[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CVE Will Reject a Group of Unused CVE IDs



Dave,

 

We are simply marking all previously unused CVE IDs as REJECT. These are the CVE IDs that CNAs told us are not assigned and are unused. Marking items as REJECT is fairly routine, though in this case we are taking about a much larger update. Is your concern specific to the number of REJECTs at once, or is it more about the fact that there may be new CVEs (i.e., non-REJECTs) mixed in with a bunch of REJECTs?

 

Note that this only affects the limited distribution CVENEW mailing list. The CVENEW mailing list has always listed REJECTs. The CVENew Twitter feed does not currently list REJECTs.

 

Chris

 

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Waltermire, David A. (Fed)
Sent: Tuesday, May 9, 2017 1:00 PM
To: Adinolfi, Daniel R <dadinolfi@mitre.org>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: CVE Will Reject a Group of Unused CVE IDs

 

Will this result in the creation of a bunch of new “rejected” CVE entries in the CVE data feeds?

 

If so, I don’t think this specific approach is ideal or effective. If I am understanding this correctly, the feeds will be littered with a bunch of “rejected” entries. It may even be the case that the number of rejected entries will outnumber the actual used CVE entries.

 

While the board has agreed that sharing information about rejected and unused portions of the address space is needed, I don’t recall any decisions being made about how to do that yet. If decisions have been made, there may be some confusion about how this is proceeding.  If I am interpreting this correctly, I believe the board should discuss the specifics of this technical solution being proposed here before moving forward with making these changes.

 

Regards,

Dave

 

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Adinolfi, Daniel R
Sent: Tuesday, May 09, 2017 12:19 PM
To: Multiple recipients <LISTSERV@LISTS.MITRE.ORG>
Subject: CVE Will Reject a Group of Unused CVE IDs

 

All,

 

To help reduce the number of reserved but unused CVE IDs in the CVE List, the CVE Team will reject CVE IDs that CNAs have indicated as being unused from their prior CVE ID allocations. The CVE IDs affected include those from years 1999 through 2016. CVE List consumers will see 3103 reserved CVE IDs become rejected in an update on May 10th.

 

Each of these CVE entries will be updated with the following information ([Year] is replaced with four-digit year):

 

"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or

individual who requested this candidate did not associate it with any

vulnerability during [Year]. Notes: none."

 

CNAs are given blocks of CVE IDs each year, and those CVE IDs are marked as "RESERVED" in the CVE list until they are assigned to a vulnerability and published. CNAs often do not use all the CVE IDs they are allocated, which results in many reserved CVE IDs that will never be assigned to a vulnerability.

 

Going forward, at the start of each new calendar year, the CVE Team will ask CNAs for the list of unused CVE IDs from their allocations. Once we have that list of unused CVE IDs, we will update those CVE IDs to "REJECT" status, hopefully making it clearer that the CVE IDs do not represent unannounced vulnerabilities. (For more details about the meaning of the "REJECT" status, refer to <http://cve.mitre.org/about/faqs.html#reject_signify_in_cve_id>.)

 

If there are any questions about this process, you can contact the CVE Team at <https://cveform.mitre.org/>.

 

Thanks.

 

-Dan, for the CVE Team

_________________________

Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Communications and CNA Coordinator

Email: <dadinolfi@mitre.org>  Phone: 781-271-5774

 

 

 


Page Last Updated or Reviewed: May 09, 2017