MariaOrellana
Product Team

**Update 17th April 2024**

Lansweeper engineering has established a targeted completion date, set for June. We'll continue to keep you informed as we make progress.

**Update 5th April 2024**

Lansweeper has selected VulnCheck (https://www.vulncheck.com) to become our primary partner when it comes to vulnerability intelligence data. We are in the process of planning the integration and will update shortly on the expected timescales.

What is the problem?

Recently, Lansweeper has learned that the National Vulnerability Database (NVD), provided by the National Institute of Standards and Technology (NIST), has temporarily stopped analyzing most new vulnerabilities. From their website:

[Screenshot: the NVD notice about the analysis backlog]

Many organizations, including Lansweeper, have relied on the NVD to assist with vulnerability and risk management for nearly two decades. For us, it contains the specific metadata needed to associate published vulnerabilities with specific products and systems in an IT environment.

While the above notice appeared on February 15th, it was not evident that the delay would be so impactful, particularly because NVD has offered no additional communication.

However, per this blog from Resilient Cyber, you can see for yourself how the data analyzed by NVD has dropped off considerably since that date:
[Chart: number of CVEs analyzed by NVD per day, from the Resilient Cyber blog]

While this delay is an industry-wide issue, we are unable to procure a firm resolution date from NIST at this time.

The result is that Lansweeper has insufficient data from NVD to identify most vulnerabilities in your environment since February 15th.

What are we going to do about it?

To rectify this issue, Lansweeper is designing a new method of providing this vital information to our customers and has prioritized an engineering fix to resolve this issue.

What can you do in the meantime?

In the meantime, vulnerabilities prior to February 15th are not impacted. Similarly, our zero-day vulnerability and Patch Tuesday reports are available too.

Thank you for your patience while we make this transition, and we’ll keep you up to date as we make progress over the coming weeks. 

Best regards,
Maria Orellana

3 replies
saikumark
Engaged Sweeper

Hello, 

Thank you for the announcement.  We have been told that the rollout planned in Jun'24 addresses the observation mentioned below.  Please confirm if the rollout will fix the observation shared below. 

Note: This is just a sample, however, we found a host is reported with 800+ CVEs, but all of the applicable patches shared by the OS vendor are already applied and the host is clean.  There is a huge discrepancy in the findings by Lansweeper. 

Observation: Minor versions released by OS vendors (RHEL/CentOS) are not considered for vulnerability detection. 

  • Sample CVE: CVE-2016-4448
  • Affected Component: Libxml2
  • OS Platform: CentOS7
  • Patch released by vendor: libxml2-2.9.1-6.el7_2.3 9 (RHSA-2016:1292 - Security Advisory - Red Hat Customer Portal)
  • Expected version by Lansweeper: 2.9.4 & Above
  • Installed version on the host: libxml2-2.9.1-6.el7_2.3 9
  • Is the host vulnerable with CVE: Yes (as per Lansweeper), No (as per the patch applied)
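The discrepancy described in the reply above is the classic backport problem: Red Hat fixes a CVE in its own build of the upstream version (here 2.9.1, release 6.el7_2.3) rather than rebasing to the upstream release that carries the fix (2.9.4), so a scanner that compares only the upstream version number flags a patched host. The following Python is an added example, not Lansweeper's or the poster's code, showing a naive upstream-version check next to a distribution-aware check that compares the full RPM version-release against the vendor's fixed package. The installed package string is taken from the post (the trailing stray character dropped), the fixed version for RHSA-2016:1292 is assumed to be libxml2-2.9.1-6.el7_2.3, and the `VENDOR_FIXED`/`UPSTREAM_FIXED` tables are constructed for the example; epochs are assumed to be 0 and omitted.

```python
import re
from typing import Tuple

# Constructed sample data for this example (not from any vendor feed).
INSTALLED_PKG = "libxml2-2.9.1-6.el7_2.3.x86_64"
# (CVE, platform tag) -> (fixed version, fixed release); assumed per RHSA-2016:1292.
VENDOR_FIXED = {("CVE-2016-4448", "el7"): ("2.9.1", "6.el7_2.3")}
# CVE -> first upstream release carrying the fix; what a naive check compares to.
UPSTREAM_FIXED = {"CVE-2016-4448": "2.9.4"}

_SEG = re.compile(r"(\d+|[a-zA-Z]+|~)")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings like rpmvercmp(3).
    Returns -1, 0 or 1. Separators are ignored, digit runs compare numerically,
    letter runs lexically, digits sort above letters, '~' sorts below anything,
    and when all shared segments are equal the string with more segments wins
    unless its extra part starts with '~'."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    rest = sa[len(sb):] or sb[len(sa):]
    if not rest:
        return 0
    longer_is_a = len(sa) > len(sb)
    if rest[0] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def split_package(pkg: str) -> Tuple[str, str, str]:
    """Split 'name-version-release[.arch]' into (name, version, release).
    The name may contain dashes, version and release do not, so split from the right."""
    base = pkg
    for arch in ("x86_64", "i686", "aarch64", "ppc64le", "s390x", "noarch"):
        if base.endswith("." + arch):
            base = base[: -(len(arch) + 1)]
            break
    name, version, release = base.rsplit("-", 2)
    return name, version, release


def platform_of(release: str) -> str:
    """Pull the distribution tag (e.g. 'el7') out of an RPM release string."""
    m = re.search(r"\.(el\d+)", release)
    if not m:
        raise ValueError(f"no RHEL/CentOS platform tag in release {release!r}")
    return m.group(1)


def evr_cmp(ver_a: str, rel_a: str, ver_b: str, rel_b: str) -> int:
    """Compare version first, then release (epoch assumed equal)."""
    c = rpmvercmp(ver_a, ver_b)
    return c if c else rpmvercmp(rel_a, rel_b)


def naive_is_vulnerable(pkg: str, cve: str) -> bool:
    """Distribution-unaware check: upstream version vs. upstream fixed version.
    Ignores vendor backports, so a patched 2.9.1-6.el7_2.3 still looks vulnerable."""
    _, version, _ = split_package(pkg)
    return rpmvercmp(version, UPSTREAM_FIXED[cve]) < 0


def vendor_is_vulnerable(pkg: str, cve: str) -> bool:
    """Distribution-aware check: installed version-release vs. the vendor's fixed
    version-release for the host's platform. Unknown (CVE, platform) is reported
    as vulnerable rather than silently passed."""
    _, version, release = split_package(pkg)
    fixed = VENDOR_FIXED.get((cve, platform_of(release)))
    if fixed is None:
        return True
    return evr_cmp(version, release, fixed[0], fixed[1]) < 0


if __name__ == "__main__":
    cve = "CVE-2016-4448"
    print(f"{INSTALLED_PKG} vs {cve}")
    print("  naive upstream-version check :", naive_is_vulnerable(INSTALLED_PKG, cve))
    print("  vendor fixed-package check   :", vendor_is_vulnerable(INSTALLED_PKG, cve))
```

The difference between the two functions is exactly the gap a practitioner should check for when a host shows hundreds of findings after all vendor patches are applied: ask whether the scanner keys on the vendor advisory's fixed package (RHSA/OVAL data) or on the upstream "fixed in" version from the CVE record. The release string matters as much as the version, which is why `evr_cmp` falls through to the release when versions tie.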
ajlangendijk
Engaged Sweeper III

Can we get an update on this? I know 2 weeks in development is not long, but we paid additional subscription costs mainly because of this feature. Do we get additional time on our license?

Obi_1_Cinobi
Lansweeper Tech Support

Hello there!

In case you have any concerns regarding licensing, we kindly advise reaching out to your account owner or contacting our sales department at https://www.lansweeper.com/contact/contact-sales/.

They'll be happy to assist you in any way they can.