Skip to main content

Host Vulnerability - FAQs


Why do host vulnerability results show two different versions of the same package on a machine?

Generally, assessment data is from what currently exists at the time of assessment. In some circumstances, Lacework can carry forward fixed status data to provide information about a previously existing vulnerability that has since been patched/addressed.

Hosts must be online at least once within a 30-day window for vulnerability assessment metrics to carry forward. Carrying forward metrics means Lacework updates the existing assessment report instead of creating a new assessment report. See When Host Assessment Metrics Carry Forward for more details.

How can I fix a host vulnerability detected by an assessment?

Debian-based Distributions
apt remove and dpkg --remove
RedHat-based Distributions
rpm -e PackageName (instead of `yum remove PackageName`)

For details, see Fix a Host Vulnerability.

Why doesn’t the host vulnerability assessment identify recently updated packages as “Fixed”?

Package collection runs hourly, however, Lacework does not restrict the assessment to the last hour of collected packages. The last day of packages is considered because that is also the assessment interval - daily. The impact is that if the package existed within 24 hours before the assessment, it appears in the assessment. See When Host Assessments Identify a Vulnerability as Fixed for more details.

What happens when there are multiple fix versions for the same vulnerability?

If there are multiple fixed package versions, Lacework selects only one fixed version to assess against each installed version because there is one fixed version out of many that is the most appropriate for comparison.

By default, Lacework displays the longest version prefix match (for example, v2.* installed versions are compared against v2.* instead of v1.*). If no major version matches, Lacework selects the highest fixed version. See Multiple Fixed Parallel Package Versions for more details.

How often does Lacework update their CVE database?

The Lacework platform ingests a new CVEs daily from OS vendors and the NIST National Vulnerability Database (NVD).

How does Lacework handle inactive kernel packages on hosts?

Vulnerabilities found on inactive kernel packages on hosts have exceptions automatically created for them.

  • The Lacework Console does not display vulnerability exceptions for inactive kernel packages.
  • The Lacework API does return data that displays these automated exceptions.

Does Lacework support scanning of Fat JARs?

Scanning of Fat JARs is fully supported when using Agentless Workload Scanning to assess vulnerabilities on hosts. Fat JARs are single JAR files that contain all the dependencies needed for a project or to run a service (including the service code itself). Lacework will scan all the dependent packages within the Fat JAR and report back with any vulnerabilities.