2006 News & Events (Archive)
December 7, 2006
Content Decisions Document and Working Group Members List Added to CCE Section of CVE Web Site
A CCE Content Decisions document and a list of current CCE Working Group members have been added to the "Common Configuration Enumeration (CCE)" section of the CVE Web site.
CCE is the part of the CVE Initiative that focuses on security configuration issues and exposures. CCE provides unique identifiers to system configurations in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. As an example, CCE Identifiers could be used to associate checks in configuration assessment tools with statements in configuration best-practice documents such as the Center for Internet Security (CIS) benchmark documents, National Institute of Standards and Technology (NIST) NIST Security Configuration Guides, National Security Agency (NSA) NSA Security Configuration Guides, and Defense Information Systems Agency (DISA) DISA Security Technical Implementation Guides (STIGS).
The section also includes the current preliminary version of the CCE List; a CCE Status section detailing the status of the current version; a description of How to Participate for organizations and individuals interested in contributing; and the newly revised CCE Working Group section for those interested in actively participating in this new community initiative.
Vulnerability Types Distributions in CVE White Paper Posted on CVE Web Site
A white paper entitled Vulnerability Type Distributions in CVE has been posted on the CVE Documents page. Written by CVE Editor Steve Christey, this October 2006 technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories.
CVE Mentioned in Article on Software Development Times
CVE was mentioned in a November 15, 2006 article entitled "The Rise of Cross-Site Scripting" on the Software Development Times Web site. The article is about a report on trends in the types of CVEs: "[CVE List] data shows that the number of buffer overflow reports is holding steady at between 250 and 450 per year. Web vulnerabilities, on the other hand, have skyrocketed beginning in 2003. (In total, there were three times as many vulnerabilities reported in 2005 as there were in 2001.)"
CVE Mentioned in Article on SearchSecurity.com
CVE was mentioned in a November 9, 2006 article entitled "Software security flaws begin and end with Web application security" on SearchSecurity.com. The article is about a report on trends in the types of CVEs: "According to a recent report published by the Common Vulnerabilities and Exposures (CVE) project, flaws in Web software are among the most reported security issues so far this year. It's easy to see why. After all, hackers are known to search for an easy target. Poorly configured or written Web applications are not only an easy target, taking the attacker straight to their goal — data, and lots of it — but also can be used to spread malware to anyone else who visits the compromised site."
November 1, 2006
CVE List Surpasses 20,000+ CVE Identifiers; New CVE Version Released
The CVE Web site now contains 20,074 unique information security issues with publicly known names. Of these, 3,052 have CVE entry status and 17,022 have candidate status pending approval by the CVE Editorial Board. CVE identifiers are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE identifiers.
In addition, a new version of the CVE List has been released to update the format of the Open Vulnerability and Assessment Language (OVAL) identifiers (OVAL-IDs) that are included as references for CVE identifiers: CVE Version: 20061101. The new CVE Version includes updates for existing CVE entries only. No candidates were updated to entry status. Some CVE descriptions may also be modified and some identifiers will have other changes in their references in addition to the OVAL changes. (Review the Version Difference Report.)
Each CVE Identifier includes the following: the CVE identifier number (i.e., "CVE-1999-0067"); indication of "entry" or "candidate" status; brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or OVAL-ID. Previously, OVAL-IDs included an OVAL prefix followed by four digits. OVAL identifiers now use an "oval:Organization DNS Name:ID Type:ID Value" format where organization DNS Name is of the form 'org.mitre.oval'; ID Type denotes the entity to which the ID is being applied (and can be one of the following values: def – Definition, obj – Object, ste – State, tst – Test, or var – Variable); and ID Value is an integer that is unique to the DNS name and ID Type pair that precedes it. For example, after the new version CVE-2006-1316 will include oval:org.mitre.oval:def:918 as one of its references.
Contact cve@mitre.org with any comments or concerns. Visit the CVE List to review or download all currently available identifiers.
October 26, 2006
1 Additional Information Security Product Now Registered as Officially "CVE-Compatible"
One new information security product is the latest to achieve the final stage of MITRE's formal CVE
Compatibility Process and is now officially "CVE-compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted as part of the organization's product listing on the CVE-Compatible
Products and Services page on the CVE Web site. A total of 66 products to-date have been declared officially compatible.
The following product is now registered as officially "CVE-Compatible":
Use of the official CVE-Compatible logo by this organization will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. Their compatibility process questionnaire will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.
New CVE Version to Address Modifications of OVAL-ID References in CVE Identifiers
A new version of the CVE List will be released on November 1, 2006 to update the format of the Open Vulnerability and Assessment Language (OVAL) identifiers (OVAL-IDs) that are included as references for CVE Identifiers. The new CVE Version will include updates for existing CVE entries only. There will not be any new entries. Some CVE descriptions may also be modified and some entries will have other changes in their references in addition to the OVAL changes.
Each CVE Identifier includes the following: the CVE identifier number (i.e., "CVE-1999-0067"); indication of "entry" or "candidate" status; brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or OVAL-ID. Previously, OVAL-IDs included an OVAL prefix followed by four digits. OVAL identifiers now use an "oval:Organization DNS Name:ID Type:ID Value" format where organization DNS Name is of the form 'org.mitre.oval'; ID Type denotes the entity to which the ID is being applied (and can be one of the following values: def - Definition, obj - Object, ste - State, tst - Test, or var - Variable); and ID Value is an integer that is unique to the DNS name and ID Type pair that precedes it. For example, after the new version CVE-2006-1316 will include oval:org.mitre.oval:def:1115 as one of its references.
We are making this announcement now in order to give advance notice and to minimize the amount of work required for users and vendors from the change. Please contact cve@mitre.org with any comments or concerns.
CVE Hosts Booth at FIAC 2006
MITRE hosted a CVE/CCE/CWE/OVAL/CME exhibitor booth at Federal Information Assurance Conference (FIAC) 2006, October 25-26, 2006, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference exposed CVE, CCE, CWE, OVAL, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government. In addition, organizations with CVE-Compatible Products and Services also exhibited.
Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CWE, OVAL, CME, and/or other vulnerability management topics at your event.
CVE Presents Briefing at Tactical Information Assurance 2006
CVE Compatibility Lead and CWE Program Manager Robert A. Martin presented a briefing about CVE/CWE/OVAL entitled "Securing The IA Perimeter: Automated IAVA & STIG Compliance Through Standards" at Tactical Information Assurance 2006 on October 25, 2006 at the Westin Arlington Gateway in Arlington, Virginia, USA. The conference introduced CVE, CWE, and OVAL to information technology and security professionals and decision-makers from the U.S. military, defense agencies, industry contractors, and technology service providers.
Visit the CVE Calendar page for information on this and other upcoming events.
October 5, 2006
CVE to Host Booth at FIAC 2006
MITRE is scheduled to host a CVE/CCE/CWE/OVAL/CME exhibitor booth at Federal Information Assurance Conference (FIAC) 2006, October 25-26, 2006, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference will expose CVE, CCE, CWE, OVAL, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government. In addition, organizations with CVE-Compatible Products and Services will also be exhibiting.
Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CWE, OVAL, CME, and/or other vulnerability management topics at your event.
CVE to Present Briefing at Tactical Information Assurance 2006
CVE Compatibility Lead and CWE Program Manager Robert A. Martin is scheduled to present a briefing about CVE/CWE/OVAL entitled "Securing The IA Perimeter: Automated IAVA & STIG Compliance Through Standards" at Tactical Information Assurance 2006 on October 25, 2006 at the Westin Arlington Gateway in Arlington, Virginia, USA. The conference will introduce CVE, CWE, and OVAL to information technology and security professionals and decision-makers from the U.S. military, defense agencies, industry contractors, and technology service providers.
Visit the CVE Calendar page for information on this and other upcoming events.
CVE Included in Article about Vulnerabilities in SC Magazine
CVE was mentioned in an article entitled "XSS flaws jump to top of CVE rankings, but is the threat overblown?" in the September 22, 2006 issue of SC Magazine. The article is a report about a study by Jeremiah Grossman, CTO of WhiteHat Security, who used the CVE List to determine that "XSS flaws are now the No. 1 flaw on MITRE's Common Vulnerabilities and Exposures (CVE) site - a considerable growth from 12 months ago." The article also includes a quote by Grossman, who states: "This is important to realize because XSS is now ranked ... as the most prevalent vulnerability, even more prevalent than buffer overflows."
Common Weakness Enumeration (CWE) Launches Own Web Site
The CWE List is now available on a dedicated Common Weakness Enumeration (CWE) Web site. It will no longer be available on the CVE Web site. The new site includes the CWE List; an About section describing the overall CWE effort and process in more detail; News page; Calendar page; Compatibility page; Community Participation page; and a list of Sources. CWE is based in part on CVE's 19,000+ identifiers.
CVE Hosts Booth at IT Security World 2006
MITRE hosted a CVE/CCE/CWE/OVAL/CME exhibitor booth at MISTI's IT Security World 2006 on September 25-27, 2006 at the Fairmont Hotel in San Francisco, California, USA. The conference exposed CVE, CCE, CWE, OVAL, and CME to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs. Organizations with CVE-Compatible Products and Services also exhibited.
Visit the CVE Calendar page for information on this and other upcoming events.
525 CVE Names with Candidate Status Added to CVE List in September
525 CVE names with candidate status were added to the CVE List in September 2006. As of September 27, 2006, there were 19,423 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 16,371 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Recently released CVE names are listed by the U.S. National Vulnerability Database (NVD). Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review all additions for September or any month.
Detailed information about how we build the CVE List is available in the About CVE Names and CVE Content Decisions sections.
September 22, 2006
Apple Computer, Inc. Makes Declaration of CVE Compatibility
Apple Computer, Inc. declared that its security updates for Apple products, Apple Product Security, are CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
RUS-CERT at the University of Stuttgart Makes Declaration of CVE Compatibility
RUS-CERT at the University of Stuttgart declared that its security advisories and archives, Security Announcement Service RUS-CERT, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
Application Security, Inc. Makes Two Declarations of CVE Compatibility
Application Security, Inc. declared that its database vulnerability assessment tools, AppRadar for DB2 and AppRadar for Sybase, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
Beijing Netpower Technologies Inc. Makes Declaration of CVE Compatibility
Beijing Netpower Technologies Inc. declared that its vulnerability assessment and remediation tool, Netpower Network Security Assessment System, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
CVE Presents Briefing at 5th Annual Cyber Security Executive Summit
We presented a briefing about CVE and CWE at the 5th Annual Cyber Security Executive Summit for the financial services sector on September 13-14, 2006 at the Metropolitan Pavilion in New York City, New York, USA. The event will introduce CVE and CWE to financial industry executives and security professionals from around the world.
Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CWE, OVAL, CME, and/or other vulnerability management topics at your event.
September 8, 2006
NVD's Public Forum Allows Vendors to Comment on the CVE Vulnerabilities Discovered in their Products
The U.S National Vulnerability Database (NVD), which is built primarily upon CVE identifiers, has announced a new service that provides the software industry with "an open forum to comment upon the set of CVE vulnerabilities discovered in their products. Software vendors have the deepest knowledge about their products and thus are uniquely positioned to comment on their vulnerabilities."
According to Peter Mell, the U.S. National Institute of Standards and Technology's (NIST) NVD Program Manager, the "...set of 'official vendor statements' [that provides the comments] are available as an XML feed from the NVD download page, http://nvd.nist.gov/download.cfm. We encourage other vulnerability databases and services to incorporate these vendor statements alongside their CVE vulnerability descriptions. The statements are also available on the respective NVD vulnerability summary pages (e.g., http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4124).
"Software development organizations can submit official statements by contacting NVD staff (nvd@nist.gov). The capability exists both for organizations to manually submit statements and for organizations to log into NVD to issue and modify statements themselves. We recommend the log in capability for organizations that are affected by more than a few CVE vulnerabilities.
"We would like to thank Red Hat, particularly Mark Cox, for coming up with the idea for this service. They recognized that the software industry needed an open forum in which they could comment on the CVE vulnerabilities in their products. They approached NVD with this idea and we started a pilot program in which Red Hat provided over 100 official statements regarding the CVE vulnerabilities. Each of these statements added valuable details that were not always available from third-party security advisories.
"Organizations can use the service in a variety of ways. For example, they can provide configuration and remediation guidance, clarify vulnerability applicability, provide deeper vulnerability analysis, dispute third party vulnerability information, and explain vulnerability impact.
"It is [NVD's] hope that the software industry will actively participate in this open forum and that the 'official vendor statements' will be propagated throughout the 300+ products and services that use the CVE vulnerability naming standard (https://cve.mitre.org)."
NIST and Red Hat, Inc. are members of the CVE Editorial Board. NVD and Red Hat's Apache Week Web Server are listed on the CVE-Compatible Products and Services page, and the Red Hat Security Advisories are listed as officially CVE-Compatible. In addition, NVD and CVE are both sponsored by the U.S Department of Homeland Security.
CVE to Present Briefing at 5th Annual Cyber Security Executive Summit
We are scheduled to present a briefing about CVE and CWE at the 5th Annual Cyber Security Executive Summit for the financial services sector on September 13-14, 2006 at the Metropolitan Pavilion in New York City, New York, USA. The event will introduce CVE and CWE to financial industry executives and security professionals from around the world.
Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CWE, OVAL, CME, and/or other vulnerability management topics at your event.
CVE to Host Booth at IT Security World 2006
We are scheduled to host a CVE/CCE/CWE/OVAL/CME exhibitor booth at MISTI's IT Security World 2006 on September 25-27, 2006 at the Fairmont Hotel in San Francisco, California, USA. The conference will expose CVE, CCE, CWE, OVAL, and CME to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs.
Visit the CVE Calendar page for information on this and other upcoming events.
Photos of CVE Booth at Black Hat 2006
MITRE hosted an CVE/CWE/OVAL/CME exhibitor/meeting booth at Black Hat Briefings 2006 on August 2nd - 3rd, 2006 in Las Vegas, Nevada, USA. Photos from the event are included below:
Visit the CVE Calendar page for information on this and other upcoming events.
585 CVE Names with Candidate Status Added to CVE List in August
585 CVE names with candidate status were added to the CVE List in August 2006. As of August 30, 2006, there were 18,898 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 16,733 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Recently released CVE names are listed by the U.S. National Vulnerability Database (NVD). Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review all additions for August or any month.
Detailed information about how we build the CVE List is available in the CVE Naming Process and CVE Content Decisions sections.
August 17, 2006
"Common Configuration Enumeration" Added to CVE Web Site
A "Common Configuration Enumeration (CCE)" section has been added to the GET CVE page on the CVE Web site. CCE is the part of the CVE Initiative that focuses on security configuration issues and exposures.
CCE provides unique identifiers to system configurations in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. As an example, CCE Identifiers could be used to associate checks in configuration assessment tools with statements in configuration best-practice documents such as the Center for Internet Security (CIS) benchmark documents.
A very preliminary draft of the CCE List is available now for public review and comment. This preliminary draft is intended as a proof-of-concept and focuses on security-related configuration issues for Windows 2000, Windows XP, and Windows Server 2003. The draft should not be considered final and will be modified over time. In particular, the CCE IDs themselves are not final and will likely change significantly in future versions. Currently, each entry on the list includes the following: CCE Identifier number, description, logical parameters, technical mechanisms, and any references. Refer to the CCE List page for more information.
The new section includes the CCE List; a CCE Status section detailing the status of the current version; a description of How to Participate for organizations and individuals interested in contributing; and a Join the CCE Working Group section for those interested in actively participating in this new community initiative.
August 9, 2006
CVE Main Topic of Article in Healthcare Informatics Online
CVE was the main topic of an article entitled "The 411 on CVE" in the July 2006 issue of Healthcare Informatics Online. In the article the author describes some of the business impacts of CVE when he states: "Cost-effectiveness research done by both end users and vendors has shown CVE-based technology is worth the money." The author discusses comments about CVE by Larry Pesce, manager of information systems security for Care New England, Providence, R.I., who "cannot imagine doing his job without tools that support the industry-standard vulnerability dictionary known as CVE..." Pesce says that "the CVE-compatible automated penetration testing tool he uses (Core Impact from Core Security, Boston) has saved Care New England — which includes three hospitals, community wellness centers in Providence and Warwick, R.I., and a visiting nurses' association — the cost of hiring one to two full-time network administrators." The author further states: "Pesce's cost-savings analysis is backed by another industry veteran. Billy Austin, chief security officer of Saint Corporation, Bethesda, Md., which recently introduced a CVE-compatible integrated vulnerability scanning and penetration testing tool, [who] says his company's research shows users who take advantage of the CVE reference infrastructure save an average of 2.5 hours of staff time over doing Internet searches for any given vulnerability's attack vectors, likely impact of an exploit, and remediation steps."
CVE Mentioned in Article about Vulnerabilities in USA Today
CVE was mentioned in an article entitled "Cybercrooks constantly find new ways into PCs" in the August 3, 2006 issue of USA TODAY. The article was a report from at Black Hat Briefings 2006 on August 2nd - 3rd, at which CVE hosted an exhibitor/meeting booth. CVE is mentioned in the article as follows: "[The CVE List] provides common names for publicly known security holes and is a rough indicator of which applications are attracting hackers' attention." The article also includes a quote by Secure Elements, Inc., security director Scott Carpenter, who states: "The CVE identifier is the most oranges-to-oranges comparison you can make."
CVE Hosts Booth at Black Hat Briefings 2006
MITRE hosted a CVE/CWE/OVAL/CME exhibitor/meeting booth at Black Hat Briefings 2006 on August 2nd - 3rd, 2006 at Caesars Palace in Las Vegas, Nevada, USA. The event exposed CVE, CWE, OVAL, and CME to a diverse audience of information security-focused attendees from around the world.
Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CWE, OVAL, CME, and/or other vulnerability management topics at your event.
431 CVE Names with Candidate Status Added to CVE List in July
431 CVE names with candidate status were added to the CVE List in July 2006. As of August 2, 2006, there were 18,426 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 15,374 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Recently released CVE names are listed by the U.S. National Vulnerability Database (NVD). Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review all additions for July or any month.
Detailed information about how we build the CVE List is available in the CVE Naming Process and CVE Content Decisions sections.
July 19, 2006
Third Draft of Common Weakness Enumeration (CWE) Now Available
The third draft of CWE has been posted on the CWE List page on the CVE Web site. Changes include (1) additional descriptions and mitigations for about 150 of the items; (2) adding language specific indicators for those that are tied to language or platform like C, C++, Java, or .NET; (3) minor revisions and updates to many other items; and (4) addition of a first cut at a CWE_ID field that is meant be a unique non-variant identifier for the CWE content.
CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security weaknesses in architecture, design, or code; as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.
Our next step in building CWE involves gathering data about weaknesses from fourteen tool and knowledge sources and then merging this new data into the current list to create a fourth draft. We welcome any comments about CWE at cwe@mitre.org.
Download Options for CVE List Modified on July 19th
As of July 19, 2006 downloads of the CVE List will no longer be available with the old-style "CAN" prefix. The CVE naming scheme was modified on October 19, 2005 to replace the "CAN" prefix with a "CVE" prefix in all CVE names. Downloads using only the "CVE" prefix were introduced at that time and will continue to be offered in three options: (1) a single list combining both CVE names with "entry" and "candidate" status, (2) entries only, and (3) candidates only. Each option is available in multiple formats: XML, HTML, Text, and comma separated. The "CAN" prefix downloads were continued for eight months to support the transition from the old format.
CVE information is also available from external resources including CVE Change Logs, a free tool from CERIAS/Purdue University that records changes to the CVE List, and the U.S. National Vulnerability Database (NVD), which is based upon CVE identifiers and offers a variety of search and download options.
July 12, 2006
CVE Main Topic of Article in IEEE Distributed Systems Online
CVE was the main topic of an article entitled "Functionality Meets Terminology to Address Network Security Vulnerabilities" in the June 2006 issue of IEEE Distributed Systems Online. The article describes what CVE is and the problems it solves, discusses the history of CVE, mentions CVE compatibility, and notes that the U.S. National Institute of Standards and Technology's National Vulnerability Database (NVD) is built wholly upon CVE identifiers. The article includes a quote from NVD project leader and CVE Editorial Board member Peter Mell, who states: "With 300-plus products and services using [CVE identifiers], we definitely need a database of information relative to the CVE standard, and the NVD database provides that. End users need a way to prioritize the constant stream of vulnerabilities that are coming out ... [and by] ... integrating the NVD and CVE, we've made a significant step toward helping people to do that."
The author notes some of the business impacts of CVE via its CVE Compatibility Program when he states: "CVE-compatible products have shown themselves to be cost-effective. Larry Pesce, manager of information systems security for Care New England, a Rhode Island-based healthcare network, says the use of a CVE-compatible penetration testing tool by vendor Core Security probably saves the organization the cost of one to two full-time employees a year. Billy Austin, chief security officer of Saint, a CVE-compatible vendor, says using such tools saves the typical security administrator 2.5 hours per vulnerability over doing manual searches."
The article also mentions MITRE's follow on standards efforts including Open Vulnerability and Assessment Language (OVAL), which uses CVE identifiers as the basis for its standardized XML definitions that check for the presence of vulnerabilities on systems; Common Malware Enumeration (CME), which provides single, common identifiers to virus threats to reduce public confusions during malware outbreaks and to facilitate the adoption of a shared, neutral indexing capability for malware; and Common Weakness Enumeration (CWE), which is a community-developed formal list of common software weaknesses intended to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. The CWE dictionary, which is based in part on the numerous identifiers on the CVE List, is currently hosted on the CVE Web site.
The article concludes with a quote by MITRE's CWE Project Manager, Robert A. Martin, who comments on the purpose behind these other information security standards efforts: "People are so used to selecting the vendor and that's kind of the core they build out from. What we want them to do is get married to enabling standards and then build around that."
National Institute of Standards and Technology (NIST) is a member of the CVE Editorial Board and CVE, NVD, CWE, OVAL, and CME are all sponsored by the U.S Department of Homeland Security.
Secunia Makes Five Declarations of CVE Compatibility
Secunia declared that its enterprise tool for tracking, mapping, and managing vulnerabilities in corporate networks, Secunia Enterprise Security Manager; enterprise tool for tracking, mapping, and managing vulnerabilities in corporate servers, Secunia Enterprise Security Manager - Server Edition; tool for tracking, mapping, and managing vulnerabilities in corporate networks, Secunia Security Manager; enterprise service for tracking, mapping, and managing vulnerabilities in corporate networks, Secunia Vulnerability Tracking Service - Enterprise Edition; and database and archive of alerts and information about vulnerabilities, Secunia Vulnerability Database, are CVE-compatible.
For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
CVE to Host Booth at Black Hat Briefings 2006
MITRE is scheduled to host a CVE/CWE/OVAL/CME exhibitor/meeting booth at Black Hat Briefings 2006 on August 2nd - 3rd at Caesars Palace in Las Vegas, Nevada, USA. The event will expose CVE, CWE, OVAL, and CME to a diverse audience of information security-focused attendees from around the world.
Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CWE, OVAL, CME, and/or other vulnerability management topics at your event.
CVE Editorial Board Holds Teleconference
The CVE Editorial Board held a teleconference on Thursday, June 28, 2006, with 10 Board members participating, and 4 representatives from MITRE. Topics included a CVE content activity update; the role of entries, candidates, and voting; updates on the Common Weakness Enumeration (CWE), Common Configuration Enumeration (CCE), and CIEL; future role of the Board; and a discussion of prospective Board members.
Rede Nacional de Ensino e Pesquisa References CVE Identifiers in Security Advisories
Rede Nacional de Ensino e Pesquisa (RNP) issued a security advisory on December 4, 2003 entitled "Vulnerabilidade no rsync 2.5.6" that referenced CVE-2003-0962. Numerous other RNP advisories also include CVE identifiers. To-date, 71 organizations from around the world have included CVE identifiers in their security advisories, ensuring that the community benefits by having CVE identifiers as soon as the problem is announced.
Download Options for CVE List will be Modified July 19th
On July 19, 2006 downloads of the CVE List will no longer be available with the old-style "CAN" prefix. The CVE naming scheme was modified on October 19, 2005 to replace the "CAN" prefix with a "CVE" prefix in all CVE names. Downloads using only the "CVE" prefix were introduced at that time and will continue to be offered in three options: (1) a single list combining both CVE names with "entry" and "candidate" status, (2) entries only, and (3) candidates only. Each option is available in multiple formats: XML, HTML, Text, and comma separated. The "CAN" prefix downloads were continued for eight months to support the transition from the old format.
CVE information is also available from external resources including CVE Change Logs, a free tool from CERIAS/Purdue University that records changes to the CVE List, and the U.S. National Vulnerability Database (NVD), which is based upon CVE identifiers and offers a variety of search and download options.
CWE Main Topic of Briefing at NIST's Static Analysis Summit
CWE Program Manager Robert A. Martin presented a briefing about the Common Weakness Enumeration (CWE) on June 29, 2006 entitled "Bringing Standards to Software Source Code Security Assessment" at the U.S. National Institute of Standards and Technology's (NIST) "Static Analysis Summit" in Gaithersburg, Maryland, USA. CWE is based in part on the CVE List's 17,000 plus CVE names.
676 CVE Identifiers with Candidate Status Added to CVE List in June
676 CVE identifiers with candidate status were added to the CVE List in June 2006. As of July 5, 2006, there were 17,995 CVE identifiers with entry or candidate status posted on the List with 3,052 posted as official entries and 15,621 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total identifiers and total candidates, and to review, search, or download the CVE List. Recently released CVE identifiers are listed by the U.S. National Vulnerability Database (NVD). Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review all additions for June or any month.
Detailed information about how we build the CVE List is available in the CVE Naming Process and CVE Content Decisions sections.
June 20, 2006
5 Additional Information Security Products/Services Now Registered as Officially "CVE-Compatible"
Five information security products and services from four organizations are the latest to achieve the final stage of MITRE's formal CVE
Compatibility Process and are now officially "CVE-compatible." Each product is now eligible to use the CVE-Compatible Product/Service logo, and their completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaires are posted as part of their product listings on the CVE-Compatible
Products and Services page on the CVE Web site. A total of 65 products to-date have been declared officially compatible.
The following products are now registered as officially "CVE-Compatible":
Use of the official CVE-Compatible logo by these organizations will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. The compatibility process questionnaires will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services pages.
Huawei-3Com Co. Ltd. Posts CVE Compatibility Questionnaire
Huawei-3Com Co. Ltd. has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Quidway SecEngine Intrusion Detection System. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.
AdventNet, Inc. Posts Two CVE Compatibility Questionnaires
AdventNet, Inc. has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for SecureCentral ScanFi and a CVE Compatibility Questionnaire for SecureCentral PatchQuest. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.
LANDesk Software Inc. Posts Two CVE Compatibility Questionnaires
LANDesk Software Inc. has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for LANDesk Patch Manager and a CVE Compatibility Questionnaire for LANDesk Security Suite. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.
SecurityReason Posts CVE Compatibility Questionnaire
SecurityReason has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for SecurityAlert. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.
Download Options for CVE List to be Modified on July 10th
Beginning July 10, 2006 downloads of the CVE List will no longer be available with the old-style "CAN" prefix. The CVE naming scheme was modified on October 19, 2005 to replace the "CAN" prefix with a "CVE" prefix in all CVE names. Downloads using only the "CVE" prefix were introduced at that time and will continue to be offered in three options: (1) a single list combining both CVE names with "entry" and "candidate" status, (2) entries only, and (3) candidates only. Each option is available in multiple formats: XML, HTML, Text, and comma separated. The "CAN" prefix downloads were continued for 8 months to support the transition from the old style.
CVE information is also available from external resources including CVE Change Logs, a free tool from CERIAS/Purdue University that records changes to the CVE List, and the U.S. National Vulnerability Database (NVD), which is based upon CVE names and offers a variety of search and download options.
June 9, 2006
AdventNet, Inc. Makes Two Declarations of CVE Compatibility
AdventNet, Inc. declared that its vulnerability management system SecureCentral, ScanFi, and its patch management system, SecureCentral PatchQuest, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
LANDesk Software Inc. Makes Two Declarations of CVE Compatibility
LANDesk Software Inc. declared that its patch management system, LANDesk Patch Manager, and its active endpoint security management system, LANDesk Security Suite, will be CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
CWE Main Topic of Briefing Scheduled for June 29th at NIST's Static Analysis Summit
CWE Program Manager Robert A. Martin is scheduled to present a briefing about the Common Weakness Enumeration (CWE) on June 29, 2006 entitled "Bringing Standards to Software Source Code Security Assessment" at the U.S. National Institute of Standards and Technology's (NIST) "Static Analysis Summit" in Gaithersburg, Maryland, USA.
CWE is based in part on the CVE List's 17,000 plus CVE names. More information about CWE is available in the CWE section on the CVE Web site.
680 CVE Names with Candidate Status Added to CVE List in May
680 CVE names with candidate status were added to the CVE List in May 2006. As of May 31, 2006, there were 17,209 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 14,960 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Recently released CVE names are listed by the U.S. National Vulnerability Database (NVD). Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review all additions for May or any month.
Detailed information about how we build the CVE List is available in the CVE Naming Process and CVE Content Decisions sections.
May 10, 2006
CVE Names Included in Spring Update of "SANS Top Twenty" List of Internet Security Threats
The 2006 Spring Update to the Twenty Most Critical Internet Security Vulnerabilities, a SANS/FBI consensus list of the most critical problem areas in Internet security, was released on May 1, 2006 and includes an additional 55 CVE names. The full list now includes 296 CVE names. According to the SANS Web site, this latest update of the Top Twenty "enables cyber security professionals to tune their defensive systems to reflect the most important new vulnerabilities that attackers are exploiting to take over computers and steal sensitive or valuable information." The list includes CVE names with both entry and candidate status to uniquely identify the vulnerabilities it describes. This will help system administrators use CVE-compatible products and services to help make their networks more secure.
The spring update lists eight major trends: (1) rapid growth in critical vulnerabilities being discovered in Mac OS/X including a zero-day vulnerability; (2) substantial decline in the number of critical vulnerabilities in Windows Services, offset by flaws in client-side software; (3) continuing discovery of multiple zero-day vulnerabilities in Internet Explorer; (4) rapid growth in critical Firefox and Mozilla vulnerabilities; (5) surge in commodity zero-day attacks used to infiltrate systems for profit motives; (6) rapid growth in three types of critical vulnerabilities (Oracle, Veritas Back-Up and SQL Injection attacks) allowing direct access to databases, data warehouses, and backup data; (7) continuing surge in file-based attacks, especially using media and image files, Microsoft Excel files, etc.; and (8) a rapid spread of spear-phishing attacks especially among defense and nuclear energy sites.
SANS is a member of the CVE Editorial Board and its education and training materials are listed in the CVE-Compatible Products and Services section.
CVE Presents Briefing at DOD System and Software Technology Conference
CVE Compatibility Lead Robert A. Martin presented a briefing about CVE and OVAL on May 4, 2006 entitled "Making Vulnerability Management Operational" at the U.S. Department of Defense (DOD) Joint Service's "18th Annual System and Software Technology Conference" in Salt Lake City, Utah, USA.
The purpose of the conference itself was to help "government, industry, and academia must collaborate more closely in all aspects of systems and software engineering — designing, building, and managing complex "systems of systems" in support of DOD.
Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, CWE, and/or other vulnerability management topics at your event.
CWE Main Topic of Briefing at DOD System and Software Technology Conference
CWE Program Manager Robert A. Martin presented a briefing about the Common Weakness Enumeration (CWE) on May 4, 2006 entitled "Bringing Standards to Software Source Code Security Assessment" at the U.S. Department of Defense (DOD) Joint Service's "18th Annual System and Software Technology Conference" in Salt Lake City, Utah, USA. CWE is based in part on the CVE List's 16,000 plus CVE names. More information about CWE is available in the CWE section on the CVE Web site.
CVE Presents Briefing at GFIRST National Conference 2006
CVE was one of the main topics of a briefing entitled "Vulnerability, Secure Configuration, and Malware Information Exchange Using CVE, OVAL, and CME" presented on May 3, 2006 by OVAL Technical Lead Matthew N. Wojcik and CME Program Manager Julie Connolly at the Government Forum of Incident Responders and Security Teams (GFIRST) second annual "GFIRST National Conference 2006" in Orlando, Florida, USA.
The presentation examined MITRE's three DHS-sponsored security information exchange initiatives — Common Vulnerabilities and Exposures (CVE), Open Vulnerability and Assessment Language (OVAL), and Common Malware Enumeration (CME) — including the purpose of each effort, its goals, participants, future plans, and how each effort benefits the incident response community.
Visit the CVE Calendar page for information on this and other upcoming events.
603 CVE Names with Candidate Status Added to CVE List in April
603 CVE names with candidate status were added to the CVE List in April 2006. As of April 26, 2006, there were 16,529 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 14,264 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Recently released CVE names are listed by the U.S. National Vulnerability Database (NVD). Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review all additions for April or any month.
Detailed information about how we build the CVE List is available in the CVE Naming Process and CVE Content Decisions sections.
May 1, 2006
Huawei-3Com Co. Ltd. Makes Declaration of CVE Compatibility
Huawei-3Com Co. Ltd. declared that its Quidway SecEngine D500 Intrusion Detection System is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
SecurityReason Makes Declaration of CVE Compatibility
SecurityReason declared that its database of security advisories, SecurityAlert, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
Cenzic, Inc. Makes Two Declarations of CVE Compatibility
Cenzic, Inc. declared that its application security assessment tool, Cenzic Hailstorm, and its application security assessment service, Cenzic ClickToSecure, will be CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
Second Draft of Common Weakness Enumeration (CWE) Now Available
The second draft of CWE has been posted on the CWE List page on the CVE Web site. Changes include (1) cleaning up the names of the current elements, and (2) full expansion of the current elements using additional the content from PLOVER, Seven Pernicious Kingdoms, and CLASP.
CWE is a community-developed formal list of common software weaknesses, idiosyncrasies, faults, and flaws. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.
Our next step in building CWE involves gathering data about weaknesses from ten tool and knowledge sources and then merging this new data into the current list to create a third draft. We welcome any comments about CWE at cwe@mitre.org.
April 12, 2006
VeriSign, Inc. Makes Declaration of CVE Compatibility
VeriSign, Inc. declared that its VeriSign Vulnerability Management Service is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
CVE to Present Briefing at GFIRST National Conference 2006 on May 3rd
CVE is one of the main topics of a briefing entitled "Vulnerability, Secure Configuration, and Malware Information Exchange Using CVE, OVAL, and CME" scheduled to be presented on May 3, 2006 by OVAL Technical Lead Matthew N. Wojcik and CME Program Manager Julie Connolly at the Government Forum of Incident Responders and Security Teams (GFIRST) second annual "GFIRST National Conference 2006" at the Doubletree Hotel in Orlando, Florida, USA.
The presentation will examine MITRE's three DHS-sponsored security information exchange initiatives: Common Vulnerabilities and Exposures (CVE), Open Vulnerability and Assessment Language (OVAL), and Common Malware Enumeration (CME). The presentation will start with CVE, move to OVAL, the increasingly popular language for specifying system state information, and finish with the newest initiative for malware, CME. The purpose of each effort, its goals, participants, and future plans will be reviewed. How each effort benefits the incident response community will also be reviewed.
Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.
CVE to Present Briefings at DOD System and Software Technology Conference on May 4th
CVE Compatibility Lead Robert A. Martin is scheduled to present a briefing about CVE and OVAL on May 4, 2006 entitled "Making Vulnerability Management Operational" at the U.S. Department of Defense (DOD) Joint Service's "18th Annual System and Software Technology Conference" at the Salt Palace Convention Center in Salt Lake City, Utah, USA.
Robert Martin is also scheduled to present a briefing on May 4, 2006 entitled "Bringing Standards to Software Source Code Security Assessment" about the Common Weakness Enumeration (CWE), an effort that is based in part on the CVE List's 16,000 plus CVE names.
The purpose of the conference itself is to help "government, industry, and academia must collaborate more closely in all aspects of systems and software engineering — designing, building, and managing complex "systems of systems" in support of DOD.
Visit the CVE Calendar page for information on this and other upcoming events.
518 CVE Names with Candidate Status Added to CVE List in March
518 CVE names with candidate status were added to the CVE List in March 2006. As of March 29, 2006, there were 15,926 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 13,671 as candidates. New candidates are added often. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review the additions for March or any month.
Detailed information about how we build the CVE List is available in the CVE Naming Process and CVE Content Decisions sections.
CVE Hosts Booth at MISTI's InfoSec World 2006, April 3-4
MITRE hosted a CVE/OVAL/CME exhibitor booth at MISTI's InfoSecWorld 2006 Conference & Expo on April 3rd - 4th at the Coronado Springs Resort in Orlando, Florida, USA. The conference exposed CVE, OVAL, and CME to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference was targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals. Organizations listed in the CVE-Compatible Products and Services section also exhibited.
Photos from the event are included below:
Visit the CVE Calendar page for information on this and other upcoming events.
March 30, 2006
Blue Lane Technologies Inc. Posts CVE Compatibility Questionnaire
Blue Lane Technologies Inc. has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Blue Lane PatchPoint System. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."
To-date, 60 products or services from around the world have been awarded a CVE-Compatible logo and registered as Officially CVE-Compatible. For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.
Criston Software Makes Declaration of CVE Compatibility
Criston Software declared that its vulnerability scanner, Criston Vulnerability Management, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
March 15, 2006
"Common Weakness Enumeration" Added to CVE Web Site
A new effort leveraging CVE entitled the "Common Weakness Enumeration (CWE)" has been added to the GET CVE page on the CVE Web site.
CWE is a community-developed formal list of common software weaknesses, idiosyncrasies, faults, and flaws. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. Leveraging the diverse thinking on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.
Based in part on the CVE List's 15,000 plus CVE names—but also including detail and scope from a diverse set of other industry and academic sources and examples including the McGraw/Fortify "Kingdoms" taxonomy; Howard, LeBlanc & Viega's 19 Deadly Sins; and Secure Software's CLASP project; among others—CWE's definitions and descriptions support the finding of common types of software security flaws in code prior to fielding. This means both users and developers now have a mechanism for ensuring that the software products they acquire and develop are free of known types of security flaws by describing their code and assessment capabilities in terms of their coverage of the different CWEs.
The new section includes the CWE List, offered in a detailed Taxonomy view and a high-level Dictionary view; an About section describing the overall CWE effort and process in more detail; a Compatibility page; a Community Participation page; and list of Sources.
CVE to Host Booth at MISTI's InfoSec World 2006
MITRE is scheduled to host an CVE/OVAL/CME exhibitor booth at MISTI's InfoSecWorld 2006 Conference & Expo on April 3rd - 4th at the Coronado Springs Resort in Orlando, Florida, USA. The conference will expose CVE, OVAL, and CME to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals. Please stop by Booth 436 and say hello. In addition, organizations listed in the CVE-Compatible Products and Services section will also be exhibiting.
Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.
504 CVE Names with Candidate Status Added to CVE List in February
504 CVE names with candidate status were added to the CVE List in February 2006. As of February 28, 2006, there were 15,408 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 12,356 as candidates. New candidates are added daily. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review the additions for February or any month.
Detailed information about how we build the CVE List is available in the CVE Naming Process and CVE Content Decisions sections.
CVE Presents Briefing at MISTI's FISMA Risk Management & Compliance Training Symposium on March 14th
CVE Compatibility Lead Robert A. Martin presented a briefing on March 14, 2006 entitled "Program Automation and Standards: The Key to Economic FISMA Compliance" at MIS Training Institute's (MISTI) "FISMA Risk Management & Compliance Training Symposium" in Washington, D.C., USA. FISMA is the Federal Information Security Management Act of 2002, which provides the framework for securing the U.S. government's information technology.
Topics covered in the briefing session included standards-based vulnerability and remediation capabilities; Open Vulnerability and Assessment Language (OVAL); standards-compliant test rules to drive assessment and reporting using commercial products; leveraging OVAL-compliant versions of the DISA STIGS or CIS benchmarks with commercial tools; improving reporting of vulnerability and configuration status for FISMA; and leveraging automation and standards to make FISMA reporting economical.
Visit the CVE Calendar page for information on this and other upcoming events.
March 1, 2006
CVE "Editor's Commentary" Page Added to CVE Web Site
A new Editor's Commentary page has been added to the GET CVE page. The new page includes opinion and commentary about vulnerabilities, software assurance, and related topics by CVE List Editor Steve Christey. Posts will be either Community Issues or CVE-Specific.
Some recent posts about Community Issues include:
What
is the state of vulnerability research? 2006-02-16
Seven open questions
to vulnerability researchers, posted on Bugtraq, intended to encourage fruitful
public discussion on the topic.
[Full-disclosure]
Open Letter on the Interpretation of "Vulnerability Statistics",
2006-01-05
A short paper on how to interpret vulnerability statistics. Includes
a discussion about the veracity of publicly available Refined Vulnerability
Information (RVI) sources.
[Full-disclosure]
On Interpretation Conflict Vulnerabilities, 2005-11-02
A discussion
about vulnerabilities that are considered "interpretation conflicts."
[Full-disclosure]
Why Vulnerability Databases can't do everything, 2005-07-15
Commentary
on the work involved in maintaining a vulnerability database.
Some recent posts about CVE-Specific issues include:
Managing a Candidate Request for a New Issue, 2006-01-10
Handling Duplicate Public CVE Identifiers, 2005-06-29
CVE Content Decisions in Action, 2005-03-23
There is no set publication schedule so check the Editor's Commentary page regularly for new posts. You may also contact cve@mitre.org with any comments or suggestions.
Certificate of CVE Compatibility Awarded to CA
CA was recently presented with an Official Certificate of CVE Compatibility for its eTrust Vulnerability Manager product. MITRE presented the award at RSA Conference 2006 on February 14, 2006 in San Jose, California, USA. A total of 60 products to-date are officially CVE-Compatible.
Eric Herrera of CA (left), Yiannis Vassiliades of CA (center), and Robert A. Martin, OVAL Compatibility Lead right) at MITRE's compatibility awards presentation at RSA 2006.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.
Certificate of CVE Compatibility Awarded to NetClarity
NetClarity was recently presented with an Official Certificate of CVE Compatibility for its NetClarity Analyst and Update Service product. MITRE presented the award at RSA Conference 2006 on February 14, 2006 in San Jose, California, USA. A total of 60 products to-date are officially CVE-Compatible.
Gary Miliefsky of NetClarity (left), Gil Roeder of NetClarity (center), and Robert A. Martin, OVAL Compatibility Lead (right) at MITRE's compatibility awards presentation at RSA 2006.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.
Certificate of CVE Compatibility Awarded to DragonSoft Security Associates
DragonSoft Security Associates, Inc. was recently presented with an Official Certificate of CVE Compatibility for its DragonSoft Vulnerability Database product. MITRE presented the award at RSA Conference 2006 on February 14, 2006 in San Jose, California, USA. A total of 60 products to-date are officially CVE-Compatible.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.
Certificate of CVE Compatibility Awarded to Information Risk Management
Information Risk Management Plc was recently presented with an Official Certificate of CVE Compatibility for its Security Risk Assessment product. MITRE presented the award at RSA Conference 2006 on February 14, 2006 in San Jose, California, USA. A total of 60 products to-date are officially CVE-Compatible.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.
Two Certificates of CVE Compatibility Awarded to NSFOCUS Information Technology
NSFOCUS Information Technology Co., Ltd. was recently presented with an Official Certificate of CVE Compatibility for its AURORA RSAS and ICEYE NIDS products. MITRE presented the award at RSA Conference 2006 on February 14, 2006 in San Jose, California, USA. A total of 60 products to-date are officially CVE-Compatible.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.
Certificate of CVE Compatibility Awarded to ThreatGuard
ThreatGuard, Inc. was recently presented with an Official Certificate of CVE Compatibility for its ThreatGuard Traveler product. MITRE presented the award at RSA Conference 2006 on February 14, 2006 in San Jose, California, USA. A total of 60 products to-date are officially CVE-Compatible.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.
Certificate of CVE Compatibility Awarded to Venus Information Technology
Venus Information Technology, Inc. was recently presented with an Official Certificate of CVE Compatibility for its Cybervision Vulnerability Assessment and Management System product. MITRE presented the award at RSA Conference 2006 on February 14, 2006 in San Jose, California, USA. A total of 60 products to-date are officially CVE-Compatible.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.
FuJian RongJi Software Development Company Posts CVE Compatibility Questionnaire
FuJian RongJi Software Development Company, Ltd. has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for RJ-iTop Network Vulnerability Scanner System. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."
To-date, 60 products or services from around the world have been awarded a CVE-Compatible logo and registered as Officially CVE-Compatible. For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.
BigFix, Inc. Makes Declaration of CVE Compatibility
BigFix, Inc. declared that its vulnerability and security configuration management suite, BigFix Enterprise Suite, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
Safend Makes Four Declarations of CVE Compatibility
Safend declared that four of its products will be CVE-compatible: its firewalls, Safend Protector and USB Port Protector, vulnerability assessment service, Safend Auditor, and on-demand vulnerability assessment service, USB Auditor. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
CVE to Present Briefing at MISTI's FISMA Risk Management & Compliance Training Symposium on March 14th
CVE Compatibility Lead Robert A. Martin is scheduled to present a briefing on March 14, 2006 entitled "Program Automation and Standards: The Key to Economic FISMA Compliance" at MIS Training Institute's (MISTI) "FISMA Risk Management & Compliance Training Symposium" in Washington, D.C., USA. FISMA is the Federal Information Security Management Act of 2002, which provides the framework for securing the U.S. government's information technology.
Topics that will be covered in the briefing session include standards-based vulnerability and remediation capabilities; Open Vulnerability and Assessment Language (OVAL); standards-compliant test rules to drive assessment and reporting using commercial products; leveraging OVAL-compliant versions of the DISA STIGS or CIS benchmarks with commercial tools; improving reporting of vulnerability and configuration status for FISMA; and leveraging automation and standards to make FISMA reporting economical.
Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.
CVE Hosts Booth at RSA Conference 2006, February 13-17
MITRE hosted an CVE/OVAL/CME exhibitor booth at RSA Conference 2006 on February 13-17, 2006 at the McEnery Convention Center, in San Jose, California, USA. The RSA Conference provides a forum for information security professionals and visionaries to "exchange and collaborate in a dynamic, authoritative setting." The event introduced CVE, OVAL, and CME to security professionals from industry, government, and academia from around the world. Organizations listed in the CVE-Compatible Products and Services section also exhibited.
Photos from the event are included below:
Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.
CVE Main Focus of Article on VoIPLoop.com
CVE was the main focus of a February 14, 2006 article on VoIPLoop.com entitled "A CVE is not a Resume-It's a Threat." The article explains what CVE is and the problems it addresses; states the number of names currently on the CVE List; mentions the current number of officially CVE-Compatible products and the number of products with declarations to be CVE-compatible; includes a link to the CVE Web site; and discusses CVE-2005-4050 and CVE-2005-3804, which address VoIP vulnerabilities. The author also recommends that readers use CVE-compatible products and that they check the CVE List regularly for new VoIP-specific vulnerabilities.
CVE and OVAL Main Topics of MITRE Digest Article
CVE and OVAL were the main topics of a February 2006 MITRE Digest article on the MITRE Corporation Web site entitled "Information Assurance Industry Uses CVE and OVAL to Identify Vulnerabilities." The article describes how "as the number of software vulnerabilities continues to increase, MITRE's OVAL and CVE initiatives are becoming standards in the information assurance industry." The article further describes how the growing list of CVE names "ensures enhanced interoperability and security for enterprises" and describes how "OVAL identifies vulnerabilities and configuration issues."
The article concludes with a section on how "MITRE is leveraging the CVE and OVAL Initiatives to help the [U.S.] Department of Defense (DoD) transform its enterprise incident and remediation management efforts" and how "as a result, the DoD will be fundamentally changing the way it deals with vulnerabilities and configuration issues in the commercial and open source components of its infrastructure and mission systems."
February 14, 2006
8 Additional Information Security Products/Services Now Registered as Officially "CVE-Compatible"
Eight information security products and services from seven
organizations are the latest to achieve the final stage of MITRE's formal CVE
Compatibility Process and are now officially "CVE-compatible." Each
product is now eligible to use the CVE-Compatible Product/Service logo, and
their completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaires
are posted as part of their product listings on the CVE-Compatible
Products and Services page on the CVE Web site. A total of 60 products
to-date have been declared officially compatible.
The following products are now registered as officially "CVE-Compatible":
Use of the official CVE-Compatible logo by these organizations will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. The compatibility process questionnaires will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
CVE Compatibility certificates were awarded on Tuesday, February 14, 2006 at RSA Conference 2006 in San Jose, CA, USA, to the organizations that have achieved this final phase. The certificates were presented to all seven organizations, including CA; DragonSoft Security Associates, Inc.; Information Risk Management Plc; NetClarity; NSFOCUS Information Technology Co., Ltd.; ThreatGuard, Inc.; and Venus Information Technology, Inc.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services pages.
577 CVE Names with Candidate Status Added to CVE List in January
577 CVE names with candidate status were added to the CVE List in January 2006. As of January 31, 2006, there were 14,904 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 12,608 as candidates. New candidates are added daily. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review the additions for January or any month.
Detailed information about how we build the CVE List is available in the CVE Naming Process and CVE Content Decisions sections.
February 8, 2006
15,000+ CVE Names Now Available on the CVE Web Site!
The CVE Web site now contains 15,024 unique information security issues with publicly known names. Of these, 3,053 have CVE entry status and 12,726 have candidate status pending approval by the CVE Editorial Board. CVE names are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE names.
CVE names are unique, common identifiers for publicly known information security vulnerabilities. Each CVE name includes the following: the CVE identifier number (i.e., "CVE-1999-0067"); indication of "entry" or "candidate" status; brief description of the security vulnerability or exposure; and any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID).
Visit the CVE-Compatible Products and Services page to find out about the 238 products that use CVE names (of which, 56 are "Officially CVE-Compatible"), or see Organizations with CVE Names in Advisories for a list of the 70 organizations to-date that are including or have included CVE names in their advisories.
February 1, 2006
Openware Makes Declaration of CVE Compatibility
Openware declared that its on demand vulnerability management and assessment service, ATTAKA, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
Imperfect Networks Makes Declaration of CVE Compatibility
Imperfect Networks declared that its vulnerability assessment appliance and database, ThreatEx, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
CVE to Host Booth at RSA Conference 2006, February 13-17
MITRE is scheduled to host a CVE/OVAL/CME exhibitor booth at RSA Conference 2006 on February 13-17, 2006 at the McEnery Convention Center, in San Jose, California, USA. RSA Conference provides a forum for information security professionals and visionaries to "exchange and collaborate in a dynamic, authoritative setting." The event will introduce CVE, OVAL, and CME to security professionals from industry, government, and academia from around the world. Organizations with CVE-Compatible Products and Services will also be exhibiting. Please stop by Booth 1743, or any of these booths, and say hello.
Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.
CVE Hosts Booth at IA Conference Workshop, January 30 - February 1
MITRE hosted a CVE/OVAL/CME exhibitor booth at the 10th annual U.S. Department of Defense (DOD) Information Assurance (IA) Conference Workshop on January 30 - February 1, 2006 at the Philadelphia Marriott Downtown, in Philadelphia, Pennsylvania, USA. The purpose of the workshop, which is hosted by the Defense Information Systems Agency (DISA), National Security Agency (NSA), Joint Staff, and the United States Strategic Commands, was to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of DOD IA strategy. The event introduced CVE, OVAL, and CME to representatives of the DOD and other Federal Government employees and their sponsored contractors. Organizations with CVE-Compatible Products and Services also exhibited.
Visit the CVE Calendar for information on this and other events.
CVE Hosts Booth/Participates on Discussion Panel at Homeland Security for Networked Industries 2006 Conference & Expo
MITRE hosted a CVE/OVAL/CME exhibitor booth at Homeland Security for Networked Industries (HSNI) 2006 Conference & Expo on January 9-11, 2006 at Walt Disney World Resort, in Orlando, Florida, USA. In addition, CVE Compatibility Lead Robert A. Martin participated on a Discussion Panel about CVE on January 11th with Carl Benzhof, CTO of Citadel Security Software; Peter Allor, Director of Operations for Internet Security Systems; Amol Sarwate, Director of Vulnerability Research, Qualys, Inc.; and Greg Galford, Lead Program Manager at Microsoft Corporation's Security Resource Center. Organizations with CVE-Compatible Products and Services also exhibited at the expo.
Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.
CVE Announces Initial 'Calendar of Events' for 2006
The CVE Initiative has announced its initial calendar of events for the first half of 2006. Details regarding MITRE's scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.
- Homeland Security for Networked Industries (HSNI) 2006 Conference & Expo, January 9-11, 2006
- DOD IA Conference Workshop, January 30 - February 1, 2006
- RSA Conference 2006, February 13-17, 2006
- MISTI's InfoSec World 2006 Conference & Expo, April 3-4, 2006
Other events will be added throughout the year. Visit the CVE Calendar for information or contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.
CVE Presents Briefing at InfraGard Meeting
CVE Compatibility Lead Robert A. Martin presented a briefing about CVE at InfraGard's Boston Member Alliance Quarterly Meeting on January 18, 2006 at MFS in Boston, Massachusetts, USA. InfraGard is a U.S. Federal Burea of Investigation (FBI) program to gain support from the information technology industry and academia for the FBI's investigative efforts concerning various terrorism, intelligence, criminal, and security matters in the cyber arena. See the national InfraGard Web site for more information about InfraGard and its mission.
Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.
714 CVE Names with Candidate Status Added to CVE List in December
714 CVE names with candidate status were added to the CVE List in December 2005. As of December 28, 2005, there were 14,338 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 12,031 as candidates. New candidates are added daily. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review the additions for December or any month.
Detailed information about how we build the CVE List is available in the CVE Naming Process and CVE Content Decisions sections.
Photographs from Recent CVE Exhibitor Booths
MITRE hosts a CVE exhibitor booth at various events throughout the year. Below are photographs of events from autumn 2005:
Federal Information Assurance Conference (FIAC)
2005, October 25-26, 2005
CSI Computer Security Conference & Exhibition, November 13-15, 2005
January 3, 2006
CVE to Host Booth/Participate on Discussion Panel at Homeland Security for Networked Industries 2006 Conference & Expo in January
MITRE is scheduled to host a CVE/OVAL/CME exhibitor booth at Homeland Security for Networked Industries (HSNI) 2006 Conference & Expo on January 9-11, 2006 at Walt Disney World Resort, in Orlando, Florida, USA. The conference is "the first of its kind to encourage cross-industry collaboration on network security issues pertinent to America's critical infrastructures [or those] networks which serve as the backbone for daily life for the American public." It is "an opportunity to listen and network with IT decision makers from a variety of networked industries including utilities, telecom and transportation as well as government."
In addition, CVE Compatibility Lead Robert A. Martin will be participating on a Discussion Panel about CVE on January 11th with Carl Benzhof, CTO of Citadel Security Software; Peter Allor, Director of Operations for Internet Security Systems; Gerhard Eschelbeck, CTO & VP of Engineering at Qualys, Inc.; and Greg Galford, Lead Program Manager at Microsoft Corporation's Security Resource Center.
Organizations with CVE-Compatible Products and Services will also be exhibiting at the expo. Please stop by Booth 117, or any of these booths, and say hello.
SecurityReason References CVE Names in Security Advisories
SecurityReason issued a security alert on September 24, 2005 that referenced CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060. Numerous other SecurityReason advisories also include CVE names. See Organizations with CVE Names in Vulnerability Advisories for a complete list of the 70 organizations that are including or have included CVE names with entry or candidate status in their security advisories.
CVE Included in NetClarity Press Release
CVE was included in a November 21, 2005 press release by NetClarity entitled "NetClarity Upgrades Line of Vulnerability Management Appliances; Auditor Now Provides Multi-Appliance Correlation and VoIP Security Testing." CVE is first mentioned in a description of how the latest release of the Auditor product works: " ... Auditor now has the capability of scanning VoIP network equipment, such as servers, switches, routers and handsets, for Common Vulnerabilities and Exposures (CVE) [names], the systemic cause of over 95 percent of all network security breaches."
CVE is also mentioned in a quote by Gary Miliefsky, NetClarity's chief technology officer, who states: "If you are considering deploying VoIP on the same network as your desktop computers and servers, you are at high risk of poor call quality, denial of service, breaches of privacy, integrity and availability. By removing your CVEs, you can quickly mitigate much of this risk. Because these packet-based networks are not very secure by default they are extremely susceptible to attacks such as Man in the Middle (eavesdropping and alerting) and Denial of Service (DoS). Auditor now enables customers to quickly find and remediate CVE that may lead to these types of attacks."
Finally, CVE is highlighted in a list of the new features of the latest release of Auditor: "Integration with the National Vulnerability Database [NVD], which is based on and synchronized with the MITRE CVE naming standard: this comprehensive cyber security vulnerability database enables customers to better understand how vulnerabilities impact their business and how to fix them as well as the latest threats against their [CVE names]."
Four NetClarity (formerly PredatorWatch, Inc.) products are listed on the CVE-Compatible Products and Services page, three of which—NetClarity Auditor Enterprise and Update Service, NetClarity Auditor 128 and Update Service, and NetClarity Auditor XL and Update Service—are "Officially CVE-Compatible." NVD and CVE are sponsored by the U.S. Department of Homeland Security.
