Hey everyone! I'm dealing with a situation in my role as a sysadmin where I've got my RHEL 9.7 system running with Crowdstrike installed. My manager keeps seeing countless vulnerabilities flagged every month, and it feels like there's hardly any fix available yet because the tools aren't reporting any patches that correspond to those vulnerabilities. I'm curious how others manage this kind of scenario when the machines are supposedly up to date, yet still getting bombarded by these no-fix alerts. Any advice on how to navigate this would be greatly appreciated!
5 Answers
Just a heads up, this presence of no-fix vulnerabilities often indicates a failure in vulnerability management. An IT manager typically shouldn't be resolving these deeply technical issues alone. Engaging with security experts to assess and properly address these vulnerabilities would be ideal.
It's important to double-check if those vulnerabilities are genuine or just false positives. Red Hat often backports security fixes, which can confuse many scanners. They might report a vulnerability that’s already been patched in the version you have.
It's worth mentioning that if Crowdstrike hasn't flagged a fix, then it's likely there's no patch issued by Red Hat yet. Showing your manager the security advisory status ('Affected' vs. 'Fix available') can help clarify the situation.
I think the real deal here is validating what the scanners report. They're tools, not foolproof solutions. You have to validate the claims, find out who’s responsible for the vulnerabilities, and get them to acknowledge it. Then, work together to come up with a remediation plan—patch, disable features, or whatever is necessary. This is an ongoing process of checks and balances.
Absolutely! Once you've nailed down the process, keep digging deeper to find any additional issues down the line.
Check if the vulnerabilities reported by Crowdstrike are actually fixed with regards to RHEL's versioning. RHEL may backport fixes that some scanners might not pick up. You can look up CVE details on the Red Hat security page to see if there's a fix available, which involves checking against the CVE and their Errata page for updates.
Thanks for breaking that down! If a vulnerability has been marked as 'Medium' and hasn't been fixed in over 76 days, does that mean it’s unlikely to be addressed soon?
I've definitely printed out CVE write-ups and shared them with my security team to make sure they know what's valid vs. what the scanner claims.

That's a good point! I'd love to know more about how to check for those backported fixes, especially with regards to OpenSSL.