IBM QRadar

  • 1.  Qradar Vulnerabilities

    Posted Wed May 16, 2018 10:45 AM

    Hello,

    I know when Nessus scans a device it looks at the versions of packages and modules and then will say a device is "vulnerable" if that particular version has known CVEs related to it. I also know that the QRadar appliances are not using full-blown RHEL, so even though it may contain a "vulnerable" version of a package, it may not be able to be exploited on QRadar because, for one reason or another, it may not use the package/module, etc.

    My question is: when searching a CVE on X-Force, it lists "Affected products", "Dependent Products", and "References" for each CVE. If QRadar is not listed there for a particular CVE, does that mean it is not affected by it, even if Nessus thinks it is?



    ------------------------------
    Gregory Gonzalez
    ------------------------------


  • 2.  RE: Qradar Vulnerabilities

    Posted Tue February 11, 2025 01:23 PM

    Gregory,

    There are a couple of thoughts that come to my mind. First of all, CVE is not X-Force. They just refer to each other. CVE search is listing 244 QRadar entries vs. 483 for QRadar in X-Force. I have not checked the categories, but the raw number indicates that when there is no entry in X-Force, the problem is either still unknown/under investigation or does not affect QRadar, as suggested by you. CVE entries regarding RHEL, from my experience, mean nothing as long as your installation is built on top of the QRadar image and up to date, i.e. containing the latest fixes. If, however, you are using standard RHEL and install QRadar on top, you end up with two lists of RPMs: those maintained by QRadar and those maintained by RHEL. That means you have to check both lists in CVE and X-Force just to be sure, depending on your Nessus results. To answer your question: yes, I believe you are right being skeptical regarding your Nessus results being wrong, as long as you haven't installed extra packages not being maintained by QRadar. Moreover, the weights being used by CVE and X-Force are very different, so a one-to-one comparison will always fail.

    Regards

    Karl



    ------------------------------
    Karl Jaeger #ibmchampion
    QRadar Specialist
    cnag
    Siegen, Germany
    ------------------------------