
Vulnerability Patcher

caution

This module is not enabled by default. It can be enabled per server on the Servers page, or at user level on the Configuration page.

The Vulnerability Patcher module is designed to discover known vulnerabilities in the websites hosted on your server. It helps you identify insecure areas on your server and provides patches to fix these issues. The module existed before version 3.10.6; since that version it is also able to apply fixes for various CVEs. The currently supported CVE fixes are listed on our Changelog page.

info

As of now the module does not patch automatically; instead it lists the discovered vulnerabilities on the dashboard.

Currently this module has two CLI options:

bitninjacli --module=Patcher --restorePatch=<value>
bitninjacli --module=Patcher --restorePatch=/var/lib/bitninja/Patcher/backups/2024/01/01/example.php

Restores all applied patches for the given path.

bitninjacli --module=Patcher --patch=<value>
bitninjacli --module=Patcher --patch=CVE_EXAMPLE_2024_0101 --domainPath=/path/to/dir

Applies the given patch to the given domain path.

Extra options for patch:
--domainPath=<value>

The BitNinja Vulnerability Patcher determines whether a system is affected by known vulnerabilities by analyzing the actual source code of installed applications rather than relying on version numbers. This approach ensures accurate detection even when files are manually modified, patches are backported, or version metadata is unreliable. Each vulnerability is represented as a standalone package.

Live patches are located in the /opt/bitninja/modules/Patcher/patches directory using the format below.

CVE-XXXX/
├── info.json
└── files/
    ├── alias_1_orig.txt
    ├── alias_1_patch.txt
    └── ...

The info.json file defines the vulnerability metadata, including its name, description, and reference links. It also specifies the affected files and the detection rules associated with them.

{
  "files": {
    "wp-includes/class-wp-meta-query.php": {
      "alias_1": {
        "search": "files/alias_1_orig.txt",
        "patch": "files/alias_1_patch.txt"
      }
    }
  }
}

Alias Concept

Each alias represents a single detection rule. The search field contains the vulnerable code snippet, while the patch field contains the corrected version of that snippet.

Target Discovery

BitNinja identifies application roots using the following configuration file:

/var/lib/bitninja/ConfigParser/getVhosts-report.json

Example

{
  "doc_roots": [
    "/usr/share/nginx/html",
    "/var/www/example.com/html"
  ]
}

The system parses all available doc_roots entries from the configuration file and builds a list of directories that may contain web applications. During this process, duplicate paths are removed, and only valid, existing directories are retained for scanning.

File Resolution

For each vulnerability definition, BitNinja reads the info.json file and iterates through the listed target files. It then constructs absolute file paths by combining each document root with the relative file path defined in the patch.

For example, the relative path wp-includes/class-wp-meta-query.php combined with the document root /var/www/example.com/html resolves to /var/www/example.com/html/wp-includes/class-wp-meta-query.php

Detection Workflow

The detection process iterates through every document root, vulnerability definition, target file, and alias rule. For each combination, BitNinja performs pattern-based matching against the actual file contents.
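The target discovery, file resolution and detection steps described above, followed by the patch application that the --patch option performs, written out as an added Python example. This is not BitNinja's own code: the vhost report, the doc roots, the CVE-EXAMPLE-0001 package and the two PHP snippets are all constructed fixtures built in a temporary directory, and the "pattern-based matching" is assumed to be a verbatim substring match of the search snippet against the target file, which is an assumption about the module's behaviour.

```python
import json
import os
import tempfile
from pathlib import Path

# Constructed snippets (not from any real CVE) standing in for alias_1_orig.txt / alias_1_patch.txt.
VULN_SNIPPET = "$sql = \"SELECT * FROM wp_postmeta WHERE meta_key = '\" . $key . \"'\";\n"
FIXED_SNIPPET = "$sql = $wpdb->prepare(\"SELECT * FROM wp_postmeta WHERE meta_key = %s\", $key);\n"
CVE_ID = "CVE-EXAMPLE-0001"  # placeholder package name, not a real CVE

def load_doc_roots(report_path):
    """Target discovery: parse doc_roots, drop duplicates and non-existent directories."""
    with open(report_path) as fh:
        roots = json.load(fh).get("doc_roots", [])
    seen, kept = set(), []
    for root in roots:
        root = os.path.normpath(root)
        if root in seen or not os.path.isdir(root):
            continue
        seen.add(root)
        kept.append(root)
    return kept

def load_patch_packages(patches_dir):
    """One package per CVE-*/info.json; returns {cve_dir_name: (package_dir, info_dict)}."""
    packages = {}
    for info_path in sorted(Path(patches_dir).glob("*/info.json")):
        packages[info_path.parent.name] = (info_path.parent, json.loads(info_path.read_text()))
    return packages

def detect(report_path, patches_dir):
    """Detection workflow: doc root x package x target file x alias, matched on file contents."""
    findings = []
    packages = load_patch_packages(patches_dir)
    for root in load_doc_roots(report_path):
        for cve, (pkg_dir, info) in packages.items():
            for rel_file, aliases in info["files"].items():
                target = Path(root) / rel_file  # file resolution: doc root + relative path
                if not target.is_file():
                    continue
                content = target.read_text()
                for alias, rule in aliases.items():
                    # Assumed matching rule: the search snippet occurs verbatim in the file.
                    if (pkg_dir / rule["search"]).read_text() in content:
                        findings.append((root, cve, rel_file, alias))
    return findings

def apply_patch(doc_root, pkg_dir, info, backup_dir):
    """Swap each matched 'search' snippet for its 'patch' snippet; back up the original first."""
    patched = []
    for rel_file, aliases in info["files"].items():
        target = Path(doc_root) / rel_file
        if not target.is_file():
            continue
        original = new = target.read_text()
        for rule in aliases.values():
            needle = (pkg_dir / rule["search"]).read_text()
            if needle in new:
                new = new.replace(needle, (pkg_dir / rule["patch"]).read_text(), 1)
        if new != original:
            backup = Path(backup_dir) / rel_file
            backup.parent.mkdir(parents=True, exist_ok=True)
            backup.write_text(original)  # the copy a later restore would put back
            target.write_text(new)
            patched.append(rel_file)
    return patched

def build_fixture(base):
    """Create a constructed vhost report, two doc roots and one patch package under base."""
    base = Path(base)
    site = base / "www" / "example.com" / "html"
    (site / "wp-includes").mkdir(parents=True)
    (site / "wp-includes" / "class-wp-meta-query.php").write_text("<?php\n" + VULN_SNIPPET)
    clean = base / "www" / "clean"  # a doc root that does not contain the target file
    clean.mkdir()
    report = base / "getVhosts-report.json"
    report.write_text(json.dumps({"doc_roots": [str(site), str(site), str(clean), str(base / "missing")]}))
    pkg = base / "patches" / CVE_ID
    (pkg / "files").mkdir(parents=True)
    (pkg / "files" / "alias_1_orig.txt").write_text(VULN_SNIPPET)
    (pkg / "files" / "alias_1_patch.txt").write_text(FIXED_SNIPPET)
    (pkg / "info.json").write_text(json.dumps({
        "name": CVE_ID, "description": "constructed example",
        "files": {"wp-includes/class-wp-meta-query.php": {
            "alias_1": {"search": "files/alias_1_orig.txt", "patch": "files/alias_1_patch.txt"}}}}))
    return report, base / "patches", site

def run_demo():
    """Detect, patch, detect again; returns the intermediate results for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        report, patches_dir, site = build_fixture(tmp)
        roots = load_doc_roots(report)
        before = detect(report, patches_dir)
        pkg_dir, info = load_patch_packages(patches_dir)[CVE_ID]
        patched = apply_patch(site, pkg_dir, info, Path(tmp) / "backups")
        after = detect(report, patches_dir)
        return {"roots": roots, "before": before, "patched": patched, "after": after}
```

Calling run_demo() builds the fixtures, runs one detection pass, applies the package to the affected doc root and runs detection again. The report lists the same site twice plus a directory that does not exist, so only two doc roots survive discovery; the first pass yields one finding (alias_1 in the example site), and after the patch the same rule no longer matches. The backup copy written before the file is modified is what a restore operation like --restorePatch relies on.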

Detected vulnerabilities can be seen on your dashboard: https://console.bitninja.io/patcher