Prisma Cloud Defender/Agentless scan continues to identify vulnerabilities associated with an older kernel version despite applying the latest patch

Created On 02/05/24 13:37 PM - Last Modified 11/14/24 23:05 PM


Symptom



Prisma Cloud Compute Defender/Agentless scan reports vulnerabilities for older kernels even after the host has been upgraded to the latest kernel version.
Linux host running the latest version:

[user@host1 ~]$ uname -mrs
Linux 4.14.336-253.554.amzn2.x86_64 x86_64

Prisma Cloud still shows vulnerabilities from older kernel versions.



Environment


Prisma Cloud.

Runtime security.

Vulnerability Management.

Host defender.

Agentless scan.



Cause


We checked all the installed kernel packages on the host and found old kernel versions. Although they are inactive, they are still present on the host, so Prisma Cloud reports the vulnerabilities associated with those kernel packages.

[user@host1 ~]$ rpm -qa | grep kernel
kernel-tools-4.14.336-253.554.amzn2.x86_64
kernel-4.14.328-248.540.amzn2.x86_64
kernel-devel-4.14.328-248.540.amzn2.x86_64
kernel-devel-4.14.336-253.554.amzn2.x86_64
kernel-4.14.336-253.554.amzn2.x86_64
kernel-4.14.334-252.552.amzn2.x86_64
kernel-devel-4.14.334-252.552.amzn2.x86_64
kernel-headers-4.14.336-253.554.amzn2.x86_64

For Debian/Ubuntu versions:

user@ubuntu-22-04:~$ dpkg --list | grep linux-image
rc  linux-image-5.15.0-112-generic                   5.15.0-112.122                          amd64        Signed kernel image generic
rc  linux-image-5.15.0-113-generic                   5.15.0-113.123                          amd64        Signed kernel image generic
rc  linux-image-5.15.0-116-generic                   5.15.0-116.126                          amd64        Signed kernel image generic
rc  linux-image-5.15.0-117-generic                   5.15.0-117.127                          amd64        Signed kernel image generic
rc  linux-image-5.15.0-118-generic                   5.15.0-118.128                          amd64        Signed kernel image generic
rc  linux-image-5.15.0-119-generic                   5.15.0-119.129                          amd64        Signed kernel image generic
rc  linux-image-5.15.0-121-generic                   5.15.0-121.131                          amd64        Signed kernel image generic
rc  linux-image-5.15.0-122-generic                   5.15.0-122.132                          amd64        Signed kernel image generic
ii  linux-image-5.15.0-124-generic                   5.15.0-124.134                          amd64        Signed kernel image generic
ii  linux-image-5.15.0-125-generic                   5.15.0-125.135                          amd64        Signed kernel image generic
rc  linux-image-5.15.0-60-generic                    5.15.0-60.66                            amd64        Signed kernel image generic
ii  linux-image-generic                              5.15.0.125.124                          amd64        Generic Linux kernel image
user@ubuntu-22-04:~$ uname -mrs
Linux 5.15.0-125-generic x86_64


 



Resolution


This is expected behaviour on the Prisma Cloud side, as we display all vulnerabilities in the kernel packages that are present, irrespective of which one is active.

You can use yum remove or apt-get remove, depending on the distro, to remove the unused kernel packages and stop seeing these vulnerabilities.

Note: Please be cautious when deleting unused kernel packages; make sure they are actually unused.
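
The following shell example is added here and is not part of the original article or of Prisma Cloud. It compares package listings like the ones above against the running kernel release to list the kernel packages that do not belong to the active kernel. The function names are hypothetical, and the sample input is a subset of the listings shown above.

```shell
#!/bin/sh
# Added example (not from the original article): list kernel packages that
# do not belong to the running kernel. Function names are hypothetical.
# Each function reads package-manager output on stdin.

# Usage on a live host: rpm -qa | stale_rpm_kernels "$(uname -r)"
stale_rpm_kernels() {
    awk -v rel="$1" '
        /^kernel/ {
            suffix = "-" rel
            if (substr($0, length($0) - length(suffix) + 1) != suffix) print
        }'
}

# Usage on a live host: dpkg --list | stale_deb_kernels "$(uname -r)"
# Prints the dpkg state with each package: "ii" is installed, "rc" is
# removed with configuration files left behind.
stale_deb_kernels() {
    awk -v rel="$1" '
        $2 ~ /^linux-image-[0-9]/ && $2 != ("linux-image-" rel) {
            print $1, $2
        }'
}

# Sample input: a subset of the listings shown in this article.
sample_rpm() {
    cat <<'EOF'
kernel-tools-4.14.336-253.554.amzn2.x86_64
kernel-4.14.328-248.540.amzn2.x86_64
kernel-devel-4.14.328-248.540.amzn2.x86_64
kernel-devel-4.14.336-253.554.amzn2.x86_64
kernel-4.14.336-253.554.amzn2.x86_64
kernel-4.14.334-252.552.amzn2.x86_64
kernel-devel-4.14.334-252.552.amzn2.x86_64
kernel-headers-4.14.336-253.554.amzn2.x86_64
EOF
}

sample_dpkg() {
    cat <<'EOF'
rc  linux-image-5.15.0-122-generic  5.15.0-122.132  amd64  Signed kernel image generic
ii  linux-image-5.15.0-124-generic  5.15.0-124.134  amd64  Signed kernel image generic
ii  linux-image-5.15.0-125-generic  5.15.0-125.135  amd64  Signed kernel image generic
ii  linux-image-generic  5.15.0.125.124  amd64  Generic Linux kernel image
EOF
}

sample_rpm | stale_rpm_kernels "4.14.336-253.554.amzn2.x86_64"
sample_dpkg | stale_deb_kernels "5.15.0-125-generic"
```

Review the printed list against the running kernel before passing any package name to yum remove or apt-get remove.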


