4 Replies Latest reply: Dec 11, 2012 7:07 AM by theall

How is the Severity calculated?

Hi,


I am searching for information on how the Tenable Risk Factor / Severity is calculated.

It seems not to rely only on the CVSS; there are also vulnerabilities that do not carry any CVSS score, like:

Synopsis: The remote host is missing Sun Security Patch number 146672-10


Description
SunOS 5.10_x86: ssl patch.

Date this patch was last updated by Sun : Aug/07/12
Solution
You should install this patch for your system to be up-to-date.

See Also
https://getupdates.oracle.com/readme/146672-10
Risk Factor: High


We want to include this information in a contract and need a solid baseline for the mapping.

Best Regards

Knight

  • Re: How is the Severity calculated?
    theall

    Knight wrote:

    Hi,

    I am searching for information on how the Tenable Risk Factor / Severity is calculated.

    It seems not to rely only on the CVSS; there are also vulnerabilities that do not carry any CVSS score, like:

    Synopsis: The remote host is missing Sun Security Patch number 146672-10

    Description
    SunOS 5.10_x86: ssl patch.

    Date this patch was last updated by Sun : Aug/07/12
    Solution
    You should install this patch for your system to be up-to-date.

    See Also
    https://getupdates.oracle.com/readme/146672-10
    Risk Factor: High

    We want to include this information in a contract and need a solid baseline for the mapping.

    Best Regards

    Knight

    We generally use the highest CVSS base score in our plugins. In the case of plugins that are generated automatically from vendor security advisories, we fall back to using a "High" risk factor if there are no CVEs or NIST hasn't scored any of them yet.

     

    George

    • Re: How is the Severity calculated?

      Hi George,

      Thank you very much for your reply.

       

      So you are saying that if there are CVSS scores you use the highest one of the vendor CVSS, and if there is none you take a risk-based approach and say it is a high vulnerability, correct?

      Regarding the CVSS scores, where does the high severity begin and end, as well as the critical one?

      Best Regards,

      Knight

      • Re: How is the Severity calculated?
        theall

        Knight wrote:

        Hi George,

        Thank you very much for your reply.

        So you are saying that if there are CVSS scores you use the highest one of the vendor CVSS, and if there is none you take a risk-based approach and say it is a high vulnerability, correct?

        More or less. First, we use CVSS base scores for assigning severity; temporal or environmental scores don't enter into it. And we use the scores that NIST has in the NVD rather than whatever the vendor might have for the plugins generated from vendor advisories. [For example, if Red Hat scores a CVE differently from NIST, we go with NIST's.]

         

        George

  • Re: How is the Severity calculated?
    rwalchuck

    It's based on the NVD Vulnerability Severity Ratings (http://nvd.nist.gov/cvss.cfm)

    Critical: CVSS = 10.0

    High: 7.0 <= CVSS < 10.0

    Medium: 4.0 <= CVSS < 7.0

    Low: 0.0 < CVSS < 4.0

    Info: CVSS = 0

    -Rich
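The rule George describes (highest NVD CVSS base score per plugin, vendor scores and temporal/environmental metrics ignored, "High" as the fallback for advisory-generated plugins with no CVE or no CVE that NVD has scored yet) combined with Rich's bands, written out as an added Python example. This is not Tenable's code and not something posted in the thread: the plugin records below are constructed, the CVE identifiers are placeholders, and treating a non-advisory plugin with no usable score as "unscored" (None) is an assumption the thread does not address.

```python
"""Model of the Nessus risk-factor rule as described in this thread (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CveScore:
    """One CVE referenced by a plugin, with the CVSS *base* scores known for it.

    Temporal and environmental scores are deliberately absent: the thread says
    only base scores are used.  Either score may be missing (None), e.g. when
    NIST has not analysed the CVE yet.
    """
    cve_id: str
    nvd_base: Optional[float] = None
    vendor_base: Optional[float] = None


@dataclass
class Plugin:
    name: str
    cves: List[CveScore] = field(default_factory=list)
    from_vendor_advisory: bool = False


def band_for_score(score: float) -> str:
    """Map a CVSS base score to the bands Rich quotes (NVD severity ratings).

    Note that "Critical" is reserved for exactly 10.0; 9.9 is still "High".
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 10.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def risk_factor(plugin: Plugin) -> Optional[str]:
    """Apply the rule as George described it.

    1. Use NVD base scores only; the vendor's own score is ignored.
    2. Take the highest one across all CVEs the plugin references.
    3. Advisory-generated plugins with no CVE, or with no CVE that NVD has
       scored yet, fall back to "High".
    Anything else with no usable score is returned as None ("unscored").
    That last case is an assumption; the thread does not cover it.
    """
    nvd_scores = [c.nvd_base for c in plugin.cves if c.nvd_base is not None]
    if nvd_scores:
        return band_for_score(max(nvd_scores))
    if plugin.from_vendor_advisory:
        return "High"
    return None


# Constructed sample plugins.  Only the Sun patch number comes from the thread;
# the CVE identifiers are placeholders, not real CVEs.
SAMPLE_PLUGINS = [
    Plugin("Solaris 10 (x86): 146672-10 ssl patch", cves=[], from_vendor_advisory=True),
    Plugin("vendor scored 9.3, NVD scored 7.5",
           cves=[CveScore("CVE-0000-0001", nvd_base=7.5, vendor_base=9.3)],
           from_vendor_advisory=True),
    Plugin("advisory CVE not yet scored by NVD",
           cves=[CveScore("CVE-0000-0002", nvd_base=None, vendor_base=6.8)],
           from_vendor_advisory=True),
    Plugin("two CVEs, highest wins",
           cves=[CveScore("CVE-0000-0003", nvd_base=4.3),
                 CveScore("CVE-0000-0004", nvd_base=10.0)]),
    Plugin("band boundary at 6.9", cves=[CveScore("CVE-0000-0005", nvd_base=6.9)]),
    Plugin("non-advisory plugin without CVEs", cves=[]),
]


def summarise(plugins=SAMPLE_PLUGINS):
    """Return {plugin name: risk factor} for a list of plugins."""
    return {p.name: risk_factor(p) for p in plugins}


if __name__ == "__main__":
    for name, rf in summarise().items():
        print(f"{rf or 'unscored':<9} {name}")
```

The second sample record is the point of George's Red Hat remark: a vendor rating of 9.3 does not move the plugin into a higher band when NVD's base score is 7.5. The fourth shows that a plugin covering several CVEs inherits the worst one, which is why a single "Critical" CVE dominates a cumulative patch check. Anyone writing the contractual mapping Knight asks about should also check the 10.0-only definition of "Critical" against whatever the scanner version in use actually emits.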