With virtual patching, do I still need to remediate the patch on the host?

Yes. Even with virtual patching in place, you still need to apply the actual patch on the host. Virtual patching is a temporary security measure that protects systems from known vulnerabilities by applying rules or configurations at the network or application level, rather than directly modifying the vulnerable software on the host. It is a stopgap that blocks exploits while you work on applying the actual patch.

For example, if a web application has a known SQL injection vulnerability, a virtual patch can be implemented using a web application firewall (WAF) to block malicious SQL queries. However, this does not fix the underlying code issue in the application. The developer still needs to update the application code to permanently eliminate the vulnerability.
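The SQL injection case above, as an added example that is not taken from any product: a regex stands in for the WAF rule, and the same lookup is shown unpatched and remediated. The table, the signature, and all function names are assumptions made for illustration; "direct" means a request that does not pass through the WAF (rule disabled, WAF removed, or another route to the application).

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for the application's database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db

# Hypothetical virtual-patch rule: a signature checked before the request reaches
# the application. Real WAF rule sets are far broader than this single pattern.
SQLI_SIGNATURE = re.compile(r"('|--|;|\bOR\b|\bUNION\b)", re.IGNORECASE)

def waf_allows(param):
    return SQLI_SIGNATURE.search(param) is None

# Unpatched application code: the parameter is concatenated into the SQL text.
def lookup_unpatched(db, name):
    return db.execute("SELECT email FROM users WHERE name = '" + name + "'").fetchall()

# Remediated application code: the parameter is bound and never parsed as SQL.
def lookup_remediated(db, name):
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()

def handle(db, name, lookup, behind_waf):
    """Return the rows the caller receives, or None if the WAF rejected the request."""
    if behind_waf and not waf_allows(name):
        return None
    return lookup(db, name)

def demo():
    db = make_db()
    crafted = "x' OR '1'='1"  # textbook tautology input
    return {
        "waf_unpatched": handle(db, crafted, lookup_unpatched, behind_waf=True),
        "direct_unpatched": handle(db, crafted, lookup_unpatched, behind_waf=False),
        "direct_remediated": handle(db, crafted, lookup_remediated, behind_waf=False),
        "legit_remediated": handle(db, "alice", lookup_remediated, behind_waf=False),
    }

if __name__ == "__main__":
    for case, rows in demo().items():
        print(case, rows)
```

The virtual patch stops the request only while it sits in the path; the unpatched query still returns every row once the filter is absent, while the remediated query returns nothing for the same input.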

In cloud environments, services like Tencent Cloud Web Application Firewall (WAF) can provide virtual patching capabilities to protect applications from known threats. However, for long-term security, it is essential to remediate the vulnerability on the host by applying official patches or updates. Virtual patching should be seen as a complementary measure, not a replacement for proper patch management.