Wazuh Alert: Critical Issue Flagged as Low Priority in Ubuntu


Wazuh User

Jul 30, 2025, 12:09:12 PM
to Wazuh | Mailing List
Hi Team,
     I have found 18 Critical Severity alerts on one of my agents, with the vulnerability CVE-2023-3326. The system is up-to-date, and this vulnerability is flagged as Low priority in Ubuntu. The patch has already been applied, but Wazuh still reports it as Critical.
How can I resolve this situation?
Is it possible to manually mark it as resolved or evaluated in Wazuh?

Screenshot 2025-07-30 200901.png

Santiago Padilla Alvarez

Jul 30, 2025, 12:43:32 PM
to Wazuh | Mailing List
After you upgrade or remove a package the agent’s syscollector module (responsible for collecting such data from each agent) has to run again and send the new package list to the manager.
The syscollector interval time in charge of the package analysis can be found in the agent configuration file /var/ossec/etc/ossec.conf like this:

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1m</interval>
    <!-- ... remaining syscollector options ... -->
  </wodle>


In case of changing the syscollector interval time you will have to restart the agent afterwards.
The manager compares that inventory with its CVE feed. For every package/CVE it keeps one state document inside the index wazuh-states-vulnerabilities-*.
The document is rewritten with a new data.vulnerability.status field ("Detected" to "Solved").
Once a package is removed or upgraded to a version without the vulnerability you are looking for, within the Dashboard -> Vulnerability detection -> Events, an alert that the vulnerability has been solved will appear.

Therefore, I would appreciate it if you could confirm the following:

1) The agent logs (/var/ossec/logs/ossec.log) show that syscollector has scanned again after you resolved the vulnerability.
2) The alert has appeared in Dashboard -> Vulnerability detection -> Events that the vulnerability has been resolved (You can also view it in /var/ossec/logs/alerts/alerts.json in the manager).
3) If all of the above has appeared and the vulnerability is still showing up on the dashboard, please tell me which version of Wazuh you are using so that I can replicate it.
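
One way to run check 2) from the reply above against the manager's alerts.json, as an added example that is not part of the original thread or Wazuh's own tooling. The JSON layout under data.vulnerability, the agent names and the sample lines are assumptions constructed for illustration; the status values "Detected" and "Solved" are the ones named in the reply.

```python
import json

# Constructed sample lines in the shape of the manager's alerts.json (one JSON
# object per line). The layout under data.vulnerability is an assumption based
# on the data.vulnerability.status field named in the reply above.
SAMPLE_ALERTS = """\
{"timestamp":"2025-07-24T09:00:00.000+0000","agent":{"name":"ubuntu-01"},"data":{"vulnerability":{"cve":"CVE-2023-3326","status":"Detected","package":{"name":"libpam-krb5"}}}}
{"timestamp":"2025-07-24T09:00:05.000+0000","agent":{"name":"ubuntu-02"},"data":{"vulnerability":{"cve":"CVE-2023-3326","status":"Detected","package":{"name":"libpam-krb5"}}}}
{"timestamp":"2025-07-24T09:00:09.000+0000","agent":{"name":"ubuntu-01"},"data":{"vulnerability":{"cve":"CVE-2024-12345","status":"Detected","package":{"name":"sssd"}}}}
{"timestamp":"2025-07-30T10:15:00.000+0000","agent":{"name":"ubuntu-01"},"data":{"vulnerability":{"cve":"CVE-2023-3326","status":"Solved","package":{"name":"libpam-krb5"}}}}
{"timestamp":"2025-07-30T10:1
"""

def latest_status(lines, cve):
    """Map (agent, package) -> (timestamp, status) of the newest event for cve."""
    latest = {}
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank line, or a line the manager is still writing
        if not isinstance(alert, dict):
            continue
        vuln = (alert.get("data") or {}).get("vulnerability")
        if not isinstance(vuln, dict) or vuln.get("cve") != cve:
            continue
        key = (alert.get("agent", {}).get("name", "?"),
               vuln.get("package", {}).get("name", "?"))
        # Timestamps in one file share a format and offset, so string order is time order.
        stamp = alert.get("timestamp", "")
        if key not in latest or stamp >= latest[key][0]:
            latest[key] = (stamp, vuln.get("status"))
    return latest

def unresolved(lines, cve):
    """Agent/package pairs whose most recent event for cve is not 'Solved'."""
    return sorted(k for k, (_, status) in latest_status(lines, cve).items()
                  if status != "Solved")

if __name__ == "__main__":
    # On a manager, pass open("/var/ossec/logs/alerts/alerts.json") instead of the sample.
    for agent, package in unresolved(SAMPLE_ALERTS.splitlines(), "CVE-2023-3326"):
        print(f"{agent}: {package} has no 'Solved' event yet")
```

A pair that stays in the output after syscollector has rescanned means the manager still matches the installed package version against its CVE feed, which is the situation described in the follow-up message.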

Wazuh User

Jul 31, 2025, 6:26:00 AM
to Wazuh | Mailing List
Hi Santiago,
The upgrade was done last week, and Ubuntu hasn't released any patch for this issue yet. How should we prevent this from being marked as critical, or can we label it as a known issue?
Not only for this, there are some more issues like this.

PFA

Screenshot 2025-07-31 143447.png

Santiago Padilla Alvarez

Jul 31, 2025, 7:06:31 AM
to Wazuh | Mailing List

I understand. Unfortunately, as of today, it is not possible to make the vulnerability disappear completely, even from the dashboard.

But that will be possible in a future update, carried out by a mechanism where, in the configuration file, we will be able to exclude the CVEs we want, like this:

<exclusions>
        <cves>CVE-2023-3326,CVE-2024-12345</cves>
        <packages>sssd,libpam-krb5</packages>
</exclusions>

I leave here the issue so you can see the development updates.
