Querying the vulnerability database

The vulnerability database is a SQLite file located at /var/ossec/queue/vulnerabilities/cve.db on the Wazuh server. You can query it with the sqlite3 command-line shell, which lets you run SQL statements interactively against the file.

Perform the following steps to query the vulnerability database using SQLite.

  1. Start SQLite and open the vulnerability database using the following command:

    # sqlite3 /var/ossec/queue/vulnerabilities/cve.db
    
  2. List the tables in the database using the following command:

    sqlite> .tables
    
  3. Retrieve all the data in a table by running the following command:

    sqlite> SELECT * from <TABLE>;
    

Replace <TABLE> with the name of the table you are interested in.

Warning

Don't make changes to the database. The Vulnerability Detector module writes to it, and a concurrent modification can corrupt a scan in progress or leave the module with inconsistent data. When you only need to read, open the file read-only (for example, `sqlite3 -readonly /var/ossec/queue/vulnerabilities/cve.db`) so an accidental UPDATE or DELETE is rejected instead of applied.

Use Case: Find all KBs that patch a specified CVE for Windows endpoints

This example shows how to find, from the vulnerability database, every Windows Knowledge Base (KB) update that patches a specific CVE on Windows endpoints, and then how to follow the supersedence relationships between those KBs. All steps are run with sqlite3 on the Wazuh server.

  1. Start SQLite and open the vulnerability database using the following command:

    # sqlite3 /var/ossec/queue/vulnerabilities/cve.db
    
  2. Run `.mode line` in the SQLite prompt so that each row is printed as one `COLUMN = value` line per column, which is the output format shown in the following steps.

  3. Run the following command to view all the details of the chosen CVE and operating system:

    sqlite> SELECT * FROM msu WHERE cveid = '<CVE_ID>' AND PRODUCT LIKE '%<OS_IDENTIFIER>%';
    

    Where:

    • <CVE_ID> is the identifier of the CVE, for example CVE-2023-21524.

    • <OS_IDENTIFIER> is a substring of the operating system name, for example Server 2022. The LIKE pattern restricts the results to products whose name contains that string; omitting the condition returns the KBs for every affected Windows product.

    String literals are written in single quotes. SQLite also accepts double-quoted values, but only as a fallback after trying to resolve them as column names, so single quotes are the safer form.

    You can see an example below:

    sqlite> SELECT * FROM msu WHERE cveid = 'CVE-2023-21524' AND PRODUCT LIKE '%Server 2022%';
    
               CVEID = CVE-2023-21524
             PRODUCT = Windows Server 2022 (Server Core installation)
               PATCH = 5022291
               TITLE = Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
                 URL = https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022291
             SUBTYPE = Security Update
    RESTART_REQUIRED = Yes
          CHECK_TYPE = 1
    
               CVEID = CVE-2023-21524
             PRODUCT = Windows Server 2022
               PATCH = 5022291
               TITLE = Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
                 URL = https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022291
             SUBTYPE = Security Update
    RESTART_REQUIRED = Yes
          CHECK_TYPE = 1
    
  4. Run the command below to list all the KBs that KB5022291 supersedes. These are patches that no longer need to be installed once KB5022291 is installed. The table also contains a self-referencing row, which is why 5022291 appears in its own list.

    sqlite> SELECT patch FROM msu_supersedence WHERE super = '5022291';
    
    PATCH = 5010796
    
    PATCH = 5022291
    
    PATCH = 5022553
    
    PATCH = 5021656
    
    PATCH = 5021249
    
    PATCH = 5020436
    
    PATCH = 5020032
    ...
    
  5. Run the command below to list all the KBs that supersede KB5022291. These are the later updates that, when installed, also resolve the vulnerabilities KB5022291 fixes, so any one of them on an endpoint means the CVE is patched. As in the previous step, the self-referencing row makes 5022291 appear in its own list.

    sqlite> SELECT super FROM msu_supersedence WHERE patch = '5022291';
    
    SUPER = 5022291
    SUPER = 5022842
    SUPER = 5023705
    SUPER = 5025230
    SUPER = 5026370
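The following script is an added example, not code from the Wazuh project or the original page. It performs the queries from the steps above (the CVE/product lookup in the msu table and the two supersedence lookups) from Python, and goes one step further than the page by walking the msu_supersedence table transitively to find the newest KB at the end of every supersedence chain. The column names are taken from the `.mode line` output shown above; the column types, the helper names, and the in-memory sample rows (copied from the page's output, plus a few constructed rows that chain the superseding KBs together) are assumptions so the script runs offline. On a Wazuh server, point `open_readonly` at the real file instead.

```python
"""Query a Wazuh cve.db (or a constructed stand-in) for the KBs that patch a CVE
and walk the msu_supersedence table to find the newest replacement KB.
Added example; column types and sample rows are assumptions, not Wazuh's schema."""
import os
import sqlite3

CVE_DB = "/var/ossec/queue/vulnerabilities/cve.db"  # path from the page


def open_readonly(path: str) -> sqlite3.Connection:
    """Open the database read-only via a URI so a scan in progress is never
    disturbed: SQLite rejects any write on a mode=ro connection."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def kbs_for_cve(conn, cve_id: str, os_identifier: str) -> list:
    """Step 3 of the page, parameterized instead of string-built.
    Returns (PRODUCT, PATCH, TITLE) rows ordered by product name."""
    return conn.execute(
        "SELECT PRODUCT, PATCH, TITLE FROM msu "
        "WHERE CVEID = ? AND PRODUCT LIKE ? ORDER BY PRODUCT",
        (cve_id, f"%{os_identifier}%"),
    ).fetchall()


def supersedes(conn, kb: str) -> list:
    """Step 4: KBs that `kb` replaces, without the self-referencing row."""
    rows = conn.execute(
        "SELECT PATCH FROM msu_supersedence WHERE SUPER = ? AND PATCH <> SUPER "
        "ORDER BY PATCH", (kb,))
    return [r[0] for r in rows]


def superseded_by(conn, kb: str) -> list:
    """Step 5: KBs that replace `kb`, without the self-referencing row."""
    rows = conn.execute(
        "SELECT SUPER FROM msu_supersedence WHERE PATCH = ? AND PATCH <> SUPER "
        "ORDER BY SUPER", (kb,))
    return [r[0] for r in rows]


def newest_replacements(conn, kb: str) -> list:
    """Follow SUPER links transitively from `kb` and return the KBs at the end
    of every chain, i.e. those nothing else in the table supersedes. Self-
    references are skipped and UNION deduplicates, so a cyclic table cannot
    make the recursion loop forever."""
    sql = """
        WITH RECURSIVE chain(kb) AS (
            SELECT ?
            UNION
            SELECT s.SUPER FROM msu_supersedence s JOIN chain c ON s.PATCH = c.kb
            WHERE s.SUPER <> s.PATCH
        )
        SELECT kb FROM chain
        WHERE kb NOT IN (SELECT PATCH FROM msu_supersedence WHERE SUPER <> PATCH)
        ORDER BY kb
    """
    return [r[0] for r in conn.execute(sql, (kb,))]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for cve.db: rows copied from the page's
    output plus constructed rows chaining 5022842 -> 5023705 -> 5025230 -> 5026370."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE msu (CVEID TEXT, PRODUCT TEXT, PATCH TEXT, TITLE TEXT, URL TEXT,
                          SUBTYPE TEXT, RESTART_REQUIRED TEXT, CHECK_TYPE INTEGER);
        CREATE TABLE msu_supersedence (PATCH TEXT, SUPER TEXT);
    """)
    title = "Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability"
    url = "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022291"
    for product in ("Windows Server 2022", "Windows Server 2022 (Server Core installation)"):
        conn.execute("INSERT INTO msu VALUES (?,?,?,?,?,?,?,?)",
                     ("CVE-2023-21524", product, "5022291", title, url,
                      "Security Update", "Yes", 1))
    pairs = [(p, "5022291") for p in ("5010796", "5022291", "5022553", "5021656",
                                      "5021249", "5020436", "5020032")]
    pairs += [("5022291", s) for s in ("5022842", "5023705", "5025230", "5026370")]
    pairs += [("5022842", "5023705"), ("5023705", "5025230"), ("5025230", "5026370")]
    conn.executemany("INSERT INTO msu_supersedence VALUES (?,?)", pairs)
    return conn


if __name__ == "__main__":
    conn = open_readonly(CVE_DB) if os.path.exists(CVE_DB) else build_sample_db()
    for product, patch, _ in kbs_for_cve(conn, "CVE-2023-21524", "Server 2022"):
        print(f"{product}: KB{patch}")
        print("  supersedes:", supersedes(conn, patch))
        print("  superseded by:", superseded_by(conn, patch))
        print("  newest replacement(s):", newest_replacements(conn, patch))
```

`newest_replacements` is the query an endpoint-compliance check actually needs: an endpoint is patched for the CVE if it has any KB in the chain, and the terminal KB is the one to push if it has none. With `.mode line` the equivalent recursive CTE can be pasted into the sqlite3 prompt unchanged, replacing the `?` with the quoted KB number.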