Viewing Common Vulnerability Exposures (CVEs) and associated Fixlets
The Manage Vulnerable Computers dashboard displays vulnerability data from QRadar®. The vulnerabilities detected by QRadar® are known as Common Vulnerability Exposures (CVEs). This CVE data is displayed in the dashboard for the computers that you control as an operator in BigFix. The Manage Vulnerable Computers dashboard does not display all CVEs detected for all computers by QRadar® Vulnerability Manager. Only CVEs with a risk score above a threshold defined in QRadar® are sent to the Manage Vulnerable Computers dashboard.
About this task
From the Manage Vulnerable Computers dashboard, you can view a list of CVEs for the computers that you manage. You can also view the BigFix Fixlets, including any superseded Fixlets, that are available to remediate any particular CVE. Fixlets are the BigFix actions that remediate or fix vulnerabilities. You can also filter to view only the CVEs for which there are relevant Fixlets.
BigFix provides a large number of Fixlets to patch endpoints and remediate vulnerabilities. For example, the BigFix patch sites contain Fixlets for different operating systems and application patches. For any particular computer to evaluate whether or not a Fixlet® is relevant, the computer must be subscribed to the site that contains the Fixlets. For many CVEs, there are Fixlets available to remediate the CVEs. For some CVEs, there might be one or more Fixlets available. By selecting a CVE, you can view any applicable Fixlets for the CVE.
The following graphic shows an example of the CVEs view. The list of CVEs is filtered to show only the CVEs for which there are relevant Fixlets.
Complete the following steps to view CVEs and applicable Fixlets that are available for a CVE.
Procedure
- From the Manage Vulnerable Computers dashboard, click the CVEs tab. The list of CVE data from QRadar® for the computers that you manage in BigFix is displayed.
-
Select a CVE. Any available Fixlets to correct the CVE are loaded.
You might not see any Fixlets for a CVE in the following cases:
- Scenario 1
- A Fixlet® might not have been developed for the particular CVE.
- Scenario 2
- A Fixlet® or Fixlets might already have been run to remediate the CVE, and there are no remaining relevant Fixlets.
- Scenario 3
- A Fixlet® is available for the CVE, but computers are not subscribed to the site that contains the Fixlet®. For Fixlets to be evaluated by computers, the computers must be subscribed to the site. The site must be enabled and the contents must be gathered.
- Scenario 4
- A Fixlet® is available for the CVE, but as an operator, you might not be subscribed to the site that contains the Fixlet®. If you are not subscribed to the site that contains the Fixlet, the Fixlet is not displayed.
- Scenario 5
- A Fixlet® is available for the CVE, but it might not be applicable to some computers. The CVE might have been remediated, rendering the Fixlet® not relevant on that computer. For example, an operator might have remediated the specific CVE, or an application might have been removed, an application or operating system might have been upgraded. The Actions tab might indicate if a Fixlet® was previously run for the CVE.
- Scenario 6
- In exceptional circumstances, a Fixlet® might have been archived by HCL. Typically if a Fixlet® has been archived, another Fixlet® is available that supersedes it, and the superseded Fixlet® is typically available.
- To view only CVEs for which there are relevant Fixlets, check the Show CVEs that have Relevant Fixlets check box.
- Click Open Fixlet to view the source Fixlet® or click Take Default Action to run the Fixlet to remediate the CVE. If you want to schedule the Fixlet® to run during a patch window, click the Execution tab and select the time and date that you want the Fixlet to run. Then click Submit to run the action. To view the processing status for actions, click the Actions tab.