False Positives for CVE-2024-6387 and CVE-2023-25136 in Security Scans on Aria Operations for Logs 8.18.4

Article ID: 412752

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Security scanners may continue to report vulnerabilities CVE-2024-6387 and CVE-2023-25136 on systems running Aria Operations for Logs 8.18.4, despite these issues being addressed in the release. This can lead to confusion regarding the security posture of the deployed environment.

Environment

Aria Operations for Logs 8.18.4

Cause

The root cause of these false positives lies in how certain vulnerability scanners interpret software versioning. Specifically:
  • CVE-2024-6387 was resolved in OpenSSH version 8.9p1-8-ph4.
  • In many Linux distributions, version numbers include packaging-specific suffixes (e.g., -10.ph4, -14, etc.) that indicate the patch level or distribution build. Such suffixes often mark a security fix that was backported without changing the upstream version number.
  • Some scanners compare only the major and minor version components (e.g., 8.9) and ignore or misinterpret the suffix, so they incorrectly flag the product as vulnerable.
  • CVE-2023-25136 was introduced in OpenSSH 9.1 and fixed in OpenSSH 9.2. Since Aria Operations for Logs 8.18.4 uses OpenSSH 8.9, this version is not affected by CVE-2023-25136.

Resolution

  1. Confirm the Installed OpenSSH Version:
    To verify the installed version of OpenSSH on your system, run the following command:
    rpm -qa | grep ssh
    If the output shows a version equal to or later than openssh 8.9p1-8-ph4 (e.g., openssh-8.9p1-10.ph4.x86_64), the fix for CVE-2024-6387 is present.
  2. Understand Scanner Limitations:
    If the correct version is installed and the scanner still flags the vulnerabilities:
    • This is most likely because the scanner does not parse the full version string, including the distribution-specific suffix.
    • These suffixes often indicate the presence of backported security fixes, even if the major version appears unchanged.
  3. Take No Further Action if Patched:
    As long as the installed version meets the fixed criteria:
    • CVE-2024-6387 is addressed in the package.
    • CVE-2023-25136 does not apply to OpenSSH versions prior to 9.1.
  4. Reference:
    If you continue to receive false positives, consider updating the vulnerability scanner's ruleset or excluding the finding based on verified version and patch information.
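The following is an added example, not part of this KB article or any Broadcom tooling. It shows the difference between what step 1 asks you to do (compare the full version-release string of the installed RPM) and what a naive scanner does (compare only the major.minor version), using constructed `rpm -qa | grep ssh` output. The Photon RPM release form `8.ph4` (the KB writes the fixed build as `8.9p1-8-ph4`), the upstream OpenSSH fix release for CVE-2024-6387 (9.8), and the function names are assumptions of this example.

```python
import re

# Added example for the KB's step 1 and step 2; not the article's own code.
# Fixed package stated in the KB for CVE-2024-6387 (written there as 8.9p1-8-ph4).
# Photon RPM release fields use the form "<rel>.ph4"; that form is assumed here.
FIXED_VERSION = "8.9p1"
FIXED_RELEASE = "8.ph4"

# Upstream OpenSSH release that fixed CVE-2024-6387 (9.8p1). Not stated in the KB;
# used only to show what a scanner that ignores the release suffix compares against.
UPSTREAM_FIX_MAJOR_MINOR = (9, 8)

# Constructed sample of `rpm -qa | grep ssh` output, not captured from a real appliance.
SAMPLE_RPM_QA = """\
openssh-8.9p1-10.ph4.x86_64
openssh-clients-8.9p1-10.ph4.x86_64
openssh-server-8.9p1-10.ph4.x86_64
"""

NEVRA_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")


def parse_nevra(line):
    """Split 'name-version-release.arch' into its fields, or return None."""
    m = NEVRA_RE.match(line.strip())
    return m.groupdict() if m else None


def _segments(s):
    # rpmvercmp rule: compare runs of digits and runs of letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp returning -1, 0 or 1 (tilde/caret handling omitted)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts after an alpha one
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def major_minor(version):
    """The only part a naive scanner looks at, e.g. '8.9p1' -> (8, 9)."""
    m = re.match(r"(\d+)\.(\d+)", version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def has_cve_2024_6387_fix(version, release):
    """Full version-release comparison against the fixed build, as step 1 describes."""
    c = rpmvercmp(version, FIXED_VERSION)
    if c != 0:
        return c > 0
    return rpmvercmp(release, FIXED_RELEASE) >= 0


def naive_scanner_flags_cve_2024_6387(version):
    """What a scanner that drops the distribution suffix concludes (step 2)."""
    return major_minor(version) < UPSTREAM_FIX_MAJOR_MINOR


def affected_by_cve_2023_25136(version):
    """Per the KB: introduced in OpenSSH 9.1 and fixed in 9.2, so only 9.1 is affected."""
    return major_minor(version) == (9, 1)


def assess(rpm_qa_output):
    """Return one verdict per openssh package line in the rpm -qa output."""
    results = []
    for line in rpm_qa_output.splitlines():
        pkg = parse_nevra(line)
        if not pkg or not pkg["name"].startswith("openssh"):
            continue
        results.append({
            "package": line.strip(),
            "evr": f'{pkg["version"]}-{pkg["release"]}',
            "cve_2024_6387_fixed": has_cve_2024_6387_fix(pkg["version"], pkg["release"]),
            "naive_scanner_flags_cve_2024_6387": naive_scanner_flags_cve_2024_6387(pkg["version"]),
            "cve_2023_25136_applies": affected_by_cve_2023_25136(pkg["version"]),
        })
    return results


if __name__ == "__main__":
    for verdict in assess(SAMPLE_RPM_QA):
        print(verdict)
```

Running the block prints three verdicts in which `cve_2024_6387_fixed` is True (release 10.ph4 sorts after 8.ph4 under RPM comparison) while `naive_scanner_flags_cve_2024_6387` is also True, which is exactly the contradiction the KB describes: the same package passes the full-string check and fails the major.minor-only check. The `cve_2023_25136_applies` field is False for 8.9, matching step 3.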

Additional Information