Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Diogo Sousa
on 21 August 2024

How Ubuntu keeps you secure with KEV prioritisation


The Known Exploited Vulnerabilities Catalog (KEV) is a database published by the US Cybersecurity and Infrastructure Security Agency (CISA) that serves as a reference to help organisations better manage vulnerabilities and keep pace with threat activity.

Since its first publication in 2021, it has gone beyond its US federal agency scope and has been adopted by various organisations across the globe as guidance for their vulnerability management prioritisation frameworks.

The reason for this is two-fold and lies in effective vulnerability management and how the KEV entries are curated.

What is vulnerability management?

Vulnerability management is a continuous process to keep systems up to date against a consistent stream of emerging threats. Deciding on what to patch and how to patch requires a decision process on what vulnerabilities pose the greater risk, what patches lower that risk, and repeating it over all vulnerabilities of interest until a consensus over the patching order can be reached. 

As security research continues to improve, modern operations are faced with an ever-increasing amount of vulnerabilities which, in turn, creates prioritisation challenges. For example, the Ubuntu Security Engineering team currently tracks 16,898 active CVEs, with more being added each day. Every new CVE can cause a shift in priorities but it takes time to analyse the information and make those changes. That’s where the KEV can help. 

How KEV tracks vulnerabilities 

While it represents a small subset of all tracked vulnerabilities, to be included in the catalogue a CVE number must have been assigned, so the vulnerability information is known, and, more importantly, evidence of active exploitation must exist. This means that threat actors are actively pursuing that vulnerability and, as cyber attackers know no physical borders, this should raise the risk associated with the vulnerability in question, bumping it in priority. These indicators are tracked across a wide chronological span, so you are as likely to find the latest vulnerability from 2024 as one from 2007 that suddenly became popular again.

In addition to that, the vulnerabilities contained in the KEV carry a patching mandate for US government agencies that follow CISA’s Binding Operational Directive (BOD) 22-01, so they are only added when a remediation strategy exists, be it a patch, a configuration change, or even a version update.

Companies using the KEV as reference can then see the vulnerability shows up in the catalogue, know that there is remediation, and proceed to prioritise them above all else.

How can Canonical help you with this process?

By having a commitment to prioritise vulnerabilities contained in the KEV, Ubuntu is placed in a strong position to help organisations meet compliance requirements.

The Security Engineering team is tracking all KEV entries, will prioritise them as High (or above), ensuring that those get worked on in a timely fashion, and will release a fix where possible.

Every Ubuntu LTS comes with security fixes for the core operating system (around 2,500 packages) for five years. But the whole ecosystem of software available with Ubuntu is far wider – over 30,000 packages, covering applications, databases and runtimes. Ubuntu Pro is a subscription on top of every Ubuntu LTS that provides security coverage for all of this software, which matches up directly with the CE requirements.  Learn more about Ubuntu Pro in this FAQ.

Are you using KEV in your vulnerability management? Talk to us so we can help you with Ubuntu Pro.

To learn more about open source vulnerability management, check out our introductory guide.

Related posts


eslerm
19 November 2024

Needrestart local privilege escalation vulnerability fixes available

Ubuntu Article

Qualys discovered vulnerabilities which allow a local attacker to gain root privileges in the needrestart package (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, and CVE-2024-11003) and a related issue in libmodule-scandeps-perl (CVE-2024-10224). The vulnerabilities affect Debian, Ubuntu and other Linux distributions. Canonical’s securit ...


Lech Sandecki
23 October 2024

6 facts for CentOS users who are holding on

Cloud and server Article

Considering migrating to Ubuntu from other Linux platforms, such as CentOS? Find six useful facts to get started! ...


Luci Stanescu
26 September 2024

CUPS Remote Code Execution Vulnerability Fix Available

Ubuntu Article

Four CVE IDs have been assigned that together form an high-impact exploit chain surrounding CUPS: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177. Canonical’s security team has released updates for the cups-browsed, cups-filters, libcupsfilters and libppd packages for all supported Ubuntu LTS releases. The updates remedi ...