Venafi Vulnerability Severity Ratings
Venafi strives to provide customers with a software platform free of security vulnerabilities and issues; however, the identification of vulnerabilities over time is inevitable. Once an issue is identified, we work to provide our customers with timely remediation steps or security-related patches to the Venafi platform to correct these issues. The details of a security vulnerability may not be disclosed if Venafi believes that disclosing the specific vulnerability would increase the risk to customers who need time to install and test the security patches provided by Venafi. To better assist our customers in understanding the severity of vulnerabilities so that they can prioritize the installation of patches, Venafi classifies security vulnerabilities into five vulnerability severity ratings based on industry-wide terminology.
Issues rated Critical or High severity are released in the next available patch version cycle, prioritized by the Patching and Security teams. Because of the complexity and range of issue types, the timing of each finding and patch release varies.
The terminology and application of the vulnerability severity ratings are designed for software issues determined to be of a security nature or impacting the security of the Venafi platforms and supporting infrastructure.
The vulnerability severity ratings, in order of importance, are:
Critical
High
Medium
Low
Informational
Vulnerability severity ratings are provided as a baseline for determining the severity and impact of a specific issue identified by Venafi. Venafi will always err on the side of a higher severity rating, given the sensitive nature of the platform and the data it handles. In cases where a security patch includes fixes for multiple security vulnerabilities, the patch is classified according to the highest-rated vulnerability it contains.
The following section describes each vulnerability severity rating, the method for determining a vulnerability's severity rating, and examples that illustrate each type of vulnerability.
Critical vulnerabilities result in a complete compromise of the infrastructure, host, or application, an impact to the availability of resources, or disclosure of sensitive secrets in the architecture. Critical vulnerabilities can be exploited remotely, usually without prior authentication to the system. They can be exploited with relative ease or low technical ability, or have the potential to be fully automated once a viable exploit has been created.
Vulnerabilities classified with a High severity rating are those that can have a significant impact on the operational integrity of the architecture, but require either a high level of technical expertise or intrinsic knowledge of the system to exploit. High severity vulnerabilities usually have mitigating controls in place, such as requiring an existing account on the system or application for successful exploitation. High severity vulnerabilities are typically remotely exploitable.
Medium severity vulnerabilities are issues that require an exceptional level of technical expertise to exploit successfully, affect a limited number of users (usually resulting in information disclosure), or provide attackers with information about the architecture that would not normally be available through normal system usage or documentation. Vulnerabilities classified as Medium may also include denial of service vulnerabilities that affect an isolated number of deployments with specific architectures and edge-case needs. Medium vulnerabilities may be remotely or locally exploitable.
Vulnerabilities classified with a Low severity rating usually result in information disclosure about users or the application architecture that does not compromise sensitive information about the system. Low severity issues can include things like the retrieval of user groups, supported web service modules, or host names. Issues in this category can most often be used to determine specific information about the architecture without providing a direct means of attack against the system. Vulnerabilities that can only be exploited by a trusted entity, such as a system administrator or other power user, may receive a Low severity classification depending on the nature of the issue.
Informational vulnerabilities provide specific bits of information to the end user that were not designed to be released, yet have no specific security impact on the application, host, or environment. Informational vulnerabilities can give attackers additional information about the operational environment, but rarely result in further compromise of information or resources.