Old kernel vulnerabilities reported even if kernel upgraded to new and latest version, how to handle


Om Narayan

Jun 5, 2026, 8:25:48 AM (2 days ago) Jun 5
to Wazuh | Mailing List

  • I’m running Wazuh on several RHEL machines and noticed that Wazuh is reporting a very high number of CVEs against older kernel packages even after I’ve upgraded to the latest kernel.

For example, in the image below, my running kernel is 6.12.0.226.el10, which is confirmed by running the command "uname -r"; however, Wazuh reports vulnerabilities even for the older kernel version 6.12.0.144.el10, and in huge numbers.

[image: kernel.png]

[root@centosstream10 ~]# uname -r
6.12.0-226.el10.x86_64
[root@centosstream10 ~]#

  • Even after a successful upgrade and reboot into the new kernel, the older kernels remain installed, and I think this is controlled by the file /etc/dnf/dnf.conf, which has installonly_limit set to 3 by default.

[root@centosstream10 ~]# cat /etc/dnf/dnf.conf
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
[root@centosstream10 ~]#

and hence vulnerabilities would have been reported for the older kernels as well.

My understanding is that technically the old kernel packages are still present and contain the vulnerabilities, but in practice the system is no longer vulnerable unless it boots into the old kernel. Reporting them creates significant noise and alert fatigue.

My questions are:

1) From an end-user / operational security perspective, what is the recommended way to handle these vulnerabilities reported against the old kernels?

2) Should we ignore/suppress alerts for non-running kernels?

3) Is there a configuration option in Wazuh (e.g., in vulnerability-detector or agent config) to only consider the running kernel for vulnerability assessment?

4) Or is the expectation that we should remove the old kernels manually before Wazuh stops flagging them?

Christian Borla

Jun 5, 2026, 8:58:15 AM (2 days ago) Jun 5
to Wazuh | Mailing List

Hi Om Narayan,

Your understanding is correct. In this case, Wazuh is reporting vulnerabilities for the older kernel packages because those packages are still installed on the endpoint and are still present in the RPM package database.

Wazuh Vulnerability Detection works from the software inventory collected by Syscollector. For Linux systems, this includes installed RPM packages, not only the currently running kernel reported by uname -r. So if an older kernel package such as 6.12.0-144.el10 is still installed, Wazuh can still report CVEs associated with that package.

From an operational/security perspective, I would handle this as follows:

  1. First, confirm that the system is actually running the patched kernel.

  2. Keep only the number of fallback kernels required by your organization’s policy. Keeping one previous known-good kernel is common for rollback purposes, but keeping more old kernels increases vulnerability noise.

  3. Remove older kernel packages once you are confident the new kernel is working correctly. For example: sudo dnf remove --oldinstallonly (a quick search), or remove the specific old kernel packages after validating what is installed.

  4. Optionally adjust /etc/dnf/dnf.conf to reduce the number of retained install-only packages, for example: installonly_limit=2

Regarding your questions:

  • I would not treat this as a Wazuh false positive. The vulnerable package is still installed.

  • I would not fully ignore it either, because the system could still be booted into the old kernel later.

  • Unfortunately Wazuh does not currently provide a Vulnerability Detection option to evaluate only the running kernel from uname -r.

  • If you want Wazuh to stop reporting those CVEs, the expected approach is to remove the old vulnerable kernel packages from the system.

I hope it helps. Regards.
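The steps above (confirm the running kernel, then find out which installed kernel packages are not the one booted) as an added shell example; this is not code from the thread or from Wazuh. It takes the output of `uname -r` and `rpm -q kernel` as arguments so it can be checked against constructed sample input; the package names and versions below are made up to mirror the thread.

```shell
#!/bin/sh
# Print the installed kernel packages that do NOT belong to the running kernel.
# $1: running kernel release, as printed by `uname -r` (e.g. 6.12.0-226.el10.x86_64)
# $2: installed kernel packages, one per line, as printed by `rpm -q kernel`
# `rpm -q kernel` prints name-version-release.arch, so the running kernel's
# package is exactly "kernel-<uname -r>"; everything else is a leftover kernel
# that Syscollector still inventories and Vulnerability Detection still assesses.
stale_kernels() {
    running="$1"
    installed="$2"
    # grep exits 1 when nothing is left over; that is not an error for us.
    printf '%s\n' "$installed" | grep -v -F -x "kernel-$running" || :
}

# Number of leftover kernel packages (0 when only the running kernel is installed).
stale_kernel_count() {
    result=$(stale_kernels "$1" "$2")
    if [ -z "$result" ]; then
        echo 0
    else
        printf '%s\n' "$result" | wc -l | tr -d ' '
    fi
}

# Step 1 of the reply: is the kernel we are running actually an installed package?
# Returns 0 (true) when "kernel-$1" appears in the installed list, 1 otherwise.
running_kernel_installed() {
    printf '%s\n' "$2" | grep -q -F -x "kernel-$1"
}

# Constructed sample input (not real output from the poster's host).
SAMPLE_RUNNING="6.12.0-226.el10.x86_64"
SAMPLE_INSTALLED="kernel-6.12.0-144.el10.x86_64
kernel-6.12.0-200.el10.x86_64
kernel-6.12.0-226.el10.x86_64"

# On a real RHEL/CentOS host you would call:
#   stale_kernels "$(uname -r)" "$(rpm -q kernel)"
# and review the list before running `dnf remove --oldinstallonly`.
stale_kernels "$SAMPLE_RUNNING" "$SAMPLE_INSTALLED"
```

The two leftover packages printed for the sample are the ones that would keep appearing in the Wazuh vulnerability inventory until they are removed.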
