What Are Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS)?
It seems like new vulnerabilities enter the mainstream every day. With the recent Log4Shell bug attracting significant attention as one of the worst vulnerabilities known to cybersecurity, many businesses are scrambling to understand their exposure and how the cybersecurity industry is responding. One way to understand these vulnerabilities is to look at security databases and classifications. Two of the most widespread frameworks for classifying and ranking vulnerabilities are the Common Vulnerabilities Exposures and Common Vulnerability Scoring Systems.
What Are Common Vulnerabilities and Exposures?
The Common Vulnerabilities and Exposures (CVE) list computer security flaws made public to catalog these threats publicly and support common cybersecurity responses.
The MITRE Corporation oversees the CVE. This not-for-profit organization operates through funding from the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security (DHS).
This list does not include details regarding the flaws themselves. Instead, the index provides a way to identify and catalog these vulnerabilities to provide a common vocabulary. This is accomplished with identifying numbers provided through the CVE Numbering Authority (CNA). CNAs are some of the top technology companies globally, including IBM, Cisco, Microsoft, Red Hat Linux, and others, and are given authority to apply numbers to CVEs as they arise.
CVE identification numbers follow a basic format:
“CVE” + The Year of Discovery + Unique Serial Number
For example, the recent Log4Shell vulnerability discovered in the Log4j logging utility was given the CVE identification number “CVE-2021-44228”.
While the CVE doesn’t provide a repository for correcting flaws, it does help programmers, security specialists and white-hat hackers surface previously unknown vulnerabilities and provide visibility for these issues. In order to qualify as a CVE, however, a flaw must meet certain criteria. These include:
- Vendor Acknowledgement: Part of CVE assignment is that the creator of a given piece of software or a platform admits to knowing about the flaw and that it introduces negative impacts on security. To avoid conflicts of interest, this requirement can also be satisfied by the reporter of the vulnerability demonstrating the bug and that it violates the vendor’s security policies.
- Singular Codebases: A single CVE receives a single CVE number when it affects a single codebase. If the bug impacts multiple products, code libraries or other protocols, it will obtain a CVE number for each flaw.
- Independence: The flaw is autonomous and independent in that it can be fixed without having to rely on other bug fixes related to other vulnerabilities.
Documented CVEs with an identifier will appear in several databases for record keeping and reporting purposes. Two of the most important databases where CVEs appear are the U.S. National Vulnerability Database (NVD) and the CERT/CC Vulnerability Notes Database. While the numbers and naming of vulnerabilities will sync across the MITRE CVE listings and these databases, NVD and CERT/CC will typically add more information to describe vulnerabilities.
What Is the Common Vulnerability Scoring System?
While CVEs don’t specify much about the actual vulnerabilities themselves, they do provide visibility so that security experts can respond to issues. There is, however, a related rating system to help security experts understand the severity of a flaw. The Common Vulnerability Scoring System (CVSS) provides open standards for determining the impact of a CVE.
CVSS scores operate on a scale of 0.0 to 10.0, with higher numbers representing more severe threats. Databases like the NVD use these scores to demonstrate vulnerability importance and aid in searching. The NVD website lists the ratings following a specific tier ranking system:
|CVSS Score Range||Severity Ranking|
|0.1 – 3.9||Low|
|4.0 – 6.9||Medium|
|7.0 – 8.9||High|
|9.0 – 10.0||Critical|
CVSS metrics are broken into three groups:
- Base Metric Group: This group represents facets of the vulnerabilities that don’t change over time or the environment. These include individual metrics like attack vector and complexity, privileges, scope and impact to system confidentiality, integrity and availability.
- Temporal Metric Group: This metric group covers features of a vulnerability that may change over time, but not across different environments. This can include metrics like the maturity of the exploit code or the levels of remediation that have been put into practice.
- Environmental Metric Group: This metric group is relevant to specific environments. This can include environment-specific security controls or the system’s relationship with surrounding IT infrastructure.
Different aspects of these metric groups can raise or lower the CVSS score. For example, a zero-day vulnerability with a novel code injection might have a high CVSS number, but if the vendor releases a patch for their platform, it could significantly reduce the CVSS.
Why Are CVE and CVSS Important?
Generally speaking, hundreds of vulnerabilities show up every year. Following this fact, many open security vulnerability databases exist–some that adopt CVE numbering and some that do not. However, the critical job of systems like CVE and CVSS is to provide a common nomenclature around vulnerabilities as they arise.
It’s important to note that while CVE as an organizational tool is relatively uncontroversial, CVSS has been met with its fair share of criticisms. One of the primary criticisms is how decisions related to metrics are made, the knowledge needed to apply scores (especially with new, unknown vulnerabilities) and a lack of metric granularity.
CVSS scores aren’t legally binding designations, but they are created and maintained by government-supported organizations invested in combatting cybersecurity. However, even without knowledge of CVE or CVSS, it’s essential to understand that security experts, and even some compliance frameworks, use CVSS scores as a starting point. PCI DSS, for example, requires regular vulnerability scans. Requirements note that any scan that shows a CVE vulnerability with a CVSS score higher than 4.0.
Align Security and Compliance with Lazarus Alliance
Whether it’s understanding your vulnerability profile, getting real insights into modern security threats or developing risk and compliance strategies that suit both regulations and your business goals, Lazarus Alliance can help. We have the capabilities to offer audits and certifications (where relevant) under frameworks such as FedRAMP, PCI DSS and ISO 17021.
Call Lazarus Alliance at 1-888-896-7580 or fill our this form.