
Qualys reports vulnerability still exists even after the fix is applied

Question asked by Sundararajan Pitchai on Oct 4, 2018
Latest reply on Oct 5, 2018 by DMFezzaReed

I have a kernel version 2.6.32-279. In order to fix the stack clash vulnerability (CVE-2017-1000364), I have backported the patch from kernel-2.6.32-696 to 2.6.32-279. Also the glibc package was upgraded to 2.12-1.209.el6.1_1alcy.i686.rpm. When the QualysGuard vulnerability scan was done, it reports that CVE-2017-1000364 is not solved and the vulnerability exists.

From the link "How does vulnerability scanning work?", I read: "The scanner first tries to check the version of the service in order to detect only vulnerabilities applicable to this specific service version. Every vulnerability detection is non-intrusive, meaning that the scanner never exploits a vulnerability if it could negatively affect the host in any way."

Does it mean that until I upgrade to a kernel version where the vulnerability is officially fixed, QualysGuard will continue to report that this vulnerability exists?


Any suggestions/clarifications to resolve this will be appreciated.
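The situation in the question, a backported patch that a version-matching scanner cannot see, illustrated with an added Python example (this is not code from the post, and it is not Qualys's detection logic). It assumes a simplified reimplementation of RPM's version ordering (tilde and caret handling left out), uses the kernel releases named in the question, and assumes, as a local verification heuristic, that a rebuilt package's changelog records the CVE it backports; the changelog texts are constructed.

```python
import re

# Alphanumeric segment splitter, as used by RPM's version comparison.
_SEG = re.compile(r"\d+|[A-Za-z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare two version or release strings segment by
    segment. Digit runs compare numerically, letter runs lexically, and a digit
    run sorts after a letter run. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_evr(evr: str):
    """Split 'epoch:version-release' into its parts (epoch defaults to 0)."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpm_vercmp(x, y)
        if c:
            return c
    return 0


# Releases from the question: the installed kernel and the vendor release
# the stack clash patch was backported from.
INSTALLED_KERNEL = "2.6.32-279.el6"
VENDOR_FIXED_KERNEL = "2.6.32-696.el6"

# Constructed changelog text standing in for `rpm -q --changelog kernel`
# output of a locally rebuilt package whose maintainer noted the backport.
CHANGELOG_WITH_BACKPORT = """\
* Wed Oct 03 2018 Example Builder <builder@example.invalid> - 2.6.32-279.el6
- Backport stack clash mitigation from 2.6.32-696 (CVE-2017-1000364)
"""
# Constructed changelog with no record of the backport.
CHANGELOG_WITHOUT_BACKPORT = """\
* Tue Jun 12 2012 Example Builder <builder@example.invalid> - 2.6.32-279.el6
- Initial build
"""


def version_only_verdict(installed: str, fixed: str) -> str:
    """Verdict of a check that only compares the reported package version
    against the release in which the vendor fixed the flaw. A backport that
    keeps the old version string is invisible to it."""
    return "vulnerable" if evr_cmp(installed, fixed) < 0 else "not vulnerable"


def backport_aware_verdict(installed: str, fixed: str, changelog: str, cve: str) -> str:
    """Local verification step (assumption: the rebuilt package's changelog
    names the CVE): accept the package if its version is at or past the fix,
    or if the changelog records the backport."""
    if evr_cmp(installed, fixed) >= 0:
        return "not vulnerable"
    if re.search(r"\b" + re.escape(cve) + r"\b", changelog):
        return "not vulnerable (backport recorded in changelog)"
    return "vulnerable"


if __name__ == "__main__":
    cve = "CVE-2017-1000364"
    print("version-only  :", version_only_verdict(INSTALLED_KERNEL, VENDOR_FIXED_KERNEL))
    print("backport-aware:", backport_aware_verdict(
        INSTALLED_KERNEL, VENDOR_FIXED_KERNEL, CHANGELOG_WITH_BACKPORT, cve))
    print("no backport   :", backport_aware_verdict(
        INSTALLED_KERNEL, VENDOR_FIXED_KERNEL, CHANGELOG_WITHOUT_BACKPORT, cve))
```

The version-only verdict is what the scan result reflects: 2.6.32-279 sorts before 2.6.32-696, and nothing in the version string says the patch was applied. The changelog check is the kind of evidence an administrator gathers locally to confirm the backport is present; it is evidence for a review of the finding, not something a remote version match can derive on its own.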
