Overview

Aqua is introducing an update to how vulnerability severity is displayed for Azure Linux and CBL-Mariner CVEs. This change aligns Aqua’s severity values with Microsoft’s published vendor severity where available, improving data accuracy and consistency.


What’s Changing

Azure Linux Severity Alignment

  • Aqua will display Microsoft-published vendor severity for Azure Linux and CBL-Mariner CVEs when available.
  • Previously, Azure-based OS images effectively showed NVD-aligned severity, even when vendor data existed.

Customer Impact

After the update:

  • When the setting “Use NVD ratings for vulnerabilities in OS and programming language packages” is disabled, Aqua will display Azure (Microsoft) vendor severity for Azure Linux and CBL-Mariner findings.

Behavioral Change

  • Before: Azure-based OS images showed severity aligned with NVD in this flow.
  • After: Vendor severity (Azure) is used when available.

Scope of Impact

  • Only a small subset of CVEs (~6%) will show a visible severity difference.
  • 408 of 6,632 Azure-related CVEs differ between Azure and NVD severity.
  • ~94% of CVEs already align, so most findings will appear unchanged.

Impact is limited and concentrated in this subset.


Severity Difference Breakdown

  • 509 CVEs currently show a difference between Azure and NVD severity:
    • 367 CVEs: Azure severity is lower than NVD (NVD stricter)
    • 142 CVEs: Azure severity is higher than NVD (Azure stricter)

Important: Azure Vendor Data Limitations

Microsoft’s Azure Linux vulnerability feeds (e.g., OVAL and vuln-list JSON) currently provide:

  • Vendor severity
  • Reference URL

They do not provide full CVSS scoring details, including:

  • CVSS score
  • CVSS vector
  • Metric breakdown

How Aqua Handles This

  • When Azure vendor severity is displayed, CVSS scores and vectors continue to come from NVD (or another non-Azure source).
  • Aqua does not introduce a separate “Azure vendor” row, as this could incorrectly imply that all scoring data originates from Microsoft.

Why Most Findings Appear Unchanged

  • Most CVEs (~94%) already have matching severity between Azure and NVD.
  • Only a small subset (~6%) will show differences when vendor ratings are used.
  • Even when severity comes from Azure, CVSS score and vector remain NVD-based, which may create the appearance of mixed data sources.
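The selection rule described above, as an added Python illustration that is not Aqua's own code: the record fields, the setting flag name and the rank order are assumptions, and the sample records are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Rank used to compare an Azure vendor rating with the NVD rating (assumed order).
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class CveRecord:
    cve_id: str
    nvd_severity: str
    nvd_score: float      # CVSS base score, always NVD-sourced
    nvd_vector: str       # CVSS vector, always NVD-sourced
    azure_severity: Optional[str] = None  # None when Microsoft publishes no rating


def resolve_finding(rec: CveRecord, use_nvd_ratings: bool) -> dict:
    """Displayed severity: the Azure rating wins only when the 'Use NVD ratings'
    setting is off and a vendor rating exists; score/vector stay NVD-based because
    the Azure feeds carry neither."""
    if not use_nvd_ratings and rec.azure_severity is not None:
        severity, source = rec.azure_severity, "azure"
    else:
        severity, source = rec.nvd_severity, "nvd"
    return {"cve_id": rec.cve_id, "severity": severity, "severity_source": source,
            "cvss_score": rec.nvd_score, "cvss_vector": rec.nvd_vector,
            "cvss_source": "nvd"}


def severity_delta(records) -> dict:
    """Where vendor and NVD ratings disagree, split by direction."""
    counts = {"same": 0, "azure_lower": 0, "azure_higher": 0, "no_vendor_rating": 0}
    for rec in records:
        if rec.azure_severity is None:
            counts["no_vendor_rating"] += 1
            continue
        a, n = SEVERITY_RANK[rec.azure_severity], SEVERITY_RANK[rec.nvd_severity]
        key = "azure_lower" if a < n else "azure_higher" if a > n else "same"
        counts[key] += 1
    return counts


# Constructed sample records with placeholder ids; not real CVE data.
SAMPLE = [
    CveRecord("CVE-0000-0001", "HIGH", 7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "MEDIUM"),
    CveRecord("CVE-0000-0002", "MEDIUM", 5.3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "HIGH"),
    CveRecord("CVE-0000-0003", "HIGH", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "HIGH"),
    CveRecord("CVE-0000-0004", "CRITICAL", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
]
```

Running `severity_delta(SAMPLE)` reproduces the kind of lower/higher/unchanged breakdown the delta files report, while `resolve_finding` shows why a finding can carry an Azure severity next to an NVD score and vector.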

Recommended Customer Actions

Before the Rollout

  • Review Azure Linux CVE delta files / KB documentation to assess impact.
  • Focus on environments where severity affects:
    • Policy gates
    • Compliance status
    • Reporting or alerting
  • Optionally, pre-acknowledge impacted CVEs with SLA-aligned expiration.

After the Rollout

  1. Rescan a representative sample of Azure Linux / CBL-Mariner workloads.
  2. Review:
    • Severity-based dashboards
    • Alerts
    • Reports
    • Policy enforcement behavior

Additional Resources

  • Release-specific delta files and CVE comparison dataset (Azure vs. NVD severity)

Offline CyberCenter Customers

For Offline CyberCenter customers, no additional action is required to receive this update.

The changes will be automatically incorporated into the daily offline build once the release goes live. Existing deployment configurations and update workflows can continue to be used without modification.


Summary

This update improves severity accuracy by incorporating Microsoft’s vendor assessments for Azure Linux and CBL-Mariner vulnerabilities. The impact is limited (~6% of CVEs), with most findings unchanged, and CVSS scoring continuing to rely on NVD data.