Release 1.32.1

April 12, 2024

Qualys strongly recommends upgrading the Container Security Sensor to version 1.32.1 to avoid false-positive detections of CVE-2024-3094 against the sensor itself. 

What’s New?

Addressed Potential Security Concerns with liblzma

Security Advisory: CVE-2024-3094 in liblzma 

A recent vulnerability (CVE-2024-3094) was identified in the liblzma library shipped with xz-utils 5.6.0 and 5.6.1: malicious code inserted into the upstream release tarballs can lead to remote code execution under certain conditions (CVSS score: 10.0). 

Qualys Container Security Sensor Not Affected by CVE-2024-3094 

Our investigation determined that Qualys Container Security Sensor 1.32.0 is not vulnerable to CVE-2024-3094 for the following reasons: 

  • Sensor Implementation: The sensor's use of liblzma does not exercise the functionality the malicious code hooks. 
  • Limited Attack Surface: The sensor does not run sshd (the Secure Shell daemon, which the malicious code targets) and does not expose ports reachable from external networks. 

Mitigating False Positive Findings 

To eliminate potential false-positive detections related to CVE-2024-3094, Container Security Sensor 1.32.1 downgrades the bundled liblzma to version 5.4.6, a release that predates the compromised 5.6.0 and 5.6.1 builds. 
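The following is an added example, not Qualys code, for checking which liblzma build an image or host actually carries and whether it falls in the CVE-2024-3094 range (5.6.0 or 5.6.1). It parses the output of `xz --version` and classifies the reported liblzma version; the sample transcripts are constructed, and the assumption that an `xz` binary is present in the image under test is ours, not the page's.

```shell
#!/bin/sh
# Added example (not Qualys code): classify a liblzma version against the
# CVE-2024-3094 compromised releases and parse `xz --version` output.

# Return 0 (true) if VERSION is one of the backdoored upstream releases.
liblzma_is_compromised() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print the liblzma version.
# Prefers the "liblzma X.Y.Z" line; falls back to the "xz (XZ Utils) X.Y.Z" line.
liblzma_version_from_xz_output() {
    awk '
        /^liblzma[[:space:]]/ { print $2; found = 1; exit }
        /^xz \(XZ Utils\)/    { xzver = $4 }
        END { if (!found && xzver != "") print xzver }
    '
}

# Classify a full `xz --version` transcript passed as $1.
# Prints "compromised <ver>", "clean <ver>" or "unknown"; always returns 0
# so callers running under `set -e` can capture the result.
classify_xz_output() {
    ver=$(printf '%s\n' "$1" | liblzma_version_from_xz_output)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    if liblzma_is_compromised "$ver"; then
        echo "compromised $ver"
    else
        echo "clean $ver"
    fi
    return 0
}

# Constructed sample transcripts (not captured from a real sensor image).
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_COMPROMISED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Stand-alone run over the constructed samples.
for s in "$SAMPLE_CLEAN" "$SAMPLE_COMPROMISED"; do
    printf '%s -> %s\n' "$(printf '%s' "$s" | head -n 1)" "$(classify_xz_output "$s")"
done
```

To check a sensor image rather than the constructed samples, feed it real output, for example `classify_xz_output "$(docker run --rm --entrypoint xz IMAGE --version)"` for an image or `classify_xz_output "$(docker exec CONTAINER xz --version)"` for a running container; this assumes the image ships an `xz` binary, which is not stated on this page. A result of "clean 5.4.6" after upgrading to 1.32.1 is the outcome the release note describes.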

Support for Docker Version 25.0.1 

Earlier, the Container Security Sensor did not support Docker version 25.0.1, which caused static scans to fail. With this release, the sensor supports Docker 25.0.1.  

Issues Addressed

The following issues have been fixed with this release:

Category            Issue
Container re-scan   The sensor failed to re-scan the containers after a Container Scanning Interval value was specified.
Static Scan         Static scan failed on Docker version 25.0.1.