Ubuntu 24.04 linux-image-6.8.0-90-generic Vulnerability

[Creative Wolf (CreativeWolf)]

Heya all,

I've got about a dozen Servers running Ubuntu 24.04 with linux-image-6.8.0-90-generic kernel flagged with 1728 vulnerabilities each.

uname -r
6.8.0-90-generic

 uname -v

#91-Ubuntu SMP PREEMPT_DYNAMIC Tue Nov 18 14:14:30 UTC 2025

dpkg -s linux-image-6.8.0-90-generic | grep Version
Version: 6.8.0-90.91

I've tried deleting the agent_id.db file at /var/ossec/queue/db/ and then restarting the Manager.

Please let me know if I'm missing something and how to globally suppress these from popping up.

Thanks

CreativeWolf

[Javier Adán Méndez Méndez]

Hi 

Deleting agent_id.db won’t help here. Wazuh Vulnerability Detection is based on the Syscollector , so if you have multiple linux-image-* kernels installed, Wazuh will evaluate all of them and the vulnerability count can explode

you can try  this: 

1. Update + reboot into the newest kernel, then remove old kernels:

sudo apt update && sudo apt full-upgrade -y
sudo reboot
sudo apt autoremove --purge -y

2. Verify installed kernels:

dpkg -l 'linux-image-*' | awk '/^ii/ {print $2,$3}'

ref: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html

https://help.ubuntu.com/community/RemoveOldKernels

[Creative Wolf (CreativeWolf)]

Hi Javier,

Thanks for your time and input.

I've done these steps and  linux-image-6.8.0-90-generic is the only kernel available.

However, Wazuh is listing vulnerabilities for this kernel version despite it being the latest patched version.

uname -v

#91-Ubuntu SMP PREEMPT_DYNAMIC Tue Nov 18 14:14:30 UTC 2025

Please refer to https://github.com/wazuh/wazuh/issues/15731

I've tried these configuration changes but they are not taking effect - the conflict between Canonical and NVD still is not resolved.

Appreciate any inputs please.

Thanks

[Javier Adán Méndez Méndez]

Hi ,

I read #15731. It explains Wazuh matches your installed packages with Canonical/NVD data, so sometimes they don’t agree and you still see CVEs even on the latest kernel.

What you can do:

1. Check the CVE in Canonical (Ubuntu CVE Tracker / USN).

2. Open one Wazuh event and see which source is reporting it (Canonical or NVD).

3. If Canonical says it’s fixed and you just want it quiet, ignore it with a local rule (match package/CVE → level 0).

[Creative Wolf (CreativeWolf)]

Hi Javier,

Thanks for taking your time on this, appreciate it.

1. Check the CVE in Canonical (Ubuntu CVE Tracker / USN).

• • In the Ubuntu's USN, the particular kernel linux-image-6.8.0-90-generic is reportedly backported and hence no change in the version

dpkg -s linux-image-6.8.0-90-generic | grep -E "(Package|Version)"
Package: linux-image-6.8.0-90-generic
Version: 6.8.0-90.91

apt install linux-image-generic linux-headers-generic

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

linux-image-generic is already the newest version (6.8.0-90.91).

linux-image-generic set to manually installed.

linux-headers-generic is already the newest version (6.8.0-90.91).

linux-headers-generic set to manually installed.

0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

apt dist-upgrade

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

Calculating upgrade... Done

The following upgrades have been deferred due to phasing:

  python3-distupgrade ubuntu-release-upgrader-core

0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

2. Open one Wazuh event and see which source is reporting it (Canonical or NVD).

• • Reporting Source is Canonical

3. If Canonical says it’s fixed and you just want it quiet, ignore it with a local rule (match package/CVE → level 0).

• • Considering it's backported and the kernel is updated to the latest 6.8.0-90.91, I'd like to ignore it with the local rule, can you help me with it and point me to a documentation to aid that please?

Thank you

CreativeWolf

[Javier Adán Méndez Méndez]

Hi CreativeWolf
sorry for the late reply, and thanks for the details. If you just want to silence those kernel findings, an easy workaround is a local rule on the manager to set the alert level to 0 for that package.

On the Wazuh manager, edit:
/var/ossec/etc/rules/local_rules.xml

Add this (replace 23506 with the rule ID you see in your vulnerability alert):

<group name="local,vd_suppress,">
  <rule id="100200" level="0">
    <if_sid>23506</if_sid>
    <field name="data.vulnerability.package.name">^linux-image-6\.8\.0-90-generic$</field>
    <description>Ignore VD alerts for linux-image-6.8.0-90-generic</description>
  </rule>
</group>

the restart 
sudo systemctl restart wazuh-manager}

reference:

https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

[Creative Wolf (CreativeWolf)]

Hi Javier, 

Thank you for your guidance on this, I did exactly as per your recommendation.

However, while I see a lot of "Solved" in the Events but in the Dashboard and in Inventory they are still listed.

Is there anything else to be done to to remove from Dashboard and Inventory list?

Appreciate your support.

Thank you

CreativeWolf

[Javier Adán Méndez Méndez]

Hi Creative Wolg

I thinks you can try 

Dashboard → Index Management → Indexes → select wazuh-states-vulnerabilities → Delete

Then restart:

systemctl restart wazuh-indexer
systemctl restart wazuh-manager

[Creative Wolf (CreativeWolf)]

Hi Javier,

Thanks, I tried this and yet the listing of these vulnerabilities won't go and it keeps sullying the dashboard.

See attached screen grab - Please let me know if I can provide any other information, logs etc to further identify and resolve this issue.

Thanks

CreativeWolf

[Javier Adán Méndez Méndez]

Hi CreativeWolf,

I dug a bit more and this looks like a false positive. The simplest workaround is to disable/silence the alert with the local rule (as you already did). The Dashboard/Inventory may still list it, but at least you won’t keep getting flooded with alerts.

Javier Mendez

[CreativeWolf]

Hi Javier,

Yes, it is a case of False Positive.

Yes, not getting flooded with alerts after the Local Rule.

But I'd like to have a clean Dashboard as well that reflects the suppression of False Positives either by not showing them at all (ideally), or by showing them as False Positives.

Is there anything that can be done to that end at all?

Thanks for your support on this.

CreativeWolf 

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/j97Aa1S0uZM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/ff860f70-5a83-4b89-9249-0608482dd182n%40googlegroups.com.

[Lucio Donda]

Hi CreativeWolf.

As a wrap-up, you're trying to stop showing some vulnerabilities in the dashboard, right? 

AFAIK wazuh doesn't offer that feature yet, and as javier said syscollector will show all the matching / installed packages in the host.
There's an issue without priority focus on that :
Vulnerability detection exclusions #26819 -> https://github.com/wazuh/wazuh/issues/26819
but there's no target version.

Besides that, there's a possible workaround that is also taken from a similar issue of another user. -> Kernel Vulnerability Detection for Linux based on package version instead of running lernel #27477 (https://github.com/wazuh/wazuh/issues/27477)

The base process is to avoid reporting specific packages from a black list. To achieve this you'll have to add a script that will be executed everytime the agent starts and will update that list.

more details in this comment -> https://github.com/wazuh/wazuh/issues/27477#issuecomment-2580368053

I haven't tested it myself but if that suits your case we could modify it to match you scenario.

TIA!