IBM X-Force Exchange v2

This integration is part of the IBM X-Force Exchange Pack.

IBM X-Force Exchange lets you receive threat intelligence about applications, IP addresses, URLs, and hashes.

Configure XFE v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for XFE v2.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
|---|---|---|
| url | Server URL (e.g. https://api.xforce.ibmcloud.com) | True |
| credentials | API Key | True |
| Source Reliability | Reliability of the source providing the intelligence data. The default value is C - Fairly reliable. | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| ip_threshold | IP Threshold. Minimum risk score for the IP to be considered malicious (ranges from 1 to 10). | False |
| url_threshold | URL Threshold. Minimum risk score for the URL to be considered malicious (ranges from 1 to 10). | False |
| cve_threshold | CVE Threshold. Minimum risk score for the URL to be considered malicious (ranges from 1 to 10). | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

IP to check

Base Command

ip

Input

| Argument Name | Description | Required |
|---|---|---|
| ip | IP to check | Required |
| threshold | score threshold | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| IP.Address | Unknown | The IP address. |
| IP.Malicious.Vendor | Unknown | For malicious IPs, the vendor that made the decision. |
| IP.Malicious.Description | Unknown | For malicious IPs, the reason for the vendor to make the decision. |
| IP.Malicious.Score | Unknown | For malicious IPs, the score from the vendor. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| XFE.IP.Reason | String | The reason for the given score from X-Force Exchange. |
| XFE.IP.Reasondescription | String | Additional details of the score's reason. |
| XFE.IP.Subnets | Unknown | The subnets of the IP. |

Command Example

!ip ip=8.8.8.8

Context Example
{
"DBotScore": {
"Indicator": "8.8.8.8",
"Score": 1,
"Type": "ip",
"Vendor": "XFE"
},
"IP": {
"Address": "8.8.8.8",
"Geo": {
"Country": "United States"
},
"Score": 1
},
"XFE": {
"IP": {
"Reason": "Regional Internet Registry",
"Reasondescription": "One of the five RIRs announced a (new) location mapping of the IP.",
"Subnets": [
{
"asns": {
"3356": {
"cidr": 8,
"removed": true
}
},
"categoryDescriptions": {},
"cats": {},
"created": "2018-04-24T06:22:00.000Z",
"ip": "8.0.0.0",
"reason": "Regional Internet Registry",
"reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
"reason_removed": true,
"score": 1,
"subnet": "8.0.0.0/8"
},
{
"asns": {
"3356": {
"cidr": 9,
"removed": true
}
},
"categoryDescriptions": {},
"cats": {},
"created": "2020-03-22T07:54:00.000Z",
"geo": {
"country": "United States",
"countrycode": "US"
},
"ip": "8.0.0.0",
"reason": "Regional Internet Registry",
"reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
"reason_removed": true,
"score": 1,
"subnet": "8.0.0.0/9"
},
{
"asns": {
"15169": {
"cidr": 24,
"removed": true
}
},
"categoryDescriptions": {},
"cats": {},
"created": "2020-03-22T07:54:00.000Z",
"ip": "8.8.8.0",
"reason": "Regional Internet Registry",
"reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
"reason_removed": true,
"score": 1,
"subnet": "8.8.8.0/24"
}
]
}
}
}
Human Readable Output

X-Force IP Reputation for: 8.8.8.8

https://exchange.xforce.ibmcloud.com/ip/8.8.8.8

| Reason | Score | Subnets |
|---|---|---|
| Regional Internet Registry:One of the five RIRs announced a (new) location mapping of the IP. | 1 | 8.0.0.0/8, 8.0.0.0/9, 8.8.8.0/24 |

url

Check the given URL reputation

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

url

Input

| Argument Name | Description | Required |
|---|---|---|
| threshold | If the score is above the given threshold, the URL will be considered malicious. If threshold is not specified, the default URL threshold, as configured in the instance settings, will be used. | Optional |
| url | The URL to check | Required |

Context Output

| Path | Type | Description |
|---|---|---|
| URL.Data | String | The given URL from the user. |
| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |

Command Example

!url url="https://www.google.com"

Context Example
{
"DBotScore": {
"Indicator": "https://www.google.com",
"Score": 1,
"Type": "url",
"Vendor": "XFE"
},
"URL": {
"Data": "https://www.google.com"
}
}
Human Readable Output

X-Force URL Reputation for: https://www.google.com

https://exchange.xforce.ibmcloud.com/url/https://www.google.com

| Categories | Score |
|---|---|
| Search Engines / Web Catalogues / Portals | 1 |

file

Check file reputation

Base Command

file

Input

| Argument Name | Description | Required |
|---|---|---|
| file | The file hash md5/sha1/sha256 to check | Required |

Context Output

| Path | Type | Description |
|---|---|---|
| File.MD5 | String | The file's MD5. |
| File.SHA1 | String | The file's SHA1. |
| File.SHA256 | String | The file's SHA256. |
| File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | String | For malicious files, the reason for the vendor to make the decision. |
| File.Relationships.EntityA | String | The source of the relationship. |
| File.Relationships.EntityB | String | The destination of the relationship. |
| File.Relationships.Relationship | String | The name of the relationship. |
| File.Relationships.EntityAType | String | The type of the source of the relationship. |
| File.Relationships.EntityBType | String | The type of the destination of the relationship. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| XFE.File.CnCServers | Unknown | C&C servers related to the given file. |
| XFE.File.emails | Unknown | Emails related to the given file. |
| XFE.File.downloadServers | Unknown | Download servers related to the given file. |
| XFE.File.subjects | Unknown | Subjects related to the given file. |
| XFE.File.external | Unknown | Additional information about the given file. |

Command Example

!file file="f2b8d790dab6d2c6945f9a0bce441921"

Context Example
{
"DBotScore": {
"Indicator": "f2b8d790dab6d2c6945f9a0bce441921",
"Score": 3,
"Type": "file",
"Vendor": "XFE"
},
"File": {
"MD5": "f2b8d790dab6d2c6945f9a0bce441921",
"Malicious": {
"Description": null,
"Vendor": "XFE"
}
},
"XFE": {
"File": {
"CnCServers": {},
"Family": "kryptik",
"FamilyMembers": null,
"downloadServers": {},
"emails": {
"count": 1,
"rows": [
{
"count": 1,
"domain": "dtest.com",
"filepath": "Case File 5368.zip",
"firstseen": "2018-08-13T07:15:00Z",
"ip": "217.76.151.72",
"lastseen": "2018-08-13T07:15:00Z",
"md5": "F2B8D790DAB6D2C6945F9A0BCE441921",
"origin": "SPM",
"type": "SPM",
"uri": "Case File 5368.zip"
}
]
},
"external": {
"detectionCoverage": 34,
"family": [
"kryptik"
],
"firstSeen": "2018-08-13T07:48:30Z",
"lastSeen": "2018-08-14T09:22:00Z",
"malwareType": "Trojan",
"platform": "ByteCode",
"source": "reversingLabs",
"subPlatform": "JAVA"
},
"subjects": {
"count": 1,
"rows": [
{
"count": 1,
"firstseen": "2018-08-13T07:15:00Z",
"ips": [
"217.76.151.72"
],
"lastseen": "2018-08-13T07:15:00Z",
"md5": "F2B8D790DAB6D2C6945F9A0BCE441921",
"origin": "email",
"subject": "Court Order",
"type": "email"
}
]
}
}
}
}
Human Readable Output

X-Force md5 Reputation for f2b8d790dab6d2c6945f9a0bce441921

https://exchange.xforce.ibmcloud.com/malware/f2b8d790dab6d2c6945f9a0bce441921

| Created Date | Source | Type |
|---|---|---|
| 2018-08-13T07:48:30Z | reversingLabs | Trojan |

domain

Check domain reputation

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

domain

Input

| Argument Name | Description | Required |
|---|---|---|
| domain | The domain to check | Required |
| threshold | If the score is above the given threshold, the domain will be considered malicious. If threshold is not specified, the default URL threshold, as configured in the instance settings, will be used. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| Domain.Name | String | Domain. |
| Domain.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |

Command Example

!domain domain="google.com"

Context Example
{
"DBotScore": {
"Indicator": "google.com",
"Score": 1,
"Type": "domain",
"Vendor": "XFE"
},
"Domain": {
"Name": "google.com"
}
}
Human Readable Output

X-Force Domain Reputation for: google.com

https://exchange.xforce.ibmcloud.com/url/google.com

| Categories | Score |
|---|---|
| Search Engines / Web Catalogues / Portals | 1 |

cve-search

Search for details about the given CVE

Base Command

cve-search

Input

| Argument Name | Description | Required |
|---|---|---|
| cve_id | The CVE to search for | Required |

Context Output

| Path | Type | Description |
|---|---|---|
| CVE.ID | String | The ID of the CVE. |
| CVE.CVSS | String | The CVSS of the CVE. |
| CVE.Published | Date | The date this was published. |
| CVE.Description | Unknown | The CVE description. |
| XFE.CVE.Xfdbid | String | The XFDBID of the CVE. |
| XFE.CVE.RiskLevel | Number | The risk level of the CVE. |
| XFE.CVE.Reported | Date | The reported date of the CVE. |
| XFE.CVE.Cvss | Unknown | The CVSS information of the CVE. |
| XFE.CVE.Stdcode | Unknown | The CVE stdcodes. |
| XFE.CVE.Title | String | The title of the CVE. |
| XFE.CVE.Description | String | The description of the CVE. |
| XFE.CVE.PlatformsAffected | Unknown | The affected platforms due to the CVE. |
| XFE.CVE.Exploitability | String | The exploitability of the CVE. |

Command Example

!cve-search cve_id="CVE-2020-3142"

Context Example
{
"CVE": {
"CVSS": "3.0",
"Description": "Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow a remote attacker to obtain sensitive information, caused by unintended meeting information exposure in a specific meeting join flow for mobile applications. By accessing a known meeting ID or meeting URL from the mobile device\u0092s web browser, an attacker could exploit this vulnerability to join a password-protected meeting without providing the meeting password.",
"ID": "CVE-2020-3142",
"Malicious": {
"Description": "Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow a remote attacker to obtain sensitive information, caused by unintended meeting information exposure in a specific meeting join flow for mobile applications. By accessing a known meeting ID or meeting URL from the mobile device\u0092s web browser, an attacker could exploit this vulnerability to join a password-protected meeting without providing the meeting password.",
"Vendor": "XFE"
},
"Published": "2020-01-24T00:00:00Z"
},
"DBotScore": {
"Indicator": "CVE-2020-3142",
"Score": 3,
"Type": "cve",
"Vendor": "XFE"
},
"XFE": {
"CVE": {
"Cvss": {
"access_complexity": "Low",
"access_vector": "Network",
"availability_impact": "None",
"confidentiality_impact": "High",
"integrity_impact": "None",
"privilegesrequired": "None",
"remediation_level": "Official Fix",
"scope": "Unchanged",
"userinteraction": "None",
"version": "3.0"
},
"Description": "Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow a remote attacker to obtain sensitive information, caused by unintended meeting information exposure in a specific meeting join flow for mobile applications. By accessing a known meeting ID or meeting URL from the mobile device\u0092s web browser, an attacker could exploit this vulnerability to join a password-protected meeting without providing the meeting password.",
"Exploitability": "Unproven",
"PlatformsAffected": [
"Cisco Webex Meetings Suite sites 39.11.0",
"Cisco Webex Meetings Suite sites 40.1.0",
"Cisco Webex Meetings Online sites 39.11.0",
"Cisco Webex Meetings Online sites 40.1.0"
],
"Reported": "2020-01-24T00:00:00Z",
"RiskLevel": 7.5,
"Stdcode": [
"CVE-2020-3142"
],
"Tagname": "cisco-webex-cve20203142-info-disc",
"Title": "Cisco Webex Meetings Suite sites information disclosure",
"Xfdbid": 175033
}
}
}
Human Readable Output

X-Force CVE Reputation for CVE-2020-3142

https://exchange.xforce.ibmcloud.com/vulnerability/search/CVE-2020-3142

| Access Vector | Affected Platforms | Complexity | Description | Exploitability | Reported | Risk Level | STD Code | Title | Version |
|---|---|---|---|---|---|---|---|---|---|
| Network | Cisco Webex Meetings Suite sites 39.11.0<br>Cisco Webex Meetings Suite sites 40.1.0<br>Cisco Webex Meetings Online sites 39.11.0<br>Cisco Webex Meetings Online sites 40.1.0 | Low | Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow a remote attacker to obtain sensitive information, caused by unintended meeting information exposure in a specific meeting join flow for mobile applications. By accessing a known meeting ID or meeting URL from the mobile device’s web browser, an attacker could exploit this vulnerability to join a password-protected meeting without providing the meeting password. | Unproven | 2020-01-24T00:00:00Z | 7.5 | CVE-2020-3142 | Cisco Webex Meetings Suite sites information disclosure | 3.0 |

cve-latest

Return the latest vulnerabilities found

Base Command

cve-latest

Input

| Argument Name | Description | Required |
|---|---|---|
| limit | The number of results to return | Optional |
| start_date | The start of the date range for searching. The format should be YYYY-MM-DDThh:mm:ssZ (e.g. 2016-01-01T00:00:00Z). | Optional |
| end_date | The end of the date range for searching. The format should be YYYY-MM-DDThh:mm:ssZ (e.g. 2016-01-01T00:00:00Z). | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| CVE.ID | String | The ID of the CVE. |
| CVE.CVSS | String | The CVSS of the CVE. |
| CVE.Published | Date | The date this was published. |
| CVE.Description | Unknown | The CVE description. |
| XFE.CVE.Xfdbid | String | The XFDBID of the CVE. |
| XFE.CVE.RiskLevel | Number | The risk level of the CVE. |
| XFE.CVE.Reported | Date | The reported date of the CVE. |
| XFE.CVE.Cvss | Unknown | The CVSS information of the CVE. |
| XFE.CVE.Stdcode | Unknown | The CVE stdcodes. |
| XFE.CVE.Title | String | The title of the CVE. |
| XFE.CVE.Description | String | The description of the CVE. |
| XFE.CVE.PlatformsAffected | Unknown | The affected platforms due to the CVE. |
| XFE.CVE.Exploitability | String | The exploitability of the CVE. |

Command Example

!cve-latest limit=2

Context Example
{
"CVE": [
{
"CVSS": "3.0",
"Description": "Sunnet eHRD could allow a remote attacker to obtain sensitive information, caused by improperly storing system files. By using a specific URL, a remote attacker could exploit this vulnerability to obtain sensitive information.",
"ID": "CVE-2020-10508",
"Published": "2020-03-27T00:00:00Z"
},
{
"CVSS": "3.0",
"Description": "Sunnet eHRD is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.",
"ID": "CVE-2020-10509",
"Malicious": {
"Description": "Sunnet eHRD is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.",
"Vendor": "XFE"
},
"Published": "2020-03-27T00:00:00Z"
}
],
"DBotScore": [
{
"Indicator": "CVE-2020-10508",
"Score": 2,
"Type": "cve",
"Vendor": "XFE"
},
{
"Indicator": "CVE-2020-10509",
"Score": 3,
"Type": "cve",
"Vendor": "XFE"
}
],
"XFE": {
"CVE": [
{
"Cvss": {
"access_complexity": "Low",
"access_vector": "Network",
"availability_impact": "None",
"confidentiality_impact": "Low",
"integrity_impact": "None",
"privilegesrequired": "None",
"remediation_level": "Official Fix",
"scope": "Unchanged",
"userinteraction": "None",
"version": "3.0"
},
"Description": "Sunnet eHRD could allow a remote attacker to obtain sensitive information, caused by improperly storing system files. By using a specific URL, a remote attacker could exploit this vulnerability to obtain sensitive information.",
"Exploitability": "Unproven",
"PlatformsAffected": [
"Sunnet eHRD 9.0",
"Sunnet eHRD 8.0"
],
"Reported": "2020-03-27T00:00:00Z",
"RiskLevel": 5.3,
"Stdcode": [
"CVE-2020-10508"
],
"Tagname": "sunnet-ehrd-cve202010508-info-disc",
"Title": "Sunnet eHRD information disclosure",
"Xfdbid": 178668
},
{
"Cvss": {
"access_complexity": "Low",
"access_vector": "Network",
"availability_impact": "None",
"confidentiality_impact": "Low",
"integrity_impact": "Low",
"privilegesrequired": "None",
"remediation_level": "Official Fix",
"scope": "Changed",
"userinteraction": "Required",
"version": "3.0"
},
"Description": "Sunnet eHRD is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.",
"Exploitability": "High",
"PlatformsAffected": [
"Sunnet eHRD 9.0",
"Sunnet eHRD 8.0"
],
"Reported": "2020-03-27T00:00:00Z",
"RiskLevel": 6.1,
"Stdcode": [
"CVE-2020-10509"
],
"Tagname": "sunnet-ehrd-cve202010509-xss",
"Title": "Sunnet eHRD cross-site scripting",
"Xfdbid": 178664
}
]
}
}
Human Readable Output

X-Force CVE Reputation for CVE-2020-10508

https://exchange.xforce.ibmcloud.com/vulnerability/search/CVE-2020-10508

| Access Vector | Affected Platforms | Complexity | Description | Exploitability | Reported | Risk Level | STD Code | Title | Version |
|---|---|---|---|---|---|---|---|---|---|
| Network | Sunnet eHRD 9.0<br>Sunnet eHRD 8.0 | Low | Sunnet eHRD could allow a remote attacker to obtain sensitive information, caused by improperly storing system files. By using a specific URL, a remote attacker could exploit this vulnerability to obtain sensitive information. | Unproven | 2020-03-27T00:00:00Z | 5.3 | CVE-2020-10508 | Sunnet eHRD information disclosure | 3.0 |

X-Force CVE Reputation for CVE-2020-10509

https://exchange.xforce.ibmcloud.com/vulnerability/search/CVE-2020-10509

| Access Vector | Affected Platforms | Complexity | Description | Exploitability | Reported | Risk Level | STD Code | Title | Version |
|---|---|---|---|---|---|---|---|---|---|
| Network | Sunnet eHRD 9.0<br>Sunnet eHRD 8.0 | Low | Sunnet eHRD is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | High | 2020-03-27T00:00:00Z | 6.1 | CVE-2020-10509 | Sunnet eHRD cross-site scripting | 3.0 |

xfe-whois

Gets information about the given host address

Base Command

xfe-whois

Input

| Argument Name | Description | Required |
|---|---|---|
| host | The host or address to search inside X-Force Exchange (e.g. google.com) | Required |

Context Output

| Path | Type | Description |
|---|---|---|
| XFE.Whois.Host | String | The given host from the user. |
| XFE.Whois.RegistrarName | String | The domain name registrar of the host. |
| XFE.Whois.Created | Date | The date the host was created. |
| XFE.Whois.Updated | Date | The date the host's information has been updated. |
| XFE.Whois.Expires | Date | The date the host will be expired. |
| XFE.Whois.Email | String | The contact email of the host owners. |
| XFE.Whois.Contact | Unknown | Contact information of the host's organization. |
| Domain.Name | String | The name of the domain. |
| Domain.CreationDate | Date | The creation date of the domain. |
| Domain.ExpirationDate | Date | The expiration date of the domain. |
| Domain.UpdatedDate | Date | The date the domain has been updated. |
| Domain.Organization | String | The organization which owns the domain. |
| Domain.Registrant.Country | String | The country of the domain's registrant. |
| Domain.Registrant.Name | String | The name of the domain's registrant. |
| Domain.WHOIS.Registrar.Name | String | The name of the domain's registrar. |
| Domain.WHOIS.Registrar.Email | String | The email of the domain's registrar. |
| Domain.WHOIS.UpdatedDate | String | The date the domain has been updated. |
| Domain.WHOIS.ExpirationDate | Unknown | The date the domain has been updated. |
| Domain.WHOIS.CreationDate | String | The creation date of the domain. |
| Domain.WHOIS.Registrant.Country | String | The country of the domain's registrant. |
| Domain.WHOIS.Registrant.Name | String | The name of the domain's registrant. |

Command Example

!xfe-whois host="google.com"

Context Example
{
"Domain": {
"CreationDate": "1997-09-15T07:00:00.000Z",
"ExpirationDate": "2028-09-13T07:00:00.000Z",
"Name": "google.com",
"Organization": "Google LLC",
"Registrant": {
"Country": "United States",
"Name": "Google LLC"
},
"UpdatedDate": "2019-09-09T15:39:04.000Z",
"WHOIS": {
"CreationDate": "1997-09-15T07:00:00.000Z",
"ExpirationDate": "2028-09-13T07:00:00.000Z",
"Registrant": {
"Country": "United States",
"Name": "Google LLC"
},
"Registrar": {
"Email": "abusecomplaints@markmonitor.com",
"Name": "MarkMonitor, Inc."
},
"UpdatedDate": "2019-09-09T15:39:04.000Z"
}
},
"XFE": {
"Whois": {
"Contact": [
{
"Country": "United States",
"Organization": "Google LLC",
"Type": "registrant"
}
],
"Created": "1997-09-15T07:00:00.000Z",
"Email": "abusecomplaints@markmonitor.com",
"Expires": "2028-09-13T07:00:00.000Z",
"Host": "google.com",
"RegistrarName": "MarkMonitor, Inc.",
"Updated": "2019-09-09T15:39:04.000Z"
}
}
}
Human Readable Output

X-Force Whois result for google.com

| Contact | Created | Email | Expires | Host | RegistrarName | Updated |
|---|---|---|---|---|---|---|
| {'Type': 'registrant', 'Organization': 'Google LLC', 'Country': 'United States'} | 1997-09-15T07:00:00.000Z | abusecomplaints@markmonitor.com | 2028-09-13T07:00:00.000Z | google.com | MarkMonitor, Inc. | 2019-09-09T15:39:04.000Z |

xfe-search-cves

Gets list of all vulnerabilities associated with the search term.

Base Command

xfe-search-cves

Input

| Argument Name | Description | Required |
|---|---|---|
| q | The query for the search. (https://exchange.xforce.ibmcloud.com/api/doc/?#Vulnerabilities_get_vulnerabilities_fulltext) | Required |
| start_date | The start of the date range for searching. The format should be YYYY-MM-DDThh:mm:ssZ (e.g. 2016-01-01T00:00:00Z). | Optional |
| end_date | The end of the date range for searching. The format should be YYYY-MM-DDThh:mm:ssZ (e.g. 2016-01-01T00:00:00Z). | Optional |
| bookmark | Bookmark used to page through results. (https://exchange.xforce.ibmcloud.com/api/doc/?#Vulnerabilities_get_vulnerabilities_fulltext) | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| CVE.ID | String | The ID of the CVE. |
| CVE.CVSS | String | The CVSS of the CVE. |
| CVE.Published | Date | The date this was published. |
| CVE.Description | Unknown | The CVE description. |
| XFE.CVE.Xfdbid | String | The XFDBID of the CVE. |
| XFE.CVE.RiskLevel | Number | The risk level of the CVE. |
| XFE.CVE.Reported | Date | The reported date of the CVE. |
| XFE.CVE.Cvss | Unknown | The CVSS information of the CVE. |
| XFE.CVE.Stdcode | Unknown | The CVE stdcodes. |
| XFE.CVE.Title | String | The title of the CVE. |
| XFE.CVE.Description | String | The description of the CVE. |
| XFE.CVE.PlatformsAffected | Unknown | The affected platforms due to the CVE. |
| XFE.CVE.Exploitability | String | The exploitability of the CVE. |
| XFE.CVESearch.TotalRows | String | The total rows received after search. |
| XFE.CVESearch.Bookmark | String | Bookmark used to page through results. |

Command Example

!xfe-search-cves q="Heartbleed"

Context Example
{
"CVE": [
{
"CVSS": "2.0",
"Description": "IBM WebSphere Application Server is not vulnerable to the Heartbleed vulnerability (CVE-2014-0160) where secure data might not be protected. However, there is a potential denial of service on IBM WebSphere Application Server Version 6.1 and 6.0.2 when running the Heartbleed scanning tools or if sending specially-crafted Heartbeat messages.",
"ID": "CVE-2014-0964",
"Malicious": {
"Description": "IBM WebSphere Application Server is not vulnerable to the Heartbleed vulnerability (CVE-2014-0160) where secure data might not be protected. However, there is a potential denial of service on IBM WebSphere Application Server Version 6.1 and 6.0.2 when running the Heartbleed scanning tools or if sending specially-crafted Heartbeat messages.",
"Vendor": "XFE"
},
"Published": "2014-05-08T00:00:00Z"
},
{
"CVSS": "2.0",
"Description": "HP Integrated Lights-Out 2 (iLO 2) is vulnerable to a denial of service, caused by an error when scanned by vulnerability assessment tools scan for the Heartbleed vulnerability. A remote attacker could exploit this vulnerability to cause the server to crash.",
"ID": "BID-67054",
"Malicious": {
"Description": "HP Integrated Lights-Out 2 (iLO 2) is vulnerable to a denial of service, caused by an error when scanned by vulnerability assessment tools scan for the Heartbleed vulnerability. A remote attacker could exploit this vulnerability to cause the server to crash.",
"Vendor": "XFE"
},
"Published": "2014-04-24T00:00:00Z"
},
{
"CVSS": "2.0",
"Description": "OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to remotely read system memory contents without needing to log on to the server. Successful exploitation could allow an attacker to retrieve private keys, passwords or other sensitive information.\r\n\r\nThis vulnerability is commonly referred to as \"Heartbleed\".",
"ID": "CVE-2014-0160",
"Published": "2014-04-07T00:00:00Z"
}
],
"DBotScore": [
{
"Indicator": "CVE-2014-0964",
"Score": 3,
"Type": "cve",
"Vendor": "XFE"
},
{
"Indicator": "BID-67054",
"Score": 3,
"Type": "cve",
"Vendor": "XFE"
},
{
"Indicator": "CVE-2014-0160",
"Score": 2,
"Type": "cve",
"Vendor": "XFE"
}
],
"XFE": {
"CVE": [
{
"Cvss": {
"access_complexity": "Medium",
"access_vector": "Network",
"authentication": "None",
"availability_impact": "Complete",
"confidentiality_impact": "None",
"integrity_impact": "None",
"remediation_level": "Official Fix",
"version": "2.0"
},
"Description": "IBM WebSphere Application Server is not vulnerable to the Heartbleed vulnerability (CVE-2014-0160) where secure data might not be protected. However, there is a potential denial of service on IBM WebSphere Application Server Version 6.1 and 6.0.2 when running the Heartbleed scanning tools or if sending specially-crafted Heartbeat messages.",
"Exploitability": "Unproven",
"PlatformsAffected": [
"IBM WebSphere Application Server 6.0.2",
"IBM WebSphere Application Server 6.1"
],
"Reported": "2014-05-08T00:00:00Z",
"RiskLevel": 7.1,
"Stdcode": [
"CVE-2014-0964",
"BID-67322"
],
"Tagname": "ibm-websphere-cve20140964-dos",
"Title": "IBM WebSphere Application Server and Scanning Tool denial of service",
"Xfdbid": 92877
},
{
"Cvss": {
"access_complexity": "Low",
"access_vector": "Network",
"authentication": "None",
"availability_impact": "Complete",
"confidentiality_impact": "None",
"integrity_impact": "None",
"remediation_level": "Official Fix",
"version": "2.0"
},
"Description": "HP Integrated Lights-Out 2 (iLO 2) is vulnerable to a denial of service, caused by an error when scanned by vulnerability assessment tools scan for the Heartbleed vulnerability. A remote attacker could exploit this vulnerability to cause the server to crash.",
"Exploitability": "Unproven",
"PlatformsAffected": [
"HP Integrated Lights-Out 2 (iLO2) 2.23"
],
"Reported": "2014-04-24T00:00:00Z",
"RiskLevel": 7.8,
"Stdcode": [
"BID-67054",
"SA58224",
"CVE-2014-2601"
],
"Tagname": "hp-ilo-cve20142601-dos",
"Title": "HP Integrated Lights-Out 2 Heartbleed denial of service",
"Xfdbid": 92744
},
{
"Cvss": {
"access_complexity": "Low",
"access_vector": "Network",
"authentication": "None",
"availability_impact": "None",
"confidentiality_impact": "Partial",
"integrity_impact": "None",
"remediation_level": "Official Fix",
"version": "2.0"
},
"Description": "OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to remotely read system memory contents without needing to log on to the server. Successful exploitation could allow an attacker to retrieve private keys, passwords or other sensitive information.\r\n\r\nThis vulnerability is commonly referred to as \"Heartbleed\".",
"Exploitability": "Functional",
"PlatformsAffected": [
"OpenSSL OpenSSL 1.0.1A",
"OpenSSL OpenSSL 1.0.1B",
"OpenSSL OpenSSL 1.0.1c",
"OpenSSL OpenSSL 1.0.1D",
"OpenSSL OpenSSL 1.0.1E",
"OpenSSL OpenSSL 1.0.1f"
],
"Reported": "2014-04-07T00:00:00Z",
"RiskLevel": 5,
"Stdcode": [
"CVE-2014-0160",
"US-CERT VU#720951",
"BID-66690",
"SA57347",
"RHSA-2014-0376",
"SA57742",
"SA57785",
"SA57805",
"RHSA-2014-0396",
"SA57887",
"SA57858",
"SA57863",
"SA57894",
"SA57881",
"SA57774",
"SA57866",
"SA58176",
"BID-67206"
],
"Tagname": "openssl-cve20140160-info-disc",
"Title": "OpenSSL heartbeat information disclosure",
"Xfdbid": 92322
}
],
"CVESearch": {
"Bookmark": "g1AAAAEpeJzLYWBgYM5gTmFQS0lKzi9KdUhJMjTXy0zK1a1Iyy9KTjUwMNRLzskvTUnMK9HLSy3JAapnSlIAkkn2____zwLzc4GEiJGBoYmuARCZhxgYWIFRVBIDg7NqFsh4VbjxJoRMz2MBkgwNQApowXwsNhiZoNjArY9mgylxNiyA2LAfwwZTXQMLFBs492RlAQAvQE_q",
"TotalRows": 3
}
}
}
Human Readable Output

X-Force CVE Reputation for CVE-2014-0964

https://exchange.xforce.ibmcloud.com/vulnerability/search/CVE-2014-0964

| Access Vector | Affected Platforms | Complexity | Description | Exploitability | Reported | Risk Level | STD Code | Title | Version |
|---|---|---|---|---|---|---|---|---|---|
| Network | IBM WebSphere Application Server 6.0.2<br>IBM WebSphere Application Server 6.1 | Medium | IBM WebSphere Application Server is not vulnerable to the Heartbleed vulnerability (CVE-2014-0160) where secure data might not be protected. However, there is a potential denial of service on IBM WebSphere Application Server Version 6.1 and 6.0.2 when running the Heartbleed scanning tools or if sending specially-crafted Heartbeat messages. | Unproven | 2014-05-08T00:00:00Z | 7.1 | CVE-2014-0964<br>BID-67322 | IBM WebSphere Application Server and Scanning Tool denial of service | 2.0 |

X-Force CVE Reputation for BID-67054

https://exchange.xforce.ibmcloud.com/vulnerability/search/BID-67054

| Access Vector | Affected Platforms | Complexity | Description | Exploitability | Reported | Risk Level | STD Code | Title | Version |
|---|---|---|---|---|---|---|---|---|---|
| Network | HP Integrated Lights-Out 2 (iLO2) 2.23 | Low | HP Integrated Lights-Out 2 (iLO 2) is vulnerable to a denial of service, caused by an error when scanned by vulnerability assessment tools scan for the Heartbleed vulnerability. A remote attacker could exploit this vulnerability to cause the server to crash. | Unproven | 2014-04-24T00:00:00Z | 7.8 | BID-67054<br>SA58224<br>CVE-2014-2601 | HP Integrated Lights-Out 2 Heartbleed denial of service | 2.0 |

X-Force CVE Reputation for CVE-2014-0160

https://exchange.xforce.ibmcloud.com/vulnerability/search/CVE-2014-0160

| Access Vector | Affected Platforms | Complexity | Description | Exploitability | Reported | Risk Level | STD Code | Title | Version |
|---|---|---|---|---|---|---|---|---|---|
| Network | OpenSSL OpenSSL 1.0.1A<br>OpenSSL OpenSSL 1.0.1B<br>OpenSSL OpenSSL 1.0.1c<br>OpenSSL OpenSSL 1.0.1D<br>OpenSSL OpenSSL 1.0.1E<br>OpenSSL OpenSSL 1.0.1f | Low | OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to remotely read system memory contents without needing to log on to the server. Successful exploitation could allow an attacker to retrieve private keys, passwords or other sensitive information.<br><br>This vulnerability is commonly referred to as "Heartbleed". | Functional | 2014-04-07T00:00:00Z | 5 | CVE-2014-0160
BID-67206 | OpenSSL heartbeat information disclosure | 2.0 |
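
The CVE commands above return context in two shapes: cve-search yields single objects, while cve-latest and xfe-search-cves yield lists, and a DBotScore indicator is not always a CVE ID (BID-67054 in the Heartbleed example). The Python below is an added example, not part of the integration's code: it joins DBotScore entries to XFE.CVE records through Stdcode and ranks them. The names triage_cves, as_list and SAMPLE_CONTEXT are hypothetical, and the sample is trimmed from the context example on this page.

```python
"""Added example: rank CVE results taken from XFE v2 context output."""
from typing import Any, Dict, List

# Standard Cortex XSOAR DBot score meanings.
DBOT_VERDICT = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Bad"}

# Trimmed copy of the xfe-search-cves context example on this page
# (descriptions, Cvss blocks and most Stdcode entries dropped for brevity).
SAMPLE_CONTEXT = {
    "DBotScore": [
        {"Indicator": "CVE-2014-0964", "Score": 3, "Type": "cve", "Vendor": "XFE"},
        {"Indicator": "BID-67054", "Score": 3, "Type": "cve", "Vendor": "XFE"},
        {"Indicator": "CVE-2014-0160", "Score": 2, "Type": "cve", "Vendor": "XFE"},
    ],
    "XFE": {"CVE": [
        {"Exploitability": "Unproven", "RiskLevel": 7.1,
         "Stdcode": ["CVE-2014-0964", "BID-67322"],
         "Title": "IBM WebSphere Application Server and Scanning Tool denial of service"},
        {"Exploitability": "Unproven", "RiskLevel": 7.8,
         "Stdcode": ["BID-67054", "SA58224", "CVE-2014-2601"],
         "Title": "HP Integrated Lights-Out 2 Heartbleed denial of service"},
        {"Exploitability": "Functional", "RiskLevel": 5,
         "Stdcode": ["CVE-2014-0160", "US-CERT VU#720951", "BID-66690"],
         "Title": "OpenSSL heartbeat information disclosure"},
    ]},
}


def as_list(value: Any) -> list:
    """Normalize a context value: cve-search gives one object, the other
    CVE commands give a list, and a missing key gives None."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def triage_cves(context: Dict[str, Any], min_dbot_score: int = 2) -> List[Dict[str, Any]]:
    """Join DBotScore entries to XFE.CVE records and rank the result.

    The join goes through each record's Stdcode list instead of assuming
    that DBotScore.Indicator is itself a CVE ID.
    """
    records = as_list(context.get("XFE", {}).get("CVE"))
    findings = []
    for dbot in as_list(context.get("DBotScore")):
        score = dbot.get("Score", 0)
        if dbot.get("Type") != "cve" or score < min_dbot_score:
            continue
        indicator = dbot.get("Indicator")
        record = next(
            (r for r in records if indicator in as_list(r.get("Stdcode"))), None)
        codes = as_list(record.get("Stdcode")) if record else []
        findings.append({
            "indicator": indicator,
            # Real CVE IDs behind the indicator (may differ from it).
            "cve_ids": [c for c in codes if c.upper().startswith("CVE-")],
            "dbot_score": score,
            "verdict": DBOT_VERDICT.get(score, "Unknown"),
            "risk_level": record.get("RiskLevel") if record else None,
            "exploitability": record.get("Exploitability") if record else None,
            "title": record.get("Title") if record else None,
            # False means a score arrived without a matching XFE.CVE record.
            "matched": record is not None,
        })
    # Highest DBot score first, then highest X-Force risk level.
    findings.sort(key=lambda f: (f["dbot_score"], f["risk_level"] or 0), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage_cves(SAMPLE_CONTEXT):
        print(f["verdict"], f["risk_level"], f["indicator"], f["cve_ids"], f["exploitability"])
```

Unmatched entries are kept with matched set to False so that a score without a supporting record stays visible during triage.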