
HPE Security Notice HPSN-2008-002 rev.2 - CVSS Scoring Implementation in HPE Security Bulletins

SUPPORT COMMUNICATION - CUSTOMER NOTICE

Document ID: c01345499


NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2008-02-04

Last Updated: 2016-06-23


DESCRIPTION

The Common Vulnerability Scoring System (CVSS) is an industry standard for rating computer system software security vulnerabilities. This standard attempts to establish a numeric measure that represents the severity of the vulnerability. The resulting CVSS ‘score’ is based on an expert assessment of a series of metrics.

DETAILS

Overview:

Hewlett Packard Enterprise uses the Common Vulnerability Scoring System (CVSS) version 2 and will begin using version 3 as a standard for communicating the impact of security vulnerabilities in the software products sold and supported by HPE.

HPE Security Bulletins will provide the CVSS Base Score Metrics and actual Base Score for software vulnerabilities when and where applicable.

The CVSS Base Score represents the intrinsic and fundamental characteristics of the vulnerability that are typically constant over time and user environments.

NOTE: The CVSS scores are assessed by HPE product engineering and PSRT based on the complete product architecture including deployment and utilization details. HPE recommends that customers consider the CVSS scoring provided by HPE Security Bulletins as the authoritative source for HPE products.

Discussion:

The CVSS v3.0 Base Score Metrics consist of the following:

  • Exploitability Metrics

    • Attack Vector (AV)
    • Attack Complexity (AC)
    • Privileges Required (PR)
    • User Interaction (UI)
  • Scope

    • Scope (S)
  • Impact Metrics

    • Confidentiality impact: ConfImpact (C)
    • Integrity impact: IntegImpact (I)
    • Availability impact: AvailImpact (A)

The resulting Base Score Metrics are provided in each applicable Security Bulletin as a vector of the following form:

CVSS:3.0/AV:x/AC:x/PR:x/UI:x/S:x/C:x/I:x/A:x

The CVSS v3 scoring system calculator and other CVSS information are available at this URL:

The CVSS v2.0 Base Score Metrics consist of the following:

  • Exploitability Metrics

    • Related exploit range: AccessVector (AV)
    • Attack complexity: AccessComplexity (AC)
    • Level of authentication needed: Authentication (Au)
  • Impact Metrics

    • Confidentiality impact: ConfImpact (C)
    • Integrity impact: IntegImpact (I)
    • Availability impact: AvailImpact (A)

The resulting Base Score Metrics are provided in each applicable Security Bulletin as a vector of the following form:

(AV:x/AC:x/Au:x/C:x/I:x/A:x)

The CVSS v2 scoring system calculator and other CVSS information are available at this URL:

References:

For questions about the CVSS scoring for a particular HPE product vulnerability, please contact the HPE Product Security Response Team (PSRT) by sending email to security-alert@hpe.com

For additional and more detailed information on CVSS, please see the Forum for Incident Response and Security Teams (FIRST) documents:

HISTORY
Version: 1 (rev.1) - 04 February 2008 Initial release
Version: 2 (rev.2) - 23 June 2016 Added CVSS v3.0 information

Source: Hewlett Packard Enterprise, HPE Product Security Response Team
To contact the HPE Product Security Response Team (PSRT) send email to: security-alert@hpe.com


Hardware Platforms Affected: Not Applicable
Components Affected: Not Applicable
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Third Party Products Affected: Not Applicable
Support Communication Cross Reference ID: IA01345499
©Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
