
CVSS 3.1 vs CVSS 4.0: A Look at the Data
Like the cost of groceries and everything else, CVSS scores seem to have experienced some inflation recently. CVSS 4.0 promises to be a better calculator of risk than previous iterations of the system, but that’s only true if you use it in its full capacity to calculate your specific risk within your specific environment. Most of us aren’t using it that way.
In this blog we’ll look at the common use of CVSS scores to prioritize open source software vulnerability remediation and some original Mend.io data on how CVSS 4.0 differs from CVSS 3.1 in such an endeavor.
Where are your priorities?
The CVSS base score is the score a CVE gets when the only information available is what the vendor or researcher who reported the CVE supplied, plus whatever the National Vulnerability Database added, with nothing specific to your environment. When we use CVSS scores to rank OSS vulnerabilities and decide what should get our attention, we’re looking at thousands of CVEs, and we’re not going to investigate and assess them all individually because there are simply too many of them.
Whenever CVSS is criticized for producing scores that are too high, its defenders will tell you that you’re only looking at the base score, and that if you went through all of the sliders and buttons to get a more accurate score for your own environment and situation, CVSS would be, if not excellent, at least pretty close to the mark. But, again, there’s no time to do that for thousands of vulnerabilities.
By the way, it’s not that using CVSS base scores to prioritize a very large number of OSS vulnerabilities is unsanctioned. In fact, the FIRST CVSS FAQ makes it patently clear they’re not telling you how to use or not use CVSS scores. Prioritizing CVEs by base score is very much a valid way to use CVSS scores and don’t let anyone tell you otherwise.

The main issue with this use is that without that specific information we end up with only worst-case scenario scores. And with those hyped up scores, we may spin our wheels trying to update a package with a critical CVE that can’t even be exploited in our environment while we’re ignoring a medium CVE that absolutely can. In this scenario we have done plenty of work and achieved a whopping zero percent improvement in risk posture.
So it’s not a great system. But it’s a system. And it’s a widely used system. The US government makes use of it, as does the private sector. FedRAMP and other SLAs can put very specific timelines on remediating vulnerabilities based on CVSS scores. Whether or not CVSS scores are reflecting real risk, we’re forced to consider them for compliance purposes.
So when we’re looking at CVSS base scores, how does the latest and greatest CVSS, version 4.0, compare with its predecessor, version 3.1?
Will CVSS 4.0 improve the lives of AppSec teams?
We’re sorry to report that it’s not looking good. There’s no getting around it: CVSS 4.0 base scores are higher than CVSS 3.1 base scores.
There was already a lot of suspicion within the AppSec community that CVSS scores were on the rise with the release of CVSS 4.0, but the limited datasets made it difficult to tell by how much and if the story changed at all when looking at larger numbers of CVEs.
So Mend.io wanted to do some research with a very big dataset. We took a look at 18 months of our customer data—that’s over 81 million alerts—to see how CVSS scores changed between versions 3.1 and 4.0. The data gives more weight to the most commonly used packages and, in turn, gives us a better picture of how these score changes affect application security practitioners in the real world.
Alert % over 7.0 (High and Critical)
CVSS 3.1: 53 percent
CVSS 4.0: 63 percent
If you only care about high and critical CVEs, CVSS 4.0 gives you more to care about. 63 percent of SCA alerts are for high or critical CVEs when using CVSS 4.0 scores, versus 53 percent when using version 3.1 scores.
The average CVSS score across all customer alerts went up by nearly 0.8. While this may not sound like a giant number, it was enough to move a large number of CVEs over the line into the next severity level. When CVSS 4.0 was released, the general understanding within the application security community seemed to be that scores would go down overall, but we’re not sure where that idea came from. We saw an almost 10 percent decrease in the average score of CVEs that were rated critical under CVSS 3.1 when they were re-rated under CVSS 4.0. That would be good news if we didn’t see roughly equal or greater increases across all of the other severity levels.
Using CVSS 4.0 scores results in 27 percent more critical-severity alerts and 18 percent more high-severity alerts than using CVSS 3.1. If you’re prioritizing vulnerabilities only by CVSS scores, CVSS 4.0 will definitely add more CVEs to your list of vulnerabilities to address ASAP.
Final thoughts
CVSS 4.0 base scores may be higher but your actual risk hasn’t changed. Following CVSS 4.0 will make you less likely to miss that exploitable medium CVE (because it’s a “high” now) but more likely to add more vulnerabilities to your high and critical list in general.
The clear takeaway here is that when we’re talking about actual risk, using only CVSS scores of any version to prioritize remediation isn’t the best way forward. Instead, look at reachability, whether or not a CVE has been exploited in the wild, and the likelihood of exploitation via EPSS scores.
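The two ideas above (how a score shift moves alerts across the severity line, and why reachability, in-the-wild exploitation and EPSS should outrank the base score) can be made concrete in a few lines. The following is an added example and not code from Mend.io or this post: it uses the qualitative severity bands that both the CVSS 3.1 and 4.0 specifications define (Low below 4.0, Medium below 7.0, High below 9.0, Critical at 9.0 and above), a constructed set of alerts with placeholder CVE identifiers and invented scores, and an assumed set of per-alert signals (an EPSS probability, an "exploited in the wild" flag such as a CISA KEV listing, and an SCA reachability flag). It computes the share of alerts at High or above under each version, the mean score change, how many alerts moved up a band, and then contrasts a CVSS-only ranking with one that puts exploitability first.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


def severity(score: float) -> str:
    """Qualitative band shared by the CVSS v3.1 and v4.0 specifications."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Alert:
    cve: str
    cvss31: float
    cvss40: float
    epss: float        # assumed: EPSS probability (0..1) of exploitation in the next 30 days
    in_kev: bool       # assumed: known exploited in the wild (e.g. a CISA KEV listing)
    reachable: bool    # assumed: SCA reachability says the vulnerable code path is called


# Constructed sample data: the CVE ids are placeholders and every score is invented.
SAMPLE_ALERTS: List[Alert] = [
    Alert("CVE-0000-0001", 9.8, 9.3, 0.020, False, False),  # critical, but not reachable
    Alert("CVE-0000-0002", 6.5, 7.1, 0.450, True, True),    # medium -> high; exploited + reachable
    Alert("CVE-0000-0003", 7.5, 8.7, 0.010, False, False),
    Alert("CVE-0000-0004", 5.3, 6.9, 0.080, False, True),
    Alert("CVE-0000-0005", 8.8, 9.2, 0.120, False, True),   # high -> critical
    Alert("CVE-0000-0006", 4.3, 5.3, 0.003, False, False),
]


def share_high_or_critical(alerts: List[Alert], version: str) -> float:
    """Fraction of alerts scored 7.0 or above under '3.1' or '4.0'."""
    attr = {"3.1": "cvss31", "4.0": "cvss40"}[version]
    return sum(getattr(a, attr) >= 7.0 for a in alerts) / len(alerts)


def mean_score_delta(alerts: List[Alert]) -> float:
    """Average change in base score when moving from 3.1 to 4.0."""
    return mean(a.cvss40 - a.cvss31 for a in alerts)


def band_shifts(alerts: List[Alert]) -> Dict[str, int]:
    """How many alerts moved up, stayed, or moved down a severity band."""
    order = ["None", "Low", "Medium", "High", "Critical"]
    counts = {"up": 0, "same": 0, "down": 0}
    for a in alerts:
        d = order.index(severity(a.cvss40)) - order.index(severity(a.cvss31))
        counts["up" if d > 0 else "down" if d < 0 else "same"] += 1
    return counts


def rank_by_cvss(alerts: List[Alert]) -> List[str]:
    """The naive queue: highest CVSS 4.0 base score first."""
    return [a.cve for a in sorted(alerts, key=lambda a: a.cvss40, reverse=True)]


def rank_by_risk(alerts: List[Alert]) -> List[str]:
    """Exploited-in-the-wild and reachable code outrank any base score;
    EPSS breaks ties among the rest, and CVSS is only the final tie-breaker."""
    key = lambda a: (a.in_kev, a.reachable, a.epss, a.cvss40)
    return [a.cve for a in sorted(alerts, key=key, reverse=True)]


if __name__ == "__main__":
    for v in ("3.1", "4.0"):
        print(f"CVSS {v}: {share_high_or_critical(SAMPLE_ALERTS, v):.0%} of alerts >= 7.0")
    print("mean score delta:", round(mean_score_delta(SAMPLE_ALERTS), 2))
    print("band shifts:", band_shifts(SAMPLE_ALERTS))
    print("CVSS-only order:", rank_by_cvss(SAMPLE_ALERTS))
    print("risk order:     ", rank_by_risk(SAMPLE_ALERTS))
```

On the constructed data the CVSS-only queue starts with the unreachable critical (the wheel-spinning case described earlier), while the risk-based queue starts with the medium-turned-high CVE that is both exploited in the wild and reachable. Swap the sample list for your SCA export and the same functions reproduce the kind of before/after comparison this post reports.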
When we’re talking about compliance… if you have the option of choosing which specific version of CVSS your SLAs ride on, you might want to choose 3.1.
*** This is a Security Bloggers Network syndicated blog from Mend authored by Lisa Haas. Read the original post at: https://www.mend.io/blog/cvss-3-1-vs-cvss-4-0-a-look-at-the-data/