6 Replies Latest reply on Sep 6, 2017 2:52 AM by phoffmann

    Some Vulnerabilities don't have CVSS ratings

    bprocter Apprentice

      I have noticed in the Patch Management console that there are a number of vulnerabilities that don't have a CVSS Rating.

       

      Our current policy states that we have to patch vulnerabilities with a rating of 7-10 within 2 weeks of release.

       

      Is there a reason why some of them don't display a rating but have a CVE-ID?

        • 1. Re: Some Vulnerabilities don't have CVSS ratings
          phoffmann SupportEmployee

          Not all vulnerabilities are necessarily associated to a CVE-ID (for instance, most of the LANDesk patches aren't going to have one).

           

          If you'd care to highlight a few examples that are relevant to you, it may lead to a more beneficial conversation.

          • 2. Re: Some Vulnerabilities don't have CVSS ratings
            bprocter Apprentice

            Here is an example - one of many:

            ID:4034034_MSU

            Title:MS Security Update August 2017 – Security update for the Windows Search remote code execution vulnerability: August 8, 2017 (4034034)


             

            Link to CVE-ID: https://nvd.nist.gov/vuln/detail/CVE-2017-8620

             

            Thanks

            • 3. Re: Some Vulnerabilities don't have CVSS ratings
              phoffmann SupportEmployee

              I shall poke the content folks & see what's what.

               

              As a general note - if you feel that we're either missing stuff or "doing things wrong" (false positives, etc) that can/is usually handled via support tickets. The Content Team gets notified by support if there's any issues with anything.

               

              I don't mind helping out informally on occasion (such as here) - just letting you know what the process is usually for content issues.

               

              I shall let you know what I hear back.

               

              Note - you may also want to update your content -- the CVE-ID is definitely there. (I've moved the CVE-ID column into the 2nd place so you can see it easier):

               

              Not sure how old your content is (I happened to update mine this morning (Aug 31st 2017) on an unrelated matter).

               

              EDIT: In case it's relevant - this is from a 2016.3 Core

               

              EDIT 2 - never mind, you were talking about the CVSS fields, not CVE-ID. My stupid. Right - correcting my poke to the content folks & going to see what's what.

              • 4. Re: Some Vulnerabilities don't have CVSS ratings
                bprocter Apprentice

                Thanks for your time phoffmann!

                 

                Yes, it is the CVSS field that we are looking at here. I just took a look at our Global detected folder and we have 132 of 674 CVE-IDs which don't currently have a CVSS rating.

                 

                Our content is updated daily along with a historical Gather.

                 

                I have also modified my columns as you suggested.

                 

                I will raise a ticket to cover the 132 (I have exported the data for review into a CSV).

                • 5. Re: Some Vulnerabilities don't have CVSS ratings
                  phoffmann SupportEmployee

                  OK - heard back from the content folks.

                   

                  It looks like the NIST (www-)side of things changed, and thus our harvesting of that data ran into issues. They're going to fix that up and improve processes so that we should be more consciously aware of stuff being changed. (WWW-sites changing stuff on us isn't new - LDDA runs into that a lot with hardware vendor stuff like warranty information).

                   

                  Should be a relatively simple fix (I'm told) and so you should be able to see the CVSS'es within content soon.

                   

                  Mystery solved.

                  • 6. Re: Some Vulnerabilities don't have CVSS ratings
                    phoffmann SupportEmployee

                    Got a poke from the content team - the content updates should be done. 1034 vulnerabilities have been updated ... so not a small amount.
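
Added example, not part of any post in this thread and not LANDesk code: a triage pass over a CSV export like the one mentioned in reply 4, so that entries with a CVE-ID but no CVSS rating are queued for manual review instead of silently falling outside a "7-10 within 2 weeks" filter. The column names and the `EXAMPLE_*` rows are constructed assumptions; only `4034034_MSU`, its CVE-ID and its release date come from the thread.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export. Column names are assumptions, not the console's real headers.
SAMPLE_CSV = """ID,CVE-ID,CVSS,Release Date
4034034_MSU,CVE-2017-8620,,2017-08-08
EXAMPLE_A,CVE-0000-0001,9.3,2017-08-08
EXAMPLE_B,CVE-0000-0002,4.3,2017-08-08
EXAMPLE_C,,,2017-08-15
EXAMPLE_D,CVE-0000-0003,N/A,2017-08-15
"""

THRESHOLD = 7.0                      # policy from the thread: rating 7-10
PATCH_WINDOW = timedelta(days=14)    # policy from the thread: within 2 weeks of release


def parse_score(raw):
    """Return the CVSS score as a float, or None if blank, unparseable or out of range."""
    try:
        score = float(raw.strip())
    except (ValueError, AttributeError):
        return None
    return score if 0.0 <= score <= 10.0 else None


def triage(csv_text):
    """Bucket each row; a missing rating is 'unknown', never 'below threshold'."""
    buckets = {"in_policy": [], "below_threshold": [], "unrated_cve": [], "no_cve": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = parse_score(row.get("CVSS"))
        cve = (row.get("CVE-ID") or "").strip()
        released = date.fromisoformat(row["Release Date"])
        entry = {"id": row["ID"], "cve": cve, "score": score,
                 "due": released + PATCH_WINDOW}
        if score is not None:
            key = "in_policy" if score >= THRESHOLD else "below_threshold"
        elif cve:
            key = "unrated_cve"      # has a CVE-ID: look the rating up by hand
        else:
            key = "no_cve"           # vendor content without a CVE-ID
        buckets[key].append(entry)
    return buckets


if __name__ == "__main__":
    for name, rows in triage(SAMPLE_CSV).items():
        for r in rows:
            print(f"{name:16} {r['id']:12} {r['cve'] or '-':14} due {r['due']}")
```

Rows in `unrated_cve` carry a provisional due date computed as if they were in policy, so the two-week clock is not lost while the rating is looked up.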