Wazuh Vulnerability Scanner strange behavior on upgrade Packages stay on unsolved

Nov 7, 2025, 2:13:16 AM (5 days ago) Nov 7
to Wazuh | Mailing List
Hello everyone,

We are currently observing some strange behavior in the vulnerability scanner. CVEs are only marked as Solved when the affected packages are uninstalled. However, when a package is upgraded, it is not marked as solved.

The inventory (IT hygiene) correctly shows the newly installed package. According to the vendor’s errata, this is a fixed version. Nevertheless, the vulnerability scanner still lists it as Unsolved.

A test involving the uninstallation of packages confirmed that such cases are detected correctly.

Attached are two screenshots illustrating the situation — both SUSE (SLES 12/15) and Red Hat (8/9) systems in our environment are affected.

According to Red Hat, the fixed version is installed:
https://access.redhat.com/errata/RHSA-2024:1436

The package details in the inventory confirm this.

package_details.gif

However, the vulnerability details still list the system as vulnerable — interestingly, the package has been installed longer than the vulnerability has been detected. In other words, the vulnerability has been known for some time but was only recently flagged by the scanner, even though the fixed version is already in place.

vul_details.png

Something about this seems quite odd.

I also noticed that the vulnerability scanner details are missing information about the fixed version. In the past, before CTI, this information was always shown. I believe including this would be quite useful.

I'm confused; any help will be welcome.

with best regards

Ifeanyi Onyia Odike

Nov 7, 2025, 5:33:00 AM (5 days ago) Nov 7
to Wazuh | Mailing List
Hi @ata...@tutanota.com

Your query is acknowledged.
Let me get back to you on this.

Regards

Rafael Gomez

Nov 7, 2025, 6:58:59 AM (5 days ago) Nov 7
to wa...@googlegroups.com
Same here. I’m dealing with other kinds of the same false positive. It’s driving me crazy.

Rafael Gómez
+34 644 668 229

To view this discussion visit https://groups.google.com/d/msgid/wazuh/f89e0497-7fef-41d6-adfa-e1d200df2178n%40googlegroups.com.

Ifeanyi Onyia Odike

Nov 7, 2025, 11:21:51 AM (5 days ago) Nov 7
to Wazuh | Mailing List
Hello 

To resolve this query, I will itemize the three issues you have observed and provide responses:
  • Patched packages are not marked as “Solved.” The scanner only resolves CVEs when the vulnerable package is uninstalled, not when it’s upgraded.
Answer: This is strange and shouldn't work like that. Could you confirm that you restarted your Wazuh agent after upgrading the package? The vulnerability detector needs to perform another scan on the Wazuh agent after packages are updated to patched versions.

  • The System Inventory shows correct (fixed/upgraded) versions, but the vulnerability scanner still flags them as vulnerable.
Answer: That's an important part. The scanner is working as expected. Could you confirm that the old vulnerability does not appear in the inventory dashboard while we investigate this further?

  • I also noticed that the vulnerability scanner details are missing information about the fixed version. In the past, before CTI, this information was always shown. I believe including this would be quite useful.
Answer: Could you please share more details about the exact field you are referring to/missing?

app...@proton.me

Nov 7, 2025, 12:32:21 PM (5 days ago) Nov 7
to Wazuh | Mailing List
Question: This is strange and shouldn't work like that. Could you confirm that you restarted your Wazuh agent after upgrading the package? The vulnerability detector needs to perform another scan on the Wazuh agent after packages are updated to patched versions.

yes the agents restarted.

Question: That's an important part. The scanner is working as expected. Could you confirm that the old vulnerability does not appear in the inventory dashboard while we investigate this further?

Yes, only one version is visible in the Inventory Dashboard. What’s strange is that the package.installed column is empty here. However, the Vulnerability Report does show an installation date. I checked the installation directly on the server, and the package is installed. No duplicate packages. Removed packages on the affected servers have been marked as solved in the last few days.

Question: Could you please share more details about the exact field you are referring to/missing?

In the old days, before CTI was used as a source for the Vulnerability Scanner (NVD and vendor ERRATA), the Red Hat errata data at least included a field with the fixed version. That field no longer exists today, which makes filtering for false positives more difficult. Now, it’s always necessary to check directly on the vendor’s website.

Ifeanyi Onyia Odike

Nov 11, 2025, 1:32:05 AM (24 hours ago) Nov 11
to Wazuh | Mailing List
Hi 

This is the related behavior for the first question.
"If the changes are made to packages while the Wazuh agent is in a stopped state, no alerts will be triggered. Also, if these changes are only detected after the Wazuh agent is restarted, no alert will be triggered."

I will get back to you with a reply about the third question.

Regards,

app...@proton.me

Nov 11, 2025, 2:47:42 AM (23 hours ago) Nov 11
to Wazuh | Mailing List
Hi,

I think we misunderstood each other. I thought you meant whether we had restarted the agents themselves after an upgrade. That has been done. The agents are updated remotely on our side. They run continuously and are not stopped during a package upgrade on the servers — that wouldn’t make any sense anyway. It’s not that simple. So this is not the expected behavior.

with best regards

Ifeanyi Onyia Odike

Nov 11, 2025, 7:03:30 AM (18 hours ago) Nov 11
to Wazuh | Mailing List
Hi,

Regarding your third question. I have attached an image from what is currently available.
Can you try utilizing the vulnerability.scanner.condition for your use case?
image (7).png

app...@proton.me

Nov 11, 2025, 9:21:57 AM (16 hours ago) Nov 11
to Wazuh | Mailing List
No, that doesn’t help at all, and of course I know the link. However, there are no fixed versions listed there either — otherwise, they would probably also appear as a value in the dataset. The only workaround is to go through your errata pages; then I can copy the CVE and go directly to the corresponding page. Furthermore, it’s hard to filter using just a link — something like “version greater than” or “version smaller than” doesn’t really work well with a link.

In principle this is more of a luxury problem, but it would be better if the “Vulnerability Scanner” did its job — which it effectively does not at the moment. Is there any solution for this? Otherwise I’ll delete the index now and have everything rebuilt. I can’t accept this poor, invalid state. The old version of the Vulnerability Scanner was noticeably better and more robust. Since the switch, there have apparently been widespread problems — not just for us.

with best regards
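The manual workaround described in the two messages above (reading the fixed version off the vendor errata and comparing it with the installed package by hand) can be scripted so findings can be triaged in bulk. The following is an added example written for this thread, not Wazuh code and not anything posted by the participants; it re-implements RPM's version ordering, the package versions and fixed EVR are constructed placeholders, and it assumes the installed version is taken from the inventory as an rpm-style "epoch:version-release" string.

```python
import re
# Added example (not Wazuh code): re-implements RPM's version ordering (rpmvercmp
# semantics, tilde and caret included) to compare an installed EVR with the fixed one.

def rpmvercmp(a: str, b: str) -> int:
    """Order two version strings like rpm does; returns -1, 0 or 1."""
    while a or b:
        a = re.sub(r"^[^A-Za-z0-9~^]+", "", a)   # separators carry no meaning
        b = re.sub(r"^[^A-Za-z0-9~^]+", "", b)
        if a[:1] == "~" or b[:1] == "~":         # '~' sorts before everything
            if a[:1] != "~": return 1
            if b[:1] != "~": return -1
            a, b = a[1:], b[1:]; continue
        if a[:1] == "^" or b[:1] == "^":         # '^' sorts after the base version
            if not a: return -1
            if not b: return 1
            if a[:1] != "^": return 1
            if b[:1] != "^": return -1
            a, b = a[1:], b[1:]; continue
        if not (a and b): break
        isnum = a[0].isdigit()
        ma = re.match(r"\d+" if isnum else r"[A-Za-z]+", a)
        mb = re.match(r"\d+" if isnum else r"[A-Za-z]+", b)
        if mb is None: return 1 if isnum else -1  # numeric segment beats alpha
        sa, sb = ma.group(), mb.group()
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb): return 1 if len(sa) > len(sb) else -1
        if sa != sb: return 1 if sa > sb else -1
        a, b = a[ma.end():], b[mb.end():]
    return 0 if a == b else (1 if a else -1)   # longer remainder is newer

def parse_evr(s: str) -> tuple:
    """Split '[epoch:]version-release' into an (epoch, version, release) tuple."""
    epoch, _, rest = s.rpartition(":")
    version, _, release = rest.rpartition("-")
    return (epoch or "0", version or rest, release)

def evr_cmp(installed: tuple, fixed: tuple) -> int:
    """Compare EVR tuples field by field: epoch first, then version, then release."""
    return next((r for r in map(rpmvercmp, installed, fixed) if r), 0)

# Constructed sample data: placeholder package versions, not the real errata contents.
FIXED_EVR = parse_evr("0:2.0.1-3.el9")
SAMPLE_INSTALLED = ["2.0.1-3.el9", "2.0.0-7.el9", "2.0.1-3.el9_4.1", "1:1.9.9-1.el9"]

def triage(installed_versions, fixed_evr=FIXED_EVR) -> dict:
    """Map each installed EVR string to 'patched' (>= fixed) or 'vulnerable'."""
    return {v: "patched" if evr_cmp(parse_evr(v), fixed_evr) >= 0 else "vulnerable"
            for v in installed_versions}
```

Findings whose installed EVR is at or above the errata's fixed EVR are the candidates for a false positive; anything labelled vulnerable still needs the update, regardless of what the scanner's Solved/Unsolved state says.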
