Some CVEs may lack the required security updates for all or a subset of affected software, which prevents successful remediation efforts. Today, we are excited to announce that support and reporting on the availability of security updates for CVEs is now in public preview in Microsoft Defender Vulnerability Management.
This new feature will show security update availability information for each CVE and actively exclude software lacking updates from the recommendations tab. (Note: Before the introduction of this feature, CVEs missing security updates were not shown in the Defender Vulnerability Management portal. Once a customer enables this feature in public preview, these CVEs will be reported in the Inventory and Weaknesses pages.)
Below is a detailed overview of the new functionality.
Update as of October 24
Several Linux platforms have high numbers of CVEs that are reported in official channels as not having a fix available (Red Hat, CentOS, Debian, and Ubuntu). While some of these CVEs reflect true exposure, visibility into a high volume of non-actionable exposure is undesired by most customers.
To address this going forward, these CVEs, on the above Linux platforms, will not be reported on by Microsoft Defender Vulnerability Management.
Note: The new behavior may lead to reporting of fewer exposed devices and lower organization exposure score.
Within the Weaknesses tab, there is a new “Update availability” column in the “Exposed devices” and “Related software” tabs of the CVE details pane.
Selecting on a CVE on the Weaknesses page will show CVEs tagged with one of the following tags:
No security update – there are no security updates that remediate the vulnerability for any of the related software packages. This CVE will not appear in the Recommendations tab.
Some updates available – security updates that fix the vulnerability are available only for a subset of all related software packages.
Figure 1: Last column indicates availability of security update for specific device.Figure 2: Last column indicates availability of security update for specific software.Figure 3: Last column indicates availability of security update for specific device.Figure 4: Last column indicates availability of security update for specific software.
Update availability tags also appear in Tags column of the Discovered vulnerabilities tab in the device page.
Recommendations will include only devices and software packages for which security updates are available.
A new column CveTags was added to table DeviceTvmSoftwareVulnerabilities. The column type is dynamic. The column value is an array of tags relevant to the CVE. The tags that are currently supported are “ZeroDay” and “NoSecurityUpdate”.