False positive vulnerabilities in RHEL Images

Created On 05/15/25 21:33 PM - Last Modified 08/07/25 15:11 PM


Symptom


  • One or more reported CVEs which appear to contradict official Red Hat security advisories


Environment


  • RHEL OS
  • Prisma Cloud Defender version <= 34.xx.xx


Cause


In some cases, the seemingly inaccurate vulnerability detections occur because the RHEL image references package repositories that Prisma Cloud does not support. For example, take the "libxml2" package in RHEL 9.5 and CVE-2025-24928:

When inspecting the image's content manifests, the package repositories listed in the "content_sets" field are as follows:


[root@e0508fb111f9 content_manifests]# cat content-sets.json
{
  ...
  "content_sets": [
    "rhel-9-for-aarch64-appstream-rpms",
    "rhel-9-for-aarch64-appstream-source-rpms",
    "rhel-9-for-aarch64-baseos-rpms",
    "rhel-9-for-aarch64-baseos-source-rpms",
    "rhel-9-for-ppc64le-appstream-rpms",
    "rhel-9-for-ppc64le-appstream-source-rpms",
    "rhel-9-for-ppc64le-baseos-rpms",
    "rhel-9-for-ppc64le-baseos-source-rpms",
    "rhel-9-for-s390x-appstream-rpms",
    "rhel-9-for-s390x-appstream-source-rpms",
    "rhel-9-for-s390x-baseos-rpms",
    "rhel-9-for-s390x-baseos-source-rpms",
    "rhel-9-for-x86_64-appstream-rpms",
    "rhel-9-for-x86_64-appstream-source-rpms",
    "rhel-9-for-x86_64-baseos-rpms",
    "rhel-9-for-x86_64-baseos-source-rpms"
  ]
}

As Prisma Cloud only supports the amd64 (x86_64) and arm64 (aarch64) architectures, it skips the repositories for the ppc64le and s390x architectures during the CPE matching phase and treats them as "unknown". To avoid false negatives, packages from these unknown repositories are then matched against all vulnerabilities in the intelligence stream database and are reported as vulnerable to any CVE that is broadly associated with all CPEs, rather than only to the CVEs recorded for the repository the package actually came from.

In the case of the example package "libxml2", CVEs such as CVE-2025-24928 therefore appear in the vulnerability results, regardless of any Red Hat security advisories which state otherwise.


Resolution


  1. Check the content-sets.json inside the image to determine which RHEL repositories the image references.
  2. Verify which RHEL repositories the intelligence stream supports. For the SaaS edition, downloading the intelligence stream is a good way to obtain this list; the RHEL repositories are included in the resulting CVEs.zip:
./twistcli intelligence download --token <Prisma Cloud Access Token>

     The Prisma Cloud access token can be found in the console UI, on the page "Runtime Security > Manage > System > Intelligence".

     For the self-hosted edition, the RHEL repositories can also be found in the console pod, in the "/var/lib/twistlock/feeds/rhel-repos.json" file.

  3. Check for the affected package in the official Red Hat CVE database: https://access.redhat.com/security/security-updates/cve

If the image references RHEL repositories that the intelligence stream does not support (for example, ppc64le or s390x content sets), the presence of CVEs which do not correlate with official Red Hat advisories is expected behavior.
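As an added example (not code from Prisma Cloud, twistcli or Red Hat), the following script carries out step 1 above and applies the architecture rule described under Cause: it parses a content-sets.json, derives the architecture from each content set name and reports the sets that Prisma Cloud will treat as "unknown". Everything beyond the article's own listing is an assumption: the sample manifest is constructed, the name pattern "rhel-<major>-for-<arch>-<repo>" is inferred from that listing, and the script does not consult the intelligence stream's rhel-repos.json (step 2), whose format this article does not describe.

```python
"""Classify the RHEL content sets listed in an image's content manifest by
CPU architecture and flag the ones Prisma Cloud will not match.

Added example for this article; it is not Prisma Cloud, twistcli or Red Hat
code. It assumes only what the article shows: the manifest is a JSON object
with a "content_sets" list of names of the form
"rhel-<major>-for-<arch>-<repo>-rpms".
"""
import json
import re
import sys

# Architectures for which Prisma Cloud matches RHEL repositories (per the article).
SUPPORTED_ARCHES = {"x86_64", "aarch64"}

# Matches names such as "rhel-9-for-ppc64le-baseos-source-rpms".
CONTENT_SET_RE = re.compile(
    r"^rhel-(?P<major>\d+)-for-(?P<arch>[a-z0-9_]+)-(?P<repo>.+)$"
)

# Constructed sample, trimmed from the article's content-sets.json listing.
# The last entry is a made-up name that does not follow the pattern, added
# only to exercise the "unrecognized" branch below.
SAMPLE_MANIFEST = """
{
  "content_sets": [
    "rhel-9-for-aarch64-appstream-rpms",
    "rhel-9-for-aarch64-baseos-rpms",
    "rhel-9-for-ppc64le-baseos-rpms",
    "rhel-9-for-s390x-baseos-source-rpms",
    "rhel-9-for-x86_64-appstream-rpms",
    "rhel-9-for-x86_64-baseos-rpms",
    "some-other-repo-x86_64-rpms"
  ]
}
"""


def parse_content_set(name):
    """Return (major, arch, repo) for a RHEL content set name, or None."""
    m = CONTENT_SET_RE.match(name)
    if m is None:
        return None
    return m.group("major"), m.group("arch"), m.group("repo")


def classify(manifest_text):
    """Split the manifest's content sets into supported, unsupported and
    unrecognized lists according to the architecture in their name."""
    data = json.loads(manifest_text)
    buckets = {"supported": [], "unsupported": [], "unrecognized": []}
    for name in data.get("content_sets", []):
        parsed = parse_content_set(name)
        if parsed is None:
            buckets["unrecognized"].append(name)
        elif parsed[1] in SUPPORTED_ARCHES:
            buckets["supported"].append(name)
        else:
            buckets["unsupported"].append(name)
    return buckets


def unsupported_arches(manifest_text):
    """Sorted list of architectures whose content sets will be treated as unknown."""
    names = classify(manifest_text)["unsupported"]
    return sorted({parse_content_set(n)[1] for n in names})


def main(argv):
    # Usage: python3 check_content_sets.py [path/to/content-sets.json]
    # With no argument the constructed sample above is analysed.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MANIFEST
    buckets = classify(text)
    for kind in ("supported", "unsupported", "unrecognized"):
        print(f"{kind} ({len(buckets[kind])}):")
        for name in buckets[kind]:
            print(f"  {name}")
    arches = unsupported_arches(text)
    if arches:
        print(f"\nPackages from {', '.join(arches)} content sets are matched "
              "against all CVEs; expect findings that Red Hat advisories do not list.")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a content-sets.json copied out of the image (the path to that file inside the image is not given in this article); a non-zero exit status means the image references content sets for an architecture Prisma Cloud does not match, which is the condition under which the extra CVEs are expected.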



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000blRXKAY&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail