A Guide to Understanding Vulnerability Reporting and Scoring

To understand the world of cybersecurity vulnerability scoring, there is no better place to start than defining the most commonly used  acronyms.  These 4 acronyms are essential for understanding vulnerability reporting and scoring.  As you dig in on this topic you will uncover even more acronyms, but let’s start with these 4:

  • CVE: Common Vulnerabilities and Exposures
  • CNA: CVE Numbering Authority
  • KEV: Known Exploited Vulnerabilities
  • CVSS: Common Vulnerability Scoring System

These acronyms are used by many software companies, vulnerability management systems and aggregators and customers of software vendors.  They are used to identify and assess vulnerabilities, which is essential for keeping systems and data secure. Let’s see what they are in detail.

CVE

The Common Vulnerability and Exposure (CVE) is a unique identifier for publicly known cyber security vulnerabilities.

CVEs are important because they provide a common language for describing vulnerabilities. This allows security researchers, vendors, and organizations to quickly and easily identify and track vulnerabilities.

CNA

An organization can become a CVE Numbering Authority as “…vendor, researcher, open source, CERT, hosted service, and bug bounty provider organizations” according to CVE.org  A CNA is then “authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage.”

The CNAs work to ensure that CVEs are assigned in a consistent and reliable manner. The CNAs also work to promote the use of CVEs by security researchers, vendors, and organizations.

KEV

Known Exploited Vulnerabilities (KEVs) are vulnerabilities that have been publicly disclosed and for which there is known exploit code available. KEVs are a subset of all vulnerabilities, and they represent the most serious and immediate threats.

By giving higher priority to KEVs, organizations can reduce the risk of being actively exploited by attackers.

CVSS

The Common Vulnerability Scoring System (CVSS) is a method for assessing the severity of software vulnerabilities. The CVSS is based on multiple factors: impact of the vulnerability, ease of exploitation, and availability of exploit code.

A CVSS Score can also be used to prioritize security efforts and to make informed decisions about how to mitigate vulnerabilities.

Dig deeper on these acronyms and related topics at:  https://www.cve.org/ResourcesSupport/FAQs

Vulnerabilities and SAP

I have worked with SAP implementations for the past 18 years.  So, I will put these acronyms into the context of an SAP implementation.  This focus area of SAP Consulting is typically considered part of SAP Cybersecurity.

CVSS Moving to Version 4

The CVSS updated from version 3 (CVSS3) to version 4 (CVSS4) in June 2023. CVSS4 is a significant update with several new features:

  • Support for additional and more complex types of vulnerabilities
    • “Zero-Day” Vulnerabilities
    • Vulnerabilities that are manifested through multi-vector attacks.
  • A new scoring model that is more accurate and reliable
  • A new interface that is easier to use

SAP and CVEs

SAP is a global software company that provides a wide range of business software solutions. SAP manages its reporting of security vulnerabilities in coordination with the assignment of a CVE to each vulnerability.  SAP became a CNA in 2017.  So, vulnerabilities identified by SAP since that timeframe should include a CVE number whenever this is relevant.

SAP Security Patch Day is the second Tuesday of every month when SAP releases security patches for its software. These patches are designed to fix vulnerabilities that could be exploited by attackers.  When the monthly announcement of vulnerabilities is published, it includes the assigned CVE numbers, as well as the initial CVSS scoring.  Later, the scoring may be adjusted up or down based on further analysis or additional discoveries that might occur after the initial announcement.

Related:   The Big Cybersecurity Error Companies Make and Four Steps To Correct It

In SAP jargon, the Security Patches are called “Security Notes”.  Security notes include detailed information about the vulnerability.  They will also typically include correction code or manual instructions which the SAP Administrators (typically the SAP Basis Team) will implement according to the company’s change management process.

CVEs and a CVSS score for each security note are helpful tools that the SAP admins can use to review, triage, and remediate vulnerabilities.    The Basis Admins do not depend exclusively on the CVSS Score to triage the remediation tasks. The SAP Basis admins also have other training and contextual knowledge that they apply to the prioritization of remediation activities.

An SAP-focused Vulnerability Management System, from SecurityBridge, for example, can help to keep SAP customers on track for their SAP Security Notes. 

Impact of CVSS4 on SAP Security Notes

CVSS4 may have a significant impact on the analysis, triage, and application of SAP Security Notes. The CVSS scores of SAP security notes will be updated to reflect the new CVSS4 scoring methodology. This will allow organizations to make more informed decisions about security investments.

Vulnerability Management Companies and customers of SAP that track their applicable vulnerabilities in a platform, such as SecurityBridge, will need to know which “scoring method” is in use for their remediation teams.  So, for example, a remediation team might want to track vulnerabilities on the CVSS3 scoring system and then transition to the CVSS4 scoring system on a specified date, such as the end of a quarter.

I recommend to consult your vendor and they will work with you to understand any significant changes to the scores and when their software will reflect the CVSS4 data.  But, for the most part, there will be a reliance on SAP (and any other CNA) to guide their customer base for when the SAP CVEs will be displayed with a CVSS4-computed score.

Conclusion

Vulnerability reporting and scoring are important aspects of vulnerability management. By understanding these concepts and with the help of a Vulnerability Mgmt System, organizations can effectively assess the impact, complexity, and severity of vulnerabilities and then, prioritize remediation efforts.

Freelance SAP Consultant

Barry Snow has been working in the corporate IT industry since 1996. He focused his IT career on SAP in 2006. Barry's top two passions in SAP are Cybersecurity and Data. Barry has broad cross-module exposure in both SAP Security (Administration and Testing) and in the SAP Data Mgmt disciplines.

In the past 6 years, Barry has consulted on over 30 corporate implementations of SAP Vulnerability Management and Threat Detection solutions around the globe. He is a regular content creator in the SAP Community on LinkedIn, and he is now also writing occasional articles on SAP topics. Barry is currently working freelance on a long term contract with SecurityBridge, the pure-play leader in SAP Cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *