[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Question about CVE to vendor mappings

All,
 
During a recent debate on how we're going to fit the CVE into our database structure, one of the DBAs commented on how a specific vulnerability might not just have one CVE index, but several. Up to now, this group has discussed the potential of one CVE mapping to zero or more records of a VDB, but the opposite has not been discussed before; namely, a many-to-many relationship.
 
For example, "Windows NT 4.0 prior to Service Pack 4" involves many potential CVEs, possibly subsuming the CVEs in SP3, 2, and 1. How would a vendor handle these, considering that it is probably out of the scope of the CVE to reconcile these entries?
 
I envision this question raising several points:
- Can a vendor go about assigning multiple CVEs to a vulnerability or check outside of the framework of the CVE?
- Who verifies that the vendor is doing correct assignments?
- Do CVE indices get subsumed in later patches (for example NT SP3 is subsumed in SP4)? (My opinion on this one is 'no, they do not,' but YMMV.
- Can almost everything in a VDB get a CVE? I know there are rules on what a 'vulnerability' is, but the draft CVE is a lot less stringent about the definition than, say, the Common Criteria (CC).
 
I would appreciate your thoughts on this matter.
=====================================
Andre Frech
X-Force Security Research
afrech@iss.net

Internet Security Systems, Inc.
678.443.6241 / fax 678.443.6479
www.iss.net

Adaptive Network Security for the Enterprise
=====================================
 
Page Last Updated or Reviewed: May 22, 2007