## CISA Overreach Makes CVSS Scores Useless

Administrators tasked with patching vulnerabilities, and journalists aiming to inform stakeholders, depend on reliable information sources. Above all, those sources must help with prioritization: which updates must be applied promptly to avert danger, and which can wait?

### Understanding CVSS — A Double-Edged Sword

The Common Vulnerability Scoring System (CVSS) is intended to simplify this initial assessment. Scores ranging from 1.0 (“low”) to 10.0 (“critical”) evaluate severity. While this sounds straightforward, practical assessments often vary significantly across different sources.

### The Case of Tomcat and ActiveMQ — Confusing Signals

Originally, a potential headline for this post was: “Update Now: Critical Security Updates Available for Tomcat and ActiveMQ.” This alert stems from a warning issued by the CERT-Bund, referencing entries in the GitHub Advisory Database. Among the gathered security notices were two vulnerabilities in Apache Tomcat classified as critical: CVE-2026-53434 and CVE-2026-55276.

What seemed clear at first glance turned puzzling on further investigation. Discussion threads on the Apache mailing list suggested that an Apache team developer rated the threats posed by both vulnerabilities as low.

### Contextual Analysis of Vulnerabilities

The descriptions of these vulnerabilities are relatively brief. CVE-2026-53434, for instance, is exploitable only under very narrow conditions, specifically when administrators have configured the FFM connector with Certificate Revocation Lists (CRLs). CVE-2026-55276, on the other hand, is described only vaguely as an authorization bug; a separate Red Hat advisory clarifies it further: “This is a logging-only issue with no runtime security impact.”

### Scores in Question — The CISA Intervention

How do we reconcile the National Vulnerability Database (NVD) scores of 9.1 for both vulnerabilities? An examination of the NVD entries marked as “CISA-ADP” reveals that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has played a role in the scoring process. Since 2024, CISA has had the authority, in its capacity as an Authorized Data Publisher (ADP), to complete entries in the CVE database independently. This is done without consulting the CVE Numbering Authorities (CNAs) that originally posted the entries.

Developers have consistently criticized this practice. Daniel Stenberg, creator and lead developer of the open-source command-line tool curl, noted that the CVSS scoring process inherently carries a high risk of misassessment. This risk is exacerbated when authorized entities like CISA produce their own scores on top of the CNA's.

### The Complexity of CVSS — A Source of Confusion

Critiques of the CVSS system include opaque derivation methods, complexity stemming from the many additional metrics, and the self-interest of those assigned to evaluate scores. If an ADP intervenes with seemingly arbitrary scores, a fundamentally sound concept becomes a waste of time. It may even become a liability for administrators, who could mistakenly prioritize patching based solely on a score rather than undertaking a critical review.
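One concrete way to avoid prioritizing on a score alone is to compare the CNA's own assessment with any ADP-supplied score in the CVE record and flag disagreements for a human read of the advisory. The following is an added example, not code from the original article; it uses the CVE JSON 5.x container layout (a `cna` container and a list of `adp` containers identified by `providerMetadata.shortName`) and constructed sample records with placeholder CVE IDs, not the real Tomcat entries.

```python
from typing import Optional


def record(cve_id: str, cna_score: Optional[float], adp_score: Optional[float]) -> dict:
    """Build a constructed CVE JSON 5.x style record (illustration only, not real data)."""
    def metrics(score):
        return [] if score is None else [{"cvssV3_1": {"baseScore": score}}]
    return {"cveMetadata": {"cveId": cve_id},
            "containers": {"cna": {"metrics": metrics(cna_score)},
                           "adp": [{"providerMetadata": {"shortName": "CISA-ADP"},
                                    "metrics": metrics(adp_score)}]}}


SAMPLE_RECORDS = [record("CVE-EXAMPLE-A", 3.1, 9.1),   # CNA says low, ADP says critical
                  record("CVE-EXAMPLE-B", None, 9.1),  # CNA supplied no CVSS at all
                  record("CVE-EXAMPLE-C", 7.5, 7.5)]   # both parties agree


def base_scores(container: dict) -> list:
    """Collect every CVSS base score a container carries (v4.0, v3.1 or v3.0)."""
    scores = []
    for metric in container.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in metric and "baseScore" in metric[key]:
                scores.append(float(metric[key]["baseScore"]))
    return scores


def assess(rec: dict, gap: float = 2.0) -> dict:
    """Summarise CNA versus ADP scoring for one record.

    needs_review is set when an ADP supplied a score the CNA never gave, or when
    the two disagree by more than `gap` points: read those advisories, do not
    patch (or defer) on the headline score alone."""
    containers = rec["containers"]
    cna_max = max(base_scores(containers.get("cna", {})), default=None)
    adp_max = max((s for adp in containers.get("adp", []) for s in base_scores(adp)),
                  default=None)
    if adp_max is None:
        review, reason = False, "no ADP score"
    elif cna_max is None:
        review, reason = True, "score supplied only by ADP"
    elif abs(adp_max - cna_max) > gap:
        review, reason = True, f"CNA {cna_max} vs ADP {adp_max}"
    else:
        review, reason = False, "CNA and ADP agree"
    return {"cve": rec["cveMetadata"]["cveId"], "cna": cna_max, "adp": adp_max,
            "needs_review": review, "reason": reason}


def triage(records: list) -> list:
    """Return the assessments whose scores call for a manual read of the advisory."""
    return [a for a in map(assess, records) if a["needs_review"]]
```

Run `triage(SAMPLE_RECORDS)` to list the two constructed records where the ADP score stands alone or diverges from the CNA; the third, where both agree, is left to normal score-based scheduling.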

### Conclusion — A Call for Caution

Returning to Tomcat and ActiveMQ: the updates should still be applied. The process should, however, be carried out judiciously, and ideally informed by discussions such as the latest episode of the password podcast by Heise Security, which examines the effectiveness of CVSS and alternative classification systems.

In summary, relying on CVSS scores, especially those altered by CISA's intervention, can carry significant risk. Practitioners should keep a critical perspective and weigh their actions against a broader understanding of the vulnerabilities at hand.