
We're formalizing our vulnerability management process and decided to use CVSS V2 to help decide what vulnerabilities to remediate. We're running into a situation where a vulnerability's severity score has crossed our remediation threshold, but the vulnerability will not, in practice, impact us.

The vulnerability that we're running into is CVE-2004-0230, which has the following CVSS vector string after adding environment metrics: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:TF/RC:C/CDP:L/TD:H/CR:ND/IR:ND/AR:M

In theory, this vulnerability could affect pretty much all of our systems (TD of high). In practice, we don't typically have long standing connections, and we don't use BGP on the vulnerable system. This lwn article makes it clear that this is just something we don't have to worry about.

If you (or your company) have ever run into a similar scenario, do you:

  • Remediate the vulnerability (since the CVSS score is above a remediation threshold)? We plan to have remediation have one of three outcomes; it could be mitigated, fixed or the risk could be formally accepted (which is what would happen in this case).
  • Modify the CVSS metrics to more closely resemble the risk associated with the vulnerability? (TD moved to low, or something similar)
  • Do something else?
anchovie

1 Answer

If you are correct that the vulnerability really doesn't affect your systems, then the proper thing in my opinion is as you mentioned. The business should formally accept the risk (which is negligible if you are correct in assuming your systems are not affected).

DarkMatter
  • And document, document, document (to include the formal acceptance as @DarkMatter said) as well as making sure to re-evaluate the vulnerability and associated risk at the times specified in your SSP/Vulnerability management process. But perhaps that goes without saying? – jfran3 Feb 21 '19 at 04:07