Wazuh vulnerabilities for CentOS Streams


Om Narayan

Jun 8, 2026, 2:39:24 AM
to Wazuh | Mailing List
Our Wazuh version is 4.14.4. We have seen that the vulnerabilities Wazuh reported for CentOS Stream 9 and CentOS Stream 10 had some oddities, as in:

1) Both CentOS Stream 9 and CentOS Stream 10 were found to be relying on backported fixes for certain packages for resolving vulnerabilities. These fixes do not align with the versions reported by Wazuh, as Wazuh relies/may rely on Red Hat advisories even for CentOS Stream OSes, and the vulnerabilities reported by Wazuh may come as false positives.

Manual validation of changelogs and installed versions to confirm the resolution of vulnerabilities is not always possible if we have a large number of such vulnerabilities. How do we handle these? If we have too many such issues, will it become difficult to manage?

2) For CentOS Stream 9 and 10, the Wazuh vulnerability report lists fixed versions for certain packages that are not yet available for CentOS Stream 9 and 10 from the CentOS upstream, leading to potential confusion, as the fixed versions provided by the Wazuh vulnerability report are for the Red Hat RHEL versions and do not align with the CentOS Stream 9 and 10 versions. It is difficult to validate. How do we handle such scenarios, as we have a big environment and many such vulnerabilities?

3) What is Wazuh's stance in terms of support for vulnerabilities for CentOS Stream 8, 9, and 10? Does it provide accurate results, or do we need to wait for the next releases?

 

Stuti Gupta

Jun 8, 2026, 3:39:34 AM
to Wazuh | Mailing List

Hi Om,

CentOS Stream 9 is supported by Wazuh Vulnerability Detection.

CentOS Stream belongs to the same ecosystem and uses the same package base as RHEL. Because of that, Wazuh relies on the Red Hat security data for vulnerability detection. If a CVE is marked as affecting RHEL 9 packages, Wazuh may also report it for CentOS Stream when the same package version is detected. https://www.redhat.com/en/topics/linux/what-is-centos-stream.

To better understand, can you please share the following information:
Please share the CVE ID that you believe is affected in CentOS 9.
Please share the package details:
GET /syscollector/<agent_id>/packages?search=<package name>

This will help us verify whether the reported result is expected or if there is an issue with the vulnerability data for that specific package.

You can also search the CVE details here: https://cti.wazuh.com/vulnerabilities/cves

Stuti Gupta

Jun 8, 2026, 3:41:30 AM
to Wazuh | Mailing List
Additionally, you can check the supported OS list here: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html#compatibility-matrix
CentOS 10, 9, and 8 are supported.

Om Narayan

Jun 8, 2026, 3:10:10 PM
to Stuti Gupta, Wazuh | Mailing List
Thanks Stuti,

I am also expecting some answers and explanations on the first two questions I asked.

1) Both CentOS Stream 9 and CentOS Stream 10 were found to be relying on backported fixes for certain packages for resolving vulnerabilities. These fixes do not align with the versions reported by Wazuh, as Wazuh relies/may rely on Red Hat advisories even for CentOS Stream OSes, and the vulnerabilities reported by Wazuh may come as false positives.

Manual validation of changelogs and installed versions to confirm the resolution of vulnerabilities is not always possible if we have a large number of such vulnerabilities.

Question: How do we handle these? If we have too many such issues, will it become difficult to manage?

2) For CentOS Stream 9 and 10, the Wazuh vulnerability report lists fixed versions for certain packages that are not yet available for CentOS Stream 9 and 10 from the CentOS upstream, leading to potential confusion, as the fixed versions provided by the Wazuh vulnerability report are for the Red Hat RHEL versions and do not align with the CentOS Stream 9 and 10 versions. It is difficult to validate.

Question: How do we handle such scenarios, as we have a big environment and many such vulnerabilities?

Regards,
Om Narayan

Stuti Gupta

Jun 9, 2026, 7:15:54 AM
to Wazuh | Mailing List

Hi Om,

Let me answer both questions together. 

Firstly, the Wazuh CTI platform gets vulnerability information from operating system vendors and other official sources. Since CentOS Stream is part of the RHEL ecosystem, the vulnerability data for CentOS Stream is based on the same vendor security information.

A package may be fixed through a backport while keeping the same package version. In such cases, if you believe a vulnerability is being reported as a false positive, please share a few CVE IDs, package names, and package versions with us.

For large environments, checking every vulnerability manually is not practical. So, please provide a few examples. We can review them, verify the information against the CTI data, and discuss the findings internally if needed. If we find a common pattern, I can investigate it further and check whether there is an issue with the vulnerability data or the reported result is expected.
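
Added example, not part of the thread and not Wazuh's own code: a Python helper that orders RPM `epoch:version-release` strings the way rpm does and buckets findings by package, so the CVE ID, package name and version triples requested above can be gathered for many findings at once. The CVE IDs, package names and versions are constructed placeholders, the function names are hypothetical, and caret ordering is not implemented.

```python
import re
from collections import defaultdict
from itertools import zip_longest

def rpmvercmp(a, b):
    """Order two RPM version or release strings as rpm does (caret not handled)."""
    seg = r"[0-9]+|[A-Za-z]+|~"  # separators such as '.', '_' only delimit segments
    for x, y in zip_longest(re.findall(seg, a), re.findall(seg, b)):
        if x == y:
            continue
        if "~" in (x, y):  # tilde sorts below everything, even end of string
            return -1 if x == "~" else 1
        if x is None or y is None:  # the string with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():  # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return 0

def split_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return epoch or "0", version, release

def evr_cmp(x, y):
    """Compare epoch first, then version, then release."""
    for p, q in zip(split_evr(x), split_evr(y)):
        if (c := rpmvercmp(p, q)):
            return c
    return 0

def triage(findings):
    """Bucket (cve, package, installed, reported_fix) rows by package."""
    report = defaultdict(list)
    for cve, pkg, installed, fixed in findings:
        label = "at-or-above-fix" if evr_cmp(installed, fixed) >= 0 else "below-fix"
        report[pkg].append((cve, label))
    return dict(report)

# Constructed sample rows: placeholder CVE IDs, package names and versions.
FINDINGS = [
    ("CVE-0000-0001", "pkg-a", "2.4.1-5.el9", "2.4.1-3.el9_4.2"),
    ("CVE-0000-0002", "pkg-a", "2.4.1-5.el9", "2.4.1-5.el9_4.1"),
    ("CVE-0000-0003", "pkg-b", "1:1.0-2.el10", "9.9-1.el10"),
]
```

Rows labelled `below-fix` are the ones where the changelog check discussed in the thread still applies; the second sample row shows a Stream-style release (`5.el9`) sorting below a RHEL-style one (`5.el9_4.1`) for the same version.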

