Vulnerability Assessment Feature Overview
Supported OS Distributions
F5 Distributed Cloud App Infrastructure Protection (AIP) currently supports the Vulnerability Assessment feature on the following Linux distributions:
- Amazon
- CentOS
- RedHat
- Ubuntu
For more information, see System Requirements.
Vulnerability Assessment Overview
Distributed Cloud AIP runs a daily Vulnerability Assessment that analyzes all packages that are installed on the operating system (OS) against the Common Vulnerabilities and Exposures (CVEs) listed in the National Vulnerability Database (NVD) run by the National Institute of Standards and Technology (NIST).
For each vulnerability, the severity score is based only on the Common Vulnerability Scoring System v3 (CVSS v3) used by the NVD. The severity can be high (H), medium (M), or low (L) as determined by the NVD.
At the end of the assessment, Distributed Cloud AIP displays a list of vulnerable packages, associated CVEs, and impacted servers. As a security management best practice, Distributed Cloud AIP recommends that you review and analyze the assessment results, using the suggested documentation provided by the supported OS security notices and NVD articles. Distributed Cloud AIP will not manage or remediate package vulnerabilities on your behalf.
The assessment flags and displays only CVEs that are registered in the NVD. If a vulnerability is not registered in the NVD, Distributed Cloud AIP does not log it in the Vulnerabilities tab in Distributed Cloud AIP. Once a vulnerability is registered in the NVD, Distributed Cloud AIP begins to scan for the CVE within one day of its registration.
You can view information about flagged vulnerabilities in your Distributed Cloud AIP environment in the Servers > Vulnerabilities tab. In the CVE column, click the link for the vulnerability you want to investigate. The corresponding CVE details page opens on the NVD website.
Note
Distributed Cloud AIP analyzes vulnerabilities by matching the NVD CVE name with the actual package name listed in the OS documentation. If there is a discrepancy between the name of the CVE in the NVD data records and the package name, Distributed Cloud AIP will not be able to flag the CVE given the nature of our NVD-based approach to vulnerability assessment.
Example: Distributed Cloud AIP does not flag policykit (ubuntu) because the NVD refers to that package with its updated name, polkit.
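The matching described above (installed package name and version checked against NVD records, severity taken from the CVSS v3 base score, and a renamed package missed unless its NVD name is known) as an added illustration. This is example code, not Distributed Cloud AIP's implementation; the package list, the NVD-style records with placeholder CVE ids, and the alias table are all constructed here.

```python
import re

# Constructed sample input: installed packages as a package manager would report them.
INSTALLED = {"openssl": "1.1.1k", "policykit": "0.105", "bash": "5.1"}

# Constructed NVD-like records (placeholder CVE ids, not real data):
# product name as NVD spells it, first fixed version, CVSS v3 base score.
NVD_RECORDS = [
    {"cve": "CVE-0000-0001", "product": "openssl", "fixed_in": "1.1.1l", "cvss_v3": 7.5},
    {"cve": "CVE-0000-0002", "product": "polkit", "fixed_in": "0.120", "cvss_v3": 7.8},
    {"cve": "CVE-0000-0003", "product": "bash", "fixed_in": "5.0", "cvss_v3": 4.3},
]

# Hypothetical alias table mapping a distro package name to the name NVD uses.
NAME_ALIASES = {"policykit": "polkit"}


def version_key(version):
    """Split '1.1.1k' into comparable parts: numbers compare numerically, letters lexically."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-z]+", version.lower()))


def severity(cvss_v3_score):
    """CVSS v3 qualitative rating reduced to the three labels the page names (H/M/L).
    Assumption: scores of 9.0 and above are reported as H together with 7.0-8.9."""
    if cvss_v3_score >= 7.0:
        return "H"
    if cvss_v3_score >= 4.0:
        return "M"
    return "L"


def assess(installed, records, aliases=None):
    """Return (cve, package, severity) for each installed package older than its fix."""
    aliases = aliases or {}
    by_product = {}
    for rec in records:
        by_product.setdefault(rec["product"], []).append(rec)
    findings = []
    for pkg, ver in installed.items():
        nvd_name = aliases.get(pkg, pkg)  # without an alias, a renamed package is never matched
        for rec in by_product.get(nvd_name, []):
            if version_key(ver) < version_key(rec["fixed_in"]):
                findings.append((rec["cve"], pkg, severity(rec["cvss_v3"])))
    return findings


if __name__ == "__main__":
    print("name match only:", assess(INSTALLED, NVD_RECORDS))
    print("with alias table:", assess(INSTALLED, NVD_RECORDS, NAME_ALIASES))
```

Run without the alias table, the policykit finding is silently absent, which is the gap the note above describes; bash is installed at a version at or past its fix and is correctly not reported.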
Vulnerability Assessment Results
Distributed Cloud AIP provides a holistic understanding of potential vulnerabilities by assessing all packages installed using the package manager. Distributed Cloud AIP will not remediate or manage package vulnerabilities on your behalf.
You can resolve these vulnerabilities at the host level or suppress the vulnerability within Distributed Cloud AIP.
If you find vulnerabilities that you deem low risk, for example those the OS vendor classifies as will-not-fix or low priority, you can suppress the vulnerability. Learn more about Suppressing Vulnerabilities.
To resolve the vulnerability at the host level, implement the suggested remediation steps according to the supported OS security notice. Confirm on the next daily scan that you are no longer vulnerable.
For more information, see NVD Frequently Asked Questions or A Complete Guide to the Common Vulnerability Scoring System v3.
Subscribe to Assessment Results
Vulnerability assessments occur within 15 minutes of package collection. Distributed Cloud AIP collects packages at the following times:
- Daily between 12:00 a.m. and 2:00 a.m. UTC.
- The first time an Agent starts and connects to the Distributed Cloud AIP platform.
You can subscribe to a daily vulnerability report email. To enable these reports, go to Settings > Profile Settings tab > Notifications Settings section.
Vulnerability Package Assessment Workflow
This image depicts the flow of the Distributed Cloud AIP Agent detecting packages, cross-referencing them against more than two million identified CVEs.