Flexera: 2022 Annual Cybersecurity Vulnerability Review Report (English edition) (25 pages) .pdf

FLEXERA 2022 Software Vulnerability and Threat Intelligence Report
Jeroen Braak
Based on data from Secunia Research
2023 Flexera | Company Confidential

Reuse

We encourage the reuse of data, charts and text published in this report under the terms of this Creative Commons Attribution 4.0 International License. You are free to share and make commercial use of this work as long as you attribute the Flexera 2022 Software Vulnerability & Threat Intelligence Report as stipulated in the terms of the license.

Contents

Reuse
Introduction
2022 summary
Advisories breakdown
  Compared to previous years
  Advisory criticality and attack vector
Advisories and rejected advisories
  Rejected advisories
Addressing awareness with vulnerability insights
  Prevalence
  Asset sensitivity
  Criticality
  Threat intelligence
How do we know that more insights/data is needed?
  Take away 1
  Take away 2
Vendor view
  Top vendors with most advisories
  Top vendors with highest average threat score
  Top vendors with zero-days
  Top ten products with the most zero-days reported in 2022
Browser-related advisories
  Advisories per browser
  Browser zero-day vulnerabilities
  Average CVSS (criticality) score per browser
  Average threat score per browser
Networking-related advisories
  Number of advisories per networking-related vendor
  Average threat and CVSS score per networking-related vendor
Threat intelligence
  Count of malware-exploited CVEs
  Count of advisories by CVE threat score
  Threat intelligence advisory statistics
Patching
  Vulnerabilities that are vendor patched
  SVM patch statistics
  Updated patches per month in SVM
How other Flexera solutions can help

Introduction

This Flexera 2022 Software Vulnerability & Threat Intelligence Report is based upon data from the Flexera Secunia Research Team, who produces valuable advisories leveraged by users of Flexera's Software Vulnerability Research and Software Vulnerability Manager solutions. The report analyzes the evolution of software security from a vulnerability, threat intelligence and patch perspective. The report presents global data on the prevalence of vulnerabilities, exploits and the availability of patches, and maps the security threats to IT infrastructures.

What does the report cover?

The annual Vulnerability Review is based on data from Flexera's Secunia Research. Secunia Research monitors more than 66,000 applications, appliances and operating systems, and tests and verifies the vulnerabilities reported in them. The systems and applications monitored by Secunia Research are in use in the environments of the customers of Flexera Software Vulnerability Management solutions. The vulnerability database covers vulnerabilities that can be exploited in all types of products, including software, hardware and firmware. The vulnerabilities verified by Secunia Research are described in Secunia Advisories and listed in the Flexera Vulnerability Database, detailing what IT security teams need to know to mitigate the vulnerability risk posed in their environments. The Secunia Advisory descriptions include criticality, attack vector, exploitability and solution status.

How do we count vulnerabilities?

Research houses in the vulnerability management space adopt different approaches to counting vulnerabilities. Secunia Research counts vulnerabilities per product in which the vulnerability appears. We apply this method to reflect the level of information our customers need to keep their environments secure. We provide verified intelligence listing all products affected by a given vulnerability.

Secunia Research software vulnerability tracking process

A vulnerability is an error in software which can be exploited with a security impact and gain. Secunia Research validates, verifies and tests vulnerability information to author security advisories which provide valuable details, following consistent and standard processes that have been refined over the years. Whenever a new vulnerability is reported, it's verified and a Secunia Advisory is published. A Secunia Advisory provides details including a description of the vulnerability, risk rating, impact, attack vector, recommended mitigation, credits, references and more, including additional details discovered during verification and testing, thus providing the information required to make appropriate decisions about how to protect systems. Flexera's documentation has more about Secunia Advisories and their contents.

2022 summary

Total advisories: 7,097 (2021: 6,153)

2022 was a busy year for cybersecurity: a record-breaking number of advisories were reported, and many significant vulnerabilities were the cause of data breaches, ransomware attacks and other types of threats.

Top 3 most critical vulnerabilities:
1. Log4Shell / Log4j (CVE-2021-44228): even with its disclosure in December 2021, many organizations are still struggling to identify and patch the vulnerability.
2. Spring4Shell (CVE-2022-22965): many systems still remain unpatched despite the risk.
3. ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) in Exchange.

Interesting facts and trends:
- 2022 is the year with the most recorded Secunia Advisories since 2002.
- Average threat score of 2022: 13.66 (how this is calculated is explained in Flexera's documentation).
- Average CVSS3 score of 2022: 7.35.
- Fewer extreme critical advisories were reported in 2022: 44 (2021: 60).
- 85 advisories reported a zero-day vulnerability (2021: 81).
- More than 50 percent of all advisories are for vulnerabilities in Unix/Linux operating systems.
- More than 50 percent of all rejected advisories are also for Unix/Linux operating systems.
- Almost 79 percent of all networking-related advisories are for Cisco, NetApp and Juniper.

About Microsoft:
- Four percent of all advisories were for Microsoft, which put them in eighth place in the vendor ranking.
- More than 56 percent of all zero-days were related to Microsoft products (first place).
- None of the top four vendors with the most advisories (SUSE, IBM, Red Hat, Ubuntu) had any zero-day reported in 2022.

Log4j:
- 131 advisories were related to Log4j.
- The last advisory was released in November (eleven months later) for IBM Security QRadar SIEM 7.x.
- 62 Log4j-related advisories were linked to IBM products; 33 of them were rejected advisories for various reasons, including "the respective product does not have the vulnerable log4j component."

Less than 11 percent of all advisories had a high to critical threat score, which means that there was evidence of exploitation. Using threat intelligence will help you prioritize what needs immediate patching.

Software Vulnerability and Patch Management are becoming increasingly important. Due to the ongoing Russia-Ukraine conflict, attacks on critical infrastructures in many countries are increasing. Back in 2019 (just before COVID-19), patching was recommended within 30 days (or 14 days for a CVSS score of seven or higher). Right now, hackers can deploy exploits within one week and even within 24 hours. This means organizations need even better prioritization to quickly patch vulnerabilities (especially those with associated threats).

Advisories breakdown

Compared to previous years

2022 total advisory count: 7,097 (2021: 6,153). As expected, 2022 had the highest number of advisories since Secunia started writing these.

Figure 1: Top ten years with most advisories
Figure 2: Chart with advisory trendline over the years

                        This year   Change (last year)
Total # of advisories   7,097       (6,153)
Unique vendors          279         (263)
Unique versions         1,801       (1,784)
Rejected advisories*    1,108       (1,042)

* 1,108 advisories have received the "rejected" status, which means in general that the vulnerability requires one or more violations of security best practices (e.g., product not securely configured or not used securely) or that it was "too weak of a gain" (e.g., administrative or local users already being so privileged that the additional gain becomes negligible).

Advisory criticality and attack vector

(Charts in the original report.) More information about the variables used in the above charts: Attack vector (from where); Criticality (severity). Though not in the chart, Secunia Research also provides information about the impact or consequence when a vulnerability has been exploited. There are twelve values that can be used (most advisories have one or more); Flexera's documentation describes them.

Advisories and rejected advisories

Rejected advisories

There are a lot of vulnerabilities posted to the National Vulnerability Database, by a lot of people and companies. They're not always valid, they're not always assigned proper criticality, and in some cases a vulnerability may be legitimate but not provide the attacker any benefit. The Flexera Secunia Research team evaluates vulnerabilities from hundreds of sources, rescores them when necessary and even rejects vulnerabilities not worth your attention. Rejection advisories help you reduce the volume of vulnerabilities to be mitigated by helping you focus only on those that present reasonable risk to your environment.

An advisory may be rejected for many reasons; the most common are:
- No reachability: the vulnerability cannot be exploited because the affected systems cannot be reached by an attacker.
- No gain: the vulnerability may be reached, but without any gain for the attacker.
- No exploitability: the vulnerability cannot be exploited because, for example, policy forbids installation of the affected software.
- Dependent on other: the vulnerability cannot be exploited by itself but depends on another vulnerability being present.

Addressing awareness with vulnerability insights

- Prevalence: How many systems would benefit from any given security update? Does it pose a risk? Is it on all systems? -> Patch
- Asset sensitivity: What systems would result in the most risk if compromised? Is it a high-risk device? -> Patch
- Criticality: The most popular method of thoughtful prioritization. If exploited, how badly could it affect your security? Is it designated to be of a high criticality? -> Patch
- Threat intelligence: The newest and most impactful method; it focuses on the likelihood of exploitation. Is it likely to be exploited? -> Patch

How do we know that more insights/data is needed?

Focusing on advisories with CVSS 7 or higher would address about 50 percent of exploits. Most exploits are CVSS-scored between four and seven. Focusing on vulnerabilities for the top 20 vendors would address only about 20 percent.

Take away 1: High and extreme critical advisories are not necessarily those presenting the most risk. Leverage threat intelligence to better prioritize what demands your most urgent attention. Create a scoring mechanism that considers multiple variables. (More about Secunia criticality (severity) scoring is available in Flexera's documentation.)

Take away 2: Most vulnerabilities have a patch available (typically within 24 hours after disclosure).

Vendor view

Top vendors with most advisories (chart in the original report)
Top vendors with highest average threat score (chart in the original report)
Top vendors with zero-days (chart in the original report)
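As an added illustration of the two take-aways above (this is not part of the Flexera report and not Flexera's scoring method), the following Python compares the "CVSS 7 or higher" cut-off with a score that blends the report's four insight dimensions over constructed advisory records. The record fields, the 0-99 threat-score scale, the exploitation threshold of 45 and the weights are all assumptions.

```python
from dataclasses import dataclass

# Constructed sample records, not Flexera data. Field names, the 0-99 threat score
# scale and the thresholds below are assumptions made for this illustration.
EXPLOITED_MIN = 45          # assumed: threat score at or above this = evidence of exploitation
THREAT_SCORE_MAX = 99       # assumed upper bound of the threat score scale


@dataclass(frozen=True)
class Advisory:
    sa_id: str              # constructed identifier
    cvss: float             # CVSS base score, 0-10 (criticality)
    threat_score: int       # threat intelligence score, assumed 0-99
    hosts_affected: int     # prevalence: hosts in the environment running the product
    high_value_hosts: int   # asset sensitivity: how many of those hosts are high-risk
    rejected: bool = False  # Secunia "rejected" status (no reachability, no gain, ...)


ADVISORIES = [
    Advisory("SA-CONSTRUCTED-1", 9.8, 5, 3, 0),
    Advisory("SA-CONSTRUCTED-2", 6.5, 80, 400, 25),
    Advisory("SA-CONSTRUCTED-3", 7.5, 60, 50, 2),
    Advisory("SA-CONSTRUCTED-4", 8.1, 0, 900, 0, rejected=True),
    Advisory("SA-CONSTRUCTED-5", 5.3, 50, 10, 10),
]


def cvss_only(advisories, threshold=7.0):
    """The 'CVSS 7 or higher' rule: what a criticality-only triage would patch first."""
    return [a.sa_id for a in advisories if not a.rejected and a.cvss >= threshold]


def exploited_missed_by_cvss(advisories, threshold=7.0):
    """Advisories with exploitation evidence that the CVSS rule leaves below the line."""
    return [a.sa_id for a in advisories
            if not a.rejected and a.threat_score >= EXPLOITED_MIN and a.cvss < threshold]


def risk_score(a, total_hosts):
    """Weighted blend of threat, criticality, prevalence and sensitivity; weights are assumptions."""
    if a.rejected:                      # rejected advisories drop out of the queue entirely
        return 0.0
    threat = a.threat_score / THREAT_SCORE_MAX
    criticality = a.cvss / 10
    prevalence = a.hosts_affected / total_hosts
    sensitivity = a.high_value_hosts / max(a.hosts_affected, 1)
    return round(100 * (0.4 * threat + 0.3 * criticality + 0.2 * prevalence + 0.1 * sensitivity), 1)


def prioritize(advisories, total_hosts):
    """Patch queue ordered by the combined score, rejected advisories excluded."""
    scored = [(a.sa_id, risk_score(a, total_hosts)) for a in advisories if not a.rejected]
    return sorted(scored, key=lambda item: item[1], reverse=True)
```

With these records the CVSS rule selects the two high-CVSS advisories, while both advisories carrying exploitation evidence sit below 7.0 and only surface in the combined queue.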

Top ten products with the most zero-days reported in 2022

Place   # of zero-days   Product family
1       38               Microsoft Windows
2       9                Google Chrome
3       9                Microsoft Edge (Chromium-based)
4       7                Apple macOS
5       5                Apple iOS
6       2                Apple Safari
7       2                Mozilla Firefox
8       2                Fortinet FortiOS
9       1                Apex Central
10      1                Atlassian Confluence

Browser-related advisories

Advisories per browser (chart in the original report)
Browser zero-day vulnerabilities (chart in the original report)
Average CVSS (criticality) score per browser (chart in the original report)
Average threat score per browser (chart in the original report)

Networking-related advisories

Number of advisories per networking-related vendor (chart in the original report)
Average threat and CVSS score per networking-related vendor (chart in the original report)

Threat intelligence

A look at threat intelligence-related data.

Count of malware-exploited CVEs (chart in the original report)
Count of advisories by CVE threat score (chart in the original report)
Threat intelligence advisory statistics (chart in the original report)

Patching

Most of 2022's vulnerabilities were vendor patched. In fact, most vulnerabilities are patched within 24 hours after disclosure. The challenge remains that organizations don't have full visibility or awareness when a vulnerability is disclosed (time to awareness). Another big challenge is time to remediation (the time from having this information, correlating it with your environment and initiating the process to get the software updated to a secure version).

Vulnerabilities that are vendor patched (chart in the original report)

SVM patch statistics

Flexera has the largest third-party patch catalog in the world. This helps you act quicker and save time by offering an integrated approach to effectively locate, prioritize and quickly remediate threats to lower the risk to your organization.

Updated patches per month in SVM (patches per vendor) (chart in the original report)

How other Flexera solutions can help

To see how other Flexera solutions can help customers get immediate visibility of the impact of vulnerabilities, please go to the main article on the Community Hub, where you can find complete details across all Flexera solutions.

About Flexera

Flexera delivers SaaS-based IT management solutions that enable enterprises to accelerate digital transformation and multiply the value of their technology investments. We help organizations inform their IT with definitive visibility into complex hybrid IT ecosystems, providing unparalleled IT insights that allow them to seize technology opportunities. And we help them transform their IT with tools that deliver actionable intelligence across an ever-increasing range of dimensions to effectively manage, govern and optimize their hybrid IT estate. More than 50,000 customers subscribe to our technology value optimization solutions, delivered by 1,300+ passionate team members worldwide. To learn more, visit

2023 Flexera. All rights reserved. All other brand and product names are trademarks, registered trademarks, or service marks of their respective owners.
