A vulnerability scanner generates the following output:
The company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities. Which of the following should the analyst prioritize first for remediation?
The only vulnerability with a (high) rating in the provided list is the Redis Vulnerability. CVSS Scores: None 0.0, Low 0.1 - 3.9, Medium 4.0 - 6.9, High 7.0 - 8.9, Critical 9.0 - 10.0. Another trick question by CompTIA. In the real world there would be an SLA for Critical as well if there is one for High. I am not 100% sure, but I am going with C on this one as it's my 6th CompTIA test.
Agreed, you would remediate the highest active risk before you look at something that has resurfaced. Although the age of the resurfaced vulnerability is higher, it can be a false positive due to the scanner not applying the exception after this vulnerability has already been patched or mitigated with a compensating control.
According to CVSS, vulnerabilities are classified as follows:
none (0.0), low (0.1-3.9), medium (4.0-6.9), high (7.0-8.9), critical (9.0-10.0)
If the company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities, that means the Redis vulnerability will be covered, so it would not be a vulnerability the analyst should be concerned about.
It seems that the SLA does not cover Extremely High Risk (critical) vulnerabilities. Yes, I know, it is a little hard to believe, but you have to think about what CompTIA wants us to think with the question.
Since this is a resurfaced vulnerability, and given the number of days, the analyst should analyze whether this is a patched vulnerability or, on the contrary, a new vulnerability that has been found.
If it were your company, would you tackle the critical 10 CVSS, which likely means RCE with no complexity? Or would you tackle the 7.5 CVSS, which is harder to exploit and less of a threat to your organization? The answer is easy. It's A.
The company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities. In my opinion, okay, we have an SLA for high vulnerabilities, but that's just a smokescreen. Why? First of all, it states that the time frame must be met, but nowhere does it specify what that time frame is and whether we are late. Additionally, it says that we have been waiting 43 days for the remediation of this vulnerability. When it could wait for so long, why should we prioritize it over critical CVSS 10? So, I am for A.
Redis Server is high-risk (CVSS 7.5), but since it's been on the radar for 43 days, the assumption is that the team should have already handled it under normal SLA conditions for high-risk vulnerabilities. If it's still unremediated, it may indicate an oversight or a different issue, but it doesn't necessarily need to be the immediate focus unless it was missed or there's a problem with the patching process.
Oracle JDK resurfacing as a critical vulnerability (CVSS 10) takes precedence here. The fact that it's resurfaced means it was likely addressed in the past but has now reappeared. Critical vulnerabilities can have severe impacts, and given its 4-day age, it falls within a much more urgent time frame for remediation, despite the question mentioning a high-risk policy.
In this scenario, the resurfaced Oracle JDK vulnerability should be prioritized because:
It's classified as critical, which can bypass or elevate priority over high-risk policies.
Resurfaced vulnerabilities can indicate that a previous patch or remediation effort was incomplete or has failed, making it even more urgent.
I pick C over A based on the SLA mentioned. I know A is CVSS 10, but it is 4 days. If we have to follow the SLA, the 40+ days one has to get fixed first. IRL probably have to ask client what to prioritise.
C is correct due to the fact that the question asks about high vulnerabilities. Those are the ones between 7.0 - 8.9, so the ExamTopics answer is correct in my opinion.
I have not taken the exam yet, but I believe this question is looking to see if you know what the CVSS scales are. SLA states "high" - so what does "high" equate to on scale === 7.0 --> 8.9. Which vulnerability has a score in this range?
High-severity vulnerabilities (especially those with a CVSS score of 10) are often easier to exploit and might already have exploits available in the wild. Attackers can leverage these vulnerabilities to gain privileged access or control over affected systems quickly. While the server has an active vulnerability, the lower CVSS score suggests it may be less likely to be exploited or might have mitigating factors that reduce its immediate impact.
From the output, the Oracle Java JDK / JRE 6 < Update 30 Multiple Vulnerabilities has the highest CVSS score of 10, which classifies it as a critical vulnerability. Given its high risk and the fact that it is a recent vulnerability (only 4 days old), this should be prioritized first for remediation.
I think this is a curveball question to look at more than just the vulnerability metrics. For the Redis line item, the CVE states that password authentication is ineffective, meaning it's exploitable when only using a password (1FA), and by the nature of the exploit itself it is a higher priority than the rest.
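The thread turns on two things: which CVSS band each score falls in, and whether an SLA clock for "high" findings should outrank raw severity. The following is an added example (not part of the ExamTopics page or any commenter's code) that encodes the CVSS v3.x qualitative bands quoted above and triages the two findings the comments describe (Redis at 7.5 / 43 days, Oracle JDK at 10.0 / 4 days, resurfaced) under both readings. The SLA day count, the third "medium" finding, and the policy names are assumptions for illustration; the page never states the actual SLA window.

```python
"""CVSS qualitative bands plus an explicit-policy SLA triage.

Added example, not from the original discussion. The severity bands are the
CVSS v3.x qualitative scale quoted in the thread; the SLA window (30 days)
and the 'medium' sample finding are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# CVSS v3.x qualitative severity scale: (inclusive upper bound, rating).
_BANDS = [
    (0.0, "none"),
    (3.9, "low"),
    (6.9, "medium"),
    (8.9, "high"),
    (10.0, "critical"),
]


def cvss_rating(score: float) -> str:
    """Map a CVSS base score (one decimal place) to its qualitative rating."""
    score = round(score, 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for upper, rating in _BANDS:
        if score <= upper:
            return rating
    return "critical"  # unreachable, kept for clarity


@dataclass(frozen=True)
class Finding:
    name: str
    score: float
    age_days: int
    resurfaced: bool = False


# The question states an SLA only for high-risk findings; the 30-day window
# is an assumed placeholder, not a value from the page.
ASSUMED_SLA_DAYS: Dict[str, int] = {"high": 30}

# Constructed from the values the commenters quote, plus one medium finding
# (constructed) to show a rating with no SLA at all.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("Redis Server", 7.5, age_days=43),
    Finding("Oracle Java JDK / JRE 6 < Update 30 Multiple Vulnerabilities",
            10.0, age_days=4, resurfaced=True),
    Finding("Constructed medium finding", 5.3, age_days=60),
]


def sla_status(f: Finding, sla: Dict[str, int] = ASSUMED_SLA_DAYS) -> Optional[int]:
    """Days past the SLA window for this finding's rating.

    Negative means still inside the window; None means no SLA applies.
    """
    limit = sla.get(cvss_rating(f.score))
    if limit is None:
        return None
    return f.age_days - limit


def prioritize(findings: List[Finding],
               sla: Dict[str, int] = ASSUMED_SLA_DAYS,
               policy: str = "severity_first") -> List[Finding]:
    """Order findings for remediation under one explicitly named policy.

    'severity_first': highest CVSS score first, ties broken by SLA overdue days.
    'sla_first'     : findings already past their SLA first (most overdue),
                      then everything else by CVSS score.
    Both orderings are returned as-is; choosing the policy is the analyst's call.
    """
    def overdue(f: Finding) -> int:
        d = sla_status(f, sla)
        return d if d is not None else -10**6  # no SLA: never "overdue"

    if policy == "severity_first":
        key = lambda f: (-f.score, -overdue(f))
    elif policy == "sla_first":
        key = lambda f: (overdue(f) <= 0, -overdue(f), -f.score)
    else:
        raise ValueError(f"unknown policy: {policy}")
    return sorted(findings, key=key)


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.name[:40]:40} {f.score:4} {cvss_rating(f.score):8} "
              f"overdue={sla_status(f)}")
    for pol in ("severity_first", "sla_first"):
        print(pol, "->", [f.name[:12] for f in prioritize(SAMPLE_FINDINGS, policy=pol)])
```

With the assumed 30-day window, `severity_first` puts the CVSS 10 JDK finding first (the "A" reading in the thread) while `sla_first` puts the 43-day-old Redis finding first because it is the only one with an SLA and it is 13 days past it (the "C" reading). Making the policy a named parameter keeps the disagreement visible instead of burying it in a sort key.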
Community vote distribution: A (35%), C (25%), B (20%), Other