Wazuh Vulnerability Scanner strange behavior on upgrade Packages stay on unsolved
72 views
Skip to first unread message
No Data
Nov 7, 2025, 2:13:16 AM (4 days ago) Nov 7
to Wazuh | Mailing List
Hello everyone,
We are currently observing some strange behavior in the vulnerability scanner. CVEs are only marked as Solved when the affected packages are uninstalled. However, when a package is upgraded, it is not marked as solved.
The inventory (IT hygiene) correctly shows the newly installed package. According to the vendor’s errata, this is a fixed version. Nevertheless, the vulnerability scanner still lists it as Unsolved.
A test involving the uninstallation of packages confirmed that such cases are detected correctly.
Attached are two screenshots illustrating the situation — both SUSE (SLES 12/15) and Red Hat (8/9) systems in our environment are affected.
According to Red Hat, the fixed version is installed:
https://access.redhat.com/errata/RHSA-2024:1436
The package details in the inventory confirm this.
However, the vulnerability details still list the system as vulnerable — interestingly, the package has been installed longer than the vulnerability has been detected. In other words, the vulnerability has been known for some time but was only recently flagged by the scanner, even though the fixed version is already in place.
Something about this seems quite odd.
I also noticed that the vulnerability scanner details are missing information about the fixed version. In the past, before CTI, this information was always shown. I believe including this would be quite useful.
We are currently observing some strange behavior in the vulnerability scanner. CVEs are only marked as Solved when the affected packages are uninstalled. However, when a package is upgraded, it is not marked as solved.
The inventory (IT hygiene) correctly shows the newly installed package. According to the vendor’s errata, this is a fixed version. Nevertheless, the vulnerability scanner still lists it as Unsolved.
A test involving the uninstallation of packages confirmed that such cases are detected correctly.
Attached are two screenshots illustrating the situation — both SUSE (SLES 12/15) and Red Hat (8/9) systems in our environment are affected.
According to Red Hat, the fixed version is installed:
https://access.redhat.com/errata/RHSA-2024:1436
The package details in the inventory confirm this.
However, the vulnerability details still list the system as vulnerable — interestingly, the package has been installed longer than the vulnerability has been detected. In other words, the vulnerability has been known for some time but was only recently flagged by the scanner, even though the fixed version is already in place.
Something about this seems quite odd.
I also noticed that the vulnerability scanner details are missing information about the fixed version. In the past, before CTI, this information was always shown. I believe including this would be quite useful.
i'm confused, any help will be welcome?
with best regards
Ifeanyi Onyia Odike
Nov 7, 2025, 5:33:00 AM (4 days ago) Nov 7
to Wazuh | Mailing List
Rafael Gomez
Nov 7, 2025, 6:58:59 AM (4 days ago) Nov 7
to wa...@googlegroups.com
Same here. I’m dealing with other kinds of the same false positive. It’s driving me crazy.
Rafael Gómez
+34 644 668 229
+34 644 668 229
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/f89e0497-7fef-41d6-adfa-e1d200df2178n%40googlegroups.com.
Ifeanyi Onyia Odike
Nov 7, 2025, 11:21:51 AM (4 days ago) Nov 7
to Wazuh | Mailing List
Hello
To resolve this query, I will itemize the three issues you have observed and provide responses:
Answer: Could you please share more details about the exact field you are referring to/missing?
To resolve this query, I will itemize the three issues you have observed and provide responses:
- Patched packages are not marked as “Solved.” The scanner only resolves CVEs when the vulnerable package is uninstalled, not when it’s upgraded.
- The System Inventory shows correct (fixed/upgraded) versions, but the vulnerability scanner still flags them as vulnerable.
- I also noticed that the vulnerability scanner details are missing information about the fixed version. In the past, before CTI, this information was always shown. I believe including this would be quite useful.
app...@proton.me
Nov 7, 2025, 12:32:21 PM (4 days ago) Nov 7
to Wazuh | Mailing List
Question: This is strange and shouldn't work like that. Could you confirm that you restarted your Wazuh agent after upgrading the package? The vulnerability detector needs to perform another scan on the Wazuh agent after packages are updated to patched versions.
yes the agents restarted.
Yes, only one version is visible in the Inventory Dashboard. What’s strange is that the package.installed column is empty here. However, the Vulnerability Report does show an installation date. I checked the installation directly on the server, and the package is installed. No duplicate packages.
. Removed Package on the affected Servers are marked as solved in the last days.
Question: Could you please share more details about the exact field you are referring to/missing?
In the old days, before CTI was used as a source for the Vulnerability Scanner (NVD and vendor ERRATA), the Red Hat errata data at least included a field with the fixed version. That field no longer exists today, which makes filtering for false positives more difficult. Now, it’s always necessary to check directly on the vendor’s website.
Ifeanyi Onyia Odike
1:32 AM (1 hour ago) 1:32 AM
to Wazuh | Mailing List
Hi
This is the related behavior for the first question.
"If the changes are made to packages while the Wazuh agent is in a stopped state, no alerts will be triggered. Also, if these changes are only detected after the Wazuh agent is restarted, no alert will be triggered."
I will get back to you with a reply about the third question.
Regards,
Reply all
Reply to author
Forward
0 new messages