QID Spotlight: Discover CBL-Mariner Vulnerabilities using Qualys VMDR

The Qualys vulnerability signatures team has released a new series of signatures (detections) for CBL-Mariner (Common Base Linux), allowing security teams to identify CBL-Mariner hosts and detect their vulnerabilities.

 CBL-Mariner (Common Base Linux) is developed by Microsoft and is a Linux distribution for edge network services. It serves as the base Linux in SONiC, Azure Sphere OS, Windows Subsystem for Linux (WSL) and for containers in the Azure Stack HCI implementation of Azure Kubernetes Service. CBL-Mariner is also used in Azure IoT Edge for Linux on Windows to run Linux workloads on Windows IoT.

The newly released set of 285 signatures (QIDs) covers all CBL-Mariner advisories released to date. Qualys research plans to release more QIDs for upcoming advisories on an ongoing basis.

Security teams should use Qualys Vulnerability Management, Detection and Response (VMDR) to discover, assess, prioritize, and patch critical vulnerabilities in real time, including for CBL-Mariner, as part of your security and compliance programs.

Identify CBL-Mariner Linux Assets & Vulnerabilities

To identify CBL-Mariner hosts and detect their vulnerabilities, Qualys recommends running a Linux agent scan using Qualys Cloud Agent.

CBL-Mariner QIDs are included in Linux Cloud Agent and are automatically updated on Linux agent version 4.6.0 and above, Cloud Agent Service version 3.0.3.2 and above; and Cloud Agent manifest version 2.5.251.3-2 and above.

Customers can search for all CBL-Mariner operating system using the following QQL query:


vulnerabilities.hostOS:”CBL-Mariner”



Scan CBL-Mariner Hosts

Scanning for CBL-Mariner vulnerabilities does not require root privileges; however, the account must be able to perform following commands:

/etc/mariner-release

rpm -qa

Scan reports identify CBL-Mariner as:



Qualys VMDR automatically detects new CBL-Mariner OS vulnerabilities as their associated detections (QIDs) are added to the Qualys KnowledgeBase. As with all detections, CBL-Mariner QIDs contain recommended steps to address the vulnerability.