When a vulnerability scanner such as QualysGuard reports its results, it includes mitigation recommendations. These recommendations are necessarily incomplete; for example, the scanner cannot know about any constraints you have placed on network access or traffic, such as access control lists. A vulnerability scanner can only report what it sees, and the remediation and mitigation measures it suggests help clarify what it is reporting.
Nonetheless, suggested remediation measures should not be misleading. If, for example, a vulnerability in OpenSSH is detected, a simple recommendation such as “upgrade to OpenSSH 3.6.2 (or later)” would be incorrect for any Linux distribution that includes OpenSSH. Instead, the recommendation should be “install the vendor update or upgrade to OpenSSH 3.6.2 (or later).” That is, you should install the operating system vendor’s update unless you have a very good reason not to. The reason is a vendor practice known as “back porting,” which proceeds as follows:
- A patch for the vulnerability is made available.
- The operating system vendor (such as Red Hat) incorporates the patch into their maintenance release, assigning a product number such as 3.6.1.7.
- The open source product (such as OpenSSH) incorporates the patch into its release (such as 3.6.2).
In this way, an operating system will often include a patched version of an open source product with a lower version number than the patched version of the general product. Following a vulnerability scanner’s recommendation to upgrade to OpenSSH 3.6.2 (or later) would introduce maintenance issues that hamper your ability to incorporate future patches. While you could install the general product, the operating system vendor’s update is a managed update: once you introduce component variation, the vendor will have difficulty supporting you, and you will have difficulty incorporating future patches.
Thank the vulnerability scanner for bringing the vulnerability to your attention. Use the CVE number of the vulnerability to learn when the operating system vendor incorporated the patch; the vendor’s web site or the CVE website (https://cve.mitre.org/) can provide that information. Base your remediation decision on the operating system vendor’s component version, not the general product version.
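The decision above can be automated once the vendor's advisory data is at hand. The following is an added example (not from the original post or from any scanner vendor) that compares the installed vendor package version against the vendor's first fixed version for a CVE, falling back to the upstream version only when no vendor data exists. The CVE identifier, the advisory table and the version numbers are constructed sample values.

```python
"""Decide whether a scanner finding is already covered by a vendor backport."""
import re
from dataclasses import dataclass

_TOKEN = re.compile(r"\d+|[a-zA-Z]+")


def version_key(version: str):
    """Split '3.6.1p2-7' into comparable tokens.

    Numeric tokens compare as integers; alphabetic tokens compare as strings;
    a numeric token sorts after an alphabetic one (rpm-like semantics).
    """
    return [(1, int(t)) if t.isdigit() else (0, t) for t in _TOKEN.findall(version)]


def is_at_least(installed: str, fixed: str) -> bool:
    """True when the installed version is the fixed version or newer."""
    return version_key(installed) >= version_key(fixed)


# Constructed sample of vendor advisory data: CVE -> package -> first fixed
# vendor version. The CVE id is a placeholder, not a real identifier.
VENDOR_FIXES = {
    "CVE-YYYY-NNNN": {"openssh": "3.6.1.7"},
}


@dataclass
class Finding:
    cve: str
    package: str
    installed: str        # version reported by the vendor package
    upstream_fixed: str   # version named in the scanner's recommendation


def assess(finding: Finding, vendor_fixes=VENDOR_FIXES) -> str:
    """Return a remediation decision, preferring the vendor's fixed version."""
    vendor_fixed = vendor_fixes.get(finding.cve, {}).get(finding.package)
    if vendor_fixed is None:
        # No vendor data: only the upstream version can be compared, and a
        # lower installed version is inconclusive rather than vulnerable.
        if is_at_least(finding.installed, finding.upstream_fixed):
            return "fixed-upstream"
        return "unknown-check-vendor-advisory"
    if is_at_least(finding.installed, vendor_fixed):
        return "fixed-by-vendor-backport"
    return "install-vendor-update"


if __name__ == "__main__":
    finding = Finding("CVE-YYYY-NNNN", "openssh", "3.6.1.7", "3.6.2")
    print("naive upstream comparison:", is_at_least(finding.installed, finding.upstream_fixed))
    print("vendor-aware decision:", assess(finding))
```

Run stand-alone, the naive comparison reports the backported package as vulnerable while the vendor-aware decision reports it as fixed.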
There are many examples of mitigation recommendations which could be clearer. I began assembling them into a Microsoft Word document, “Vulnerability Remediation Synopsis.docx”. It is not complete, but may be of value to anyone reviewing mitigation measures.
Use a tool to plan the remediation work. See, for example, Threadfix.