Finding Application, Configuration, and Patch Vulnerabilities

Hello All,

We are looking for differentiating between if a vulnerability is an application, configuration or patch vulnerability. We are trying to pull high level numbers in our environment based on this filter.

Thanks in advance,
Jacob

In this case what you can do is get the solution that’s tied to the vulnerability, and then get that solution’s solution_type from the dim_solution table. The type will be something like “PATCH”, or “ROLLUP”, etc. to differentiate the types of vulns/vuln solutions.

Hi @holly_wilsey

I had a quick question on the vulnerability category. Does Rapid7 tag all of the web application vulnerabilities with ‘Web’ and all of the Microsoft Patch vulnerabilities with ‘Microsoft Patch’? I am noticing a trend with this and hoping to use a filter using this.

There is the dim_vulnerability_category table that has a lot of different vuln categories (200+ I think), things like Oracle, Adobe, Apple, etc. The “Web” and “Microsoft Patch” categories do exist in there, and the vuln ID’s are there to tie them directly to the vulnerabilities, so you could filter by those.

@holly_wilsey

Thank you for your suggestion. Is there any way to see if the vulnerability directly ties to the operating system on the system?

Hmm, what exactly do you mean by “directly ties to”? Because you can see the vulnerabilities of an asset, and you can see that asset’s OS, so there’s a tie in that way. But it sounds like you’re trying to accomplish something else here.

Yes, what we are trying to look for is if the vulnerability is just patch OS. Just been difficult trying to find a connection to that.

It’s going to be tough to write a query that perfectly captures vulns with a patch OS solution, since I don’t think any of the fields we have to work with will 100% convey that. But you can narrow things down with the “PATCH” and “ROLLUP” solution types, and then filter based on vuln categories that are OS-specific. Here’s an example query with that filtering.

SELECT dv.vulnerability_id, dv.title AS vuln, dvc.category_name,
       ds.solution_type, ds.summary AS solution
FROM dim_vulnerability dv
JOIN dim_vulnerability_category dvc USING (vulnerability_id)
JOIN asset_vulnerability_best_solution avbs USING (vulnerability_id)
JOIN dim_solution ds USING (solution_id)
WHERE (dvc.category_name = 'Microsoft Windows')
AND (ds.solution_type = 'PATCH' OR ds.solution_type = 'ROLLUP')
GROUP BY dv.vulnerability_id, dv.title, dvc.category_name,
         ds.solution_type, ds.summary