CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.7%
About 5 years ago, we launched Qualys Patch Management to empower our customers to not just detect and prioritize vulnerabilities but also effectively remediate them. Since then, we have assisted our customers in addressing hundreds of millions of vulnerabilities, significantly enhancing the security of their environments
Now, we are leapfrogging forward and expanding our remediation capabilities to address vulnerabilities that do not have a patch or for which a patch cannot be deployed.
Our customers use Qualys Patch Management either as a complementary solution to their existing patch system or as a standalone solution. In both cases, they efficiently leverage patch automation at scale to address vulnerabilities in Windows, Linux, macOS, and third-party applications.
However, while patch management is a core capability for remediating vulnerabilities, it is not the only option, and in some cases, it may not be a viable option at all.** That’s why we’re excited to announce that we’re introducing Qualys TruRisk Eliminate so our customers can address all vulnerabilities—even those that can’t be patched.**
Sign up to be the first to find out when TruRisk Eliminate is live.
As our research shows and many of our customers told us, patching is not always the right answer to address a vulnerability. Here are a few reasons why:
At Qualys, our goal is to help our customers reduce risk. Recognizing that risk reduction extends beyond just applying patches, we are expanding our solutions to help customers address all vulnerabilities, even when a patch is unavailable or cannot be deployed.
Starting at the end of Q3 2024, Qualys TruRisk Eliminate will enable customers to use the same Qualys agent to deploy patches and map vulnerabilities to various actions that can be executed by the agent, addressing those vulnerabilities with or without deploying a patch.
Qualys TruRisk Eliminate Highlights:
Go to the TruRisk Eliminate product page
Let’s take a sample vulnerability, here CVE-2024-1086: Linux Kernel Use-After-Free Vulnerability (Flipping Pages), and an example of the situation a customer may be looking at in choosing how to handle this vulnerability. Based on anonymized Qualys data, CVE-2024-1086 has been detected more than 1.5M times, and only 20% of those detected instances are remediated in customer environments. Furthermore, for those organizations that were able to remediate this vulnerability, it took an average of 28 days to do so. As you can see, this vulnerability—which is part of CISA KEV—takes far too long to remediate!
With TruRisk Eliminate, Qualys customers will be able to address this vulnerability far more efficiently.
Assume a customer has CVE-2024-1086 detected on their Linux-based desktops and a few production servers. Qualys TruRisk Eliminate maps this CVE to several alternative actions to help customers address it.
Deploying the patch is considered less risky on Linux desktops. Therefore, the organization may choose to use the Qualys agent to test and deploy the patch to their desktops. However, applying the specific patch to production servers may be too risky at present. Instead, the organization may leverage the Qualys agent to apply the suggested mitigation, as the application owners consider the operational risk of blocking username space creation very low. Minimal manual work is required by the remediation teams for both actions, as all actions are pre-packaged and ready to be deployed by the Qualys agent. Once the customer utilizes Qualys to take these actions, the results will be automatically reflected in the VM reports, with the relevant QIDs marked as closed for all desktops and as mitigated for the production servers.
Qualys continues to evolve to meet the complex security needs of our customers. With the introduction of TruRisk Eliminate, we provide comprehensive solutions that go beyond traditional patch management, ensuring that all vulnerabilities can be effectively addressed. By leveraging our advanced mapping of vulnerabilities to various remediation actions, including non-patch solutions, we empower organizations to maintain robust security postures even in the face of the most challenging threats.
For more information and to experience these capabilities firsthand, visit our booth at Black Hat or contact your TAM.
Don’t miss the opportunity to enhance your security environment—join our waitlist to be the first to find out when TruRisk Eliminate is live.
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.7%