Overview

The end-to-end lifecycle for CVE handing consists of the following stages:

Figure: Lifecycle stages for CVE handling
StageDescription
InboundInbound channels for reporting potential CVEs that affect Solo.io products, including FedRAMP requirements for monthly vendor responses to security scans.
TrackingContinuous monitoring of reported CVEs with details on assessment and remediation status.
AnalysisDetermination of whether a given CVE affects Solo.io products, the CVE severity, and suggested remediation plan if required.
RemediationA change introduced to a product (code fix, dependency bump, etc.) that is incorporated into a product release.
ReportingCommunication of CVE-related information to parties outside of Solo.io, including customers.

CVE lifecycle stages

Learn more about each CVE lifecycle stage.

Inbound

The following sources are used to determine product exposure to CVEs:

  • Solo.io performs continuous CVE scanning of supported product components to detect vulnerabilities.
  • Solo.io customers may share output from their own security scanning tools for analysis and response from Solo.io.
  • Solo.io participates in early disclosure and security workgroups of multiple upstream communities.
  • Solo.io maintains a public security site that is open to all users to report potential security issues.
  • Solo.io customers with regulatory requirements for regular scans (e.g. FedRAMP) submit their scan output to Solo.io for vendor remediation response.

Tracking

All reported CVEs that meet the minimum threshold enter the tracking process step. The minimal threshold for tracking includes:

  • All CVEs reported with a severity of CRITICAL or HIGH.
  • Any CVEs with severity of MODERATE or LOW that are determined to have a significant impact on our security posture.

Embargoed CVEs are tracked in a separate repository and subject to the constraints set forth by the associated upstream security workgroup.

Analysis

Analysis of reported CVEs consists of the following steps:

  • Perform an initial review to filter out CVEs that do not apply to our products (e.g. false positives due to invalid scan results).
  • Conduct an initial assessment of the severity based on NIST scoring along with alternative scoring from the community.
  • Review each CVE that is eligible for remediation to determine if an attack vector exists in the context of Solo.io’s products. If no attack vector exists, then the CVE is downgraded with no further remediation activity.

Remediation

Remediation of a CVE involves introducing a fix to the affected code and releasing the associated component. The process and timing for these activities can be separated into two categories:

  • Direct control: Solo.io has the ability to contribute fixes and release the associated component. This is generally the case with code in the Gloo Gateway codebase.
  • Indirect control: Solo.io is subject to the contribution and release policies of a third-party community. This is generally the case with upstream dependencies that are included in Gloo Gateway.

Fixes for CVEs that impact dependencies are subject to the ability of the third-party community to accept these fixes and to incorporate them into a release.

Reporting

Security scan results for product images are published in the Solo.io product documentation with each release.

In addition to public reporting on security scanning, Solo.io works directly with customers on FedRAMP reporting and compliance requirements related to CVE scan results. Solo.io reviews customer scan reports, evaluates CVEs, remediates CVEs based on Solo.io’s analysis, and provides vendor responses to identified CVEs.

Certain CVEs require special attention due to their disclosure status, severity, or heightened awareness (e.g. Heartbleed, Log4j). In these cases, Solo.io may use additional reporting channels, including direct email and the Solo.io blog, to communicate CVE information.

Updates & Questions

Solo.io reserves the right to change this process in its sole discretion. Solo.io’s security processes are reviewed regularly to ensure compliance with industry standards and the current security landscape. For questions or additional details, email security@solo.io.