DOI: 10.1145/3663529.3663852
Research article

CVECenter: Industry Practice of Automated Vulnerability Management for Linux Distribution Community

Published: 10 July 2024

Abstract

Vulnerability management is a time-consuming and labor-intensive task for Linux distribution maintainers. It involves the continuous identification, assessment, and fixing of vulnerabilities in Linux distributions. Because of the complexity of the vulnerability management process and the gap between community requirements and existing tools, there has been little systematic study of automated vulnerability management for Linux distributions. In this paper, in collaboration with enterprise developers from Alibaba and maintainers from the OpenAnolis Linux distribution community, we develop an automated vulnerability management system called CVECenter. We conduct the industry practice on 3 versions of the Linux distribution, which underpin many business and cloud services. We address the following challenges in developing and applying CVECenter to the Linux distribution: inconsistency among multi-source heterogeneous vulnerability records, response delay in large-scale vulnerability retrieval, the cost of manual vulnerability assessment, the absence of vulnerability auto-fixing tools, and the complexity of continuous vulnerability management. With CVECenter, we have managed over 8,000 CVEs related to the Linux distribution and published a total of 1,157 security advisories, reducing the mean time to fix vulnerabilities by 70% compared to the traditional workflow of the Linux distribution community.

      Published In

      FSE 2024: Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering
      July 2024, 715 pages
      ISBN: 9798400706585
      DOI: 10.1145/3663529
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. Linux distribution
      2. Software maintenance
      3. Vulnerability management

      Qualifiers

      • Research-article

      Funding Sources

      • NSFC Program
      • Alibaba Innovative Research Project
      • National Key R&D Program of China
      • Hunan Provincial Natural Science Foundation
      • Hunan Provincial 14th Five-Year Plan Educational Science Research Project
      • Ministry of Education Industry-University Cooperation Collaborative Education Project
      • High Performance Computing Center of Central South University

      Conference

      FSE '24

      Acceptance Rates

      Overall Acceptance Rate 112 of 543 submissions, 21%