Closed Rebits closed 1 week ago
In 4.8.0-beta5 the index structure for `wazuh-states-vulnerabilities` changed. In previous stages, vulnerability indices contained a timestamp field like the following:
```json
{
  "_index": "wazuh-states-vulnerabilities",
  "_id": "master_008_b28978ba313613635f07ea1aae582041f387b2cc_CVE-2024-0741",
  "_score": 1.1063815,
  "_source": {
    "@timestamp": "2024-03-06T15:51:08.761Z",
    "agent": {
      "ephemeral_id": "master",
      "id": "008",
      "name": "agent1",
      "type": "wazuh",
      "version": "v4.8.0"
    },
    "ecs": {
      "version": "8.11.0"
    },
    "host": {
      "os": {
        "full": "CentOS Linux 7.9.2009",
        "kernel": "3.10.0-1160.102.1.el7.x86_64",
        "name": "CentOS Linux",
        "platform": "centos",
        "type": "centos",
        "version": "7.9.2009"
      }
    },
    "package": {
      "architecture": "x86_64",
      "description": "Mozilla Firefox Web browser",
      "installed": "2024-03-06T15:51:04.000Z",
      "name": "firefox",
      "size": 275922442,
      "type": "rpm",
      "version": "91.13.0-1.el7.centos"
    },
    "vulnerability": {
      "category": "Packages",
      "classification": "CVSS",
      "description": "An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.",
      "enumeration": "CVE",
      "id": "CVE-2024-0741",
      "reference": "https://bugzilla.mozilla.org/show_bug.cgi?id=1864587, https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html, https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html, https://www.mozilla.org/security/advisories/mfsa2024-01/, https://www.mozilla.org/security/advisories/mfsa2024-02/, https://www.mozilla.org/security/advisories/mfsa2024-04/",
      "scanner": {
        "vendor": "Wazuh"
      },
      "score": {
        "base": 6.5,
        "version": "3.1"
      },
      "severity": "Medium"
    },
    "wazuh": {
      "cluster": {
        "name": "wazuh"
      },
      "manager": {
        "name": "ip-172-31-7-184"
      }
    }
  }
}
```
Now, this field was removed, and a `detected_at` value was included in the `vulnerability` field instead:
```json
{
  "_index": "wazuh-states-vulnerabilities",
  "_id": "node01_002_HTOFC4PYXP_CVE-1999-1301",
  "_score": 1.0,
  "_source": {
    "agent": {
      "ephemeral_id": "node01",
      "id": "002",
      "name": "1-m7MtocT5LYkPKjNC-debian8",
      "type": "wazuh"
    },
    "host": {
      "os": {
        "full": "Ubuntu 20.04.6LTS(FocalFossa)",
        "kernel": "6.2.6-76060206-generic",
        "name": "Ubuntu",
        "platform": "ubuntu",
        "type": "ubuntu",
        "version": "20.04.6.4.18.0-305.12.1.el8_4.x86_64"
      }
    },
    "package": {
      "name": "freebsd",
      "size": 6,
      "version": "2.0"
    },
    "vulnerability": {
      "category": "Packages",
      "classification": "CVSS",
      "description": "A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs.",
      "detected_at": "2024-04-15T15:46:48.356Z",
      "enumeration": "CVE",
      "id": "CVE-1999-1301",
      "published_at": "1996-07-16T04:00:00Z",
      "reference": "ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:17.rzsz.asc, http://ciac.llnl.gov/ciac/bulletins/g-31.shtml, http://www.iss.net/security_center/static/7540.php",
      "scanner": {
        "vendor": "Wazuh"
      },
      "score": {
        "base": 7.5,
        "version": "2.0"
      },
      "severity": "High"
    },
    "wazuh": {
      "cluster": {
        "name": "wazuh"
      },
      "manager": {
        "name": "rhel-manager"
      },
      "schema": {
        "version": "1.0.0"
      }
    }
  }
}
```
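To keep reports and scripts working across both layouts, here is an added example (not part of this issue or of Wazuh's own code) that reads the detection time from either shape of hit and flags findings older than a given age; the trimmed sample hits and the `AS_OF` reference date are constructed from the two documents above.

```python
"""Read the detection time from a wazuh-states-vulnerabilities hit whether it
uses the pre-beta5 layout (top-level "@timestamp") or the 4.8.0-beta5 layout
("vulnerability.detected_at"), so dashboards and scripts survive the change."""
from datetime import datetime, timezone
from typing import Optional

# Constructed sample hits, trimmed to the fields this example needs.
OLD_HIT = {
    "_id": "master_008_b28978ba313613635f07ea1aae582041f387b2cc_CVE-2024-0741",
    "_source": {
        "@timestamp": "2024-03-06T15:51:08.761Z",
        "agent": {"id": "008", "name": "agent1"},
        "vulnerability": {"id": "CVE-2024-0741", "severity": "Medium"},
    },
}
NEW_HIT = {
    "_id": "node01_002_HTOFC4PYXP_CVE-1999-1301",
    "_source": {
        "agent": {"id": "002", "name": "1-m7MtocT5LYkPKjNC-debian8"},
        "vulnerability": {"id": "CVE-1999-1301", "severity": "High",
                          "detected_at": "2024-04-15T15:46:48.356Z"},
        "wazuh": {"schema": {"version": "1.0.0"}},
    },
}
# Constructed reference date for the aging report (not a real "now").
AS_OF = datetime(2024, 4, 24, tzinfo=timezone.utc)

def parse_ts(value: str) -> datetime:
    # Both layouts use ISO 8601 with a trailing "Z"; return a tz-aware datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def schema_version(hit: dict) -> Optional[str]:
    # wazuh.schema.version exists only in the new layout; None means old layout.
    return hit["_source"].get("wazuh", {}).get("schema", {}).get("version")

def detected_at(hit: dict) -> datetime:
    """Detection time from either layout; the new field wins when both exist."""
    src = hit["_source"]
    value = src.get("vulnerability", {}).get("detected_at") or src.get("@timestamp")
    if value is None:
        raise KeyError(f"{hit.get('_id')}: no vulnerability.detected_at or @timestamp")
    return parse_ts(value)

def findings_older_than(hits, days: int, now: datetime = AS_OF):
    """(CVE, agent id) pairs detected more than `days` ago, for an SLA/aging report."""
    return sorted((h["_source"]["vulnerability"]["id"], h["_source"]["agent"]["id"])
                  for h in hits if (now - detected_at(h)).days > days)
```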
Moved ETA to 24/04/2024 to allow final review
LGTM