Any reason why the Java patches don’t have a source severity rating assigned to them? It has an impact on our patch reporting, specifically the “Top 10” report on the web reports dashboard. This rating comes from the vendor, correct? Is Oracle really not assigning severity ratings to their Java patches?
Is there any documentation or explanation on how the Top 10 gets created? I couldn’t find any. Also, is there a way to modify the list?
Same here. The same issue exists for Apple updates, even if a CVE is listed, and for Microsoft Security Updates and Security Advisories, even if there is a link referencing the security issue, and for some other MS security patches.
Our policy on patch severity is to use what the vendor or CERT says, and use the higher severity when there’s a conflict. No severity statement should lead to . There’s a bit of data cleanup to do on the unspecified ones, but that’s the way it’s supposed to go. Changes in severity post-release may not get seen though, unlike changes in the patch binary. If we’ve missed a patch severity rating by setting it too low or unspecified, let us know and send the URL you’re getting the rating from.