CVE vulnerability check

qbee.io can create an inventory of all installed libraries. This inventory is compared against the CVE entries in the NIST security database. Any possible vulnerabilities are shown with their corresponding score and a link to additional information. Some of this information is displayed on the main page for a quick and easy overview:

qbee-vulnerability-check-CVE-1

A more detailed analysis of CVE vulnerabilities in the system can be obtained in the device inventory tab and in the CVE menu itself. All installed libraries on the different target devices are constantly monitored against the CVE database. This way qbee can immediately warn users if new vulnerabilities are detected. Not all vulnerabilities are critical or relevant, so a rating score is applied to each one. This makes it possible to judge the severity quickly. In addition, reviewed vulnerabilities can be disabled or deleted. Disabling or deleting a CVE message creates a log entry in the audit trail. The reason for disabling or deleting the CVE item can be stated there, so that this decision is traceable as well.
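The workflow described above (match the inventory against CVE entries, rate each finding, disable reviewed entries with an audit record) can be sketched as follows. This is an added example, not qbee's implementation: the device data and feed are constructed, the CVE ids are placeholders, matching is by exact version string, and requiring a reason on disable is an assumption of this sketch.

```python
from datetime import datetime, timezone

# Constructed sample data: device name -> {package: installed version}.
INVENTORY = {
    "raspberry-pi-1": {"openssl": "1.0.1k-3+deb8u1", "bash": "4.3-11"},
    "raspberry-pi-2": {"openssl": "1.0.1k-3+deb8u1"},
    "ctr-700": {"openssl": "1.1.0f-3"},
}
# Constructed feed; the CVE ids are placeholders, not real identifiers.
FEED = [
    {"id": "CVE-0000-0001", "package": "openssl",
     "affected": {"1.0.1k-3+deb8u1"}, "score": 7.5},
    {"id": "CVE-0000-0002", "package": "bash",
     "affected": {"4.3-11"}, "score": 3.3},
]

def rating(score):
    """Map a CVSS v3 base score to its qualitative severity rating."""
    for floor, name in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW")):
        if score >= floor:
            return name
    return "NONE"

def match(inventory, feed):
    """Return {cve_id: finding} listing every device that runs an affected version."""
    findings = {}
    for cve in feed:
        devices = sorted(d for d, pkgs in inventory.items()
                         if pkgs.get(cve["package"]) in cve["affected"])
        if devices:
            findings[cve["id"]] = {"package": cve["package"], "score": cve["score"],
                                   "rating": rating(cve["score"]), "devices": devices}
    return findings

def disable(cve_id, user, reason, disabled, audit_log):
    """Suppress a reviewed CVE and record who did it and why (reason is mandatory here)."""
    if not reason.strip():
        raise ValueError("a reason is required so the decision stays traceable")
    disabled.add(cve_id)
    audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": user, "action": "disable", "cve": cve_id, "reason": reason})

def active(findings, disabled):
    """Findings still needing attention, highest score first."""
    return sorted(((cid, f) for cid, f in findings.items() if cid not in disabled),
                  key=lambda item: item[1]["score"], reverse=True)
```

A real matcher would compare version ranges using the distribution's own version ordering rather than exact strings.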

CVE score from NIST

Not all CVE entries are critical. Please review and understand how the vulnerability impacts your device/system. If the impact is negligible, the CVE entry can be disabled/deleted. We link to additional NIST information.

qbee-cve-analysis1

In the above example, a CVE for openssl is detected on 4 different Raspberry Pi devices. This is always worth investigating. Clicking on the vulnerability will give additional information:

qbee-cve-analysis2

In this view you get the following information:

  • how many devices are impacted (4 out of 15, all Raspberry Pi)
  • which devices are impacted (raspberry-pi-1..5)
  • when was this detected
  • which package is impacted (1.0.1k-3+deb8u1)

Clicking on the NIST source gives detailed background information:

qbee-cve-analysis3

Tip

Here the clear recommendation is to update those 4 impacted devices.

Available new libraries are indicated

If there are new library versions in the repository, qbee will show this, and it is recommended to update or to investigate whether the new library fixes the security issue.

Below, available updates are shown in the software inventory tab (this is not for the Raspberry Pi but for the Systec ctr-700):

qbee-inventory-libraries