Atlassian security advisories include a severity level. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry-standard vulnerability metric. You can learn more about CVSS at FIRST.org.
For CVSS v3 Atlassian uses the following severity rating system:
| CVSS v3 score range | Severity in advisory |
|---|---|
| 0.1 - 3.9 | Low |
| 4.0 - 6.9 | Medium |
| 7.0 - 8.9 | High |
| 9.0 - 10.0 | Critical |
Below are a few examples of vulnerabilities which may result in a given severity level. Please keep in mind that this rating does not take into account the details of your installation and is to be used as a guide only.
Severity Level: Critical
Vulnerabilities that score in the critical range usually have most of the following characteristics:
- Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
- Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.
For critical vulnerabilities, it is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, a mitigating factor could be that your installation is not accessible from the Internet (bear in mind that an attacker who already has a foothold on your internal network can still reach it).
Severity Level: High
Vulnerabilities that score in the high range usually have some of the following characteristics:
- The vulnerability is difficult to exploit.
- Exploitation could result in elevated privileges.
- Exploitation could result in a significant data loss or downtime.
Severity Level: Medium
Vulnerabilities that score in the medium range usually have some of the following characteristics:
- Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
- Denial of service vulnerabilities that are difficult to set up.
- Exploits that require an attacker to reside on the same local network as the victim.
- Vulnerabilities where exploitation provides only very limited access.
- Vulnerabilities that require user privileges for successful exploitation.
Severity Level: Low
Vulnerabilities in the low range typically have very little impact on an organization's business. Exploitation of such vulnerabilities usually requires local or physical system access.
Back in April, I wrote a blog post about the new version of the Common Vulnerability Scoring System (CVSS). The changes made for CVSSv3 addressed some of the challenges that existed in CVSSv2. For example, CVSSv3 analyzes the scope of a vulnerability and identifies the privileges an attacker needs to exploit it. The CVSSv3 enhancements allow vendors to better analyze security vulnerability impact. The changes in CVSSv3 also help our customers more easily determine the urgency with which they need to respond to vulnerabilities.
In my previous blog post, I shared the details of a study that analyzed the differences between CVSSv2 and CVSSv3 scores using scores provided by the National Vulnerability Database (NVD). I have continued to monitor the way vulnerabilities are scored using the new version of CVSS because Cisco will soon begin supporting the new version. In my previous study, back in April, I analyzed 745 vulnerabilities. I recently expanded the data set, and this new analysis includes a total of 3862 vulnerabilities. I kept the scores and data vendor-neutral and used only NVD's CVSSv2 and CVSSv3 scores.
If you are not familiar with the CVSS metrics, you can read the CVSSv3 specification at FIRST’s website: https://www.first.org/cvss/specification-document. You can also use the CVSSv3 calculator: https://www.first.org/cvss/calculator/3.0
FIRST has also published several examples of CVSSv2 vs. CVSSv3 scores at: https://www.first.org/cvss/examples
I have included screenshots of the Base, Temporal, and Environmental metrics from FIRST below for your reference.
Figure 1 – CVSSv3 Base Metrics
Figure 2 – CVSSv3 Temporal Metrics
Figure 3 – CVSSv3 Environmental Metrics
The total number of vulnerabilities studied was 3862. These were vulnerabilities disclosed from January 1, 2016 through October 6, 2016, and the source of the data is NVD.
The average base score increased from 6.5 (CVSSv2) to 7.4 (CVSSv3). This is illustrated in Figure 4.
Figure 4 – Average Base Score
Cisco adopted a Security Impact Rating (SIR) in 2015, which uses essentially the same scale as the CVSSv3 qualitative severity rating scale. This was done to help organizations properly assess and prioritize their vulnerability management processes.
Figures 5 and 6 include high-level statistics for the qualitative severity differences between CVSSv2 and CVSSv3 scores for the vulnerabilities assessed in this study.
Figure 5 – Qualitative Metrics Change
Figure 6 – CVSSv2 vs. CVSSv3 Qualitative Metrics Distribution
There were several vulnerabilities whose base score moved from a higher to a lower qualitative (QM) category when scored with CVSSv3. The following table depicts vulnerabilities for which the QM category decreased (not just the score) when going from CVSSv2 to CVSSv3.
However, there were far more vulnerabilities whose CVSSv2 base score increased when scored with CVSSv3.
Seventy-four percent (74%) of the vulnerabilities that scored Low in CVSSv2 increased to Medium when scored with CVSSv3.
Figure 7– Low to Medium Change
The following table summarizes the top 3 Common Weakness Enumeration (CWE) identifiers of the vulnerabilities that increased from Low to Medium when scored with CVSSv3.
Forty-four percent (44%) of the vulnerabilities that scored Medium in CVSSv2 increased to High when scored with CVSSv3.
Figure 8– Medium to High Change
The following table summarizes the top 3 CWEs of the vulnerabilities that increased from Medium to High when scored with CVSSv3.
Twenty-eight percent (28%) of the vulnerabilities that scored High in CVSSv2 increased to Critical when scored with CVSSv3.
Figure 9 – High to Critical Change
The following table summarizes the top 3 CWEs of the vulnerabilities that increased from High to Critical when scored with CVSSv3.
Why Should I Care?
One thousand seventy-seven (1077) vulnerabilities moved from Low or Medium under CVSSv2 to High or Critical under CVSSv3. That is a 52% increase in High or Critical vulnerabilities.
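If you want to reproduce this kind of qualitative-shift analysis on your own NVD data, the following is an added example (not Cisco's analysis code) that buckets each record by its v2 and v3 bands, builds the transition counts behind Figures 5 through 9, and reports the same percentages the study quotes. It assumes the record layout of the legacy NVD JSON 1.1 feeds (`impact.baseMetricV2.cvssV2.baseScore` and `impact.baseMetricV3.cvssV3.baseScore`); if you pull from the newer NVD 2.0 API, adjust the key paths in `scores`. The feed items below are constructed, not real CVEs, so the percentages they produce are illustrative only.

```python
"""Bucket NVD records by CVSSv2 and CVSSv3 band and count transitions.

Added example, not Cisco's study code. Assumes the legacy NVD JSON 1.1
feed layout for each item; the sample items are constructed, not real CVEs.
"""
from collections import Counter


def v2_band(score: float) -> str:
    """NVD's three-band CVSSv2 scale: Low, Medium, High."""
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    return "High"


def v3_band(score: float) -> str:
    """CVSSv3 qualitative scale, which adds Critical at 9.0 and above."""
    if score == 0.0:
        return "None"
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    if score <= 8.9:
        return "High"
    return "Critical"


def scores(item: dict) -> tuple:
    """Return (v2, v3) base scores from one feed item; None where a metric is absent."""
    impact = item.get("impact", {})
    v2 = impact.get("baseMetricV2", {}).get("cvssV2", {}).get("baseScore")
    v3 = impact.get("baseMetricV3", {}).get("cvssV3", {}).get("baseScore")
    return v2, v3


def analyze(items: list) -> dict:
    """Average scores, band transition counts, and the study's headline percentages."""
    pairs = [(v2, v3) for v2, v3 in map(scores, items)
             if v2 is not None and v3 is not None]  # items lacking either score are skipped
    if not pairs:
        raise ValueError("no items carry both a CVSSv2 and a CVSSv3 base score")

    transitions = Counter((v2_band(a), v3_band(b)) for a, b in pairs)
    by_v2 = Counter(v2_band(a) for a, _ in pairs)

    def pct(src: str, dst: str) -> float:
        """Share of vulnerabilities in v2 band `src` that landed in v3 band `dst`."""
        return round(100.0 * transitions[(src, dst)] / by_v2[src], 1) if by_v2[src] else 0.0

    moved_up = sum(count for (src, dst), count in transitions.items()
                   if src in ("Low", "Medium") and dst in ("High", "Critical"))
    return {
        "n": len(pairs),
        "avg_v2": round(sum(a for a, _ in pairs) / len(pairs), 1),
        "avg_v3": round(sum(b for _, b in pairs) / len(pairs), 1),
        "transitions": dict(transitions),
        "low_to_medium_pct": pct("Low", "Medium"),
        "medium_to_high_pct": pct("Medium", "High"),
        "high_to_critical_pct": pct("High", "Critical"),
        "moved_up_to_high_or_critical": moved_up,
    }


def make_item(cve_id: str, v2: float = None, v3: float = None) -> dict:
    """Build a minimal constructed item in the NVD JSON 1.1 shape."""
    item = {"cve": {"CVE_data_meta": {"ID": cve_id}}, "impact": {}}
    if v2 is not None:
        item["impact"]["baseMetricV2"] = {"cvssV2": {"baseScore": v2}}
    if v3 is not None:
        item["impact"]["baseMetricV3"] = {"cvssV3": {"baseScore": v3}}
    return item


# Constructed sample feed: placeholder IDs and scores, not real CVE data.
SAMPLE_ITEMS = [
    make_item("CVE-0000-0001", 2.1, 5.5),   # Low -> Medium
    make_item("CVE-0000-0002", 3.5, 3.3),   # Low -> Low
    make_item("CVE-0000-0003", 4.3, 6.1),   # Medium -> Medium
    make_item("CVE-0000-0004", 5.0, 7.5),   # Medium -> High
    make_item("CVE-0000-0005", 6.8, 8.8),   # Medium -> High
    make_item("CVE-0000-0006", 7.5, 9.8),   # High -> Critical
    make_item("CVE-0000-0007", 7.2, 6.5),   # High -> Medium (a decrease)
    make_item("CVE-0000-0008", 5.0),        # no v3 score yet: skipped
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_ITEMS).items():
        print(f"{key}: {value}")
```

The skip of items without both scores matters for real feeds: during the v3 roll-out many older entries carried only a v2 score, and counting those as "no change" would silently flatten the upward shift the study describes.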
As stated in our Security Vulnerability Policy and in all of our security advisories:
“Cisco will provide an evaluation of the base vulnerability score, and in some instances, will provide a temporal vulnerability score. End users are encouraged to compute the environmental score based on their network parameters. The combination of all three scores should be considered the final score, which represents a moment in time and is tailored to a specific environment. Organizations are advised to use this final score to prioritize responses in their own environments. In addition, Cisco uses the Security Impact Rating (SIR) as a way to categorize vulnerability severity in a simpler manner. The SIR is based on the CVSS base score, adjusted by PSIRT to account for Cisco-specific variables, and will be included in every Cisco Security Advisory.”
Cisco takes a comprehensive approach to security and trust. Transparency and accountability in vulnerability management through Cisco's Product Security Incident Response Team (PSIRT) are among our core principles. This is why I want to share these results with you in anticipation of Cisco PSIRT using CVSSv3 in the first half of 2017.