Finding Application, Configuration, and Patch Vulnerabilities

Hello All,

We are looking for differentiating between if a vulnerability is an application, configuration or patch vulnerability. We are trying to pull high level numbers in our environment based on this filter.

Thanks in advance,
Jacob

In this case what you can do is get the solution that’s tied to the vulnerability, and then get that solution’s solution_type from the dim_solution table. The type will be something like “PATCH”, or “ROLLUP”, etc. to differentiate the types of vulns/vuln solutions.

Hi @holly_wilsey

I had a quick question on the vulnerability category. Does Rapid7 tag all of the web application vulnerabilities with ‘Web’ and all of the Microsoft Patch vulnerabilities with ‘Microsoft Patch’? I am noticing a trend with this and hoping to use a filter using this.

There is the dim_vulnerability_category table that has a lot of different vuln categories (200+ I think), things like Oracle, Adobe, Apple, etc. The “Web” and “Microsoft Patch” categories do exist in there, and the vuln ID’s are there to tie them directly to the vulnerabilities, so you could filter by those.

@holly_wilsey

Thank you for your suggestion. Is there any way to see if the vulnerability directly ties to the operating system on the system?

Hmm, what exactly do you mean by “directly ties to”? Because you can see the vulnerabilities of an asset, and you can see that asset’s OS, so there’s a tie in that way. But it sounds like you’re trying to accomplish something else here.

Yes, what we are trying to look for is if the vulnerability is just patch OS. Just been difficult trying to find a connection to that.

It’s going to be tough to write a query that perfectly captures vulns with a patch OS solution, since I don’t think any of the fields we have to work with will 100% convey that. But you can narrow things down with the “PATCH” and “ROLLUP” solution types, and then filter based on vuln categories that are OS-specific. Here’s an example query with that filtering.

SELECT dv.vulnerability_id, dv.title AS vuln, dvc.category_name,
       ds.solution_type, ds.summary AS solution
FROM dim_vulnerability dv
JOIN dim_vulnerability_category dvc USING (vulnerability_id)
JOIN asset_vulnerability_best_solution avbs USING (vulnerability_id)
JOIN dim_solution ds USING (solution_id)
WHERE (dvc.category_name = 'Microsoft Windows')
AND (ds.solution_type = 'PATCH' OR ds.solution_type = 'ROLLUP')
GROUP BY dv.vulnerability_id, dv.title, dvc.category_name,
         ds.solution_type, ds.summary

Sorry to comment on OPs topic but this sounds like what I’m researching. I’ve been asked to gather/build a report of assets that lists patches vs configuration issues. I need total patches missing (high/med/low).
I’ve tried combinations of the pre-built reports but not seeing exact what I’m looking for (I could easily be missing it).

Did you find a way to find assets with missing patches/Kb and config issues??

I have no yet. I found an SQL Example posted on Rapid7 but it keeps failing to finish a scan/report even though it validates correctly. @holly_wilsey

I’m not positive why it would fail to finish the report if the query is validating. My first thought is it’s pulling back too many vulnerabilities, and it hangs because of data overload. You could try further narrowing the query by interval, for instance.

tried using this query. getting " Error: The query is invalid" on validate. I’ve been tinkering with it for about 6 hrs and for the life of me i cant figure out why its invalid.

Hi christiansm,

I have been toying around with this as well.
I believe this is due to a typo. Because the asset_vulnerability_best_solution table does not exist, however the dim_asset_vulnerability_best_solution does exist.
Could you try the following query?:

SELECT dv.vulnerability_id, dv.title AS vuln, dvc.category_name,
       ds.solution_type, ds.summary AS solution
FROM dim_vulnerability dv
JOIN dim_vulnerability_category dvc USING (vulnerability_id)
JOIN dim_asset_vulnerability_best_solution avbs USING (vulnerability_id)
JOIN dim_solution ds USING (solution_id)
WHERE (dvc.category_name = 'Microsoft Windows')
AND (ds.solution_type = 'PATCH' OR ds.solution_type = 'ROLLUP')
GROUP BY dv.vulnerability_id, dv.title, dvc.category_name,
         ds.solution_type, ds.summary