Vulnerability Report
Issued August, 2019
Data as of July, 2019
1|Vulnerability Intelligence Copyright ©Risk Based Security, Inc. All rights reserved.
Key Findings
Risk Based Security’s VulnDB® team aggregated 11,092 newly-disclosed
vulnerabilities during the first half of 2019.
How Does 2019 Compare to Previous Years, So Far?
The first half of 2019, in the world of vulnerability disclosures and VulnDB, was mostly business as usual. As
researchers look to new technology to assess security weaknesses, vendors continue to patch incredible
numbers of vulnerabilities (e.g. Adobe disclosed 86 in their May release alone). In addition to monitoring the
common sources of disclosures, the VulnDB team has steadily broadened our coverage through our own
continuous improvement processes as well as by working closely with customers to better understand their
third-party dependencies.
Similar to the small dip in the last chart, June shows a dip in vulnerabilities largely due to the process of aggregating the information. As new sources of information are processed, the prior period (e.g. the month, in this case) will continue to grow.
Figure 2: The number of vulnerabilities disclosed by Q2 2019.
What This Means for You & CVE
How Bad Has 2019 Been?
The severity distribution of vulnerabilities in the first half of 2019, when looking at CVSSv2 scores, is on par with
prior years. In figures 5 and 6, one can see a bias in CVSS scoring causing certain ranges to be less frequent, for
example at 1.0 – 1.9 and 8.0 – 8.9.
While a significant number of organizations still use the venerable version 2 of the scoring standard, many are
considering a move to version 3. RBS has written an extensive blog series analyzing the pros and cons of each
version. As seen when we compare the two figures, there is an incredible disparity between the two versions of
CVSS.
Figure 5: The distribution of CVSSv2 severity in vulnerabilities disclosed by Q2.
Figure 6: The distribution of CVSSv3 severity in vulnerabilities disclosed by Q2.
With this view of CVSSv3 severity, we see that a considerable number of vulnerabilities are scored much higher
than version 2. For organizations that remediate primarily based on risk scoring, using CVSSv3 may cause a
considerably higher workload as they have to remediate many more vulnerabilities than if they were to use the
prior version.
What Did Vulnerabilities Look Like So Far in 2019?
Like every prior year, input manipulation remains the top cause for vulnerabilities. While it may seem an easy problem to tackle, summed up with “we’ll just sanitize input!”, it is often more complicated in practice. Many organizations still do not have a rigorous procedure for testing their source code for such issues despite many having an otherwise mature process.
view of the impact of the vulnerabilities disclosed. As usual, vulnerabilities impacting integrity, which range from cross-site scripting to SQL injection to remote code execution, dominate the landscape.
presence of an exploit. VulnDB breaks this out as a proof-of-concept (PoC), public exploit, private exploit, commercial exploit, whether the exploit has been used in known malicious activity, and whether the exploit status is unknown. With the heavy weighting toward higher risk scores when using CVSSv3, this additional metric gives organizations another way to better prioritize remediation.
Table 1 aims to show the levels of correlation between two classifications of a vulnerability. It can be read as
follows: what’s the probability of the classification in blue being true, given that the classification in green is true?
As a trivial example, the probability of a vulnerability being Remotely exploitable, given that it is known to be
Remotely exploitable, is 100% and colored darkest. More interestingly, the probability that a vulnerability will be
Context Dependent, for example, when we know it is Web related is 28%. Conversely, the probability that a
vulnerability will be Web related given that we know it’s Context Dependent is about twice as much (54%). In
this way, knowing that a vulnerability is Context Dependent means it’s more likely than not Web related, but the
same can’t be said of a vulnerability we know only to be Web related. In that case, it’s very likely to be Remote
and just as likely to involve Authentication as to be Context Dependent.
Table 1: Probability of a classification in the row being true of a vulnerability, given that the classification in the column is true of that vulnerability, by mid-year 2019.
In some cases, as in the relationship between Remotely exploitable and Unauthenticated vulnerabilities, one is
equally likely to be true given that the other is known to be true. In another case, we can be very sure that an
issue would require Authentication if it can only be exploited Locally, but an issue known to require
Authentication is only 42% likely to be only Locally exploitable. We can't presume to know everything about
your organization's vulnerabilities, but you can make assumptions about them based on what you do know and
act accordingly.
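As an added illustration of how Table 1 is read (this is not code from the report or from VulnDB), the following Python builds the same kind of P(row | column) matrix from per-vulnerability classification sets. The class names and the sample records are constructed assumptions; with them, P(Context Dependent | Web) and P(Web | Context Dependent) come out different, which is the asymmetry the text describes.

```python
"""Conditional-probability matrix in the style of the report's Table 1.

Added example, not from the RBS report: builds P(row | column) from
per-vulnerability classification sets and renders it as a text table.
"""
from collections import Counter
from itertools import product

CLASSES = ["Remote", "Local", "Context Dependent", "Web",
           "Authentication", "Unauthenticated"]

# Constructed sample: each set is the classification metadata attached to
# one hypothetical vulnerability record (not real VulnDB data).
SAMPLE_RECORDS = [
    {"Remote", "Web", "Unauthenticated"},
    {"Remote", "Web", "Unauthenticated"},
    {"Remote", "Web", "Authentication"},
    {"Remote", "Web", "Context Dependent", "Unauthenticated"},
    {"Remote", "Context Dependent", "Unauthenticated"},  # e.g. a file-parser bug
    {"Local", "Authentication"},
    {"Local", "Authentication"},
    {"Remote", "Unauthenticated"},
    {"Remote", "Web", "Context Dependent", "Unauthenticated"},
]


def conditional_matrix(records, classes=CLASSES):
    """Return {(row, col): P(row | col)}: the probability that the row
    classification is true of a vulnerability given that the column
    classification is true of it. Columns with no records yield 0.0."""
    single = Counter()  # records carrying each classification
    joint = Counter()   # records carrying both (row, col)
    for tags in records:
        single.update(tags)
        joint.update(product(tags, tags))
    return {(r, c): (joint[(r, c)] / single[c] if single[c] else 0.0)
            for r, c in product(classes, classes)}


def render(matrix, classes=CLASSES):
    """Plain-text table; rows and columns follow the order of `classes`."""
    width = max(len(c) for c in classes)
    lines = [" " * width + "".join(f"{c[:8]:>10}" for c in classes)]
    for r in classes:
        lines.append(f"{r:<{width}}" + "".join(f"{matrix[(r, c)]:>9.0%} " for c in classes))
    return "\n".join(lines)


if __name__ == "__main__":
    m = conditional_matrix(SAMPLE_RECORDS)
    print(render(m))
    print(f"P(Context Dependent | Web) = {m[('Context Dependent', 'Web')]:.0%}")
    print(f"P(Web | Context Dependent) = {m[('Web', 'Context Dependent')]:.0%}")
```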
Name                                                Rank  Vuln Count  Severity  Old Rank  Old Count  Old Sev.
Software in the Public Interest (Debian and more)      1         602      6.13         4        677      6.06
SUSE                                                   2         562      6.05         2        847      5.91
Oracle Corporation                                     3         533      5.77         3        777      6.06
IBM                                                    4         507      5.33         7        615      5.54
Microsoft                                              5         468      6.18         9        425      5.86
Canonical (Ubuntu)                                     6         443      6.18         6        634      6.29
Google                                                 7         347      6.78         1        910      7.20
Red Hat                                                8         341      5.95         5        649      5.83
Cisco                                                  9         335      5.99       >10        274      6.09
Adobe                                                 10         227      7.14       >10        154      6.91
Table 2: Top ten vendors for this year, as well as how their standings compare to last year, by mid-year 2019.
Table 3: All named/notable vulnerabilities that were disclosed in the first half of 2019.
The first half of 2019 gave us nine high-profile “named” vulnerabilities. Despite the naming and hype behind
some of them, the severity and risk is rather low. Over half of the named vulnerabilities have a CVSSv2 score
under 3.0. In contrast, two of these vulnerabilities have a score of 10.0, meaning full remote code execution
without user interaction is possible. This is a great reminder that news cycles and hype don’t mean the
vulnerability is critical, and that those news cycles may distract us from other higher risk vulnerabilities
disclosed the same day.
Closing Thoughts
“One of our clients operates nuclear power plants, while another writes
software used on a majority of desktops. The diversity in these two clients
and the software or hardware that is important to them is eye-opening.”
In the eight years RBS has been operating, our own database has evolved as we collaborate with our clients to
better understand what software is critical to them. As you can imagine, not all organizations have the same
concerns!
Vulnerability intelligence isn’t about collecting random disclosures and turning a blind eye to those who use it. It
is about collecting as many vulnerability reports as possible, and working with those who use that information
to better support their individual needs. We are thankful to our clients who take the time to share their stories
and needs, so we can better assist them.
One of the fundamental objectives of VulnDB is to expand our search methods and collect as many
vulnerabilities as possible, to provide our clients with the most comprehensive vulnerability intelligence
available, allowing them to determine which vulnerabilities are important to their organization.
While we maintain a curated list of over 3,000 sources that are monitored on an hourly, daily and weekly basis,
new sources are discovered and/or are brought to our attention every day. CVE on the other hand, issues CVE
IDs when requested by a vendor or researcher. Their mission is not to search for vulnerabilities like a
vulnerability intelligence company. Rather, they are charged with assigning IDs and keeping minimal records.
Why then do organizations, scanning companies, risk platforms, and security service providers continue to use
CVE/NVD as a vulnerability intelligence service and continue to insist that it is “good enough”? Who is best
served by this approach? Certainly not those organizations, government agencies and consumers victimized by
the increasing number of data breaches from exploited software vulnerabilities.
VulnDB counts only distinct vulnerabilities. Products sharing the same vulnerable codebase are considered only
one unique vulnerability. We do not consider vulnerabilities that affect multiple products as unique
vulnerabilities as some vulnerability databases do. To be clear, a vulnerability in a third-party library such as
OpenSSL is treated as one vulnerability within VulnDB. While additional products known to leverage OpenSSL
will be documented as affected by that vulnerability, the multiple products using and integrating that code do
not constitute additional unique vulnerabilities, and are not included in any VulnDB counts.
About VulnDB
VulnDB is the world’s most comprehensive, detailed and timely source of vulnerability intelligence and third-party library monitoring. It provides actionable intelligence about the latest in security vulnerabilities through
an easy-to-use SaaS portal, RESTful APIs, and e-mail alerting. Leveraging VulnDB is simpler than ever with our
connectors to Splunk, RSA Archer, ServiceNow, GitHub, Polarity, Brinqa, Device42, Recorded Future, and more.
No Warranty
Risk Based Security, Inc. makes this report available on an “As-is” basis and offers no warranty as to its accuracy,
completeness or that it includes all the latest vulnerabilities. The information contained in this report is general
in nature and should not be used to address specific security issues. Opinions and conclusions presented
reflect judgment at the time of publication and are subject to change without notice. Any use of the information
contained in this report is solely at the risk of the user. Risk Based Security, Inc. assumes no responsibility for
errors, omissions, or damages resulting from the use of or reliance on the information herein. If you have
specific security concerns please contact Risk Based Security, Inc. for more detailed data loss analysis and
security consulting services.