The Priority field on the CVE pages at http://people.ubuntu.com/~ubuntu-security/cve/CVE-XXXX

At http://people.ubuntu.com/~ubuntu-security/ the security patches for packages are published and linked to the corresponding Mitre CVE.

I just want to know how the "Priority" is set. For example, an exploit in the jdk package has a CVSS v2 base score of 10.0 (link to the NVD entry here), but from Ubuntu's point of view its priority is only "medium", while Heartbleed, with a CVSS v2 base score of 5.0, has "high" priority.

Is this priority field simply the result of manual investigation, or am I mixing something up?

Answer 1

There is also the consideration of install base and usage. Bash is present on nearly every Ubuntu install and is the core of a huge number of scripts, while Java ... is not. I would take a bash vulnerability more seriously than a Java vulnerability any day. (And from what one hears, Java vulnerabilities come up every now and then.)

The Security Team wiki links to the CVE Tracker's README, which describes the priorities:

negligible        Something that is technically a security problem, but is
                  only theoretical in nature, requires a very special
                  situation, has almost no install base, or does no real
                  damage.  These tend not to get backport from upstreams,
                  and will likely not be included in security updates unless
                  there is an easy fix and some other issue causes an update.

low               Something that is a security problem, but is hard to
                  exploit due to environment, requires a user-assisted
                  attack, a small install base, or does very little damage.
                  These tend to be included in security updates only when
                  higher priority issues require an update, or if many
                  low priority issues have built up.

medium            Something is a real security problem, and is exploitable
                  for many people.  Includes network daemon denial of service 
                  attacks, cross-site scripting, and gaining user privileges.
                  Updates should be made soon for this priority of issue.

high              A real problem, exploitable for many people in a default
                  installation.  Includes serious remote denial of services,
                  local root privilege escalations, or data loss.

critical          A world-burning problem, exploitable for nearly all people
                  in a default installation of Ubuntu.  Includes remote root
                  privilege escalations, or massive data loss.

In this case, Shellshock is a bug that affects software in the default installation (bash). Hence it has high priority.

As far as I know, the priorities are set by people during bug triage
