Change to Linux Kernel CVE reporting causing mass amounts of false positives

In July, we were hit with a flood of new Linux kernel findings. After hours of investigation, yelling at the patching team, etc., we came across this post on the SUSE Linux site:

https://www.suse.com/support/kb/doc/?id=000021496power

Essentially, the upstream Linux kernel team is now self-publishing CVEs which has the downstream effect of causing thousands of false positives for individual distributions. For SUSE, the count is upwards of 2,200 new CVEs that are irrelevant to SUSE usage scenarios.

So, now to get rid of 1.2 million false positives, we have our work cut out for us in creating exceptions in bulk.

I am really hoping that Rapid7 is going to be able to work with the SUSE, RHEL, etc. teams to align on detection for relevancy to distribution.


Old topic, I know, but I recently ran into the same thing on our Debian machines.

In our case, it appears to affect machines that were upgraded from Buster (10) to Bullseye (11), vs. fresh installs of Bullseye. Hundreds of packages are identified as their Buster versions (e.g. apt 1.8.2.3, vs the installed and running apt 2.2.4).

Support basically told me to pound sand, and that their engineers weren’t going to bother with it. Their only recommendations were to remove the old kernels, which I did with no change to the vulnerability findings, or to exclude the findings en masse.

I’ve generally been happy with Rapid7 support, but this time… they were not only unhelpful, but the tone was off, too. I’ll forgive the tone b/c that could very well be in the eye of the beholder, but the simple refusal to entertain the idea of fixing their CVE filtering based on running kernel and actual command --version output is less than ideal.