One aspect of IT security is risk assessment and risk management. Newly announced or discovered vulnerabilities need to be evaluated and put into context to understand the impact they have. A widely-used framework to measure such issues is the Common Vulnerability Scoring System (CVSS).
In practice, two versions are currently in use and coexist: CVSS v2, released in 2007, and CVSS v3.0, released in 2015. SUSE rates every security issue affecting our products with our own CVSS v2 score. That score can differ from the score given by the original reporter, because we assess the vulnerability in the context of our products and their default configuration. Sometimes only features that are not part of our shipped products are affected; in other cases the severity can be higher for us than reported, for instance because of how a component is used or configured in our products.
Because of some shortcomings in version 2 and the constantly evolving demands of assessing security threats, SUSE will move to CVSS v3.0 in the next couple of months. The date for completing this transition has not been fixed yet; we will report on the progress in upcoming announcements.
So, what’s new in CVSS version 3.0?
Both v2 and v3 have three metric groups: the Base, Temporal and Environmental metrics. Because the Temporal metrics can change over time and the Environmental metrics depend on the affected system and its surroundings, SUSE uses only the Base Score for its assessment.
The main differences from CVSS v2 are new base metrics. Scope (S) indicates whether a vulnerability in one component can affect resources beyond that component's own security scope (for example, a guest escaping to its hypervisor). User Interaction (UI) records that exploitation is only possible when a user takes some action, such as opening a crafted file. Privileges Required (PR) replaces the v2 Authentication (Au) metric and describes the level of privilege an attacker needs before exploitation. Access Complexity has been renamed Attack Complexity (AC) and now has only two values, Low and High, instead of the three in v2. Access Vector has been renamed Attack Vector (AV); the "Adjacent Network" value, for attacks limited to the same shared physical or logical network, already existed in v2 and is kept, and v3.0 adds a new value, "Physical", for attacks that require physical access to the vulnerable component.
The final numerical result of both CVSS v2 and CVSS v3.0 still lies between 0.0 and 10.0, so if you only consume the final score you can keep doing so after the transition. Be aware, though, that the formulas behind the two versions differ, so the same issue will generally get a different number under v3.0 (often a somewhat higher one), and v3.0 adds a qualitative rating scale (None, Low, Medium, High and Critical, with Critical covering 9.0 to 10.0) that has no direct v2 counterpart. Any fixed thresholds you apply to our scores, for example "treat everything at 7.0 or above as urgent", should be reviewed once we switch.