Common Vulnerability Scoring System (CVSS)
By john.heimann on Oct 24, 2006
Hi, I'm Darius Wiles and I manage Oracle's Security Alerts team. The October 2006 Critical Patch Update contained a number of enhancements, as explained in Eric's recent blog posting, but the adoption of the Common Vulnerability Scoring System (CVSS) is generating the most interest. In this post I explain our reasons for adopting CVSS and some of the decisions we made when implementing it.
The CVSS standard, maintained by the Forum of Incident Response and Security Teams (FIRST), provides an objective way to assess security vulnerabilities. The risk and severity of a vulnerability are captured by metrics, which are collected into three metric groups. Base metrics capture the conditions required to exploit the vulnerability and the impact of a successful exploit; they do not change over time. Temporal metrics capture time-dependent information, and Environmental metrics capture information related to customers' specific environments.
Each metric has a defined list of values. Each of the three metric groups has a score based on these values. These are combined to form an overall CVSS score between 0 and 10, with 10 being the most serious type of vulnerability. We provide the values and score for the base metrics in the Critical Patch Update documentation. Customers can calculate temporal and environmental values to generate an overall CVSS score.
The scoring is the major reason we have adopted CVSS. Customers asked for a way to compare vulnerabilities so they can identify the most critical. CVSS allows us to order vulnerabilities for each product by their base score. CVSS also attracted us because it is a standard that is seeing increasing adoption, and it has some similarities to our previous system.
CVSS is straightforward when used for machines dedicated to one task, such as a firewall. For environments in which Oracle software is one of several critical applications running on one server, we made some decisions on how CVSS should be used. An explanation can be found in the "Use of Common Vulnerability Scoring System (CVSS) by Oracle" document available on MetaLink and Customer Connection (see links at the end of this note). This document also explains the new Partial+ metric value, which I'll discuss now.
CVSS defines three standard values: None, Partial and Complete. These values measure the impact of a vulnerability on the confidentiality, integrity and availability of data in an affected environment; in turn, these metrics form part of the base score. Complete indicates that an entire system is affected, so it is unlikely that we would use Complete very often. We would only do so when an Oracle vulnerability affects the underlying operating system, for example by giving an attacker root privilege on the targeted platform. However, we recognize that for certain customers, compromise of Oracle software is as serious as a compromise of the operating system. To help those customers, we provide more information than the CVSS standard requires for the confidentiality, integrity and availability metrics. In addition to the three standard CVSS values, we use Partial+. Partial indicates an impact with limited effect, e.g. access to one user's data, whereas Partial+ indicates an impact with wide effect, e.g. access to all users' data. Rather than alter the standard CVSS scoring formula to accommodate Partial+, we simply score Partial+ as Partial. In environments where compromise of Oracle applications is as serious as compromise of the underlying operating system, we recommend treating the Partial+ values as Complete and recalculating the base score.
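The recalculation described above, as an added example that is not Oracle's code or tooling: a base-score calculator using the CVSS v1 weights (the version of the standard current in 2006; the weights and the sample vulnerability below are my assumptions, not taken from the advisory), which scores the same metrics once with Partial+ mapped to Partial, as Oracle publishes it, and once with Partial+ mapped to Complete, as a customer whose Oracle system is the whole system would re-score it.

```python
from dataclasses import dataclass

# CVSS v1 base-metric weights (assumed from the v1 specification, not from the advisory).
ACCESS_VECTOR = {"Local": 0.7, "Remote": 1.0}
ACCESS_COMPLEXITY = {"High": 0.8, "Low": 1.0}
AUTHENTICATION = {"Required": 0.6, "Not Required": 1.0}
# Partial+ is Oracle's extension, not a standard value, so it has no weight of its
# own: it is mapped to Partial or Complete before lookup (see resolve_partial_plus).
IMPACT = {"None": 0.0, "Partial": 0.7, "Complete": 1.0}
IMPACT_BIAS = {  # (confidentiality, integrity, availability)
    "Normal": (0.333, 0.333, 0.333),
    "Confidentiality": (0.5, 0.25, 0.25),
    "Integrity": (0.25, 0.5, 0.25),
    "Availability": (0.25, 0.25, 0.5),
}


@dataclass
class BaseMetrics:
    access_vector: str      # Local / Remote
    access_complexity: str  # High / Low
    authentication: str     # Required / Not Required
    confidentiality: str    # None / Partial / Partial+ / Complete
    integrity: str
    availability: str
    impact_bias: str = "Normal"


def resolve_partial_plus(value: str, oracle_is_the_system: bool) -> str:
    """Oracle publishes Partial+ scored as Partial; a customer for whom compromise
    of Oracle software is as serious as compromise of the OS re-scores it as Complete."""
    if value == "Partial+":
        return "Complete" if oracle_is_the_system else "Partial"
    return value


def base_score(m: BaseMetrics, oracle_is_the_system: bool = False) -> float:
    cb, ib, ab = IMPACT_BIAS[m.impact_bias]
    c, i, a = (IMPACT[resolve_partial_plus(v, oracle_is_the_system)]
               for v in (m.confidentiality, m.integrity, m.availability))
    raw = (10 * ACCESS_VECTOR[m.access_vector] * ACCESS_COMPLEXITY[m.access_complexity]
           * AUTHENTICATION[m.authentication] * (c * cb + i * ib + a * ab))
    return round(raw, 1)  # v1 rounds the base score to one decimal place


# Constructed vulnerability: remote, no authentication, reads and modifies all
# users' data (Partial+ for C and I) and can disrupt some sessions (Partial for A).
EXAMPLE = BaseMetrics("Remote", "Low", "Not Required", "Partial+", "Partial+", "Partial")

if __name__ == "__main__":
    print("Published (Partial+ as Partial): ", base_score(EXAMPLE))        # 7.0
    print("Re-scored (Partial+ as Complete):", base_score(EXAMPLE, True))  # 9.0
```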
CVSS base scores are not spread evenly across the possible range of 0 to 10, but tend to cluster at the lower end. People new to CVSS may be surprised that serious problems do not score more highly, but they will get used to "critical" problems having lower base scores than they initially expect. From our point of view, the relative scoring between vulnerabilities is more important than an absolute score. The different threat environments and interpretations of the CVSS standard make it unsafe to simply compare base scores between products from different vendors, as some customers have proposed.
I hope to have offered you an insight into our adoption of CVSS. We are pleased to be an early adopter of CVSS; the feedback to date has been positive, and we are hopeful that it will continue to provide benefits to customers. We have made a number of decisions on our implementation of CVSS that we will be reviewing in light of customer feedback and the evolution of CVSS. I strongly encourage you to spend a few minutes playing with the CVSS calculator on NIST's web site (see the references at the end for a link), as it is a great way to get a feel for the standard.
CVSS Calculator on National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) web site
Oracle October 2006 Critical Patch Update advisory (containing risk matrices with CVSS information)
Oracle October 2006 Critical Patch Update advisory references to more information (requires MetaLink or Customer Connection login)
Use of Common Vulnerability Scoring System (CVSS) by Oracle: