vschmitt_FTNT
Staff
February 16, 2026

Troubleshooting Tip: Understanding high severity for LW_VULN_103, a known security vulnerability when CVEs are medium or low

Description
This article describes why the built-in Lacework host vulnerability policy LW_VULN_103 – Known Security Vulnerability generates High severity alerts even when the associated CVEs are rated as Medium or Low.

Scope
All environments using the Lacework host vulnerability policy LW_VULN_103.

Solution

The LW_VULN_103 – Known Security Vulnerability policy is configured by design to generate High severity alerts regardless of the individual CVE severities included in the alert. This approach highlights that a host is actively running software with known vulnerabilities, which is treated as a high-priority risk.


Policy behavior:
By default, the policy uses the following filter criteria:

  • CVE Severity INCLUDE *

  • Package active INCLUDE 1


Key points:

  • CVE Severity INCLUDE *
    The policy matches any CVE severity (Critical, High, Medium, Low, etc.).

  • Package active = 1
    The policy only triggers when the vulnerable package is considered active on the host, based on host process statistics.

Because the policy severity is set to High, any alert generated by LW_VULN_103 will appear as High, even if all CVEs in the alert are Medium or Low.

Customizing Policy Behavior
To align alert severity with CVE severity, create a custom policy as follows:

  1. Select Policies -> Vulnerability -> Host.

  2. Locate LW_VULN_103 – Known Security Vulnerability and select Clone.

  3. Adjust the filters as needed. For example, to match only higher-severity CVEs:

     CVE Severity INCLUDE High,Critical AND Package active INCLUDE 1

     Note: Do not include spaces after the comma.
     Optionally, remove Package active = 1 to alert on any installed vulnerable package.

  4. Set the desired alert severity for the custom policy.

  5. Save and enable the cloned policy.

  6. Disable the default LW_VULN_103 policy to prevent duplicate alerts.


Example use cases:

  • To generate High severity alerts only for High or Critical CVEs, clone the policy, set the filter to CVE Severity INCLUDE High,Critical, and set severity to High.

  • To avoid High severity alerts for Medium or Low CVEs, clone the policy, set the filter to CVE Severity INCLUDE High,Critical, and set severity to High. Optionally, create a second policy for CVE Severity INCLUDE Medium with severity set to Medium.
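The following is an added example, not Lacework code: a small model of how a policy's filter criteria and its fixed policy severity combine, run over constructed host findings. It assumes the documented semantics (INCLUDE * matches any value, INCLUDE lists are split on the comma only, and the alert severity is the policy's severity rather than the CVE's) and shows the default LW_VULN_103 beside the cloned policies from the use cases above; CVE ids, hosts and packages are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample findings (placeholder CVE ids, hosts and packages).
@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    cve: str
    cve_severity: str    # Critical, High, Medium or Low
    package_active: int  # 1 when host process statistics show the package running

FINDINGS = [
    Finding("web-01", "pkg-a", "CVE-0000-0001", "Medium", 1),
    Finding("web-01", "pkg-b", "CVE-0000-0002", "Low", 1),
    Finding("db-01", "pkg-c", "CVE-0000-0003", "Critical", 1),
    Finding("db-01", "pkg-d", "CVE-0000-0004", "High", 0),  # installed, not active
]

# Policy definitions modelled on the KB text. A policy without the
# "package_active" key alerts on any installed vulnerable package.
DEFAULT_LW_VULN_103 = {"cve_severity": "*", "package_active": 1, "severity": "High"}
CLONE_HIGH_CRITICAL = {"cve_severity": "High,Critical", "package_active": 1, "severity": "High"}
CLONE_MEDIUM = {"cve_severity": "Medium", "package_active": 1, "severity": "Medium"}

def parse_include(value: str) -> Optional[Set[str]]:
    """Parse an INCLUDE value: '*' (None) matches anything, otherwise a
    comma-separated list. Assumption matching the KB note: the value is split
    on the comma only, so 'High, Critical' yields ' Critical' and never matches."""
    if value == "*":
        return None
    return set(value.split(","))

def matches(policy: Dict, f: Finding) -> bool:
    allowed = parse_include(policy["cve_severity"])
    if allowed is not None and f.cve_severity not in allowed:
        return False
    if "package_active" in policy and f.package_active != policy["package_active"]:
        return False
    return True

def evaluate(policy: Dict, findings: List[Finding]) -> List[Tuple[str, str]]:
    """Return (cve, alert severity) for each finding the policy fires on.
    The alert carries the policy severity, never the CVE severity."""
    return [(f.cve, policy["severity"]) for f in findings if matches(policy, f)]

if __name__ == "__main__":
    for name, pol in [("LW_VULN_103", DEFAULT_LW_VULN_103), ("clone High,Critical", CLONE_HIGH_CRITICAL), ("clone Medium", CLONE_MEDIUM)]:
        print(name, evaluate(pol, FINDINGS))
```

Running it shows the Medium and Low CVEs surfacing as High alerts under the default policy, while the two clones return them at their intended severities.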