Wrong BOM interpretation from agent

Hi there,

I have RedHat 8.6 assets with the agent installed where the vulnerabilities reported by InsightVM do not match the packages detected by the agent:

  • I have audited said assets manually and can confirm that the agent reports the BOM correctly for our assets (i.e. the detected packages match the actually installed packages).
  • This observation applies to all vulnerabilities detected and not detected for said assets; this is not an issue with a specific false positive/false negative on a specific vulnerability.

Does anyone else have similar issues? If so, I would be grateful for some advice and/or a fix. You can find more details below.

Best regards!

Details through two examples:

  • For example, on asset 1, for OpenSSL, I manually confirmed that the package version is openssl 1.1.1k-7.el8_6, and the agent correctly reports openssl 1.1.1k-7.el8_6 as the only installed version, yet the console displays that the asset is vulnerable to CVE-2022-2068 because of openssl 1.1.1g-15.el8_3 (which is not reported as present by the agent and was not found through manual investigation). According to RedHat, CVE-2022-2068 is fixed in openssl 1.1.1k-7.el8_6, so the asset is not vulnerable → false positive
  • The other way around, on asset 2, for OpenSSL, I manually confirmed that the package version is openssl 1.1.1k-7.el8_6, and the agent correctly reports openssl 1.1.1k-7.el8_6 as the only installed version, yet the console displays that the asset has no vulnerability. However, according to RedHat, some CVEs are fixed in openssl 1.1.1k-9.el8_6, and our asset with 1.1.1k-7 should be vulnerable to them → false negative

=> My understanding of this is that the agent assessment is correct but the vulnerability assessment is not being updated with the agent's latest data; I have not found a solution to fix this at the moment.

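The check the poster did by hand (installed RPM version versus the version Red Hat says carries the fix) can be reproduced independently of the console, which is useful when deciding which side of a disagreement like this to trust. The following is an added example and not code from the original post, from Rapid7 or from Red Hat: a Python port of rpm's own version-comparison algorithm (rpmvercmp, with the tilde and caret rules), plus an epoch:version-release comparison on top. The sample data is constructed from the post's two examples; the fixed-in versions for CVE-2022-2068 (1.1.1k-7.el8_6) and for the later -9 build are taken as the poster states them, and because the post does not name the CVEs fixed in 1.1.1k-9.el8_6, that entry is a labelled placeholder rather than a real identifier.

```python
import string

# Constructed sample input, taken from the post. The CVE list for the -9 build
# is a placeholder: the post does not name those CVEs.
ASSETS = {
    "asset 1": "openssl-1.1.1k-7.el8_6",
    "asset 2": "openssl-1.1.1k-7.el8_6",
}
FIXED_IN = {
    "CVE-2022-2068": "1.1.1k-7.el8_6",
    "CVEs fixed in -9 (unnamed in post)": "1.1.1k-9.el8_6",
}
# Version the console reportedly based its CVE-2022-2068 finding on.
CONSOLE_CLAIMED_VERSION = "1.1.1g-15.el8_3"


def _is_digit(c: str) -> bool:
    return c in string.digits


def _is_alpha(c: str) -> bool:
    return c in string.ascii_letters


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1 as a is older than, equal to, or newer than b."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # separators (anything that is not alphanumeric, '~' or '^') are skipped
        while i < la and not (_is_digit(a[i]) or _is_alpha(a[i]) or a[i] in "~^"):
            i += 1
        while j < lb and not (_is_digit(b[j]) or _is_alpha(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":      # tilde sorts before everything, even end-of-string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":      # caret: like tilde, except end-of-string is the lower one
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        # take one segment of a single type (all digits or all letters) from each side
        is_num = _is_digit(ca)
        same = _is_digit if is_num else _is_alpha
        ea, eb = i, j
        while ea < la and same(a[ea]):
            ea += 1
        while eb < lb and same(b[eb]):
            eb += 1
        sa, sb = a[i:ea], b[j:eb]
        if not sb:                      # segment types differ: numeric is newer than alpha
            return 1 if is_num else -1
        if is_num:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # more significant digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ea, eb
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1         # whichever side has characters left is newer


def parse_evr(evr: str):
    """'[epoch:]version-release' -> (epoch, version, release); missing epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings the way rpm does: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def split_nvr(nvr: str):
    """'name-version-release' -> (name, 'version-release'); names may contain hyphens."""
    name, version, release = nvr.rsplit("-", 2)
    return name, f"{version}-{release}"


def assess(installed_nvr: str, fixed_in=FIXED_IN):
    """True per entry when the installed package is older than the fixed-in version."""
    _, evr = split_nvr(installed_nvr)
    return {cve: evrcmp(evr, fix) < 0 for cve, fix in fixed_in.items()}


if __name__ == "__main__":
    for asset, nvr in ASSETS.items():
        print(asset, nvr, assess(nvr))
    # The version the console cited is older than what the agent reports, so a
    # finding built on it cannot be right for this host.
    print("console version older than agent version:",
          evrcmp(split_nvr(ASSETS["asset 1"])[1], CONSOLE_CLAIMED_VERSION) > 0)
```

On the host itself the same inputs come from `rpm -q --queryformat '%{EPOCH}:%{VERSION}-%{RELEASE}\n' openssl` (EPOCH prints as "(none)" when unset, which this code treats as 0), and `rpmdev-vercmp` from rpmdevtools performs the same comparison from the shell if you would rather not trust a port. Comparing with the real rpm ordering matters here: a naive string compare would rank 1.1.1k-15 below 1.1.1k-7, and would not handle epochs or pre-release tildes at all.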