Scan results for 22.01.840

OpenSCAP and vulnerability scan report:
  • Prisma Cloud Compute release: 22.01 (22.01.840)
  • Base image: registry.access.redhat.com/ubi8/ubi-minimal:8.4-205
  • Benchmark URL: scap-security-guide-0.1.59/ssg-rhel8-ds.xml
  • Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-8
  • Profile ID: xccdf_org.ssgproject.content_profile_stig
  • Compared to IronBank’s UBI8-minimal, Version 8.5, Build Date: 2022-03-04

twistlock/private:console_22_01_840

Findings for Prisma Cloud Compute Console.

OpenSCAP report

You can find the OpenSCAP report here.

Rule_ID | Compute finding | IronBank finding | Justification
--- | --- | --- | ---
xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | Pass | Fail | /etc/pki/tls/openssl.cnf configured according to check
xccdf_org.ssgproject.content_rule_accounts_authorized_local_users | Fail | Pass | Local accounts include: twistlock = non-root account for the service, mongod = MongoDB database, saslauth = authentication libraries. Application is a non-interactive container. There is no interactive console session with the container.
xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs | Fail | Pass | Incorrect finding. /lib, /usr/lib, /lib64 and /usr/lib64 group ownership is root.
oval:com.redhat.rhsa:def:20220658 | Fail | Pass | CVE-2022-24407 to be patched in next update.
oval:ssg-accounts_umask_etc_csh_cshrc:def:1 | Fail | Pass | Umask 027. Application is a non-interactive container. There is no interactive console session with the container.
oval:ssg-accounts_umask_etc_profile:def:1 | Fail | Pass | Umask 027. Application is a non-interactive container. There is no interactive console session with the container.

Vulnerabilities full report

You can find the full vulnerabilities report here.
CVE | Package | Version | Fix Status | Justification
--- | --- | --- | --- | ---
CVE-2020-16135 | libssh | 0.9.4-3.el8 | | Update to Intelligence Stream will remove this finding. Patched package is included in image.
CVE-2020-29652 | golang.org/x/crypto | v0.0.0-20210220033148-5ea612d1eb83 | | The vulnerability is in the implementation of the SSH server, which is not used within the Console.
CVE-2021-44716 | go net/http | 1.17.3, 1.16.7 | | To be patched in next release (Kepler).
CVE-2021-29923 | go | 1.16.7 | | To be patched in next release (Kepler).
CVE-2021-41771 | go | 1.16.7 | | Relevant for the debug/macho package; Prisma Cloud Compute does not access Mach-O object files. To be patched in next release (Kepler).
CVE-2021-39293 | go | 1.16.7 | | To be patched in next release (Kepler).
CVE-2021-38297 | go | 1.16.7 | | Not applicable since Prisma Cloud Compute does not include a WASM module in compilation. To be patched in next release (Kepler).
CVE-2021-41772 | go | 1.16.7 | | To be patched in next release (Kepler).

twistlock/private:defender_22_01_840

Findings for Prisma Cloud Compute Defender.

OpenSCAP report

You can find the OpenSCAP report here.
Rule_ID | Compute finding | IronBank finding | Justification
--- | --- | --- | ---
xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | Pass | Fail | /etc/pki/tls/openssl.cnf configured according to check
xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs | Fail | Pass | Incorrect finding. /lib, /usr/lib, /lib64 and /usr/lib64 group ownership is root.

Vulnerabilities full report

You can find the full vulnerabilities report here.
CVE | Package | Version | Fix Status | Justification
--- | --- | --- | --- | ---
CVE-2020-16135 | libssh | 0.9.4-3.el8 | | Update to Intelligence Stream will remove this finding. Patched package is included in image.
CVE-2021-44716 | go net/http | 1.17.3, 1.16.7 | | To be patched in next release (Kepler).