Vulnerabilities change root when updating to Safe status

Incident Report for Fluid Attacks

Postmortem

Impact

At least one organization was experiencing issues with Machine reports. The issue started on UTC-5 24-01-04 17:41 and was reactively discovered 6.9 days (TTD) later by a client who reported through our help desk [1] the absence of previously present vulnerabilities. The problem was resolved in 6.9 days (TTF), resulting in a total window of exposure of 13.9 days (WOE) [2].

Cause

When processing Machine reports, similar reports from the same group were not being recognized. This resulted in a report marked as SAFE being moved to the wrong section. The problem originated while attempting to address issues related to updates and changes in specific vulnerabilities [3].

Solution

Validations were implemented to prevent comparing machine reports from different roots. The code that allowed changing the root in a report was removed [4].

Conclusion

There was an incomplete perspective of the code when introducing the change that caused it. Functional tests covering this case will be added [5]. This will ensure a more comprehensive testing process and help detect potential issues related to the identified problem. MISSING_TEST < INCOMPLETE_PERSPECTIVE

Posted Jan 19, 2024 - 17:03 GMT-05:00

Resolved

The incident has been resolved, and now Machine reports are being processed correctly.

Posted Jan 19, 2024 - 15:29 GMT-05:00

Update

The team has fixed the problem and is currently performing a migration to update the affected vulnerabilities.

Posted Jan 18, 2024 - 17:44 GMT-05:00

Identified

When updating a vulnerability to a Safe status, certain vulnerabilities undergo changes in the root, especially when the issue is addressed, such as removing the corresponding line or modifying the affected function.

Posted Jan 18, 2024 - 16:33 GMT-05:00

This incident affected: Platform.