CVE-2020-35193
- CVE-2020-35194
- CVE-2020-35195
- CVE-2020-35196
- CVE-2020-35197
- CVE-2020-35462
- CVE-2020-35463
- CVE-2020-35464
- CVE-2020-35465
- CVE-2020-35466
- CVE-2020-35467
- CVE-2020-35468
The descriptions have even started to worsen as with CVE-2020-35466, which lists the affected product as “Blackfire Docker image – store/blackfire/blackfire“, making it impossible even to check if the vulnerability exists.
With the expansion of CNAs, I know that the overall amount of CVEs will explode, with XSS bugs in specialty software like CVE-2019-14478 becoming more common. However, as long as there is some effort to verify the vulnerability, the data is still useful. If we get to the point where you can not even trust the data in a CVE is accurate, security teams’ ability to mitigate vulnerabilities becomes impossible. As Michael Roytman told me, “The only thing worse than no data is bad data,” and that is what is happening here; the CVE database is being stuffed with bad data. I have not found a way to contact the NVD or Mitre about these CVEs and am only having mixed luck letting the container owners know to dispute the CVEs.