Professionalisation
From a professional software company you can expect security to get serious attention. As part of that, GX has been registering CVEs for XperienCentral (XC) since Q4 2022.
What is a CVE?
Common Vulnerabilities and Exposures (CVE) is a public catalogue of known security vulnerabilities in software products. Each entry gets a unique identifier (for example CVE-2022-42889) and a short description, so that vendors, users and security tooling all refer to the same vulnerability by the same name. The aim is to inform organisations and users which versions of a product are affected by a known vulnerability, so that appropriate measures can be taken to stay one step ahead of attackers.
Where does GX register a CVE?
GX registers CVEs with MITRE (Mitre.org), the not-for-profit organisation that operates the CVE programme and maintains the central database in which publicly disclosed vulnerabilities in computer systems and networks are recorded. At the time of writing, this database contains well over 100,000 registered vulnerabilities.
What do you need to know as an XC user?
Announcement
GX notifies you in advance that a CVE is going to be published. Such a notification contains:
- a description of the vulnerability;
- an estimate of the impact, so that you can determine the severity for your own situation;
- an explanation of how the vulnerability can be exploited;
- a patch, so that a fix is available immediately.
Timeframe and required actions
From the moment of notification you have one (1) month to install the supplied patch. This can be arranged by, for example:
- putting the patch on your own development team's backlog;
- putting the patch on the backlog of the GX scrum team;
- having it installed in collaboration with Customer Services.
GX does not send an additional reminder for installing the patch.
Publication time
One (1) month after notification, GX publishes the CVE on this portal. From that moment the vulnerability is public knowledge, which is why the patch window precedes publication. At publication, GX publicly states:
- which XC Releases are affected by the vulnerability;
- the general (not exact) attack vectors, i.e. the path or means by which an attacker can reach the vulnerability;
- the link to the CVE on Mitre.org.
To get an idea of what such a CVE looks like on Mitre.org, you can view an example here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889.
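To make the record format concrete, here is an added example (not GX's or MITRE's code) that parses a CVE record in the JSON 5.0 layout served by cve.org/MITRE, validates the identifier, and checks whether a deployed version falls inside one of the record's affected ranges. The record embedded in it is constructed for this example: the CVE ID, vendor, product, description and version ranges are placeholders, not a real vulnerability. It also assumes purely numeric dotted versions; other `versionType` values (git hashes, dates) would need their own comparator.

```python
"""Added example: parse a CVE JSON 5.0 record and test a deployed version
against its affected ranges. The record below is CONSTRUCTED: placeholder
CVE ID, placeholder product and made-up ranges. It is not a real CVE."""
import json
import re
from dataclasses import dataclass

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
MITRE_LOOKUP = "https://cve.mitre.org/cgi-bin/cvename.cgi?name="

# Constructed sample in the CVE JSON 5.0 shape (cveMetadata + containers.cna).
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {
        "cveId": "CVE-2099-00001",          # placeholder, not an assigned ID
        "state": "PUBLISHED",
        "datePublished": "2099-01-15T10:00:00.000Z",
    },
    "containers": {"cna": {
        "descriptions": [{"lang": "en",
                          "value": "Placeholder description of a constructed vulnerability."}],
        "affected": [{
            "vendor": "ExampleVendor",       # placeholder vendor
            "product": "ExampleCMS",         # placeholder product
            "versions": [
                # [version, lessThan) ranges, as CVE 5.0 expresses them
                {"version": "10.0.0", "status": "affected",
                 "lessThan": "10.6.2", "versionType": "semver"},
                {"version": "11.0.0", "status": "affected",
                 "lessThan": "11.1.0", "versionType": "semver"},
                # an explicit single unaffected version
                {"version": "11.1.0", "status": "unaffected",
                 "versionType": "semver"},
            ],
        }],
        "references": [{"url": "https://example.invalid/advisory"}],
    }},
})


@dataclass
class CveSummary:
    cve_id: str
    published: str
    description: str
    affected: list   # list of (vendor, product, version entries)


def validate_cve_id(cve_id: str) -> bool:
    """CVE IDs are CVE-<year>-<4 or more digits>."""
    return bool(CVE_ID_RE.match(cve_id))


def cve_url(cve_id: str) -> str:
    """Lookup URL on Mitre.org for a given identifier."""
    return MITRE_LOOKUP + cve_id


def parse_version(v: str) -> tuple:
    # Assumption: purely numeric dotted versions such as "10.6.2".
    return tuple(int(p) for p in v.split("."))


def version_in_entry(version: str, entry: dict) -> bool:
    """True if `version` matches one CVE 5.0 `versions` entry: either an exact
    version, or a range [version, lessThan) / [version, lessThanOrEqual].
    A bound of "*" means unbounded above."""
    v = parse_version(version)
    start = parse_version(entry["version"])
    if "lessThan" in entry:
        bound = entry["lessThan"]
        return start <= v and (bound == "*" or v < parse_version(bound))
    if "lessThanOrEqual" in entry:
        bound = entry["lessThanOrEqual"]
        return start <= v and (bound == "*" or v <= parse_version(bound))
    return v == start


def parse_record(raw: str) -> CveSummary:
    """Extract the fields a reader of the notification cares about."""
    doc = json.loads(raw)
    cve_id = doc["cveMetadata"]["cveId"]
    if not validate_cve_id(cve_id):
        raise ValueError(f"malformed CVE identifier: {cve_id!r}")
    cna = doc["containers"]["cna"]
    description = next((d["value"] for d in cna.get("descriptions", [])
                        if d.get("lang", "").startswith("en")), "")
    affected = [(a.get("vendor", ""), a["product"], a.get("versions", []))
                for a in cna.get("affected", [])]
    return CveSummary(cve_id, doc["cveMetadata"].get("datePublished", ""),
                      description, affected)


def is_affected(record: CveSummary, product: str, version: str) -> bool:
    """Affected if some matching entry says 'affected' and none says 'unaffected'."""
    hit = False
    for _vendor, prod, entries in record.affected:
        if prod != product:
            continue
        for entry in entries:
            if not version_in_entry(version, entry):
                continue
            if entry.get("status") == "unaffected":
                return False
            if entry.get("status") == "affected":
                hit = True
    return hit


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec.cve_id, cve_url(rec.cve_id), rec.published)
    for v in ("10.5.0", "10.6.2", "11.0.5", "11.1.0"):
        print(v, "affected" if is_affected(rec, "ExampleCMS", v) else "not affected")
```

Note that `lessThan` is an exclusive bound, so the first fixed version (here the constructed 10.6.2) is reported as not affected; when you read a real record, check whether the vendor used `lessThan` or `lessThanOrEqual` before concluding that your Release is clean.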
Contractual coverage
For security reasons, GX encourages the use of up-to-date software. Besides recommending that you run an XC version that is no older than one (1) year, we stipulate this contractually: as soon as you run an XC version older than one (1) year, some of the provisions of the Support contract lapse. One consequence is that the support time needed to deal with a CVE in such an outdated Release falls outside the contract. If you use an XC Release that is no older than one (1) year, support is of course covered by the contract.
Questions
If you have any questions about this procedure, please contact Customer Services. They will be happy to look into your specific situation.