Solved: Re: PSIRT OpenVuln API Timezone for dates?

Darren Parkinson · ‎04-09-2024

Hi,

I have a question relating to the timezone for the dates returned in the OpenVuln API responses.

For example, the following dates, are we to assume they are UTC?

"firstPublished": "YYYY-MM-DDT16:00:00",
"lastUpdated": "YYYY-MM-DDT19:16:46",

Many thanks for any clarification you can provide.

Kind regards

(Note used YYYY-MM-DD in place of actual dates since it wouldn't let me post with actual dates in the body...)

PR Oxman · ‎04-09-2024

Hello,

Yes they are in UTC. I am about to make a minor update to the docs, so will add that to them.

Thanks.

View solution in original post

bigevilbeard · ‎04-09-2024

Hey buddy! I did some digging in this a while back, as the Webex CC API is (was) the same. There isn't explicit confirmation within the Cisco OpenVuln API documentation that the dates are returned in UTC. But.....based on the format of the dates we are given ("YYYY-MM-DDT16:00:00" and "YYYY-MM-DDT19:16:46"), it is a reasonable guess that these dates are in UTC (Coordinated Universal Time), also known as Zulu time (Z) and the format adheres to the ISO 8601 standard for representing dates and times, which specifies that if no time zone offset is provided, the time is assumed to be in UTC.

But, happy to be 100% wrong here (which often i am!)

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Darren Parkinson · ‎04-10-2024

Hey Stuart, good to hear from you. Hope you are well.

Yes, that was my assumption too, but just wanted to double check...

PR Oxman · ‎04-09-2024

Hello,

Yes they are in UTC. I am about to make a minor update to the docs, so will add that to them.

Thanks.

Darren Parkinson · ‎04-10-2024

Great stuff, thanks.

ROBERT THOMSON · ‎04-27-2024

Are they really in UTC?
When you look in the CSAF RSS feed (https://sec.cloudapps.cisco.com/security/center/csaf_20.xml) you see entries like the below which show the time as PDT
<item>

<title>cisco-sa-asaftd-cmd-inj-ZJV8Wysm</title>
<link>https://sec.cloudapps.cisco.com:443/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm/csaf/cisco-sa-asaftd-cmd-inj-ZJV8Wysm.json?vs_f=&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=cisco-sa-asaftd-cmd-inj-ZJV8Wysm&vs_k=...</link>
<description> </description>
<pubDate>Wed, 24 Apr 2024 23:00:00 PDT</pubDate>
<guid>https://sec.cloudapps.cisco.com:443/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm/csaf/cisco-sa-asaftd-cmd-inj-ZJV8Wysm.json</guid>
</item>

When you check the data returned from OpenVulnAPI you get
advisoryId : cisco-sa-asaftd-cmd-inj-ZJV8Wysm
advisoryTitle : Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability
csafUrl : https://sec.cloudapps.cisco.com/security/center/contentjson/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm/csaf/cisco-sa-asaftd-cmd-inj-ZJV8Wysm.json
firstPublished : 2024-04-24T23:00:00
lastUpdated : 2024-04-24T23:00:00
status : Final
version : 1.0

When you look at the JSON data in the csafUrl it shows the time in the document.tracking property as
"current_release_date": "2024-04-24T16:00:00+00:00"

The human readable advisory at "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm" shows the time to be consistent with the CSAF JSON download at 2024 April 24 16:00 GMT.

Given that the PDT timezone offset is -7 hours from GMT/UTC, I think both the RSS feed and the OpenVulnAPI are both trying to be PDT, but are inadvertently subtracting -7 (rather than adding) to end up in IndoChina Time zone (UTC+7).
Either way there is a disagreement amongst all the sources, and a math error is easiest way to explain it.

PR Oxman · ‎04-28-2024

Hello Robert,

Investigating the above and will revert ASAP.

Thanks.

PR Oxman · ‎04-29-2024

Hello Robert,

In short its a bug. The times should all be in UTC, but there is a condition we are trying to track down that will cause some of the times to be pushed out in PDT.

Development are investigating.

Thanks.