Focus

Prisma Cloud Compute Edition Public Sector

Scan results for 22.01.840

Table of Contents

OpenSCAP and vulnerability scan report:

Prisma Cloud Compute release: 22.01 (22.01.840)

Base image: registry.access.redhat.com/ubi8/ubi-minimal:8.4-205

Benchmark URL: scap-security-guide-0.1.59/ssg-rhel8-ds.xml

Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-8

Profile ID: xccdf_org.ssgproject.content_profile_stig

Compared to IronBank’s UBI8-minimal, Version 8.5, Build Date: 2022-03-04

Findings for Prisma Cloud Compute Console.

You can find the OpenSCAP report here

Rule_ID	Compute finding	IronBank finding	Justification
xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy	Pass	Fail	/etc/pki/tls/openssl.cnf configured according to check
xccdf_org.ssgproject.content_rule_accounts_authorized_local_users	Fail	Pass	local accounts include: twistlock = non-root account for service, mongod = mongoDB database & saslauth = authentication libraries. Application is a non-interactive container. There is no interactive console session with the container.
xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs	Fail	Pass	Incorrect finding. /lib, /usr/lib /lib64 and /usr/lib64 group ownership is root
oval:com.redhat.rhsa:def:20220658	Fail	Pass	CVE-2022-24407 to be patched in next update
oval:ssg-accounts_umask_etc_csh_cshrc:def:1	Fail	Pass	Umask 027. Application is a non-interactive container. There is no interactive console session with the container.
oval:ssg-accounts_umask_etc_profile:def:1	Fail	Pass	Umask 027. Application is a non-interactive container. There is no interactive console session with the container.

You can find the full vulnerabilities report here.

CVE	Package	Version	Fix Status	Justification
CVE-2020-16135	libssh	0.9.4-3.el8	fixed in 0.9.4-3.el8	Update to Intelligence Stream will remove this finding. Patched package is included in image.
CVE-2020-29652	golang.org/x/crypto	v0.0.0-20210220033148-5ea612d1eb83	fixed in v0.0.0-20201216223049-8b5274cf687f	The vulnerability is in the implementation of ssh server which is not used within the Console.
CVE-2021-44716	go net/http	1.17.3, 1.16.7	fixed in 1.17.3, 1.16.12	To be patched in next release (Kepler).
CVE-2021-29923	go	1.16.7	fixed in 1.17	To be patched in next release (Kepler).
CVE-2021-41771	go	1.16.7	fixed in 1.17.3, 1.16.10	Relevant for the debug/macho package, and Prisma Cloud Compute does not accessing Mach-O object files. To be patched in next release (Kepler).
CVE-2021-39293	go	1.16.7	fixed in 1.17.1, 1.16.8	To be patched in next release (Kepler).
CVE-2021-38297	go	1.16.7	fixed in 1.17.2, 1.16.9	Not applicable since Prisma Cloud Compute does not include WASM module in compilation. To be patched in next release (Kepler).
CVE-2021-41772	go	1.16.7	fixed in 1.17.3, 1.16.10	To be patched in next release (Kepler).

Findings for Prisma Cloud Compute Defender.

You can find the OpenSCAP report here.

Rule_ID	Compute finding	IronBank finding	Justification
xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy	Pass	Fail	/etc/pki/tls/openssl.cnf configured according to check
xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs	Fail	Pass	Incorrect finding. /lib, /usr/lib /lib64 and /usr/lib64 group ownership is root

You can find the full vulnerabilities report here.

CVE	Package	Version	Fix Status	Justification
CVE-2020-16135	libssh	0.9.4-3.el8	fixed in 0.9.4-3.el8	Update to Intelligence Stream will remove this finding. Patched package is included in image.
CVE-2021-44716	go net/http	1.17.3, 1.16.7	fixed in 1.17.3, 1.16.12	To be patched in next release (Kepler).