Package default status" in "vulnerability scanner Condition" field in Wazuh

[Om Narayan]

In wazuh, if certain vulnerabilities/CVE has  "Package default status" in "vulnerability scanner Condition" field, should we consider those as non-actionable vulnerabilities, as in, can we safely ignore those and work on only those which Wazuh flags with a definite fix version?

[Nicolas Zapata]

Hi Om Narayan,

You should not automatically consider vulnerabilities with Package default status as non-actionable or safe to ignore.

In Wazuh vulnerability detection, the Condition field describes the package/vendor status relationship for that CVE, but it does not necessarily mean that the vulnerability has no impact or no remediation path. In many cases, Package default status simply means the vendor has not provided a specific fixed package version in the security feed metadata.

[Om Narayan]

So, when you say " You should not automatically consider vulnerabilities with Package default status as non-actionable or safe to ignore."  and " but it does not necessarily mean that the vulnerability has no impact or no remediation path" and also " Package default status simply means the vendor has not provided a specific fixed package version in the security feed metadata.""  what could we the consumer of the wazuh vulnerability report or the end users can do for this case.. what are the actionable items?

[Nicolas Zapata]

The actionable items depend on the vendor's guidance for the affected package.

When a CVE is reported with Package default status, the recommended next steps are:

• Review the vendor's security advisory for the CVE.
• Verify whether a fix has been backported to the installed package version.
• Check whether an updated package is available through the operating system's repositories.
• Assess the risk based on the CVSS score, package exposure, and the system's role.
• Apply any vendor-recommended mitigations if no package update is currently available.

Wazuh reports the vulnerability information provided by the upstream feeds, but determining the remediation path for Package default status findings may require consulting the operating system or software vendor's documentation.

[Om Narayan]

When you say the recommended steps involve all the below  steps when CVEs are reported as Package default status:

• Review the vendor's security advisory for the CVE.
• Verify whether a fix has been backported to the installed package version.
• Check whether an updated package is available through the operating system's repositories.
• Assess the risk based on the CVSS score, package exposure, and the system's role.
• Apply any vendor-recommended mitigations if no package update is currently available.

My question is:

We have around 40k instances in wazuh at this point and this number is going to increase. And we get thousands and lakhs of CVEs with "package default status " ,  So, is it practically feasible/possible to go through all the recommended steps for all the CVEs with package default status?? the numbers are in lakhs ...