Under evaluation / Evaluated vulnerabilities


j885...@gmail.com

Jan 22, 2025, 1:44:10 AM
to Wazuh | Mailing List
Hello!
Could you help me understand how "Under evaluation / Evaluated" buttons SHOULD work?

My understanding was that all vulnerabilities should fall either to "Evaluated" category or "Under evaluation" category. Thus the sum of the two should be equal to all vulnerabilities.
But in my environment there's 50 evaluated vulners, 5 under evaluation and 500 total (numbers are an example). I don't understand why a huge portion does not fall to either category and if this can/should be fixed.

I tried removing vulnerabilities index and restarting manager.
Wazuh version is 4.10.1

Md. Nazmur Sakib

Jan 22, 2025, 2:19:02 AM
to Wazuh | Mailing List

Hi User,


The new vulnerability.under_evaluation field provides an Evaluated and Under evaluation filter.

The vulnerability falls under either Evaluated or Under evaluation. Check the screenshot for reference.

[Screenshots: All, Evaluated, Under evaluation]

Check the Vulnerability evaluation status section of this document to learn more about the vulnerability.under_evaluation field:
https://wazuh.com/blog/introducing-wazuh-4-10-0/


This field was previously not available in Wazuh. It was added in 4.10.1. Did you upgrade from Wazuh 4.8 or 4.9 to 4.10.1?

Have you followed the Configuring Filebeat section of this document while upgrading?


Ref: https://documentation.wazuh.com/current/upgrade-guide/upgrading-central-components.html#configuring-filebeat


Looking forward to your update on the issue.

j885...@gmail.com

Jan 22, 2025, 3:08:29 AM
to Wazuh | Mailing List
We upgraded from 4.8.2 to 4.10.1. All steps in Configuring Filebeat were followed.

I noticed that we have three values for vulnerability.under_evaluation:
Some vulnerabilities are vulnerability.under_evaluation:true, some are vulnerability.under_evaluation:false, but a huge portion of vulnerabilities are vulnerability.under_evaluation:-
333.png

Why is that and how to fix it?

j885...@gmail.com

Jan 24, 2025, 12:11:38 AM
to Wazuh | Mailing List
Kind reminder about this issue.

j885...@gmail.com

Jan 24, 2025, 1:08:27 AM
to Wazuh | Mailing List
Additional example: Filtered for one and the same CVE and one and the same OS version, but different package versions on different assets.
For some of the lines in the middle the under_evaluation is absent (-) for some reason.
 wrwe1.png

j885...@gmail.com

Jan 28, 2025, 6:36:30 AM
to Wazuh | Mailing List
Any hints would be greatly appreciated. We can't fully use Evaluation functionality because of this.

Md. Nazmur Sakib

Jan 29, 2025, 3:11:14 AM
to Wazuh | Mailing List
Sorry for the late response. Can you share your OS and OS version?

I will try to replicate this issue by upgrading from 4.8 to 4.10.1 and let you know my findings.

j885...@gmail.com

Jan 30, 2025, 7:03:59 AM
to Wazuh | Mailing List
OS: Ubuntu 22.04.4 LTS

What we noticed is that the vulnerabilities with "-" in under_evaluation field relate to packages/OS that are no longer present on the server or OS has been updated to a new version.
Example, OS is updated to x.6775 but vulnerabilities for 5830 are also shown. All of these 299 have under_evaluation "-":
Снимок экрана 2025-01-30 145623.png
For some servers there's no such issue, so I'm not sure if it's primarily related to Wazuh upgrade.
Looking forward to suggestions.

Md. Nazmur Sakib

Feb 4, 2025, 8:16:43 AM
to Wazuh | Mailing List
As per my assumption, the issue happened due to the changes in the field in under_evaluation, which was added in the Wazuh 4.10.1 version.

You already had the vulnerability index from 4.8.0, which didn't have this under_evaluation field earlier. It seems that after the upgrade, this field was not updated for all old CVEs in your index, and that created this anomaly; as those OS are not available, those data are also not updated.

Let me know if you need any further information on this.
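
The three states reported in this thread (true, false, and field absent, shown as "-"), as an added example that is not part of the original posts and is not Wazuh's own code: it buckets vulnerability documents the way the dashboard filters do, shows which host/OS-version pairs hold the documents without the field, and builds the equivalent indexer query. The index pattern, the `agent.name` and `host.os.version` field names, and all sample documents are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Assumptions: index pattern and ECS-style field names are not given in the thread.
INDEX_PATTERN = "wazuh-states-vulnerabilities-*"
FIELD = "vulnerability.under_evaluation"

def get_path(doc, dotted):
    """Read a dotted field from a nested _source dict; None when absent."""
    node = doc
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def evaluation_state(doc):
    value = get_path(doc, FIELD)
    if value is True:
        return "under_evaluation"
    if value is False:
        return "evaluated"
    return "missing"  # field absent: matched by neither dashboard filter

def tally(docs):
    return Counter(evaluation_state(d) for d in docs)

def missing_by_host(docs):
    """Count documents without the field per (agent name, OS version)."""
    return Counter((get_path(d, "agent.name"), get_path(d, "host.os.version"))
                   for d in docs if evaluation_state(d) == "missing")

def bucket_query():
    """Body for GET <INDEX_PATTERN>/_search: the same buckets, server side."""
    return {"size": 0, "aggs": {"state": {"filters": {"filters": {
        "under_evaluation": {"term": {FIELD: True}},
        "evaluated": {"term": {FIELD: False}},
        "missing": {"bool": {"must_not": {"exists": {"field": FIELD}}}},
    }}}}}

def make_doc(agent, os_version, flag=None):  # builds a constructed sample document
    vuln = {"id": "CVE-0000-0001"}  # placeholder CVE id
    if flag is not None:
        vuln["under_evaluation"] = flag
    return {"agent": {"name": agent}, "host": {"os": {"version": os_version}},
            "vulnerability": vuln}

SAMPLE = [make_doc("srv-a", "new-build", False), make_doc("srv-a", "new-build", True),
          make_doc("srv-a", "old-build"), make_doc("srv-a", "old-build"),
          make_doc("srv-b", "new-build", False)]

if __name__ == "__main__":
    print(dict(tally(SAMPLE)), dict(missing_by_host(SAMPLE)))
    print(f"GET {INDEX_PATTERN}/_search", json.dumps(bucket_query(), indent=2))
```

The "missing" bucket is the gap between the All count and the sum of the two filters; grouping it by OS version shows whether it is confined to stale entries for versions no longer installed.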

j885...@gmail.com

Feb 6, 2025, 2:55:06 AM
to Wazuh | Mailing List
The only question is how can I fix this? Any way to fully rescan/rebuild vulnerabilities DB?

j885...@gmail.com

Feb 11, 2025, 12:38:41 AM
to Wazuh | Mailing List
The only question is how can I fix this? Any way to fully rescan/rebuild vulnerabilities index or fix it in another way?

Md. Nazmur Sakib

Feb 12, 2025, 6:39:29 AM
to Wazuh | Mailing List
I am checking this with the team, I will come back with a possible workaround soon.

Md. Nazmur Sakib

Feb 12, 2025, 6:56:35 AM
to Wazuh | Mailing List

Could you enable the debug mode by adding wazuh_modules.debug=2 in /var/ossec/etc/internal_options.conf, restart the manager, wait 1h and send me the output of these commands:

cat /var/ossec/logs/ossec.log | grep -iE "vulnerability|indexer-connector"

cat /var/ossec/logs/ossec.log | grep -iE "error|warn"

j885...@gmail.com

Feb 17, 2025, 12:59:17 AM
to Wazuh | Mailing List
I've sent the logs to the email: nazmur.sakib at wazuh.com

Md. Nazmur Sakib

Feb 18, 2025, 12:46:18 AM
to Wazuh | Mailing List
I have analyzed your logs, and I have not found anything that points out the issue you are having. I will request you to open an issue in our GitHub and report this:

https://github.com/wazuh/wazuh/issues

So that our development team can look into this and we will try to provide you with any possible workaround or update on this issue.

j885...@gmail.com

Mar 12, 2025, 1:07:03 AM
to Wazuh | Mailing List
The issue has been resolved: https://github.com/wazuh/wazuh/issues/28553