Customers may notice that some Linux vulnerabilities (CVEs) are not shown as applicable in Carbon Black Cloud Vulnerability Management, even though those CVEs exist in public vulnerability databases.
This typically happens for vulnerabilities where the upstream Linux vulnerability feed does not provide a fixed version (also known as fixVersion).
As a result, these vulnerabilities do not appear as applicable or actionable in the CBC console.
Carbon Black Cloud – Vulnerability Management Linux workloads and endpoints
Carbon Black Cloud relies on vendor and community vulnerability feeds to determine:
• Whether a CVE applies to a given OS package
• Which package versions are affected
• Which version resolves the vulnerability (fixVersion)
For many Linux CVEs, especially those related to:
• Kernel components
• Backported fixes
• Distribution-specific patches
the vulnerability feed often does not provide a fixVersion.
Because Linux distributions frequently backport security fixes without changing the package version, comparing the installed version against the upstream data is not a reliable way to determine whether a system is vulnerable when no fixVersion is available.
To avoid incorrect vulnerability reporting, Carbon Black Cloud filters out CVEs that do not contain fixVersion data.
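The filtering rule described above, as an added illustration that is not Carbon Black Cloud's own code: feed entries without a fixVersion are set aside as "cannot assess", and only entries with a fixVersion are compared against the installed package version. The feed entry shape, the version parser and the sample data (including the placeholder CVE ids) are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class FeedEntry:
    cve: str
    package: str
    fix_version: Optional[str]  # None when the upstream feed gives no fixVersion

def parse_version(v: str) -> tuple:
    """Split '1.1.1f-1ubuntu2' into comparable chunks; digits sort numerically."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def is_applicable(entry: FeedEntry, installed_version: str) -> Optional[bool]:
    """True/False when the feed gives a fixVersion, None when it cannot be assessed."""
    if entry.fix_version is None:
        return None  # no fixVersion: a backport may already be present, so do not guess
    return parse_version(installed_version) < parse_version(entry.fix_version)

def assess(feed, installed):
    """Return (applicable CVEs, CVEs skipped for lack of fixVersion) for installed packages."""
    applicable, skipped = [], []
    for entry in feed:
        if entry.package not in installed:
            continue
        verdict = is_applicable(entry, installed[entry.package])
        if verdict is None:
            skipped.append(entry.cve)
        elif verdict:
            applicable.append(entry.cve)
    return applicable, skipped

# Constructed sample data; the CVE ids are placeholders, not real identifiers.
SAMPLE_FEED = [
    FeedEntry("CVE-0000-0001", "openssl", "1.1.1k-1"),
    FeedEntry("CVE-0000-0002", "openssl", None),          # no fixVersion: filtered out
    FeedEntry("CVE-0000-0003", "linux-image", None),      # package not installed here
    FeedEntry("CVE-0000-0004", "curl", "7.68.0-1ubuntu2.7"),
]
SAMPLE_INSTALLED = {"openssl": "1.1.1f-1ubuntu2", "curl": "7.68.0-1ubuntu2.7"}

def run_example():
    return assess(SAMPLE_FEED, SAMPLE_INSTALLED)

if __name__ == "__main__":
    print(run_example())  # (['CVE-0000-0001'], ['CVE-0000-0002'])
```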
Why This Behaviour Exists
This behaviour is intentional and designed to maintain accuracy and signal quality.
If all Linux CVEs without fixVersion were included:
• Thousands of Linux vulnerabilities would be flagged
• Many of them would be false positives
• Customers would see large numbers of non-actionable alerts
• Security and patching teams would lose trust in the data
By filtering out CVEs without fixVersion, Carbon Black Cloud ensures that:
• Only actionable vulnerabilities are shown
• Reported vulnerabilities can be validated and remediated
• Patch recommendations remain reliable
Impact
This behaviour means that:
• Some Linux CVEs may not appear in CBC
• Those CVEs cannot be reliably assessed for applicability
• No incorrect vulnerability or patch guidance is generated
This prevents false risk inflation and avoids unnecessary patching actions.
No customer action is required.
This is by design and aligned with best practices for Linux vulnerability assessment.