RE: Question about CVE to vendor mappings
I wouldn't be thinking of, e.g., SP4 as a CVE. If you read the readme
files that come with each SP, they list out the individual entries in
the MS Knowledgebase that were addressed by the SP. These are not
duplicated (unless further issues arose with something previously fixed,
like TCPIP.sys), and would be the closest thing to an individual
vulnerability. So SP4 would incorporate a list of all previous CVE
numbers that previous service packs address, plus, any new ones.
Of course a bigger issue, in the case of MS SPs, is the fact that there
are quite a few fixes in an SP which are not documented in public...;-[
Russ - NTBugtraq Editor
FYI...I have not been actively discussing these issues due to a lack of
time right now. My conference starts tomorrow and, well, I'm still
trying to locate my underwear.
From: Andre Frech (ISS) [mailto:email@example.com]
Sent: Tuesday, June 29, 1999 5:57 PM
To: CVE Review List
Subject: Question about CVE to vendor mappings
During a recent debate on how we're going to fit the CVE into our
database structure, one of the DBAs commented on how a specific
vulnerability might not just have one CVE index, but several. Up to now,
this group has discussed the potential of one CVE mapping to zero or
more records of a VDB, but the opposite has not been discussed before;
namely, a many-to-many relationship.
For example, "Windows NT 4.0 prior to Service Pack 4" involves many
potential CVEs, possibly subsuming the CVEs in SP3, 2, and 1. How would
a vendor handle these, considering that it is probably out of the scope
of the CVE to reconcile these entries?
I envision this question raising several points:
- Can a vendor go about assigning multiple CVEs to a vulnerability or
check outside of the framework of the CVE?
- Who verifies that the vendor is doing correct assignments?
- Do CVE indices get subsumed in later patches (for example NT SP3 is
subsumed in SP4)? (My opinion on this one is 'no, they do not,' but
- Can almost everything in a VDB get a CVE? I know there are rules on
what a 'vulnerability' is, but the draft CVE is a lot less stringent
about the definition than, say, the Common Criteria (CC).
I would appreciate your thoughts on this matter.
X-Force Security Research
Internet Security Systems, Inc.
678.443.6241 / fax 678.443.6479
Adaptive Network Security for the Enterprise