For each vulnerability found in your environment, Alert Logic assigns a severity rating based on the Common Vulnerability Scoring System (CVSS) scores set by the National Institute of Standards and Technology (NIST) and reported to the National Vulnerability Database (NVD). Previously, only CVSS v2 scores were supported. Now, Alert Logic also supports CVSS Version 3.x (CVSS v3) scores and severities for vulnerabilities found during scans. As a result of this update, Alert Logic supports both CVSS v2 and CVSS v3 scores in the Alert Logic console data and reports.
| Severity rating | CVSS v2 score range | CVSS v3 score range |
|---|---|---|
| Critical | Not applicable | 9.0 – 10.0 |
| High | 7.0 – 10.0 | 7.0 – 8.9 |
| Medium | 4.0 – 6.9 | 4.0 – 6.9 |
| Low | 0.1 – 3.9 | 0.1 – 3.9 |
| Informational | 0.0 | 0.0 |
Some vulnerabilities in the NIST NVD only have a CVSS v2 or v3 score and others have both CVSS v2 and CVSS v3 scores. Alert Logic displays scores and severities based on the following rules to ensure the most recent values are promoted:
- If only a CVSS v2 score exists, Alert Logic displays the CVSS v2 score and severity rating.
- If only a CVSS v3 score exists, Alert Logic displays the CVSS v3 score and severity rating.
- If both CVSS v2 and CVSS v3 scores exist, Alert Logic displays the CVSS v3 score and severity rating.
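The following is an added example, not Alert Logic code: it applies the score bands and precedence rules above to a list of findings and reports which ones change rating once a CVSS v3 score is promoted over the v2 score. The field names (`id`, `v2`, `v3`), the function names, and the sample findings are assumptions constructed for illustration.

```python
# Added example (not Alert Logic code); field names and findings are constructed.
from typing import NamedTuple, Optional

# Score bands from the table above as (lower bound, rating), highest first.
# CVSS v2 has no Critical band, so 9.0-10.0 on v2 is still High.
BANDS = {
    "v2": [(7.0, "High"), (4.0, "Medium"), (0.1, "Low"), (0.0, "Informational")],
    "v3": [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"),
           (0.0, "Informational")],
}

class Displayed(NamedTuple):
    version: Optional[str]
    score: Optional[float]
    severity: Optional[str]

def severity(version: str, score: float) -> str:
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return next(name for floor, name in BANDS[version] if score >= floor)

def displayed(v2: Optional[float], v3: Optional[float]) -> Displayed:
    """Apply the precedence rules: the v3 score wins whenever it exists."""
    if v3 is not None:
        return Displayed("v3", v3, severity("v3", v3))
    if v2 is not None:
        return Displayed("v2", v2, severity("v2", v2))
    return Displayed(None, None, None)  # unscored: the page defines no rule

def severity_shifts(findings):
    """Findings whose rating under v2 differs from the promoted v3 rating."""
    shifts = []
    for f in findings:
        shown = displayed(f.get("v2"), f.get("v3"))
        if f.get("v2") is not None and shown.version == "v3":
            old = severity("v2", f["v2"])
            if old != shown.severity:
                shifts.append((f["id"], old, shown.severity))
    return shifts

FINDINGS = [  # constructed sample data
    {"id": "VULN-A", "v2": 10.0, "v3": 9.8},  # High under v2, Critical under v3
    {"id": "VULN-B", "v2": 7.5, "v3": 6.5},   # High under v2, Medium under v3
    {"id": "VULN-C", "v2": 9.3},              # v2 only: stays High
    {"id": "VULN-D", "v3": 0.0},              # v3 only: Informational
    {"id": "VULN-E", "v2": 5.0, "v3": 5.3},   # Medium under both
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["id"], displayed(f.get("v2"), f.get("v3")))
    print(severity_shifts(FINDINGS))
```

Running a comparison like this over an export of scan results shows which findings will move between severity filters after the v3 scores are promoted.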
CVSS Scores and Severities in the Alert Logic Console
You can find CVSS v3 scores and severities in several places within the Alert Logic console (after your next scan), including:
- Exposures console – (navigation menu) > Respond > Exposures
Within the Exposures console, you can filter by Severity ratings via the left-hand Filters panel. CVSS scores and severity icons are displayed before the vulnerability name, and the list can be sorted by Severity in descending or ascending order.
- Any vulnerability-related report – (navigation menu) > Validate > Reports > Vulnerability
Wherever you find vulnerability distribution summaries in reports, you will now also find CVSS v3 scores and severities in filter sections, charts, and tables, for example in the Current Vulnerabilities Breakdown report.
- On several dashboards – (navigation menu) > Dashboards
CVSS scores and severities within the Vulnerability Summary and Managed Account Security Status dashboards have been updated to support CVSS v3.
CVSS Versions in the Alert Logic Console
You can determine the specific CVSS version being displayed in several places within the Alert Logic console, including:
- Exposures Details – (navigation menu) > Respond > Exposures
Within the Exposures console, CVSS version details are available by clicking Open for a specific vulnerability and viewing the CVSS Score section below the Description text.
- Remediations Details – (navigation menu) > Respond > Exposures > View Remediations
Within the Exposures console, you can select View Remediations from the drop-down menu. CVSS version and score details are available via the preview by clicking View for a specific remediation.
- Vulnerability Library – (navigation menu) > Investigate > Vulnerability Library
Within the Vulnerability Library, you can filter by Severity ratings via the left-hand Filters panel. CVSS scores and severity icons are displayed, and CVSS version details for vulnerabilities are also available by clicking Open.
Additional Resources
Learn more about CVSS scores and severities with the following Alert Logic documentation.
Documentation