Hi, in my UCS servers I have this procps package version: 2:3.3.12-3+deb9u1
My SIEM alerts me about CVE-2018-1126 https://security-tracker.debian.org/tracker/CVE-2018-1126
Do you have the same package version?
The Debian security tracker you linked shows that the CVE is fixed in the procps package version 2:3.3.12-3+deb9u1, which is available and installed on current UCS systems:
root@ucsmaster:~# apt-cache policy procps
procps:
Installed: 2:3.3.12-3+deb9u1
Candidate: 2:3.3.12-3+deb9u1
Version table:
*** 2:3.3.12-3+deb9u1 500
500 http://updates.knut.univention.de/4.3/maintained 4.3-2/amd64/ Packages
100 /var/lib/dpkg/status
How does your SIEM check if a package contains a fix for a specific CVE? One possibility is that the SIEM checks for a certain version string. The Debian fix backported the fix to close the security issue, but did not import a newer version of procps. Tools from the package still show their version as 3.3.12, which may confuse your SIEM.
root@ucsmaster:~# top -h
procps-ng 3.3.12
OK, @damrose, thank you for your feedback.
My SIEM is a newbie, and I'm observing a lot of false-positive alerts