# Vulnerability Remediation Change Types
Vulnerability remediation changes address specific CVEs, misconfigurations, and exposed credentials identified by security scanners or manual review.
## Install Package Update
Updates a specific package on a Linux host to a target version to remediate a CVE.
Connectors: SSH, Agent
Parameters:
| Parameter | Type | Description |
|---|---|---|
| Package Name | string | Package name (e.g., openssl) |
| Target Version | string | Version to install (e.g., 3.0.2-0ubuntu1.15) |
| Package Manager | string | apt, yum, dnf, or zypper |
Execution:

```bash
# apt example
apt-get install -y openssl=3.0.2-0ubuntu1.15

# yum/dnf example
dnf install -y openssl-3.0.7-1.el9
```
Rollback: Downgrades the package to the version that was installed before the change (recorded in the pre-check step).
Risk base score: 4 (medium -- package updates can introduce regressions)
> Version pinning: Nexplane pins the package to the exact target version. If your package manager updates the package again in a subsequent run (for example, `apt-get upgrade`), Nexplane does not track that as a rollback event.
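The pre-check, install and rollback steps above differ only in pin syntax and in how each package manager is told that a downgrade is deliberate. The following is an added example (not Nexplane's connector code) that builds those three commands for one host; it assumes a hypothetical `plan_update` helper and uses constructed "installed version" values in place of real pre-check output, so it runs offline and never touches a package manager.

```python
"""Plan a pinned package update with a recorded rollback target.

Added example, not Nexplane's own code. It assumes the connector runs the
returned argv on the host (not shown); the installed-version inputs below
are constructed sample values standing in for real pre-check output.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Pin syntax differs by package manager: apt and zypper use name=version,
# yum and dnf use name-version.
PIN = {"apt": "{n}={v}", "yum": "{n}-{v}", "dnf": "{n}-{v}", "zypper": "{n}={v}"}

INSTALL = {
    "apt": ["apt-get", "install", "-y"],
    "yum": ["yum", "install", "-y"],
    "dnf": ["dnf", "install", "-y"],
    "zypper": ["zypper", "--non-interactive", "install"],
}

# Rollback moves to an older version, which each manager refuses unless the
# downgrade is explicit; a plain "install name=oldversion" is not enough.
DOWNGRADE = {
    "apt": ["apt-get", "install", "-y", "--allow-downgrades"],
    "yum": ["yum", "downgrade", "-y"],
    "dnf": ["dnf", "downgrade", "-y"],
    "zypper": ["zypper", "--non-interactive", "install", "--oldpackage"],
}

# Pre-check query whose stdout is the exact version string to roll back to.
QUERY = {
    "apt": ["dpkg-query", "-W", "-f=${Version}"],
    "yum": ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}"],
    "dnf": ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}"],
    "zypper": ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}"],
}


@dataclass(frozen=True)
class UpdatePlan:
    query: List[str]               # pre-check: records the current version
    install: List[str]             # the change itself (empty when noop)
    rollback: Optional[List[str]]  # None when there is nothing to undo
    noop: bool


def pin(pm: str, name: str, version: str) -> str:
    """Render the name/version pair in the manager's pin syntax, rejecting
    anything that is not a single token so it cannot smuggle extra arguments."""
    if pm not in PIN:
        raise ValueError(f"unsupported package manager: {pm}")
    if not name or not version or any(c.isspace() for c in name + version):
        raise ValueError("package name and version must be single tokens")
    return PIN[pm].format(n=name, v=version)


def plan_update(pm: str, name: str, target: str, installed: str) -> UpdatePlan:
    """Build pre-check, install and rollback argv for one host.

    `installed` is what the pre-check query returned on that host. It is the
    only trustworthy rollback target: a version guessed from a scanner report
    may not be what the host actually had.
    """
    target_pin = pin(pm, name, target)
    query = QUERY[pm] + [name]
    if installed == target:
        # Already remediated (for example by a later apt-get upgrade); do not
        # record a rollback target that would "downgrade" to the same version.
        return UpdatePlan(query, [], None, True)
    return UpdatePlan(
        query,
        INSTALL[pm] + [target_pin],
        DOWNGRADE[pm] + [pin(pm, name, installed)],
        False,
    )


if __name__ == "__main__":
    # Constructed sample: an Ubuntu host currently one patch level behind.
    plan = plan_update("apt", "openssl", "3.0.2-0ubuntu1.15", "3.0.2-0ubuntu1.14")
    for label, argv in (("pre-check", plan.query), ("install", plan.install),
                        ("rollback", plan.rollback)):
        print(f"{label:9s} {shlex.join(argv)}")
```

The rollback command is derived from the pre-check output rather than from the scanner's reported version, which is the same ordering the change type's own rollback description relies on; if the pre-check already shows the target version, the plan is a no-op and carries no rollback.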
## Remove Vulnerable Package
Removes a package that has a known vulnerability and no available fix (e.g., an end-of-life package with an unpatched CVE).
Connectors: SSH, Agent
Parameters:
| Parameter | Type | Description |
|---|---|---|
| Package Name | string | Package to remove |
| Purge Config | boolean | Also remove configuration files (default: false) |
Rollback: Re-installs the package at the version that was removed. Note that if the package was removed because it has a critical vulnerability, rolling it back re-introduces that vulnerability.
Risk base score: 6 (medium-high -- removing a package may break applications that depend on it)
## Revoke Exposed Credential
Immediately revokes a credential that has been identified as exposed. This change type is designed for emergency response -- it bypasses the normal approval queue when the emergency-bypass approval policy is enabled.
Connectors: AWS, GCP, Azure, LDAP, HashiCorp Vault
Parameters:
| Parameter | Type | Description |
|---|---|---|
| Credential Type | string | iam-key, service-account-key, client-secret, ldap-password, vault-token |
| Credential Identifier | string | Key ID, accessor, or user DN depending on credential type |
| Exposure Source | string | Where the credential was found (recorded in audit log, not used in execution) |
Execution: Immediately revokes or resets the credential using the appropriate connector action. For LDAP, the password is reset to a random 32-character string.
Rollback: Not available. Revocation is intentionally irreversible. If the credential was revoked in error, create a new one using a Credentials change type.
Risk base score: 9 (high -- immediate service impact is expected)
## Block Public S3 Bucket
Enables the S3 Block Public Access settings on a bucket that has been identified as publicly accessible.
Connector: AWS
Parameters:
| Parameter | Type | Description |
|---|---|---|
| Bucket Name | string | S3 bucket name |
Execution: Calls s3:PutBucketPublicAccessBlock with all four block settings enabled.
Rollback: Restores the previous public access block settings. Note that rolling back to allow public access should only be done intentionally.
Risk base score: 7 (high -- may break public-facing web assets if the bucket was intentionally public)