CVE Maintenance

On a monthly basis, the master development branch of StarlingX is scanned for CVEs, and the generated reports are reviewed by the Security team.

For CVEs that meet the StarlingX CVE Fix Criteria Policy documented below, fixes are provided in the StarlingX master branch.

For Debian-based versions of StarlingX release 8.0:

  • The third-party tool Vulscan is used to scan for CVEs, providing an unbiased view of vulnerabilities

  • CVSS v3 base scores and base metrics are used in the CVE fix criteria

  • The CVE Fix Criteria Policy is:

    • Main Fix Criteria (all of the following must hold)

      • CVSS v3 Base score >= 7.0

      • Base Metrics have all of the following values:

        • Attack Vector: Network

        • Attack Complexity: Low

        • Privileges Required: None or Low

        • Availability Impact: High or Low

        • User Interaction: None

      • A correction is available upstream

    • OR, the CVE has HIGH visibility and a correction is available upstream

For older CentOS-based versions of StarlingX:

  • CVSS v2 base scores and base vectors are used in the CVE fix criteria

  • The CVE Fix Criteria Policy is:

    • Main Fix Criteria (all of the following must hold)

      • CVSS v2 Base score >= 7.0

      • Base Vector has all of the following values:

        • Access Vector: Network

        • Access Complexity: Low

        • Authentication: None or Single

        • Availability Impact: Partial or Complete

      • A correction is available upstream

    • OR, the CVE has HIGH visibility and a correction is available upstream
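As an added illustration, not StarlingX's own tooling: a Python triage helper that parses CVSS v2 and v3.x vector strings and applies both fix-criteria policies above (v3 for the Debian-based releases, v2 for the CentOS-based ones) to a list of scan findings. The Finding record layout, the CVE identifiers (CVE-0000-xxxx), package names and the "upstream fix available" / "high visibility" flags are placeholders constructed for the example; real scanner exports carry different fields. The base score is taken as reported by the scanner rather than recomputed from the vector.

```python
"""Apply the StarlingX CVE fix criteria to CVSS v2 / v3.x scan findings.

Added example; not part of the StarlingX project. Sample findings below are
constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass

SCORE_THRESHOLD = 7.0

# CVSS v3 base-metric values the policy requires (Debian-based releases).
# Every listed metric must take one of the allowed values.
V3_REQUIRED = {
    "AV": {"N"},        # Attack Vector: Network
    "AC": {"L"},        # Attack Complexity: Low
    "PR": {"N", "L"},   # Privileges Required: None or Low
    "UI": {"N"},        # User Interaction: None
    "A":  {"H", "L"},   # Availability Impact: High or Low
}

# CVSS v2 base-vector values the policy requires (CentOS-based releases).
V2_REQUIRED = {
    "AV": {"N"},        # Access Vector: Network
    "AC": {"L"},        # Access Complexity: Low
    "Au": {"N", "S"},   # Authentication: None or Single
    "A":  {"P", "C"},   # Availability Impact: Partial or Complete
}


def parse_vector(vector: str) -> tuple[int, dict[str, str]]:
    """Return (major version, {metric: value}) for a CVSS vector string.

    v3.x vectors carry a 'CVSS:3.0' / 'CVSS:3.1' prefix; v2 vectors in NVD
    style do not, e.g. 'AV:N/AC:L/Au:N/C:P/I:P/A:P'.
    """
    parts = vector.strip().split("/")
    if parts[0].startswith("CVSS:3"):
        version, body = 3, parts[1:]
    elif parts[0].startswith("CVSS:"):
        raise ValueError(f"unsupported CVSS version in {vector!r}")
    else:
        version, body = 2, parts
    metrics: dict[str, str] = {}
    for part in body:
        if ":" not in part:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        key, value = part.split(":", 1)
        metrics[key] = value
    return version, metrics


def meets_main_criteria(score: float, vector: str, upstream_fix: bool) -> bool:
    """Main Fix Criteria: score >= 7.0 AND all required metric values AND upstream fix."""
    version, metrics = parse_vector(vector)
    required = V3_REQUIRED if version == 3 else V2_REQUIRED
    metrics_ok = all(metrics.get(k) in allowed for k, allowed in required.items())
    return score >= SCORE_THRESHOLD and metrics_ok and upstream_fix


def must_fix(score: float, vector: str, upstream_fix: bool,
             high_visibility: bool = False) -> bool:
    """Full policy: main criteria OR (high visibility AND upstream fix)."""
    if not upstream_fix:        # both branches require an upstream correction
        return False
    return high_visibility or meets_main_criteria(score, vector, upstream_fix)


@dataclass
class Finding:
    cve: str            # placeholder identifier, constructed for the example
    package: str
    score: float
    vector: str
    upstream_fix: bool
    high_visibility: bool = False


def triage(findings: list[Finding]) -> list[str]:
    """Return the CVE ids that the policy says must be fixed, in input order."""
    return [f.cve for f in findings
            if must_fix(f.score, f.vector, f.upstream_fix, f.high_visibility)]


# Constructed sample scan output (not real CVEs or packages).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "libexample", 9.8,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True),
    Finding("CVE-0000-0002", "exampled", 7.5,          # UI:R and A:N fail the metrics
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", True),
    Finding("CVE-0000-0003", "localtool", 7.8,         # AV:L fails the metrics
            "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", True),
    Finding("CVE-0000-0004", "netsvc", 5.3,            # below 7.0, but HIGH visibility
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", True, high_visibility=True),
    Finding("CVE-0000-0005", "legacylib", 7.5,         # CentOS-era v2 vector
            "AV:N/AC:L/Au:N/C:P/I:P/A:P", True),
    Finding("CVE-0000-0006", "oldsvc", 10.0,           # no upstream correction yet
            "AV:N/AC:L/Au:N/C:C/I:C/A:C", False),
]

if __name__ == "__main__":
    for cve in triage(SAMPLE_FINDINGS):
        print("fix required:", cve)
```

The two policy branches are evaluated separately so that a finding can be traced back to the reason it was selected: a high-visibility CVE below the 7.0 threshold (CVE-0000-0004 above) is picked up by the visibility branch, while a critical finding with no upstream correction (CVE-0000-0006) is deferred by both branches until a fix exists.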