cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1177
Views
5
Helpful
7
Replies

PSIRT OpenVuln API Timezone for dates?

Hi,

I have a question relating to the timezone for the dates returned in the OpenVuln API responses.

For example, the following dates, are we to assume they are UTC?

"firstPublished": "YYYY-MM-DDT16:00:00",
"lastUpdated": "YYYY-MM-DDT19:16:46",
Many thanks for any clarification you can provide.
Kind regards
 
(Note used YYYY-MM-DD in place of actual dates since it wouldn't let me post with actual dates in the body...)
1 Accepted Solution

Accepted Solutions

PR Oxman
Cisco Employee
Cisco Employee

Hello,

    Yes they are in UTC.  I am about to make a minor update to the docs, so will add that to them.

Thanks.

 

View solution in original post

7 Replies 7

Hey buddy! I did some digging in this a while back, as the Webex CC API is (was) the sameThere isn't explicit confirmation within the Cisco OpenVuln API documentation that the dates are returned in UTC. But.....based on the format of the dates we are given ("YYYY-MM-DDT16:00:00" and "YYYY-MM-DDT19:16:46"), it is a reasonable guess that these dates are in UTC (Coordinated Universal Time), also known as Zulu time (Z) and the format adheres to the ISO 8601 standard for representing dates and times, which specifies that if no time zone offset is provided, the time is assumed to be in UTC.

But, happy to be 100% wrong here (which often i am!) 

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Hey Stuart, good to hear from you. Hope you are well. 

Yes, that was my assumption too, but just wanted to double check...

PR Oxman
Cisco Employee
Cisco Employee

Hello,

    Yes they are in UTC.  I am about to make a minor update to the docs, so will add that to them.

Thanks.

 

Great stuff, thanks.

ROBERT THOMSON
Level 1
Level 1

Are they really in UTC?
When you look in the CSAF RSS feed (https://sec.cloudapps.cisco.com/security/center/csaf_20.xml) you see entries like the below which show the time as PDT
<item>
<!-- I2R 9899 -->
<title>cisco-sa-asaftd-cmd-inj-ZJV8Wysm</title>
<link>https://sec.cloudapps.cisco.com:443/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm/csaf/cisco-sa-asaftd-cmd-inj-ZJV8Wysm.json?vs_f=&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=cisco-sa-asaftd-cmd-inj-ZJV8Wysm&vs_k=...</link>
<description> </description>
<pubDate>Wed, 24 Apr 2024 23:00:00 PDT</pubDate>
<guid>https://sec.cloudapps.cisco.com:443/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm/csaf/cisco-sa-asaftd-cmd-inj-ZJV8Wysm.json</guid>
</item>

When you check the data returned from OpenVulnAPI you get
advisoryId : cisco-sa-asaftd-cmd-inj-ZJV8Wysm
advisoryTitle : Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability
csafUrl : https://sec.cloudapps.cisco.com/security/center/contentjson/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm/csaf/cisco-sa-asaftd-cmd-inj-ZJV8Wysm.json
firstPublished : 2024-04-24T23:00:00
lastUpdated : 2024-04-24T23:00:00
status : Final
version : 1.0

When you look at the JSON data in the csafUrl it shows the time in the document.tracking property as
"current_release_date": "2024-04-24T16:00:00+00:00"

The human readable advisory at "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm" shows the time to be consistent with the CSAF JSON download at 2024 April 24 16:00 GMT.

Given that the PDT timezone offset is -7 hours from GMT/UTC, I think both the RSS feed and the OpenVulnAPI are both trying to be PDT, but are inadvertently subtracting -7 (rather than adding) to end up in IndoChina Time zone  (UTC+7).
Either way there is a disagreement amongst all the sources, and a math error is easiest way to explain it.

PR Oxman
Cisco Employee
Cisco Employee

Hello Robert,

    Investigating the above and will revert ASAP.

Thanks.

 

Hello Robert,

 In short its a bug.  The times should all be in UTC, but there is a condition we are trying to track down that will cause some of the times to be pushed out in PDT.

Development are investigating.

Thanks.