The SUSE Security Team uses industry standard rating systems for security vulnerabilities.
Simplified rating
The simplified rating is used by various software companies to let administrators decide quickly whether to apply an update and on what schedule. We publish our Update Notices labeled with this rating.
Rating | Definition |
---|---|
Critical | This rating is given to flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. These are the types of vulnerabilities that can be exploited by worms. Flaws that require an authenticated remote user, a local user, or an unlikely configuration are not classed as critical impact. |
Important | This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote unauthenticated users to cause a denial of service without user interaction. |
Moderate | This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity, or availability of resources under certain circumstances. These are the types of vulnerabilities that could have had critical or important impact but are less easily exploited based on a technical evaluation of the flaw, or that affect unlikely configurations. Local, persistent (the service needs to be restarted) denial of service conditions in basic system services (kernel, systemd, polkit, dbus, ...), with or without user interaction, should also be rated "moderate". |
Low | This rating is given to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences. |
CVSS v3.1 Score
SUSE currently uses CVSS v3.1 scoring to assess the severity of vulnerabilities and to determine their impact. The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It is developed by the US-based non-profit organization FIRST.org, and its main goal is to assign a consistent score to a vulnerability so that security administrators can prioritize responses and resources against specific threats.

CVSS v3.1 scoring consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments; the Temporal group reflects the characteristics of a vulnerability that change over time (for example, whether a working exploit or a fix exists); and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the metric values used to derive the score (for example, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Today, SUSE uses the Base score methodology to evaluate vulnerabilities throughout the support lifecycle of our products. SUSE reserves the right to adjust the final score of a vulnerability as more details become known and available during the analysis. The most current CVSS resources can be found at https://www.first.org/cvss/. The CVSS v3.1 calculator used by SUSE can be found at https://www.first.org/cvss/calculator/3.1
Because SUSE follows the industry standard CVSS v3.1 for vulnerability management, it is important to understand that a "high" severity vulnerability is one with a CVSS score of 7.0 or above (9.0 and above is "critical"); this is unrelated to the severity 1 or 2 levels used for operational incidents. The framework measures the severity of a given vulnerability, not the risk it poses to a particular deployment. The scoring of a vulnerability may vary between analysts, so the final score can differ slightly between the vendors affected by it. For a more accurate assessment of the impact, vendors and application owners must always consider factors outside of CVSS, such as exposure and threat activity.