Impact Object
An impact is a recognized result of an action taken for a given vulnerability scenario.
Semantics
An impact is either logical or physical.
A logical impact is a virtual effect, resulting from an action, that affects information processed by a device or the operational state of a device that processes information. Common examples include loss, disclosure, or corruption of information, or unexpected changes to the execution state of hardware or software. Logical impacts are defined using the hasLogicalImpact property.
A physical impact is an effect, resulting from an action, that affects something tangible, such as a physical device, machinery, the surrounding environment, or a person. Common examples include damage to assets or people, or loss of resources. Physical impacts are defined using the hasPhysicalImpact property.
Because an impact is associated with an action, the impact is relative to the action's context, and so is its criticality. For a given context, such as Guest OS or Application, the criticality should reflect how significant the associated impact could be for that specific context.
For example, an impact in a Guest OS context may be of lower significance than the same impact in a Host OS context, and the impact's criticality should reflect that difference.
Properties
An impact MUST define exactly one of the hasLogicalImpact and hasPhysicalImpact properties.
An impact has the following properties.
Identifier
Name: id
Cardinality: one
Description: A globally unique identifier for the impact. The impact identifier distinguishes the impact from other impacts related to the same vulnerability. This identifier MUST be a version 4 (random) or version 5 (SHA-1 based) Universally Unique Identifier (UUID) as defined by RFC 4122.
Scope
Name: hasScope
Cardinality: one
Description: A coarse measure of the extent of impact an exploit could have on a target. The value of hasScope MUST be a value from the scope value list. Impacts with an Unlimited scope SHOULD assign a hasCriticality property value of High.
Criticality
Name: hasCriticality
Cardinality: one
Description: A measure of the relative significance of the associated Scope. The value of hasCriticality MUST be a value from the criticality value list.
Logical Impact
Name: hasLogicalImpact
Cardinality: one
Description: A virtual effect, resulting from an action, that affects information processed by a device or the operational state of a device that processes information. Logical impact is considered for assessing the traditional notions of confidentiality, integrity and availability. The property hasLogicalImpact MUST NOT be used in combination with the property hasPhysicalImpact; these properties are mutually exclusive. The value of hasLogicalImpact MUST be a value from the logical impact value list.
Location
Name: hasLocation
Cardinality: zero or one
Description: Designates the specific area or location affected, as supplemental information for a logical impact. The property hasLocation MAY be used in combination with the property hasLogicalImpact. The property hasLocation MUST NOT be used in combination with hasPhysicalImpact; it only applies to logical impacts. The value of hasLocation MUST be a value from the location value list.
Physical Impact
Name: hasPhysicalImpact
Cardinality: one
Description: A tangible impact to a physical device, machinery, the surrounding environment, or people. The property hasPhysicalImpact MUST NOT be used in combination with the property hasLogicalImpact; these properties are mutually exclusive. The value of hasPhysicalImpact MUST be a value from the physical impact value list.
Relationships
None
Example
{
  "id": "S1A2I3",
  "hasLogicalImpact": "Privilege Escalation",
  "hasScope": "Limited",
  "hasCriticality": "Low",
  "gainedPrivileges": "Administrator"
}
{
  "id": "S1A2I4",
  "hasPhysicalImpact": "Physical Resource Consumption",
  "hasScope": "Limited",
  "hasCriticality": "Low"
}
Note that the identifiers in these examples are illustrative shorthand and do not satisfy the UUID requirement stated under Identifier, and that gainedPrivileges is not among the properties defined for the Impact object above; a validator built from this section should treat such values accordingly.
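As an added example (not part of the original specification or of any VDO tooling), the following Python checker enforces the MUST and SHOULD rules stated in this section: a version 4 or 5 UUID identifier, exactly one of hasLogicalImpact or hasPhysicalImpact, hasLocation only alongside a logical impact, and High criticality expected for Unlimited scope. The value lists are assumptions: the page refers to them without reproducing them, so the sets below hold only the values mentioned on this page, and the location list is left unset. The sample objects are constructed for illustration, and the page's own first example is run through the checker to show how its placeholder identifier and its undefined gainedPrivileges property are reported.

```python
"""Checker for the Impact object rules in this section.

Added example, not part of the original specification. Value lists are an
ASSUMPTION: the page refers to them without reproducing them, so the sets
below contain only the values that appear on the page.
"""
import uuid

# ASSUMPTION: partial value lists, populated from values mentioned on the page.
SCOPE_VALUES = {"Limited", "Unlimited"}
CRITICALITY_VALUES = {"Low", "High"}
LOGICAL_IMPACT_VALUES = {"Privilege Escalation"}
PHYSICAL_IMPACT_VALUES = {"Physical Resource Consumption"}
LOCATION_VALUES = None  # not reproduced on the page; set from the spec to enable the check

DEFINED_PROPERTIES = {"id", "hasScope", "hasCriticality", "hasLogicalImpact",
                      "hasPhysicalImpact", "hasLocation"}


def is_uuid_v4_or_v5(value):
    """True if value parses as an RFC 4122 UUID of version 4 or 5."""
    if not isinstance(value, str):
        return False
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    return parsed.variant == uuid.RFC_4122 and parsed.version in (4, 5)


def validate_impact(impact):
    """Return (errors, warnings): errors are MUST violations, warnings are
    SHOULD violations or properties this section does not define."""
    errors, warnings = [], []

    if not is_uuid_v4_or_v5(impact.get("id")):
        errors.append("id MUST be a version 4 or 5 UUID (RFC 4122)")

    scope = impact.get("hasScope")
    if scope not in SCOPE_VALUES:
        errors.append("hasScope MUST be a value from the scope value list")
    criticality = impact.get("hasCriticality")
    if criticality not in CRITICALITY_VALUES:
        errors.append("hasCriticality MUST be a value from the criticality value list")

    has_logical = "hasLogicalImpact" in impact
    has_physical = "hasPhysicalImpact" in impact
    if has_logical == has_physical:  # both present, or neither
        errors.append("exactly one of hasLogicalImpact or hasPhysicalImpact MUST be present")
    if has_logical and impact["hasLogicalImpact"] not in LOGICAL_IMPACT_VALUES:
        errors.append("hasLogicalImpact MUST be a value from the logical impact value list")
    if has_physical and impact["hasPhysicalImpact"] not in PHYSICAL_IMPACT_VALUES:
        errors.append("hasPhysicalImpact MUST be a value from the physical impact value list")

    if "hasLocation" in impact:
        if has_physical or not has_logical:
            errors.append("hasLocation only applies to logical impacts")
        elif LOCATION_VALUES is not None and impact["hasLocation"] not in LOCATION_VALUES:
            errors.append("hasLocation MUST be a value from the location value list")

    # The page neither defines nor forbids other properties, so only warn.
    extra = sorted(set(impact) - DEFINED_PROPERTIES)
    if extra:
        warnings.append("properties not defined for Impact: " + ", ".join(extra))

    if scope == "Unlimited" and criticality != "High":
        warnings.append("Unlimited scope SHOULD carry hasCriticality High")

    return errors, warnings


def sample_impacts():
    """Constructed samples (not from the page): a conforming logical impact,
    a conforming physical impact, a multiply-invalid object, and the page's
    own first example for comparison."""
    conforming_logical = {
        "id": str(uuid.uuid5(uuid.NAMESPACE_URL, "urn:example:scenario1/action2/impact3")),
        "hasLogicalImpact": "Privilege Escalation",
        "hasScope": "Limited",
        "hasCriticality": "Low",
    }
    conforming_physical = {
        "id": str(uuid.uuid4()),
        "hasPhysicalImpact": "Physical Resource Consumption",
        "hasScope": "Unlimited",
        "hasCriticality": "High",
    }
    invalid = {
        "id": "S1A2I3",                 # not a UUID
        "hasLogicalImpact": "Privilege Escalation",
        "hasPhysicalImpact": "Physical Resource Consumption",  # mutually exclusive
        "hasLocation": "placeholder",   # not allowed with a physical impact
        "hasScope": "Unlimited",
        "hasCriticality": "Low",        # SHOULD be High for Unlimited scope
    }
    page_example = {
        "id": "S1A2I3",
        "hasLogicalImpact": "Privilege Escalation",
        "hasScope": "Limited",
        "hasCriticality": "Low",
        "gainedPrivileges": "Administrator",
    }
    return conforming_logical, conforming_physical, invalid, page_example


if __name__ == "__main__":
    for obj in sample_impacts():
        errs, warns = validate_impact(obj)
        print(obj.get("id"), "errors:", errs, "warnings:", warns)
```

The MUST rules are reported as errors and the SHOULD rule as a warning so that a producer can reject non-conforming objects while still surfacing the scope-to-criticality recommendation; the membership check for hasLocation stays inactive until the location value list is supplied.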