Critical vs Critical, understanding the difference?

The CVSS scores rate those of 9.0 and up to be critical, whereas the patch impacts have shown critical with CVEs of scores much lower (I have seen 7.7 as the highest for an old patch, never mind all the newer ones that don't have scores yet, or don't even show any CVEs).
It appears that 'Patch Impacts' of Critical only means there is a CVE assigned to it, without regard to the actual rating of that CVE (never mind factoring in KEV yet).
Could   or others confirm that understanding for me?  Perhaps we should update the help text for 'critical'?

This leads to some communications challenges between the security focused and those handling workstation management.

How do others handle this notable discrepancy, given that insurance tends to prioritize those with a CVSS of 9.0+ as needing to be patched within days, vs the lesser ones, which can be later (weeks)?

I have a dashboard dashlet of CVEs sorted by Most Severe/CVSS score, and use that to crack the whip the best I can (Internal is overly conflict-avoidant, so getting restarts done to finish patches is such a challenge, and I as external can only do so much).

________________________

Andy of KonecnyConsulting.ca in Toronto
Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • 0  

    Verifying a few things.....

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • Suggested Answer

    0  

    The Impact rating of Critical or Recommended typically refers to whether the patch is a security patch or a non-security patch, with security patches being rated Critical and non-security patches being rated Recommended, as shown in the Content Report document I linked.

    CVSS score is separate from the Impact rating. It rates the severity of the vulnerability, as some vulnerabilities may have a greater impact or may be more exploitable. The vulnerability may require one or more patches to resolve it, most of which are likely to be security (Critical) patches.

    In general, if a Patch administrator applies Critical patches on a regular maintenance schedule he’ll take care of most CVEs. Likewise, if a CVE comes in, he can use its CVSS score (Low, Medium, High, Critical) to determine if he should apply the patches before his next maintenance cycle.

    https://www.microfocus.com/documentation/zenworks-resources/ZENworksPatchManagementContentReport_AdvancedPatchFeed.pdf

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0   in reply to   

    So clearly our currently available method to meet escalated priority for those panic, 'patch now' problems is all manual. There must be a better way, automatable even, hence... an Idea is born and is looking for support to grow up to become a feature.
    I have also commented on the docs, which should include part of that clip you provided.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • 0   in reply to   

    I'm not sure why you would need anything manual. Most just add All Critical Patches to the policy. Make sure it auto-approves in short order. Most don't have teams dedicated to truly testing patches, so they generally keep the auto-approval time low and with a low patch age. Usually at least a day, since the worst of the worst patch releases will get pulled in that frame. Be willing to annoy your users and force them to patch/reboot if those on high deem it a priority. Some check on every refresh... some check once a month...

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0   in reply to   

    Automating too many reboots does not fly for most businesses.

    Given the increasing rate of patches that have a nod at security (so that ZPM considers them 'critical') and need restarts, many businesses want to keep the system restarts to a dull roar and are content with a weekly window, but apparently random restarts happening during the week are reserved for the truly critical, such as CVEs with a CVSS of over 9.0. Tools that can't manage that simple requirement are likely to get replaced, as IT is the tail, not the dog.

    Currently, ZPM can only manage that manually, as ZPM's patch "critical" is neither business critical nor general InfoSec critical (I have a Discord chat going on this topic (vendor names withheld) at the moment, with a comment from someone on this topic of "Sounds like willful ignorance to me...").

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.
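As an added illustration (not code from this thread, from ZENworks, or from Micro Focus) of the distinction the Suggested Answer draws and the scheduling rule described in the last reply: the ZPM "Critical" impact label only says a patch is a security patch, so the patch window here is derived from the highest CVSS score among the patch's CVEs and from KEV membership instead. The patch records, CVE ids, scores, KEV entry and the day thresholds are constructed placeholder values, and the data layout is an assumption rather than any ZPM export format.

```python
from dataclasses import dataclass, field

@dataclass
class Patch:
    name: str
    impact: str                # ZPM impact label: "Critical" (security) or "Recommended" (non-security)
    cves: dict = field(default_factory=dict)   # CVE id -> CVSS base score, None if not yet scored

# Assumed policy windows in days (not ZPM defaults): out-of-band for CVSS >= 9.0 or KEV, weekly otherwise, monthly for non-security.
IMMEDIATE_DAYS, WEEKLY_DAYS, MONTHLY_DAYS = 2, 7, 30

def cvss_rating(score):
    """CVSS v3.x qualitative rating for a base score (None = not yet scored)."""
    if score is None:
        return "Unscored"
    bands = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))
    return next((label for floor, label in bands if score >= floor), "None")

def patch_window(patch, kev):
    """Return (window_days, highest_cvss, reason); urgency comes from CVSS/KEV, not the impact label."""
    if patch.impact != "Critical":
        return MONTHLY_DAYS, 0.0, "non-security (Recommended)"
    scored = [s for s in patch.cves.values() if s is not None]
    top = max(scored, default=0.0)
    kev_hits = sorted(c for c in patch.cves if c in kev)
    if kev_hits:
        return IMMEDIATE_DAYS, top, "in KEV: " + ", ".join(kev_hits)
    if top >= 9.0:
        return IMMEDIATE_DAYS, top, f"CVSS {top} ({cvss_rating(top)})"
    why = f"CVSS {top} ({cvss_rating(top)})" if scored else "security patch, CVEs not yet scored (re-check)"
    return WEEKLY_DAYS, top, why

def triage(patches, kev):
    """Most urgent first: shortest window, then highest CVSS, then name; rows are (days, name, cvss, reason)."""
    rows = []
    for p in patches:
        days, top, why = patch_window(p, kev)
        rows.append((days, p.name, top, why))
    rows.sort(key=lambda r: (r[0], -r[2], r[1]))
    return rows

# Constructed sample data: CVE ids, scores and the KEV entry are placeholders, not real records.
SAMPLE_KEV = {"CVE-0000-0001"}
SAMPLE_PATCHES = [
    Patch("Browser update", "Critical", {"CVE-0000-0001": 7.5, "CVE-0000-0002": 6.1}),
    Patch("OS cumulative", "Critical", {"CVE-0000-0003": 9.8}),
    Patch("Runtime hotfix", "Critical", {"CVE-0000-0004": 7.7}),
    Patch("Driver pack", "Critical", {"CVE-0000-0005": None}),
    Patch("Office feature update", "Recommended"),
]
```

Running `triage(SAMPLE_PATCHES, SAMPLE_KEV)` puts the 9.8 and the KEV-listed patch in the 2-day bucket, the 7.7 and the unscored security patch in the weekly window, and the Recommended patch in the monthly one, which is the ordering a dashlet sorted only by the impact label cannot give.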