Published:
28 January 2022
===========================================================================
AUSCERT Security Bulletin

ASB-2022.0048
AusCERT Bulletin Impact/Access Assessment to CVSS Migration
28 January 2022
===========================================================================

OVERVIEW

AusCERT's own Impact and Access Assessment is being replaced by the industry standard CVSS score in our Security Bulletins Service. You can filter (or use scripts) for "CVSS (Max)" and "ALERT" to prioritise vulnerability management.

We've been planning changes and improvements to our Security Bulletins Service for quite some time; you might remember our AusCERT Security Bulletins survey released at the end of 2020. Through this process it was clear that Security Bulletins are very important to our members. However, the detailed Impact and Access Vector assessment, while "nice-to-have", is not essential, whereas the CVSS score certainly is.

The Impact and Access Vector system was designed by AusCERT many years ago, before CVSS Version 1 was released by NVD. For more information on CVSS, see https://nvd.nist.gov/vuln-metrics/cvss.

CVSS has become a well-used worldwide standard, now in its third version. Therefore, in place of the AusCERT Impact and Access Vector, beginning Monday 31 January 2022 bulletins will have a CVSS score, which will make prioritisation and automation much more streamlined.

A new line in each Security Bulletin, "CVSS (Max)", will show the highest scoring CVE and its associated Vector String, as per CVSS guidelines.

Some bulletins may not have any CVSS score available from the vendor (or NVD) at the time AusCERT redistributes them. Also, history has shown that a low-CVSS-scoring vulnerability can over time increase in severity for a variety of other reasons.

This is where the AusCERT Analyst Team's expertise will continue to provide you relevant contextual information: the [ALERT] tag in the email subject line informs you the bulletin is particularly time critical or references an actively exploited vulnerability.

As we continue to evolve the Security Bulletins Service you'll start to see more information and research from the Analyst Team in the form of AusCERT Security Bulletins (ASBs).

If you'd like detailed information on AusCERT's implementation of CVSS in our Security Bulletins, please see our blog here:
https://auscert.org.au/blogs/bulletin-impact-access-to-cvss-migration/

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
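A sketch of the scripted filtering the bulletin mentions, added here as an example and not AusCERT's own code. The bulletin names the "CVSS (Max)" label and the [ALERT] subject tag but does not show the line layout, so the layout in the constructed samples, the placeholder CVE ids and the ordering policy for bulletins with no score are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Assumption: the line starts with the label "CVSS (Max)" and carries a score,
# a CVE id and a vector string somewhere after it. The page names the label
# but does not show the line, so each field is matched independently.
CVSS_LINE = re.compile(r"^[ \t]*CVSS \(Max\):?[ \t]*(.*)$", re.MULTILINE)
VECTOR = re.compile(r"CVSS:\d\.\d/[A-Za-z:/]+")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")
SCORE = re.compile(r"(?<![\d.])(10\.0|\d\.\d)(?![\d.])")

class Triage(NamedTuple):
    subject: str
    alert: bool
    score: Optional[float]
    cve: Optional[str]
    vector: Optional[str]

def parse_bulletin(subject: str, body: str) -> Triage:
    m = CVSS_LINE.search(body)
    rest = m.group(1) if m else ""
    vector, cve = VECTOR.search(rest), CVE.search(rest)
    # Drop the vector first so its version ("3.1") is not read as the score.
    score = SCORE.search(VECTOR.sub("", rest))
    return Triage(subject, "[ALERT]" in subject.upper(),
                  float(score.group(1)) if score else None,
                  cve.group(0) if cve else None,
                  vector.group(0) if vector else None)

def prioritise(items):
    # [ALERT] first, then bulletins with no score (manual review rather than
    # an implied 0.0), then the rest by descending score.
    return sorted(items, key=lambda t: (not t.alert, t.score is not None,
                                        -(t.score or 0.0)))

# Constructed sample bulletins (subject, body); CVE ids are placeholders.
SAMPLE = [
    ("Bulletin A (constructed)",
     "Product: pkg-a\nCVSS (Max):  5.5 CVE-2099-0002 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)\n"),
    ("Bulletin B (constructed)",
     "Product: pkg-b\nCVSS (Max):  9.8 CVE-2099-0001 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n"),
    ("[ALERT] Bulletin C (constructed)",
     "Product: pkg-c\nCVSS (Max):  4.3 CVE-2099-0003 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)\n"),
    ("Bulletin D (constructed)", "Product: pkg-d\nNo score published yet.\n"),
]

if __name__ == "__main__":
    for t in prioritise(parse_bulletin(s, b) for s, b in SAMPLE):
        print(t.alert, t.score, t.cve, t.subject)
```

In the constructed sample the [ALERT] bulletin sorts first despite its 4.3 score, and the unscored bulletin is surfaced ahead of the scored ones instead of dropping to the bottom.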