Where does the vulnerability severity score come from and how is it calculated? What are the effects on my patching?
Learn about the following topics here:
- Automox severity scoring
- When is severity information updated?
- Why am I patching more?
- What does a severity of High indicate and should I be concerned?
- What does a score of None indicate?
- What does a severity of No Known CVEs indicate?
- Vulnerability/severity data for third-party titles
Severity information used by Automox originates from OS and app providers. An independent group of security researchers calculates the CVSS severity score. How this is calculated is described in the National Vulnerability Database.
Automox severity scoring
The severity of CVEs are based on CVSS scores. These scores have different mappings to severity classifications. The following mapping table shows how Automox defines the previous version 2 and the new version 3 severity ratings of a package:
Other (Not scored)
In the event that there are multiple CVEs, with a mixture of scores, the highest possible CVSS score will determine the severity.
When is severity information updated?
When a device scan happens (either automatically or manually), the severity data presented in the console will be accurate to within the last 1-hour time span. Upon your group scan interval, this data will be presented.
Note: New severity information does not cause the device to patch. Your patching schedule determines when the patch is applied.
Why am I patching more?
The introduction of the Automox CVSSv3 severity scoring model can mean increased patching.
Policy scopes might change with the introduction of the categories High and None.
Depending on your configuration, the pending (or scheduled patch) counts can go up or down as a result.
With better severity information, legacy patches can suddenly appear, although they were not previously marked for patching.
What does a severity of High indicate and should I be concerned?
Yes, you should be concerned. A High patch score usually indicates severe exploits that might require additional complexity for a hacker to use. This refers to someone who gains physical access to the machine or relies on another unpatched exploit to gain access. These are serious and would have been considered Critical in the previous severity scoring. Unless you have a reason to not include High patches, you should patch them.
What does a score of None indicate?
A severity level of None is equal to a score of 0.0 as per CVSSv3.
What does a severity of No Known CVEs indicate?
We have advanced our Linux severity score coverage and enable customers to prioritize and patch the most severe vulnerabilities for Ubuntu, Red Hat, and Debian devices with newly added CVE data. This allows customers to understand and act on severity data to automate patching with more granularity.
If an Ubuntu, Red Hat, or Debian-related software package does not have any CVEs associated with it, Automox shows the severity score No Known CVEs. This only applies to Ubuntu, Red Hat, and Debian devices in Automox.
Vulnerability/severity data for third-party titles
We now include severity data for top third-party software packages. We are gradually adding more titles. Refer to this article to get the latest information.
List of supported vulnerability/severity data for these third-party titles:
Adobe Acrobat Reader
You can now use the Patch by Severity policy to update to the latest version.