The Common Vulnerability Scoring System (CVSS), which is used by many in the industry as a standard way to assess and score security vulnerabilities, is evolving to a new version known as CVSSv3. The new version addresses some of the challenges that existed in CVSSv2; CVSSv3 analyzes the scope of a vulnerability and identifies the privileges an attacker needs to exploit it. The enhancements to CVSS will allow vendors, such as Cisco, to better analyze security vulnerability impact. The changes will also more clearly define the urgency of responding to the vulnerability for our customers.
Cisco will begin to adopt CVSSv3 for assessing security vulnerabilities in the fourth quarter of calendar year 2016 (Q4CY16).
CVSS is the industry-open standard designed to convey the common attributes of vulnerabilities in computer hardware and software systems. Cisco uses it to provide a score for each vulnerability in security advisories. CVSS was developed as a cooperative effort between the National Infrastructure Advisory Council and a number of security industry vendors and research organizations, including Cisco. The Forum of Incident Response and Security Teams (FIRST) has been designated as the custodian of CVSS to promote its adoption globally. This new version was under development for 3 years, and Cisco was a contributor to the standard.
Effects of Introducing CVSSv3
The following study reviews the difference in scores when a vulnerability is assessed using CVSSv2 vs. CVSSv3. In this new version of the standard, the stakeholders at FIRST have done a great job of addressing some of the challenges faced with its predecessor (CVSSv2). As more organizations begin to adopt this new standard in their processes for evaluating vulnerabilities, there will be some visible changes in disclosure trends overall. The most notable is an increase in the total number of higher-rated vulnerabilities. This increase occurs because of the metric changes in the new system. As the threat landscape evolves, there are more cases where an increased sense of urgency is needed in customers’ responses.
This study analyzed the difference between CVSS version 2 and version 3 scores, using the CVSSv2 and CVSSv3 scores provided by the National Vulnerability Database (NVD). A total of 745 vulnerabilities were analyzed, and each vulnerability is identified by a Common Vulnerabilities and Exposures (CVE) identifier. All the vulnerabilities were disclosed in 2016.
The goal was to identify the percentage of vulnerabilities that had a score increase or decrease, based on the two versions of the standard (CVSSv2 vs. CVSSv3).