
Mapping Questions



All,

We need some guidance on how to more accurately
reference CVE numbers.

As CVE begins to focus more on configuration
issues (a.k.a. "exposures"), we have encountered
the following general question:

Q: Should a data element that deals with a configuration
issue reference:
  a) only the cve/can number related to that configuration
     issue or
  b) the cve/can number related to the configuration issue
     AS WELL AS ALL cve/can NUMBERS OF VULNERABILITIES
     THAT ARE REMOVED WHEN THE CONFIGURATION ISSUE IS 
     ADDRESSED?

As a motivating example, consider:
CAN-1999-0630: The NT Alerter and Messenger services are running. 

Disabling the Messenger service eliminates the following vulnerability:
CVE-1999-0224: Denial of service in Windows NT messenger service 
  through a long username.

As a second example, consider:
CAN-1999-0619: The Telnet service is running.

A partial list of vulnerabilities closed by disabling
this service is found here:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=telnet




==========================================================
Dave Mann    
Product Manager, Policy & Compliance Products 
BindView Corporation
Office:  781.331.8148
Cell:    781.424.6003
e-mail:  dmann@bindview.com
==========================================================


  


Page Last Updated or Reviewed: May 22, 2007