Evaluating Vulnerability Impact


In many cases you may want to learn more about a vulnerability before deciding whether to take action and what action to take. The CVE IDs on the vulnerability tab are linked to the OS vendor security information for each CVE, and this is a good place to look for more detailed information, including vendor specific vulnerability details and severity ratings.


Detailed information on CVEs is also available from the NVD website. The NVD data also includes CVSS (Common Vulnerability Scoring System) metrics, and references providing additional information from vendors and security analysts. You can also just search for the CVE ID on the Internet.


The vulnerability severity ratings in the extension are provided by the Imunify QuickPatch service, and can be understood as follows:

Severity: 10.0
Definition: Critical vulnerabilities with severe impact (e.g., gaining root access or a crash), typically exploitable remotely, relatively easy to exploit and having known active exploits.
Recommended action: Most externally visible servers should be fixed immediately, even if they are not hosting mission-critical apps or apps storing personal information.

Severity: 9.0
Definition: Critical vulnerabilities with severe impact and known active exploits; unlike severity 10, these are harder to exploit on servers (e.g., man-in-the-middle attacks).
Recommended action: Servers in medium-sensitivity environments will also want to fix these right away, while most others may schedule the update as part of a regular maintenance process.

Severity: 8.0
Definition: Critical vulnerabilities that are either hard to exploit or unlikely to affect most typical server installations (e.g., Java vulnerabilities requiring custom code to exploit).
Recommended action: Highly sensitive apps and/or apps executing subscriber-uploaded code (e.g., PaaS) may need to be updated immediately; most others can be updated as part of a regular maintenance process.

Severity: 6.0-7.0
Definition: Not defined.
Recommended action: n/a

Severity: 1.0-5.0
Definition: All other vulnerabilities; the severity value is based on the NVD CVSS base score and vendor-provided severity levels, with 5.0 being the highest risk/impact and 1.0 being the lowest.
Recommended action: Impact and vulnerability should be evaluated to determine whether immediate action is required; for most systems, updates/fixes can be applied at regular scheduled intervals, batching multiple updates together.

Severity: 0.0
Definition: Unknown severity level, e.g., for new and not-yet-published vulnerabilities.
Recommended action: Review/find more information to decide on update action. As we compile information from multiple sources, in many cases we can provide more information and severity evaluation even before details are published in the NVD database.
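The following is an added triage helper that encodes the severity bands and recommended actions from the table above; it is not code from the extension or the Imunify QuickPatch service. The HostProfile fields (externally_visible, sensitivity, runs_uploaded_code) are assumptions chosen to mirror the conditions named in the recommended-action column, the choice of "scheduled" for cases the table does not spell out is an assumption, and the findings list is constructed sample data with placeholder CVE ids.

```python
"""Triage findings from the vulnerability tab using the severity bands above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostProfile:
    externally_visible: bool   # assumption: reachable from the Internet
    sensitivity: str           # assumption: "low", "medium" or "high"
    runs_uploaded_code: bool   # assumption: e.g. PaaS executing subscriber code


def severity_band(severity: float) -> str:
    """Map an extension severity value to the band the table defines."""
    if severity == 10.0:
        return "critical-10"
    if severity == 9.0:
        return "critical-9"
    if severity == 8.0:
        return "critical-8"
    if 1.0 <= severity <= 5.0:
        return "standard"
    if severity == 0.0:
        return "unknown"
    # 6.0-7.0 is "not defined" on the scale; anything else is malformed input.
    raise ValueError(f"severity {severity} is outside the defined scale")


def recommended_action(severity: float, host: HostProfile) -> str:
    """Return 'immediate', 'scheduled' or 'review' following the table."""
    band = severity_band(severity)
    if band == "critical-10":      # fix externally visible servers immediately
        return "immediate" if host.externally_visible else "scheduled"
    if band == "critical-9":       # medium sensitivity and above: fix right away
        return "immediate" if host.sensitivity in ("medium", "high") else "scheduled"
    if band == "critical-8":       # highly sensitive or runs uploaded code
        return "immediate" if host.sensitivity == "high" or host.runs_uploaded_code else "scheduled"
    if band == "standard":         # evaluate, then batch into regular maintenance
        return "scheduled"
    return "review"                # unknown severity: gather more information first


def triage(findings, host):
    """Order findings: immediate first, then review, then scheduled; higher severity first."""
    rank = {"immediate": 0, "review": 1, "scheduled": 2}
    decided = [(cve, sev, recommended_action(sev, host)) for cve, sev in findings]
    return sorted(decided, key=lambda t: (rank[t[2]], -t[1]))


# Constructed sample findings; the CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [("CVE-0000-0001", 3.5), ("CVE-0000-0002", 10.0),
                   ("CVE-0000-0003", 0.0), ("CVE-0000-0004", 8.0)]

if __name__ == "__main__":
    host = HostProfile(externally_visible=True, sensitivity="low", runs_uploaded_code=False)
    for cve, sev, action in triage(SAMPLE_FINDINGS, host):
        print(f"{action:<10} {sev:>4}  {cve}")
```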