CVE-2018-1126 procps package

Hi, on my UCS servers I have this procps package version: 2:3.3.12-3+deb9u1
My SIEM alerts me about CVE-2018-1126 https://security-tracker.debian.org/tracker/CVE-2018-1126

Do you have the same package version?

The Debian security tracker you linked shows that the CVE is fixed in the procps package version 2:3.3.12-3+deb9u1, which is available and installed on current UCS systems:

root@ucsmaster:~# apt-cache policy procps
procps:
  Installed: 2:3.3.12-3+deb9u1
  Candidate: 2:3.3.12-3+deb9u1
  Version table:
 *** 2:3.3.12-3+deb9u1 500
        500 http://updates.knut.univention.de/4.3/maintained 4.3-2/amd64/ Packages
        100 /var/lib/dpkg/status

How does your SIEM check if a package contains a fix for a specific CVE? One possibility is that the SIEM checks for a certain version string. The Debian fix backported the fix to close the security issue, but did not import a newer version of procps. Tools from the package still show their version as 3.3.12, which may confuse your SIEM.

root@ucsmaster:~# top -h
  procps-ng 3.3.12

Ok, @damrose, thank you for your feedback.
My SIEM is a newbie, and I’m observing a lot of false positive alerts
