Since March 2016 patch day, SAP has started to publish CVSS Base scores in security notes based on CVSS version 3.0 standard. As a result of complete adoption of CVSS version 3.0, including recommended prioritization, security notes that were classified as ‘High’ in version 2.0 may now be classified as ‘Medium’. Customers are strongly advised to review their internal guidelines to IT teams in interpreting and analyzing the note priorities released by SAP.
Adoption of CVSS version 3.0 in SAP:
Across all (almost) vulnerability types, SAP expects a slight increase in CVSS Base Scores in version 3.0, compared to version 2.0. The CVSS version 3.0 documentation includes a list of comparisons of public vulnerabilities scored via CVSS version 2 and version 3.0. Listed below are some reasons for these differences in my opinion.
The version 3.0 standard provides a comprehensive assessment of potential risks associated with a vulnerability with more factors to consider than the CVSS version 2 standard. For example, most cross-site scripting (XSS) vulnerabilities, when exploited allows an attacker to inject and run malicious code in victim's browser. CVSS version 2 does not have a way to capture the change in impact from the vulnerable web server to the impacted browser. In version 3.0, the Scope metric allows us to assess the impact to the browser where a differentiation is made between vulnerable component and impacted component. A typical XSS vulnerability has a base score of 4.3 in version 2 whereas a base score of 6.1 is assigned in version 3.0.
Overall, SAP expects version 3.0 Base scores to be higher than CVSS version 2, but bear in mind that CVSS version 2 scores are always relative to the "target host operating system", whereas version 3.0 scores are relative to the vulnerable component, or the impacted component if there is a scope change. In other words, CVSS version 3.0 will provide a better indication of the relative severity of vulnerabilities because it better reflects the true impact of the vulnerability being rated in software components.
Why SAP provides only CVSS version 3 Base score in security notes?
The CVSS scores provided by SAP in security notes are CVSS Base scores. SAP does not provide Temporal or Environmental score for vulnerabilities fixed in the security notes. We believe the Temporal score would have limited value to customers where two of the three factors affecting the Temporal score would never change (The Remediation Level would always be "Official Fix", and the Report Confidence would always be "Confirmed"). Further, the third factor (Exploit code maturity) would be “Proof of Concept” in most cases. As a result, Base score deducted by a constant value of 0.7 (based on the above values) would always be the Temporal score. For example, a Base score of 7.0 will always yield to a Temporal score of 6.3. Finally, SAP cannot compute the Environmental Score because this score is specific to the customers' environment (about which SAP has no or very little insight).
Does SAP publish CVSS version 3.0 scores for all security notes released?
Starting from March 2016 patch day, All ‘patch day notes’ will carry CVSS version 3.0 Base scores. However, in extraordinary situations (like 0-day disclosures), the security note priority may be escalated to 'Very High' (Hot News) irrespective of the CVSS version 3.0 Base metric score.
For more information:
The CVSS version 3.0 documents are available online on FIRST’s website at https://www.first.org/cvss
Related blog posts:
Introduction to CVSS. How SAP uses it?
Changes to CVSS in version 3.0
