I’m new to InsightVM, but I swear I heard in the training that InsightVM is able to, or by default does, apply new vulnerabilities in its feed to assets if they apply.
For example, a Linux asset with a kernel of a specific version is scanned on Feb 20. Then not again.
A new vulnerability check is added to InsightVM’s database for a new CVE that was not disclosed or available Feb 20.
Does this in any way get applied to the known vulnerable Linux asset that was not scanned after this new check was included?
I swear there was an automatic “magic” helpful inclusion of new vulnerabilities to older assets?
In short, I would very much like this to NOT be happening if indeed this is a feature. I’ve failed to locate any documentation that explains this. We only want to have vulnerabilities applied to an asset that was seen to have these vulnerabilities during a scan, not by some logic.
We want a real world, “last seen” view of vulnerabilities on each asset.
If anyone can point me in the right direction I’d very much appreciate it.
Thank you!
This is not a feature that I’m aware of, as you’ll need to scan your assets to detect any new CVEs that are added. A good example of this is when Log4j came out late last year. There was no automatic application or detection of that vulnerability for existing assets, because they need to be scanned in order to detect it.
Similarly, if you remediate a vulnerability, you need to re-scan the associated asset in order for it to be marked as remediated.
Thanks for the reply.
I determined an example here is ALAS-2022-1563. It has multiple CVEs associated with it, and some show separately in InsightVM.
CVE-2022-0492 was not released by NVD until March 3rd, 2022, and has been added to assets in our DB that have not been scanned since before this date…
I understand the logic of applying CVEs to a past advisory, but this is inflating the number of vulnerabilities in our DB for assets that have not been actively rescanned.
I think I have my explanation, but it’s just frustrating from a reporting point of view.
I think that, for scans that look for specific vulnerabilities by signature, those are not added, as the signatures were not available at the time. For vulnerabilities that have to do with versions or other basic ID data that is retained, it will populate on assets scanned previously. For instance, CVE-2022-0492 affects specific versions of RedHat, and that information is retained, so the new vulnerabilities would be applied.
I would think that this is intentional behavior. This function only serves to further secure your environment. It can be frustrating with reporting. I would approach the problem by including a small dose of threat intel on the specific vulnerability when these situations arise.
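To make the version-versus-signature distinction in the reply above concrete, here is an added Python model (not InsightVM’s code or data model; the Asset/Check structures, the check kinds and all sample values are my assumptions) showing why a version-based check published after an asset’s last scan still attaches to that asset, and a reporting filter that separates those retroactive findings from ones a scan could actually have observed.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed model; the schema is an assumption, not InsightVM's reporting data model.
@dataclass
class Asset:
    name: str
    last_scan: date
    fingerprint: dict                                  # retained identity data (OS, package versions)
    signature_hits: set = field(default_factory=set)   # check IDs the scanner confirmed at scan time

@dataclass
class Check:
    vuln_id: str
    published: date
    kind: str                                          # "version" (re-evaluated from retained data) or "signature"
    affects: dict = field(default_factory=dict)        # package -> set of vulnerable versions

def applies(check: Check, asset: Asset) -> bool:
    """Version checks can be re-evaluated against retained fingerprint data at any time;
    signature checks only count if a scan actually confirmed them."""
    if check.kind == "version":
        return any(asset.fingerprint.get(pkg) in vers for pkg, vers in check.affects.items())
    return check.vuln_id in asset.signature_hits

def findings(asset: Asset, checks: list) -> set:
    """Everything the console would attach to the asset (retroactive correlation included)."""
    return {c.vuln_id for c in checks if applies(c, asset)}

def last_seen_view(asset: Asset, checks: list) -> set:
    """Only vulnerabilities that existed when the asset was last scanned."""
    return {c.vuln_id for c in checks if applies(c, asset) and c.published <= asset.last_scan}

def retroactive_only(asset: Asset, checks: list) -> set:
    """The findings that inflate reports: attached without a scan after the check was published."""
    return findings(asset, checks) - last_seen_view(asset, checks)

# Constructed sample mirroring the thread: scanned Feb 20, CVE-2022-0492 published Mar 3.
# The kernel version string and the signature check ID are placeholders, not real data.
CHECKS = [
    Check("CVE-2022-0492", date(2022, 3, 3), "version", {"kernel": {"4.14.0-example"}}),
    Check("SIGNATURE-CHECK-EXAMPLE", date(2021, 12, 10), "signature"),  # needs a scan to be seen
]
ASSET_STALE = Asset("linux-host-01", date(2022, 2, 20), {"kernel": "4.14.0-example"})
ASSET_RESCANNED = Asset("linux-host-02", date(2022, 3, 10), {"kernel": "4.14.0-example"},
                        {"SIGNATURE-CHECK-EXAMPLE"})

if __name__ == "__main__":
    for a in (ASSET_STALE, ASSET_RESCANNED):
        print(a.name, "all:", findings(a, CHECKS), "retroactive:", retroactive_only(a, CHECKS))
```

Filtering a report on `published <= last_scan`, as `last_seen_view` does, gives the “last seen” view the original poster asked for without discarding the retroactive findings.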