The Known Exploited Vulnerabilities Catalog (KEV) is a database published by the US Cybersecurity and Infrastructure Security Agency (CISA) that serves as a reference to help organisations better manage vulnerabilities and keep pace with threat activity.
Since its first publication in 2021, it has gone beyond its US federal agency scope and has been adopted by various organisations across the globe as guidance for their vulnerability management prioritisation frameworks.
The reason for this is two-fold and lies in effective vulnerability management and how the KEV entries are curated.
Vulnerability management is a continuous process of keeping systems up to date against a steady stream of emerging threats. Deciding what to patch, and how, means working out which vulnerabilities pose the greatest risk and which patches lower that risk, then repeating that assessment across all vulnerabilities of interest until a patching order can be agreed.
As security research continues to improve, modern operations are faced with an ever-increasing number of vulnerabilities which, in turn, creates prioritisation challenges. For example, the Ubuntu Security Engineering team currently tracks 16,898 active CVEs, with more being added each day. Every new CVE can cause a shift in priorities, but it takes time to analyse the information and make those changes. That’s where the KEV can help.
While it represents a small subset of all tracked vulnerabilities, a vulnerability is only included in the catalogue if a CVE number has been assigned, so the vulnerability information is known, and, more importantly, if evidence of active exploitation exists. This means that threat actors are actively pursuing that vulnerability and, as cyber attackers know no physical borders, this should raise the risk associated with the vulnerability in question, bumping it up in priority. These indicators are tracked across a wide chronological span, so you are as likely to find the latest vulnerability from 2024 as one from 2007 that suddenly became popular again.
In addition to that, the vulnerabilities contained in the KEV carry a patching mandate for US government agencies that follow CISA’s Binding Operational Directive (BOD) 22-01, so they are only added when a remediation strategy exists, be it a patch, a configuration change, or even a version update.
Companies using the KEV as a reference can then see that a vulnerability appears in the catalogue, know that remediation exists, and prioritise it above all else.
By having a commitment to prioritise vulnerabilities contained in the KEV, Ubuntu is placed in a strong position to help organisations meet compliance requirements.
The Security Engineering team tracks all KEV entries, prioritises them as High (or above) so that they are worked on in a timely fashion, and releases a fix where possible.
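As an added illustration of this kind of prioritisation rule (example code, not Canonical's own tooling), the snippet below bumps every tracked CVE that appears in the KEV to at least High without downgrading anything already rated Critical, and lists the KEV entries whose BOD 22-01 due date has passed. The feed structure and field names (`vulnerabilities`, `cveID`, `dueDate`) are assumptions about CISA's published JSON feed; the feed sample and local tracker contents are constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed (field names are an
# assumption about the real feed, which is far larger than this).
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2007-0001", "dateAdded": "2024-03-01", "dueDate": "2024-03-22",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2024-0002", "dateAdded": "2024-05-10", "dueDate": "2024-05-31",
     "requiredAction": "Apply mitigations per vendor instructions."}
  ]
}"""

# Constructed local tracker: CVE id -> current triage priority.
TRACKED = {
    "CVE-2007-0001": "low",       # old bug that suddenly became popular again
    "CVE-2024-0002": "critical",  # already above High; must not be downgraded
    "CVE-2024-0003": "medium",    # not in the KEV; left unchanged
}

PRIORITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def load_kev(feed_json):
    """Parse the KEV feed into {cveID: entry} for constant-time membership checks."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def reprioritise(tracked, kev):
    """Return a new priority map where every KEV-listed CVE is rated at least 'high'.

    CVEs already above 'high' keep their rating; CVEs not in the KEV are untouched.
    """
    result = dict(tracked)
    for cve, prio in tracked.items():
        if cve in kev and PRIORITY_RANK[prio] < PRIORITY_RANK["high"]:
            result[cve] = "high"
    return result


def overdue(kev, tracked, today):
    """Tracked KEV CVEs whose BOD 22-01 due date is already in the past, sorted by id."""
    return sorted(c for c in tracked
                  if c in kev and date.fromisoformat(kev[c]["dueDate"]) < today)
```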
Every Ubuntu LTS comes with security fixes for the core operating system (around 2,500 packages) for five years. But the whole ecosystem of software available with Ubuntu is far wider – over 30,000 packages, covering applications, databases and runtimes. Ubuntu Pro is a subscription on top of every Ubuntu LTS that provides security coverage for all of this software, which matches up directly with the CE requirements. Learn more about Ubuntu Pro in this FAQ.
Are you using KEV in your vulnerability management? Talk to us so we can help you with Ubuntu Pro.
To learn more about open source vulnerability management, check out our introductory guide.