Prisma Cloud Runtime Security: High number of false positives when scanning images from registry.access.redhat.com/ubi9/ubi:9.5

Created On 02/04/25 15:06 PM - Last Modified 07/24/25 14:15 PM


Symptom


When scanning the ubi:9.5 image, you may observe:

  • Over 200 false positive vulnerabilities detected.
  • These false positives were not present when scanning the older ubi:9.4 image.
  • Examples of frequently reported false positives include:
    • CVE-2015-0204
    • CVE-2015-7497
    • CVE-2016-5420
    • CVE-2024-5535



Environment


  • Prisma Cloud Enterprise Edition with Runtime Security Enabled


Cause


The high number of false positives is due to a known issue in the redhat-vex builder.

This builder incorrectly processes CPE (Common Platform Enumeration) strings, leading to the erroneous association of vulnerabilities across all Red Hat distribution releases.

Consequently, the ubi:9.5 image triggers these incorrect alerts.
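
To illustrate the class of error described above, the following added example (not Prisma Cloud or redhat-vex builder code) compares a matcher that ignores the release component of a Red Hat CPE with one that requires it, and lists the findings that only the loose matcher reports. That the mismatch is on the release field is an assumption, and the function names, placeholder advisory IDs and CPE lists are constructed for illustration.

```python
# Added illustration; not Prisma Cloud or redhat-vex builder code.
from typing import Callable, NamedTuple

class CPE(NamedTuple):
    part: str
    vendor: str
    product: str
    version: str  # release, e.g. "9"; empty when the URI omits it

def parse_cpe(uri: str) -> CPE:
    """Parse the first four components of a CPE 2.2 URI."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))  # pad components the URI leaves out
    return CPE(*fields[:4])

def matches_loose(advisory: str, image: str) -> bool:
    """Assumed faulty behaviour: vendor and product only, release ignored."""
    a, i = parse_cpe(advisory), parse_cpe(image)
    return (a.vendor, a.product) == (i.vendor, i.product)

def matches_strict(advisory: str, image: str) -> bool:
    """Vendor, product and major release must all agree."""
    a, i = parse_cpe(advisory), parse_cpe(image)
    same_major = a.version != "" and a.version.split(".")[0] == i.version.split(".")[0]
    return matches_loose(advisory, image) and same_major

# Constructed sample data: placeholder advisory IDs and affected-product CPEs.
ADVISORIES = {
    "CVE-EXAMPLE-0001": ["cpe:/o:redhat:enterprise_linux:6",
                         "cpe:/o:redhat:enterprise_linux:7"],
    "CVE-EXAMPLE-0002": ["cpe:/o:redhat:enterprise_linux:9"],
    "CVE-EXAMPLE-0003": ["cpe:/a:redhat:enterprise_linux:8::appstream"],
    "CVE-EXAMPLE-0004": ["cpe:/a:redhat:enterprise_linux:9::appstream"],
}
IMAGE_CPE = "cpe:/o:redhat:enterprise_linux:9"  # constructed CPE for a RHEL 9 based image

def applicable(image: str, matcher: Callable[[str, str], bool]) -> list[str]:
    """Advisory IDs whose affected CPEs match the image under `matcher`."""
    return sorted(cve for cve, cpes in ADVISORIES.items()
                  if any(matcher(c, image) for c in cpes))

def likely_false_positives(image: str) -> list[str]:
    """Findings the loose matcher reports but whose CPEs name another release."""
    return sorted(set(applicable(image, matches_loose))
                  - set(applicable(image, matches_strict)))

if __name__ == "__main__":
    print("loose :", applicable(IMAGE_CPE, matches_loose))
    print("strict:", applicable(IMAGE_CPE, matches_strict))
    print("triage:", likely_false_positives(IMAGE_CPE))
```
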



Resolution


This issue will be resolved with the Quinn release of Prisma Cloud.

The Quinn release includes fixes that address the mishandling of CPE strings in the redhat-vex builder, which will significantly reduce the number of false positives.

 


