Potential false positive in vulnerability detector


moosemaimer

Dec 2, 2022, 9:47:56 AM12/2/22
to Wazuh mailing list
I got a number of "Untriaged" vulnerability alerts on my server for several devices running Centos7, for packages:
  • kernel
  • kernel-devel
  • kernel-headers
  • kernel-tools
  • kernel-tools-libs
  • perf
  • python-perf
  • bpftool
CVE is listed as CVE-2022-4269, but this page shows the actual subject of the report is IBM QRadar 7.3.0-7.3.3, running on cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

I see similar groups of alerts from time to time, they always get marked as resolved within a few days without my doing anything. Maybe some part of the database system is confusing the "affected" packages with the "runs on/with" package?
cve-2022-4269.txt

Damian Nicastro

Dec 5, 2022, 3:17:22 AM12/5/22
to Wazuh mailing list
Hi Stephen:
I hope you are fine.
This vulnerability also affects the kernel in different Red Hat versions, as reported in the following document:

If you want to check the information in Wazuh CVE DB, you can do:
[]# sqlite3 /var/ossec/queue/vulnerabilities/cve.db
SQLite version 3.7.17 2013-05-20 00:56:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .headers on
sqlite> .tables
ADVISORIES_INFO           CPE_INDEX                 NVD_METADATA
AGENTS                    METADATA                  NVD_METRIC_CVSS
AGENT_HOTFIXES            MSU                       NVD_REFERENCE
ARCHITECTURES             MSU_SUPERSEDENCE          REFERENCES_INFO
BUGZILLA_REFERENCES_INFO  NVD_CPE                   VARIABLES
CPE_HELPER                NVD_CVE                   VULNERABILITIES
CPE_HELPER_SOURCE         NVD_CVE_CONFIGURATION     VULNERABILITIES_INFO
CPE_HELPER_TRANSLATION    NVD_CVE_MATCH

For instance:
sqlite> select * from VULNERABILITIES where CVEID="CVE-2022-4269";
CVEID|TARGET|TARGET_MINOR|PACKAGE|OPERATION|OPERATION_VALUE|CHECK_VARS|IGNORE|ARCH_ID
CVE-2022-4269|RHEL9||kernel-devel-matched|less than|0:0|0|0|0
CVE-2022-4269|RHEL9||kernel-devel|less than|0:0|0|0|0
...
As you can see, there is only PACKAGE information that is the affected package.
I hope this helps
Thanks
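Querying the same table programmatically, as an added example that is not part of this thread or of Wazuh's own code. It rebuilds the VULNERABILITIES table with the column names printed by `.headers on` above in an in-memory SQLite database (the two CVE-2022-4269 rows are the ones quoted in the post; the column types, the extra rows with a placeholder CVE id, and the assumption that a CentOS 7 agent is matched against the RHEL7 target feed are constructed), and falls back to the real /var/ossec/queue/vulnerabilities/cve.db when it exists:

```python
import os
import sqlite3

# Path of the Wazuh CVE database, as given in the thread.
CVE_DB_PATH = "/var/ossec/queue/vulnerabilities/cve.db"

# Column names exactly as printed by ".headers on" in the thread.
# Column types are an assumption; the real schema is not shown on the page.
SCHEMA = """
CREATE TABLE VULNERABILITIES (
    "CVEID" TEXT, "TARGET" TEXT, "TARGET_MINOR" TEXT, "PACKAGE" TEXT,
    "OPERATION" TEXT, "OPERATION_VALUE" TEXT,
    "CHECK_VARS" INTEGER, "IGNORE" INTEGER, "ARCH_ID" INTEGER
)
"""

# Sample rows: the first two are the CVE-2022-4269 rows quoted in the thread;
# the rest are constructed filler under a placeholder CVE id so the lookups
# below have something to exclude.
SAMPLE_ROWS = [
    ("CVE-2022-4269", "RHEL9", "", "kernel-devel-matched", "less than", "0:0", 0, 0, 0),
    ("CVE-2022-4269", "RHEL9", "", "kernel-devel", "less than", "0:0", 0, 0, 0),
    ("CVE-0000-0001", "RHEL7", "", "kernel", "less than", "0:0", 0, 0, 0),
    ("CVE-0000-0001", "RHEL7", "", "openssl", "less than", "0:0", 0, 0, 0),
]


def build_sample_db():
    """Create an in-memory database with the VULNERABILITIES layout from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO VULNERABILITIES VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def open_cve_db(path=CVE_DB_PATH):
    """Open the real Wazuh CVE DB read-only if present, else the constructed sample."""
    if os.path.exists(path):
        return sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    return build_sample_db()


def affected_packages(conn, cve_id):
    """Map each TARGET (OS feed) to the sorted PACKAGE names the feed marks as affected.

    Rows flagged IGNORE are skipped, since the detector does not alert on them.
    """
    rows = conn.execute(
        'SELECT "TARGET", "PACKAGE" FROM VULNERABILITIES '
        'WHERE "CVEID" = ? AND "IGNORE" = 0',
        (cve_id,),
    )
    result = {}
    for target, package in rows:
        result.setdefault(target, []).append(package)
    return {target: sorted(pkgs) for target, pkgs in result.items()}


def alert_has_feed_entry(conn, cve_id, target, package):
    """True if the feed ties cve_id to this package on this target.

    An alert whose (target, package) pair has no row here is worth reporting,
    because the detector should only fire on PACKAGE entries of the agent's feed.
    """
    row = conn.execute(
        'SELECT 1 FROM VULNERABILITIES WHERE "CVEID" = ? AND "TARGET" = ? '
        'AND "PACKAGE" = ? AND "IGNORE" = 0 LIMIT 1',
        (cve_id, target, package),
    ).fetchone()
    return row is not None


def main():
    conn = open_cve_db()
    cve = "CVE-2022-4269"
    for target, pkgs in sorted(affected_packages(conn, cve).items()):
        print(f"{cve} on {target}: {', '.join(pkgs)}")
    # Assumption: a CentOS 7 agent is evaluated against the RHEL7 feed.
    print("kernel on RHEL7 has a feed entry:",
          alert_has_feed_entry(conn, cve, "RHEL7", "kernel"))


if __name__ == "__main__":
    main()
```

Run it on the manager as a user that can read the database; the read-only URI keeps the script from touching the file Wazuh writes to. Comparing the alert's package and the agent's feed against what `affected_packages` returns is the quickest way to tell a genuine feed entry from a mismatch worth raising with the list.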