Common Vulnerability Scoring System v4.0 Summary:

Cyber Security Threat Summary:
FIRST, the Forum of Incident Response and Security Teams, will release this week version 4.0 of the Common Vulnerability Scoring System (CVSS). CVSS is an open framework that allows organizations and researchers to communicate specific characteristics and severities of software vulnerabilities. CVSS consists of four metric groups, Base, Threat, Environmental, and Supplemental, which FIRST says, “represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Threat group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment.”

Using CVSS, users are able to determine the severity of specific vulnerabilities by leveraging a score ranging from 0 to 10. It is important to note that CVSS is used to determine severity not risk to an organization. So users of CVSS, will need to determine how a vulnerability impacts software in their own environment, to determine the overall risk.

Security Officer Comments:
Some notable changes in CVSS v4.0 include:

    The CVSS Specification Document and User Guide have been updated with additional guidance to help CVSS analysts produce resulting severity scores that are consistent and defensible across various situations that were previously considered ambiguous. The concept of Scope has been replaced with the concepts of a vulnerable system (VC, VI, VA) and a subsequent system (SC, SI, SA), capturing impacts from both, where relevant. New guidance explains how to assess the impact of a vulnerability in a library. Guidance explicitly allows multiple CVSS Base Scores to be generated for a vulnerability that affects multiple product versions, platforms, and/or operating systems. The Environmental Metric Group includes three Security Requirement metrics: Confidentiality Requirement of the vulnerable system (CR), Integrity Requirement of the vulnerable system (IR), and Availability Requirement of the vulnerable system (AR). The User Interaction Base Metric has been updated to allow for additional granularity when considering the interaction of a user with a vulnerable component
    • None (N): The vulnerable system can be exploited without interaction from any human user, other than the attacker.
    • Passive (P): Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable component and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable component.
    • Active (A): Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable component and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability.
    Temporal renamed to the Threat Metric Group
    Several changes were made to the Temporal Metric Group:
    • Temporal Metric Group renamed to Threat Metric Group
    • Remediation Level (usually O) and Report Confidence (usually C) retired
    • Exploit Code Maturity renamed Exploit Maturity
    • Enhanced impact for Threat Metric values
    The CVSS 4.0 Specification introduces Vulnerable System and Subsequent System concepts. A new, optional metric group called the Supplemental metric group provides new metrics that describe and measure additional extrinsic attributes of a vulnerability. The usage of each metric within the Supplemental metric group is determined by the scoring consumer. This contextual information may be used differently in each consumer’s environment.
To see the full list of changes, please refer to FIRST’s CVSS v4.0 User Guide.