CVE Dashboard available

Hi everyone,

I have a CVE console dashboard that was published on the IBM X-Force AppExchange yesterday.
Please check it out - but sorry, you have to log in to download.

I created it because the QRadar integration we have is popular for managing vulnerabilities/patches via CVEs. However, QRadar is obviously needed, so this dashboard attempts to provide similar info from within BigFix without the need for QRadar.

Link to download the package.

[This link is no longer active, please use the link above]
Link to the CVE Dashboard on IBM X-Force AppExchange.

In general this is how it works.

  • There is a command line utility that is scheduled via a Fixlet. You can also run it manually.
  • The utility downloads any CVEs from the National Vulnerability Database (NVD) if there are corresponding Fixlets.
  • The Console Dashboard is then used to browse and search the data.

Lee Wei


I just realized that I have not seen any questions and issues posted on this.
Has anyone tried it with success?
I am always worried about performance, so if you have tried this in your deployment of a few thousand computers, please let me know.

Feel free to let me know of any snags that you might have run into while setting this up and running it.


I am running into Error: The remote server returned an error: (503) Server Unavailable.
Any ideas?

Running bigfix_cve_util version: 1.3.0.0
Connected to BigFix Server successfully
Downloading GZ file: http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2016.xml.gz
Downloading completed
File name: nvdcve-2.0-2016.xml.gz, Size: 816.5KB
Decompressing file
Decompress completed
File name: C:\temp\CVEDashboard\CVEDashboard\importer\nvdcve-2.0-2016.xml, Size: 14.1MB
Starting XML processing
Removed 5336 items of //vuln:vulnerable-configuration
Removed 3147 items of //vuln:vulnerable-software-list
Removed 8974 items of //vuln:references
Removed 3169 items of //vuln:last-modified-datetime
Removed 2327 items of //vuln:cwe
Removed 3147 items of //cvss:access-vector
Removed 3147 items of //cvss:access-complexity
Removed 3147 items of //cvss:authentication
Removed 3147 items of //cvss:confidentiality-impact
Removed 3147 items of //cvss:integrity-impact
Removed 3147 items of //cvss:availability-impact
Removed 3147 items of //cvss:source
Removed 3147 items of //cvss:generated-on-datetime
Removed 0 items of //vuln:assessment_check
Removed 0 items of //vuln:scanner
Error: The remote server returned an error: (503) Server Unavailable.

@sstrain, I have seen the same error in my environment. For that system, it would fail randomly with this error.
What version of the BigFix Server are you using and on what platform (Windows or Linux)?
We have a bug filed and have not figured out the root cause.

BigFix Server 9.2.6.94

Great tool Lee Wei - definitely brings a lot of added value for our customer who uses BigFix to integrate with their own vulnerability tracking system. Currently, the customer associates Fixlet IDs to CVEs for what they call their VPR Dashboard. The one thing that would be great to see in your dashboard is the Fixlet ID and/or source ID when viewing the relevant Fixlets. Also, it would help if there was a way, from that view, to only display Fixlets with applicable computers instead of all Fixlets relevant to the CVE.

Loaded this up in our lab environment yesterday and it worked great - going to test in production this week with 125k+ endpoints. Will let you know how that goes.


Using Lee Wei’s approach, we have a BigFix action that downloads all XMLs from NVD, extracts all the relevant data into a master txt file, which we import back into SQL. We then join by CVE id and present the data in our dashboard giving Fixlet id and name/CVE/CVSS/severity/release date etc … pretty slick. Obviously this data is for presentation outside of the console dashboard.


Sounds awesome Nick - our customer does have their own vulnerability tracking system which is linked to their primary security posture dashboard. They have unique IDs called VPRs which they want users to be able to track in BigFix, hence the correlation of CVE IDs to Fixlet IDs. It would be nice to see Fixlet/Source IDs in Lee Wei’s dashboard.

Hi Lee Wei,

I’ve been having issues running the bigfix_cve_util.exe on Server 2012 R2 - I keep getting a ‘this app can’t run on your PC’ error and ‘access denied’ in the terminal; tried various attempts at fixing it, but to no avail yet. What environment did you have it working on?

Actually I’ve just got it to work - not sure what the issue was but a reboot seemed to give it some life!

@GwyndafDavies, I don’t recognize the errors. It is a .NET app and that should be the only dependency.
I personally developed it on Windows Server 2012R2.
Anyhow, glad you got it to work.


Hi Lee,

I was able to get this going in my small lab and it worked well. I just tried our real test lab and I received the following:

Running bigfix_cve_util version: 1.3.0.0
Connected to BigFix Server successfully
Downloading GZ file: http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2016.xml.gz
Error: The remote server returned an error: (407) Proxy Authentication Required.

If I was able to specify a specific proxy and port, I should be able to get this to work as we have a configuration to allow some processes to access the internet through the proxy without credentials.

Thanks.

Great work Lee Wei. I was able to get it to work and am verifying the data now. One issue that I have is with the ‘Show Computer’ tab. When clicked, nothing shows up.

Sidenote: I used a desktop to import CVEs using bigfix_cve_util.exe and specified our server. Worked like a charm.

@sstrain, engineering has been trying to reproduce the error. At this point, our guess is some resource exhaustion on the BigFix Server side causing the server to become unavailable. Can you please help make sure that the server has enough paging/swap and memory, or increase it for the purpose of testing for this error?

@dhaataja, I don’t recall this behavior and where the error might be coming from. Is this still a problem and can you please give me a screen shot?

This is Awesome Lee! I successfully installed the dashboard and reviewed the data. Is there any way to have the CVSS score show on the relevant Fixlets? Also, where in the database is the CVE data stored?

@arionda - There is not an easy way for me to show CVSS score for the relevant Fixlets for 2 reasons.
The first main screen with the CVEs that you are looking at is generated and then stored in the system. It is being generated by the bigfix_cve_util.
The util does not update existing Fixlets to include the CVSS scores.
Furthermore, a Fixlet might reference multiple CVEs, so there might be more than one CVSS score. Of course, arguably we should show the highest score.

The data is stored in “dashboard variables”, which can be accessed via the REST API:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/RESTAPI%20Dashboard%20Variables
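The pipeline described in this thread (download an NVD 2.0 XML feed, pull out CVE ids and CVSS scores, join them to Fixlets by CVE id and, as suggested above, report the highest score where a Fixlet references several CVEs), as an added Python example that is not part of the thread or of the bigfix_cve_util tool. The feed snippet and the Fixlet list are constructed; the namespace URIs are those of the NVD 2.0 feed schema.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the NVD CVE 2.0 XML feed (e.g. nvdcve-2.0-2016.xml).
NS = {
    "feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
    "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
    "cvss": "http://scap.nist.gov/schema/cvss-v2/0.2",
}

# Constructed sample feed (not real NVD data): two scored CVEs and one without a score yet.
SAMPLE_FEED = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
  xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
  xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2">
  <entry id="CVE-2016-0001"><vuln:cve-id>CVE-2016-0001</vuln:cve-id>
    <vuln:cvss><cvss:base_metrics><cvss:score>9.3</cvss:score></cvss:base_metrics></vuln:cvss></entry>
  <entry id="CVE-2016-0002"><vuln:cve-id>CVE-2016-0002</vuln:cve-id>
    <vuln:cvss><cvss:base_metrics><cvss:score>4.3</cvss:score></cvss:base_metrics></vuln:cvss></entry>
  <entry id="CVE-2016-0003"><vuln:cve-id>CVE-2016-0003</vuln:cve-id></entry>
</nvd>"""

def parse_nvd_feed(xml_text):
    """Map CVE id -> CVSS v2 base score (None when the feed carries no score yet)."""
    cves = {}
    for entry in ET.fromstring(xml_text).findall("feed:entry", NS):
        cve_id = entry.findtext("vuln:cve-id", default=entry.get("id"), namespaces=NS)
        score = entry.findtext("vuln:cvss/cvss:base_metrics/cvss:score", namespaces=NS)
        cves[cve_id] = float(score) if score else None
    return cves

# Constructed Fixlet list: (Fixlet id, name, CVE ids the Fixlet references).
SAMPLE_FIXLETS = [
    ("1001", "Constructed Fixlet A (two CVEs)", ["CVE-2016-0001", "CVE-2016-0002"]),
    ("1002", "Constructed Fixlet B (CVE awaiting a CVSS score)", ["CVE-2016-0003"]),
    ("1003", "Constructed Fixlet C (CVE not in this feed)", ["CVE-2015-9999"]),
]

def join_fixlets(fixlets, cves):
    """Keep Fixlets that reference at least one CVE in the feed; report the highest CVSS among them."""
    rows = []
    for fixlet_id, name, cve_ids in fixlets:
        hits = [c for c in cve_ids if c in cves]
        if not hits:
            continue  # no CVE from this feed: the dashboard would not list this Fixlet
        scores = [cves[c] for c in hits if cves[c] is not None]
        rows.append({"fixlet_id": fixlet_id, "name": name, "cves": hits,
                     "max_cvss": max(scores) if scores else None})
    return rows
```

Running the real feed means fetching and decompressing the .gz first; the parser above works unchanged on the full file, but with thousands of entries you would also want to drop the elements the utility's log shows it removing before iterating.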

Good Morning.

A little late to the game on this but I am running into the same issue as @sstrain. Was there a fix for this?

Thank you!

-Matt

Edit: I should have been a bit more specific. The error I’m running into is a ‘(503) Server Unavailable’.


@mmangan, the best I can determine thus far is resource (memory) constraints for Web Reports. Is the Server a VM and can we allocate more resources? The application is doing REST API calls and is obviously successful most of the time, until the server stops processing with 503.