Can CVSS scoring system for vulnerabilities on Prisma Cloud be modified from CVSS v3.x to CVSS v2.x?

Created On 11/30/21 11:11 AM - Last Modified 04/30/22 06:58 AM


Question


  • Can CVSS scoring system for vulnerabilities on Prisma Cloud be modified from CVSS v3.x to CVSS v2.x?


Environment


  • Prisma Cloud Compute


Answer


Brief History on CVSS
  • Software, hardware and firmware vulnerabilities pose a critical risk to any organisation operating a computer network, and can be difficult to categorise and mitigate.
  • The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, as well as a textual representation of that score.
  • The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organisations properly assess and prioritise their vulnerability management processes (see: CVSS).
  • CVSS v2.x required users to have too much detailed knowledge of the exact impact of a vulnerability.
  • Additionally, there were complaints around several metrics in CVSS v2.x not being sufficient to distinguish between different types of vulnerabilities.
  • To overcome the shortcomings of CVSS v2.x, CVSS v3.0 introduced a number of changes in the scoring system that more accurately reflected the reality of vulnerabilities encountered in the wild (see: CVSS 3.0 Scoring System).
Scoring System on Prisma Cloud
  • Keeping the above security aspects in mind, Prisma Cloud leverages the CVSS v3.0 scoring system, which cannot be altered or modified.
  • In addition to this, in some cases, the OS vendor’s CVSS scoring and severity rating can differ from NVD’s rating.
  • This is based on the vendor’s analysis of the impact of the CVE specific to their OS and distro, which is the more accurate view of the vulnerability.
  • Prisma Cloud shows the vendor’s rating when reporting findings from workloads running the vendor’s OS, and falls back to NVD’s rating where applicable.

Examples

CVE-2021-21692

  • This has a CVSS v3.x score of 9.8 and is graded as "Critical" by NVD (see: CVE-2021-21692).
  • The same CVE under CVSS v2.x has a base score of 7.5 and is graded as "High".
  • Going by the vendor analysis, this CVE is graded as "SECURITY-2455: Critical", and hence Prisma Cloud goes by the vendor's rating and reports this as "Critical" (see: Jenkins Security Advisory 2021-11-04).

CVE-2021-33574

  • This has a CVSS v3.0 score of 9.8 and is graded as "Critical" by NVD (see: CVE-2021-33574).
  • The same CVE is graded as "Low" by Ubuntu and "Medium" by Red Hat, each based on its own CVSS scoring.
  • For workloads running Ubuntu, Prisma Cloud reports Ubuntu’s rating, rather than NVD’s rating.
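The following is an added example, not Prisma Cloud's own code, that models the rating logic described above: a CVSS base score is mapped to its qualitative band (the v2 and v3 ranges published by FIRST), and the severity reported for a finding is the vendor's rating when the workload runs that vendor's OS or product, falling back to NVD's CVSS v3 rating otherwise. The CVE records are constructed from the figures in the two examples; the vendor keys ("jenkins", "ubuntu", "redhat"), the `CveRecord` type and the function names are assumptions made for the illustration.

```python
"""Added example (not Prisma Cloud code): vendor-first severity resolution.

Shows why the same CVE can be "Critical" under CVSS v3, "High" under
CVSS v2, and "Low" for an Ubuntu workload, and how a scanner picks the
rating to report. Records below are constructed from the article's figures.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Qualitative severity bands published by FIRST (upper bound inclusive).
# CVSS v3.x has a "None" band for 0.0; CVSS v2 does not.
CVSS_V3_BANDS = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"),
                 (8.9, "High"), (10.0, "Critical")]
CVSS_V2_BANDS = [(3.9, "Low"), (6.9, "Medium"), (10.0, "High")]

# Rank used when prioritising findings for remediation.
SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def qualitative(score: float, version: str) -> str:
    """Map a CVSS base score to its severity label for the given version ("2.0", "3.0", "3.1")."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    bands = CVSS_V3_BANDS if version.startswith("3") else CVSS_V2_BANDS
    for upper, label in bands:
        if score <= upper:
            return label
    raise AssertionError("unreachable: score validated above")


@dataclass
class CveRecord:
    """Constructed record type: NVD scores plus per-vendor severity labels."""
    cve_id: str
    nvd_v3_score: float
    nvd_v2_score: Optional[float] = None
    # Vendor/distro severity labels keyed by an assumed vendor identifier.
    vendor_ratings: dict[str, str] = field(default_factory=dict)


def resolve_severity(record: CveRecord, workload_vendor: Optional[str]) -> tuple[str, str]:
    """Return (severity, source).

    The vendor's rating wins when the workload runs that vendor's OS or
    product; otherwise fall back to NVD's CVSS v3 qualitative rating.
    """
    if workload_vendor and workload_vendor in record.vendor_ratings:
        return record.vendor_ratings[workload_vendor], f"vendor:{workload_vendor}"
    return qualitative(record.nvd_v3_score, "3.x"), "nvd:cvss-v3"


def rating_summary(record: CveRecord, workload_vendor: Optional[str]) -> dict[str, object]:
    """Side-by-side view of v3, v2 and the rating actually reported."""
    return {
        "cvss_v3": qualitative(record.nvd_v3_score, "3.x"),
        "cvss_v2": (qualitative(record.nvd_v2_score, "2.0")
                    if record.nvd_v2_score is not None else None),
        "reported": resolve_severity(record, workload_vendor),
    }


def prioritize(findings: list[tuple[CveRecord, Optional[str]]]) -> list[str]:
    """Order findings by the severity that would be reported, highest first."""
    ranked = sorted(findings,
                    key=lambda f: SEVERITY_RANK[resolve_severity(*f)[0]],
                    reverse=True)
    return [rec.cve_id for rec, _ in ranked]


# Constructed from the figures quoted in the article above.
RECORDS = {
    "CVE-2021-21692": CveRecord("CVE-2021-21692", 9.8, 7.5, {"jenkins": "Critical"}),
    "CVE-2021-33574": CveRecord("CVE-2021-33574", 9.8, None,
                                {"ubuntu": "Low", "redhat": "Medium"}),
}

if __name__ == "__main__":
    for cve, vendor in (("CVE-2021-21692", "jenkins"), ("CVE-2021-33574", "ubuntu"),
                        ("CVE-2021-33574", None)):
        print(cve, vendor, rating_summary(RECORDS[cve], vendor))
```

Running it shows CVE-2021-33574 reported as "Low" on an Ubuntu workload but "Critical" on a workload whose vendor has published no rating, which is the fallback behaviour the article describes; a triage queue built on `prioritize` therefore puts the Jenkins finding ahead of the Ubuntu glibc one.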


Additional Information


For more information, refer to Prisma Cloud CVSS scoring.
