Vulnerability Assessment FAQ

This document provides an overview of F5 Distributed Cloud App Infrastructure Protection (AIP)’s vulnerability assessments, describes the supported operating systems (OSs), and provides troubleshooting steps for possible issues.

How does Vulnerability Assessment work?

The Distributed Cloud AIP Agent retrieves a list of installed packages on the host and matches them against all known Common Vulnerabilities & Exposures (CVEs) captured in the National Vulnerability Database (NVD). It then compares the matches against the published security notice and triage data from the specific Linux distribution. For more information, see Vulnerability Assessment Feature Overview.

Vulnerability Assessment Flow

This image depicts the flow of the Distributed Cloud AIP agent detecting packages and cross-referencing them against more than two million identified CVEs. It automatically categorizes them according to security risk and displays which servers are affected by which vulnerabilities.

Note

For this illustration, 'TS' refers to Distributed Cloud AIP.

Vulns_-_Vulns_Workflow.png


Can I get a Vulnerability Assessment report?

Yes, you can subscribe to a daily vulnerability assessment email report. To enable these reports, see Enable Email Alerts and Automated Reports in Distributed Cloud AIP.

How do I remediate a vulnerability?

While Distributed Cloud AIP does not offer vulnerability remediation as a part of our services, we aim to provide contextual information to help you prioritize any necessary remediation actions.

Distributed Cloud AIP remediation recommendations:

  • Remove all unnecessary packages
  • Review the OS notice identified for the CVE and apply the best practice suggested
  • Confirm that your package is the latest version

What does a security notice mean?

Distributed Cloud AIP leverages the Common Vulnerability Scoring System v2 (CVSS v2) listed in the National Vulnerability Database (NVD). The severity of a vulnerability can be high (H), medium (M), or low (L) as determined by the NVD.

However, there may be discrepancies between the severity that the CVSS assigns the vulnerability and the score that the vendor of the OS or package assigns.

Example:

CVSS v3 ranks CVE-2021-4217 as high severity. However, Ubuntu determines this to be low priority.

vulns_example.png

A security notice applies when the vendor determines that the vulnerability is severe enough to prioritize remediation.

Distributed Cloud AIP advises that you prioritize vulnerabilities that the Vulnerability Assessment flags with specific security notices.
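The flow described under "How does Vulnerability Assessment work?" and the prioritization advice above can be sketched as follows. This is an added example, not F5's code or the Agent's logic; the ordering rule (vendor security notice first, then NVD severity) is an assumption drawn from the advice above, and all package names, CVE ids and notice ids are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"H": 0, "M": 1, "L": 2}  # NVD severity levels named in this FAQ

@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    nvd_severity: str               # "H", "M" or "L"
    security_notice: Optional[str]  # vendor notice id, None if the vendor issued none

def triage(installed, advisories, suppressed=frozenset()):
    """Return advisories that affect installed packages, in remediation order.

    Findings with a vendor security notice come first, then NVD severity,
    then CVE id for a stable result. Suppressed CVEs are dropped.
    """
    findings = []
    for adv in advisories:
        if adv.package not in installed or adv.cve in suppressed:
            continue
        if adv.nvd_severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {adv.nvd_severity!r} for {adv.cve}")
        findings.append(adv)
    return sorted(findings, key=lambda a: (a.security_notice is None,
                                           SEVERITY_RANK[a.nvd_severity], a.cve))

def disputed(findings):
    """Findings NVD rates high but for which the vendor issued no notice."""
    return [a for a in findings
            if a.nvd_severity == "H" and a.security_notice is None]

# Constructed sample data (hypothetical names and ids, not real advisories).
INSTALLED = {"pkg-alpha": "1.0", "pkg-beta": "2.3", "pkg-gamma": "0.9"}
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "pkg-alpha", "H", None),
    Advisory("CVE-EXAMPLE-0002", "pkg-beta", "M", "NOTICE-EXAMPLE-1"),
    Advisory("CVE-EXAMPLE-0003", "pkg-gamma", "L", "NOTICE-EXAMPLE-2"),
    Advisory("CVE-EXAMPLE-0004", "pkg-delta", "H", "NOTICE-EXAMPLE-3"),  # not installed
    Advisory("CVE-EXAMPLE-0005", "pkg-beta", "H", None),  # suppressed in the run below
]

if __name__ == "__main__":
    ordered = triage(INSTALLED, ADVISORIES, suppressed={"CVE-EXAMPLE-0005"})
    for a in ordered:
        print(a.cve, a.package, a.nvd_severity, a.security_notice or "no notice")
    print("NVD high, no vendor notice:", [a.cve for a in disputed(ordered)])
```

The `disputed` list is the set to review by hand: NVD rates these high, but the distribution has not issued a notice, which is the kind of discrepancy the example above describes.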

How is severity determined?

The vulnerability score is based on the Common Vulnerability Scoring System v2 (CVSS v2) used by the NVD. The severity can be high (H), medium (M), or low (L) as determined by the NVD.

For more information, see the NVD Frequently Asked Questions or A Complete Guide to the Common Vulnerability Scoring System v2 on first.org.

How often do assessments run?

Vulnerability assessments occur within 15 minutes of package collection. Distributed Cloud AIP collects packages at the following times:

  • Daily between 12:00 a.m. and 2:00 a.m. UTC.
  • The first time an Agent starts and connects to the Distributed Cloud AIP platform.

Can I run an assessment on demand?

No, you cannot run an assessment on demand. This means it can take up to 24 hours for a suppression to remove alerts or for an unsuppressed vulnerability to display.

I removed a package; why am I still seeing the vulnerability?

Distributed Cloud AIP runs assessments every 24 hours. Removals and changes will not display until the next assessment completes.

Which Linux distributions are supported?

Distributed Cloud AIP supports the following OSs:

  • Amazon Linux
  • CentOS
  • Red Hat
  • Ubuntu

How does Distributed Cloud AIP source vulnerabilities?

Distributed Cloud AIP sources vulnerabilities from the NVD’s published CVE reports.

What if I choose not to remediate a vulnerability?

You can choose to suppress a vulnerability, which prevents it from displaying in future assessments. See Suppress or Unsuppress Vulnerabilities for more about suppressing vulnerabilities.

Articles in the Vulnerability Assessment Series

Vulnerability Assessment Feature

Suppress or Unsuppress Vulnerabilities
