Wazuh triggering alert for WhatsApp that is not even installed on Windows server

Mefisto Evil

Dec 16, 2025, 10:26:11 AM
to Wazuh | Mailing List
Hello, I am regularly getting alerts about a WhatsApp vulnerability, but it is not even installed on this machine. Why does this happen, and how should I troubleshoot what is triggering this?

JSON alert:

{
  "_index": "wazuh-alerts-4.x-2025.12.16",
  "_id": "wSI9JZsBuxWx2Oepd-wI",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": { "type": "log" },
    "agent": { "ip": "192.168.114.14", "name": "srv-xyz", "id": "008" },
    "manager": { "name": "srv-wazuh" },
    "data": {
      "vulnerability": {
        "severity": "Critical",
        "package": {
          "condition": "Package less than 2.2146",
          "name": "WhatsApp",
          "source": " ",
          "version": "2.2144.11",
          "architecture": " "
        },
        "assigner": "facebook",
        "cwe_reference": "CWE-122",
        "published": "2022-01-04T19:15:14Z",
        "classification": "CVSS",
        "title": "CVE-2021-24042 affects WhatsApp",
        "type": "Packages",
        "rationale": "The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, WhatsApp Desktop prior to v2.2146 could have allowed an out-of-bounds write if a user makes a 1:1 call to a malicious actor.",
        "reference": "https://www.whatsapp.com/security/advisories/2021/",
        "score": { "version": "3.1", "base": "9.800000" },
        "cve": "CVE-2021-24042",
        "scanner": { "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2021-24042" },
        "enumeration": "CVE",
        "cvss": {
          "cvss3": {
            "base_score": "9.800000",
            "vector": {
              "user_interaction": "NONE",
              "integrity_impact": "HIGH",
              "scope": "UNCHANGED",
              "availability": "HIGH",
              "confidentiality_impact": "HIGH",
              "attack_vector": "NETWORK",
              "privileges_required": "NONE"
            }
          }
        },
        "updated": "2025-05-22T19:15:23Z",
        "status": "Active"
      }
    },
    "rule": {
      "firedtimes": 1,
      "mail": true,
      "level": 13,
      "pci_dss": [ "11.2.1", "11.2.3" ],
      "tsc": [ "CC7.1", "CC7.2" ],
      "description": "CVE-2021-24042 affects WhatsApp",
      "groups": [ "vulnerability-detector" ],
      "id": "23506",
      "gdpr": [ "IV_35.7.d" ]
    },
    "location": "vulnerability-detector",
    "decoder": { "name": "json" },
    "id": "1765856339.61997456",
    "timestamp": "2025-12-16T08:38:59.315+0500"
  },
  "fields": {
    "data.vulnerability.published": [ "2022-01-04T19:15:14.000Z" ],
    "data.vulnerability.updated": [ "2025-05-22T19:15:23.000Z" ],
    "timestamp": [ "2025-12-16T03:38:59.315Z" ]
  },
  "highlight": {
    "manager.name": [ "@opensearch-dashboards-highlighted-field@srv-wazuh@/opensearch-dashboards-highlighted-field@" ]
  },
  "sort": [ 1765856339315 ]
}

Maximiliano Ibarra

Dec 16, 2025, 11:58:39 PM
to Wazuh | Mailing List
Hi. I don't understand why this could be if you say it's not installed. But we could check the logs to see if they give any indication of what it might be.
   Agent logs: /var/ossec/logs/ossec.log
   Manager logs: /var/ossec/logs/vulnerabilities.log
The vulnerabilities logs have the keyword "vulnerability". I imagine you've already checked if the agent is the same one that appears in the alert.
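A small triage helper for the log check suggested in the reply, as an added example that is not part of the original thread and not Wazuh's own code: it pulls the agent, package and CVE out of the alert, checks that the reported version really satisfies the alert's own condition, and filters log lines by the "vulnerability" keyword. The function names are hypothetical, and the log lines are constructed with illustrative wording rather than copied from real Wazuh output.

```python
import json

# Constructed sample: only the alert fields from the thread that matter for triage.
ALERT = json.loads("""
{"_source": {"agent": {"id": "008", "name": "srv-xyz"}, "data": {"vulnerability": {
 "cve": "CVE-2021-24042", "package": {"name": "WhatsApp", "version": "2.2144.11",
 "condition": "Package less than 2.2146"}}}}}
""")

# Constructed log lines; the wording is illustrative, not real Wazuh output.
LOG_LINES = [
    "2025/12/16 08:30:01 wazuh-modulesd:syscollector: INFO: Evaluation finished.",
    "2025/12/16 08:38:59 wazuh-modulesd:vulnerability-scanner: INFO: agent 008 package WhatsApp 2.2144.11 matched CVE-2021-24042",
    "2025/12/16 08:39:10 wazuh-modulesd:vulnerability-scanner: INFO: scan finished for agent 003",
    "2025/12/16 08:40:00 wazuh-remoted: INFO: keepalive from agent 008",
]

def alert_facts(alert):
    """Pull out the values to search for: who was scanned and what was matched."""
    src = alert["_source"]
    vuln = src["data"]["vulnerability"]
    pkg = vuln["package"]
    return {"agent_id": src["agent"]["id"], "agent_name": src["agent"]["name"], "cve": vuln["cve"],
            "package": pkg["name"], "version": pkg["version"], "condition": pkg["condition"]}

def version_tuple(text):
    """Turn '2.2144.11' into (2, 2144, 11) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def condition_holds(facts):
    """True/False for a 'Package less than X' condition; None for wording not handled here."""
    prefix = "Package less than "
    if not facts["condition"].startswith(prefix):
        return None
    return version_tuple(facts["version"]) < version_tuple(facts["condition"][len(prefix):])

def triage(lines, facts):
    """Keep lines with the 'vulnerability' keyword; tag which alert values each one mentions."""
    hits = []
    for number, line in enumerate(lines, 1):
        low = line.lower()
        if "vulnerability" not in low:
            continue
        tags = [key for key in ("agent_id", "package", "cve") if facts[key].lower() in low]
        hits.append((number, tags, line))
    return hits

if __name__ == "__main__":
    print(condition_holds(alert_facts(ALERT)), triage(LOG_LINES, alert_facts(ALERT)))
```

Lines tagged with the agent ID, package name or CVE are the ones to read first; untagged keyword hits belong to other agents or scans.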