UPDATE: We have now changed the deployment date for this change to March 9, 2023.
In order to align with industry standards and vulnerability scoring in WithSecure Elements Endpoint Protection, Elements Vulnerability Management will introduce CVSSv3 vulnerability scoring.
What is happening?
Since the introduction of Elements Vulnerability Management, it has used CVSS v2 for vulnerability scoring.
Starting from March 1, 2023, Elements Vulnerability Management will start using CVSS v3.1.
As a consequence, the 4-level vulnerability severity scale (High/Medium/Low/Info) changes to a 5-level scale by adding “Critical” for the vulnerabilities with the highest scores. The change will also affect color coding in the system: red will be reserved for critical vulnerabilities, while orange will be applied to high-severity vulnerabilities.
Why do we need this change?
Firstly, a short introduction about CVSS.
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of software and hardware security vulnerabilities. The specification and versioning of CVSS is owned and maintained by FIRST (the Forum of Incident Response and Security Teams). The CVSS has continued to evolve over the years and with the latest updated version the community works to improve the scoring system. While the first version of CVSS v3 was released in 2015, it was updated to CVSS v3.1 in 2019 to clarify and improve the existing standard.
NVD.NIST.GOV is the known-vulnerability database maintained by NIST, a U.S. government agency that also maintains standards. Researchers assign CVE numbers and examine CVSS metrics to understand how hard an exploit is to carry out and how much damage it can cause if the attacker is successful.
NVD stopped providing CVSSv2 classifications on new vulnerabilities in September 2022, and now exclusively uses CVSSv3.1 as it is the current industry standard.
Our Endpoint Protection products already use CVSSv3.x for their Software Updater feature, and changing Elements Vulnerability Management to the same standard removes inconsistencies in scoring between Elements solutions.
CVSSv3.1 separates the most critical vulnerabilities from the broader set of high-severity ones, giving better visibility of the vulnerabilities that matter most.
What you need to know
The most obvious change for administrators is that, as a consequence of introducing CVSSv3, there is now a 5-level vulnerability severity scale.
Figure 1 Source: https://nvd.nist.gov/vuln-metrics/cvss
Here is how it will look in the EVM Portal after the change:
Here is an example of a real-world vulnerability; you can see that the scoring has actually changed due to the move from CVSSv2 to CVSSv3.1.
While shifting to a new standard helps organizations better assess the severity of a given vulnerability, there are also some significant consequences of shifting to the new standard that customers need to be aware of.
Unexpected changes in vulnerability counters
Because the numeric ranges for each of the categories have changed with the introduction of CVSSv3.1, some existing detected vulnerabilities may change their level of criticality. This may cause unexpected changes in the vulnerability counters.
After some use of the EVM system with the new version of CVSS, this will normalize, and it is not anticipated that the level of criticality will change often for existing vulnerabilities. This is only expected to happen if NVD recategorizes the level after further information is found.
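The counter shift described above comes from two things: the qualitative bands differ between the two CVSS versions, and the v3.1 base score of a vulnerability is not derived from its v2 score. The following is an added example, not WithSecure's code and not part of the EVM product; the bands are NVD's published qualitative rating scales, while the findings and their scores are constructed for illustration.

```python
"""Added example, not WithSecure's code: how the NVD qualitative severity
bands differ between CVSS v2 and CVSS v3.1, and why re-scoring an existing
inventory shifts the per-severity counters (the bands are NVD's published
ones; the findings and their scores below are constructed)."""
from collections import Counter

# NVD qualitative rating bands (https://nvd.nist.gov/vuln-metrics/cvss).
# v2 has three bands; v3.x narrows "High" and adds "Critical" on top.
CVSS_V2_BANDS = [(0.0, 3.9, "Low"), (4.0, 6.9, "Medium"), (7.0, 10.0, "High")]
CVSS_V31_BANDS = [(0.0, 0.0, "None"), (0.1, 3.9, "Low"), (4.0, 6.9, "Medium"),
                  (7.0, 8.9, "High"), (9.0, 10.0, "Critical")]


def severity(score, bands):
    """Map a base score to its qualitative label under the given bands."""
    score = round(float(score), 1)  # CVSS base scores carry one decimal
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for low, high, label in bands:
        if low <= score <= high:
            return label
    raise ValueError(f"no band for score {score}")


# Constructed inventory: each finding carries a v2 score and a v3.1 score.
# The two are not related by any fixed formula, which is why there is no
# like-for-like mapping between old and new severity levels.
FINDINGS = [
    {"id": "FINDING-1", "v2": 10.0, "v31": 9.8},
    {"id": "FINDING-2", "v2": 7.5, "v31": 9.8},
    {"id": "FINDING-3", "v2": 7.2, "v31": 7.8},
    {"id": "FINDING-4", "v2": 4.3, "v31": 6.1},
    {"id": "FINDING-5", "v2": 5.0, "v31": 7.5},
    {"id": "FINDING-6", "v2": 2.1, "v31": 5.5},
]


def severity_counters(findings, version):
    """Per-severity counts, as a dashboard counter would show them for one version."""
    bands = CVSS_V2_BANDS if version == "v2" else CVSS_V31_BANDS
    return dict(Counter(severity(f[version], bands) for f in findings))


def rescoring_changes(findings):
    """Findings whose qualitative level changes when re-scored under v3.1."""
    changes = []
    for f in findings:
        before = severity(f["v2"], CVSS_V2_BANDS)
        after = severity(f["v31"], CVSS_V31_BANDS)
        if before != after:
            changes.append((f["id"], before, after))
    return changes


if __name__ == "__main__":
    print("CVSS v2 counters:  ", severity_counters(FINDINGS, "v2"))
    print("CVSS v3.1 counters:", severity_counters(FINDINGS, "v31"))
    for fid, before, after in rescoring_changes(FINDINGS):
        print(f"{fid}: {before} -> {after}")
```

Running the script shows the same six findings counted as 3 High / 2 Medium / 1 Low under v2 and as 2 Critical / 2 High / 2 Medium under v3.1; four of the six change level, and none of the changes can be predicted from the v2 score alone.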
Unexpected changes on the dashboard
For similar reasons, the dashboard view may become inconsistent for some time, as existing vulnerabilities are re-scored with the new values.
Tracking changes between previous and current week/month/quarter will be disrupted
If you rely on the ability to track changes between the previous and current time period, you should expect that this will be inconsistent for a while. Because there is no direct mapping between the CVSSv2 and CVSSv3 values, it is not possible to compare “like for like”.
Your custom-made integration via Elements VM API might need some changes
If you use the Elements API to retrieve information from Elements Vulnerability Management and then process that data further in your own application, you should check that your application can handle the five levels of criticality.
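A typical way such an integration breaks is a hard-coded table of the four old levels, combined with a ticketing rule written as "severity equals High". The following added example is not WithSecure's code and does not use the real Elements VM API; the response shape is constructed to illustrate the point. It shows a consumer that fails on the new "Critical" label beside one that ranks severities, compares against a threshold by rank, and quarantines labels it does not recognise instead of dropping them silently.

```python
"""Added example, not WithSecure's code and not the Elements VM API: a
consumer of vulnerability records that copes with the move from a 4-level
to a 5-level severity scale. The response payload below is constructed."""
import json

# Constructed sample response. Two records carry the new "Critical" level,
# one uses different casing, and one carries a label this consumer does
# not know ("Urgent", invented here to exercise the unknown-label path).
SAMPLE_RESPONSE = json.dumps({"items": [
    {"id": "FINDING-1", "severity": "Critical", "cvssScore": 9.8},
    {"id": "FINDING-2", "severity": "High", "cvssScore": 8.1},
    {"id": "FINDING-3", "severity": "Medium", "cvssScore": 5.3},
    {"id": "FINDING-4", "severity": "critical", "cvssScore": 9.1},
    {"id": "FINDING-5", "severity": "Info", "cvssScore": 0.0},
    {"id": "FINDING-6", "severity": "Urgent", "cvssScore": 7.0},
]})

# Before the change: only the four CVSSv2-era levels are known.
LEGACY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}


def legacy_open_ticket_ids(response_json):
    """Pre-change logic: raises KeyError as soon as it meets 'Critical'."""
    items = json.loads(response_json)["items"]
    return [i["id"] for i in items
            if LEGACY_RANK[i["severity"]] >= LEGACY_RANK["High"]]


# After the change: five levels, case-insensitive, unknown labels surfaced.
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize_severity(label):
    """Return the canonical lower-case level, or None if it is not a known level."""
    key = str(label).strip().lower()
    return key if key in RANK else None


def triage(response_json, threshold="High"):
    """Return (ids at or above threshold, counts per level, ids with unknown labels).

    Comparing by rank rather than by string equality means a rule written
    for "High" automatically includes "Critical" after the scale changes.
    """
    items = json.loads(response_json)["items"]
    min_rank = RANK[threshold.lower()]
    selected, unknown = [], []
    counts = {level: 0 for level in RANK}
    for item in items:
        level = normalize_severity(item.get("severity"))
        if level is None:
            # Fail closed: keep the record visible for review instead of
            # silently excluding it from counters and ticket creation.
            unknown.append(item["id"])
            continue
        counts[level] += 1
        if RANK[level] >= min_rank:
            selected.append(item["id"])
    return selected, counts, unknown


if __name__ == "__main__":
    try:
        legacy_open_ticket_ids(SAMPLE_RESPONSE)
    except KeyError as exc:
        print("legacy consumer failed on level:", exc)
    selected, counts, unknown = triage(SAMPLE_RESPONSE)
    print("open tickets for:", selected)
    print("counts:", counts)
    print("needs review (unknown level):", unknown)
```

The same threshold-by-rank approach applies to dashboards and reports built on top of the API: anything that filters on an exact label list needs the fifth level added, and anything that counts by label should treat an unrecognised label as a condition to alert on rather than one to ignore.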
Ticketing system: vulnerability score in open tickets might change
If you use data from the Elements Vulnerability Management ticketing system, you should be aware that the vulnerability score in open tickets might change as a result of the switch to CVSSv3.1.
Technical risk score evaluation might change
When shifting to the new standard, the asset risk score also has to be recalculated, taking into account the list of detected vulnerabilities, whose severity scores might have changed.