Linux endpoints show CVE vulnerabilities still listed after upgrade of the application

Article ID: 416051

Products

Carbon Black Cloud Enterprise EDR

Issue/Introduction

Linux endpoints will show a CVE vulnerability in the Carbon Black Cloud console despite the application being patched to a version required to fix the issue.

Environment

  • Carbon Black Cloud Console: Current Version
    • Vulnerability Management
  • Carbon Black Cloud Linux Sensor: Supported Versions
  • Linux OS: Supported Versions

Cause

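Linux supports installing applications in multiple ways, and our Vulnerability Management scanner is designed to check several package repositories to see if vulnerable applications exist. An older copy of an application left in one of those repositories is still reported after the application has been upgraded by another method.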

Resolution

Locating and removing the older installer packages for applications that have been updated via another method will help prevent endpoints from being tagged for vulnerability CVEs.

Additional Information

For example, CVE-2023-6864 confirms there are vulnerable Firefox and Thunderbird snap packages that need to be updated. However, if those applications are updated via other means, the older vulnerable snap packages still exist locally on the endpoint. Our vulnerability assessment scan finds them and tags the endpoint as vulnerable to CVE-2023-6864 until they are removed from snap.

Example steps:

  1. Check what deb packages are installed:
    # Column 1 of dpkg -l is the status flags; the package name is column 2
    dpkg -l | awk '$2 ~ /^(firefox|thunderbird)/'

  2. Remove them:
    # Remove firefox transitional package
    sudo apt remove --purge firefox

    # Remove thunderbird transitional package
    sudo apt remove --purge thunderbird

    # Clean up any remaining dependencies
    sudo apt autoremove

  3. Verify packages are removed:
    dpkg -l | awk '$2 ~ /^(firefox|thunderbird)/'

  4. Run the osquery query from the CBC console again to validate the packages are no longer listed:
    SELECT * FROM deb_packages WHERE name IN ('firefox', 'thunderbird');
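
The steps above look at one package source at a time. The script below is an added example, not Carbon Black code: it lists every copy of the named applications across dpkg, snap and rpm (rpm goes beyond the Firefox/Thunderbird case on this page) and names the ones installed from more than one source. The function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): find applications installed from more than
# one package source, so the stale copy can be located and removed.

# Emit "source name version" for every package manager present on the host.
inventory() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='deb ${Package} ${Version}\n' 2>/dev/null
    fi
    if command -v snap >/dev/null 2>&1; then
        # --all also lists older, disabled revisions kept on disk
        snap list --all 2>/dev/null | awk 'NR > 1 { print "snap", $1, $2 }'
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf 'rpm %{NAME} %{VERSION}-%{RELEASE}\n' 2>/dev/null
    fi
}

# Constructed sample inventory, for trying the filters without a real host.
sample_inventory() {
    cat <<'EOF'
deb firefox 120.0-sample
deb thunderbird
deb bash 5.1-sample
snap firefox 121.0-sample
snap firefox 120.0-sample
snap core22 20230101
EOF
}

# Read inventory rows on stdin; keep rows for the named applications that have
# an installed version (dpkg prints an empty version for removed packages).
copies_of() {
    names=$(printf '%s|' "$@")
    awk -v re="^(${names%|})\$" 'NF >= 3 && $2 ~ re' | sort -k2,2 -k1,1
}

# Read filtered rows on stdin; print each name found in more than one source.
multi_source() {
    awk '!seen[$1 FS $2]++ { n[$2]++ }
         END { for (a in n) if (n[a] > 1) print a }' | sort
}

# Usage: sh find_copies.sh firefox thunderbird
if [ "$#" -gt 0 ]; then
    inventory | copies_of "$@"
    echo "Installed from more than one source:"
    inventory | copies_of "$@" | multi_source
fi
```

Application names are matched exactly and are passed to awk as a regular expression, so names containing regex metacharacters need escaping.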