Inferred CVEs - User Guide - 1.0 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse User Guide

Product
Cortex XPANSE
Version
1.0
Creation date
2022-08-25
Last date published
2024-03-14
End_of_Life
EoL
Category
User Guide
Abstract

Cortex Xpanse identifies Inferred CVEs by matching the service version information available to our scanners with CVE information from the NVD.

Common Vulnerabilities and Exposures (CVE) is a system for referencing publicly disclosed software security vulnerabilities. Individual vulnerabilities are commonly referred to as CVEs, and each one is uniquely identified by a CVE ID, such as CVE-2020-1234.

Cortex Xpanse attempts to match each service with CVEs that might be present on that service. We refer to any potential matches as Inferred CVEs. We perform this matching using the service name and version information that is available to our scanners.

Note

New CVEs will not be identified as Inferred CVEs in Assess until after a new assessment has been run and data is refreshed.

We categorize Inferred CVE matches as High, Medium, or Low Confidence based on the version information that is available on the service and from the National Vulnerability Database (NVD).

  • High Confidence—Precise version information is available both from the service and from NVD, and the two versions agree.

  • Medium Confidence—The version number from the service matches the NVD entry for the CVE, but the version string from the service carries additional characters (for example, 2.4.49c seen on the service against an NVD entry for 2.4.49).

  • Low Confidence—Either the service or the NVD entry for the CVE does not have sufficient version information to be a higher confidence match.

The examples below show how Inferred CVE matches are assigned. Each example lists the service information available from the Xpanse scan, the CVE information available from NVD, the match result, and the reason for that result.

Example 1

  • Service information available from Xpanse scan: Apache v 2.4.50
  • CVE information available from NVD: CVE-2021-41773, which affects cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
  • Match result: No Match
  • Details: The CPE information from NVD indicates a version of Apache that is different from the one we saw in the scan, so this does not match.

Example 2

  • Service information available from Xpanse scan: Apache v 2.4.49
  • CVE information available from NVD: CVE-2021-41773, which affects cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
  • Match result: High Confidence Match
  • Details: The CPE information from NVD matches the version of Apache indicated by the scan, so this is a high confidence match.

Example 3

  • Service information available from Xpanse scan: Apache v 2.4.49c
  • CVE information available from NVD: CVE-2021-41773, which affects cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
  • Match result: Medium Confidence Match
  • Details: The version numbers from the service and from NVD match, except for the additional character in the version from the service, so this is a medium confidence match.

Example 4

  • Service information available from Xpanse scan: Apache (no version number detected)
  • CVE information available from NVD: CVE-2021-41773, which affects cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
  • Match result: Low Confidence Match
  • Details: The CPE information from NVD matches the software name of the service, but we have no information on the version, so this is a low confidence match.

Example 5

  • Service information available from Xpanse scan: Apache v 2.4.50
  • CVE information available from NVD: CVE-2022-22719, which affects cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* (up to and including 2.4.52)
  • Match result: High Confidence Match
  • Details: The CPE information from NVD covers the version of Apache indicated by the scan, so this is a high confidence match.

Example 6

  • Service information available from Xpanse scan: Apache v 2.4.50, running on Red Hat Enterprise Linux 6 (RHEL6), which is not affected by this CVE
  • CVE information available from NVD: CVE-2022-22719, which affects cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* (up to and including 2.4.52)
  • Match result: High Confidence Match
  • Details: The CPE information from NVD covers the version of Apache indicated by the scan, so this is a high confidence match. Xpanse cannot determine the underlying OS or whether mitigating controls are in place, so this pairing still generates a high confidence match.

Example 7

  • Service information available from Xpanse scan: Apache (any version number)
  • CVE information available from NVD: CVE-2012-3526, which affects cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
  • Match result: Low Confidence Match
  • Details: This CVE does not indicate any specific version number, so we consider it a low confidence match for any version of Apache http_server, regardless of the version information from the scan.
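The matching rules above can be reproduced as a small classifier. The code below is an added illustration, not Cortex Xpanse's own matching logic, and it makes several assumptions the page does not state: the scanner's service name is assumed to be already normalized to CPE vendor and product names (so "Apache" becomes vendor apache, product http_server); a service version above an "up to and including" bound is treated as No Match; a version with extra characters inside such a range is treated as Medium Confidence; and the "any version" service in the last example is given a constructed version of 2.2.15. The NVD entries are reduced to the CPE string and the versionEndIncluding bound shown in the examples.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Match results, named as the page names them.
NO_MATCH = "No Match"
LOW = "Low Confidence Match"
MEDIUM = "Medium Confidence Match"
HIGH = "High Confidence Match"


@dataclass(frozen=True)
class Service:
    """A service as seen by a scan. vendor/product are assumed (not stated by the
    page) to be already normalized to CPE names such as 'apache'/'http_server';
    version is None when the banner exposed no version number."""
    vendor: str
    product: str
    version: Optional[str]


@dataclass(frozen=True)
class NvdEntry:
    """One affected configuration from an NVD record: a CPE 2.3 string plus the
    optional 'up to and including' bound that NVD calls versionEndIncluding."""
    cve_id: str
    cpe: str
    version_end_including: Optional[str] = None


def parse_cpe23(cpe: str) -> Tuple[str, str, str, str]:
    """Return (part, vendor, product, version) from a CPE 2.3 formatted string.
    Colons escaped as '\\:' inside a component are not treated as separators."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    part, vendor, product, version = fields[2:6]
    return part, vendor, product, version


_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def split_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '2.4.49c' into ((2, 4, 49), 'c'): a comparable numeric tuple plus
    whatever trailing characters the banner carried."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    return numbers, m.group(2)


def match_confidence(service: Service, entry: NvdEntry) -> str:
    """Classify one service/CVE pairing with the page's three confidence levels.
    The OS and mitigating controls are not inputs, so they can never lower a match."""
    _, vendor, product, cpe_version = parse_cpe23(entry.cpe)
    if (service.vendor.lower(), service.product.lower()) != (vendor, product):
        return NO_MATCH                        # different software entirely
    if service.version is None:
        return LOW                             # name matches, no version to compare
    svc_numbers, svc_suffix = split_version(service.version)

    if cpe_version == "*":                     # NVD gives no single version
        if entry.version_end_including is None:
            return LOW                         # no version information at all
        end_numbers, _ = split_version(entry.version_end_including)
        if svc_numbers > end_numbers:
            return NO_MATCH                    # assumption: above the bound is a non-match
        return MEDIUM if svc_suffix else HIGH  # assumption: extra characters lower confidence

    cpe_numbers, cpe_suffix = split_version(cpe_version)
    if svc_numbers != cpe_numbers:
        return NO_MATCH                        # precise versions differ (2.4.50 vs 2.4.49)
    if svc_suffix == cpe_suffix:
        return HIGH                            # precise versions agree
    if not cpe_suffix and svc_suffix:
        return MEDIUM                          # same number, service has extra characters
    return NO_MATCH


# NVD data reduced to the fields shown in the examples above.
CVE_2021_41773 = NvdEntry("CVE-2021-41773", "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*")
CVE_2022_22719 = NvdEntry("CVE-2022-22719", "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "2.4.52")
CVE_2012_3526 = NvdEntry("CVE-2012-3526", "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*")


def classify_page_examples() -> Dict[Tuple[Optional[str], str], str]:
    """Re-run the pairings from the examples above; keys are (service version, CVE ID).
    The RHEL6 example has the same inputs as Example 5 and so the same result."""
    rows = [
        (Service("apache", "http_server", "2.4.50"), CVE_2021_41773),
        (Service("apache", "http_server", "2.4.49"), CVE_2021_41773),
        (Service("apache", "http_server", "2.4.49c"), CVE_2021_41773),
        (Service("apache", "http_server", None), CVE_2021_41773),
        (Service("apache", "http_server", "2.4.50"), CVE_2022_22719),
        (Service("apache", "http_server", "2.2.15"), CVE_2012_3526),  # constructed "any version"
    ]
    return {(s.version, e.cve_id): match_confidence(s, e) for s, e in rows}


if __name__ == "__main__":
    for (version, cve_id), result in classify_page_examples().items():
        print(f"{version or '(no version)':>13}  {cve_id}  {result}")
```

Note that nothing in the classifier consults the operating system or any mitigating control; that is why the RHEL6 pairing comes back High Confidence, and why an Inferred CVE is a starting point for investigation rather than a confirmed finding.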

In general, an Inferred CVE might impact your service, but additional investigation is required to confirm that the CVE is actually present.

Cortex Xpanse is making ongoing improvements to CVE version matching. In general, we aim to err on the side of overmatching, so you don’t miss a vulnerable service in need of patching. If you notice a version that is incorrectly matched or not matched, please contact your CSM and let them know.

Within the Services module of Cortex Xpanse you can search for a specific CVE ID and see the list of services the CVE may be impacting. You can also view the inferred CVEs that may be impacting a specific service. CVE information does not appear in the Issues module of Cortex Xpanse.