CVE Included in Article about Vulnerability Assessment Scanners in PC Magazine
CVE was included in an article entitled "Network Security: Know Your Weaknesses" in the December 30, 2003 issue of PC Magazine. In the article the author discusses vulnerability assessment in general and reviews six scanners. Of these, CVE is noted as a product feature in the review text of four of them: GFI LANguard Network Security Scanner 3.3, Retina Network Security Scanner, Nessus Scanner, and Security Analyzer 5.0. In the Nessus review, the author provides a link to the CVE Web site: "Links to the Common Vulnerabilities and Exposures (CVE) dictionary (https://cve.mitre.org), which lists known vulnerabilities . . . are also provided . . . " Though not mentioned in the article, another of the scanners being reviewed, SAINT 5, also checks for CVE names.
The article includes a Summary of Features chart in which CVE is included as a feature under the reporting category: "Reports include data for Bugtraq/CVE." Five of the six scanners under review are noted as including CVE names. In a Performance Analysis section, the article noted that PC Labs checked for a number of CVE candidates during their testing of the scanners under review, including: CAN-2003-0715, CAN-2003-0528, and CAN-2003-0605; CAN-2003-0660; CAN-2003-0682, CAN-2003-0693, and CAN-2003-0695; CAN-1999-0554; and CAN-2002-0400.
Finally, five of the six scanners reviewed (GFI LANguard Network Security Scanner 3.3, Nessus Scanner, Retina Network Security Scanner, SAINT 5, and Security Analyzer 5.0) are listed on the CVE-Compatible Products and Services page.
Syhunt, Inf. Ltd. Makes CVE Compatibility Declaration
Syhunt, Inf. Ltd. has declared that its application security scanner, TrustSight Security Scanner, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
CVE Mentioned in Article about OVAL in Government Computer News
CVE was mentioned in a December 4, 2003 article in Government Computer News entitled "Look it up: A common language for vulnerabilities." The main topic of the article is MITRE's Open Vulnerability Assessment Language (OVAL) effort. The article quotes CVE Compatibility Lead Robert A. Martin: "[OVAL is] how you describe the test conditions for vulnerabilities [on the CVE List]." Martin goes on to say that OVAL is the next step in standardizing vulnerability management.
CVE, which plays a large part in OVAL as all OVAL queries are based on CVE names, is mentioned throughout the article. The author describes the creation of CVE in 1999, mentions the information security community component of the CVE Editorial Board, mentions that CVE is funded by the Department of Homeland Security, and describes CVE Compatibility noting that "Both the National Institute of Standards and Technology and the Defense Department recommend that agencies give preference to CVE-compatible products" and "To date, 143 computer security products or services from 96 organizations are compatible with the scheme, using CVE designations to identify vulnerabilities." The author also includes the current number of entries on the CVE List: "[CVE] now contains about 2,572 entries, with another 3,832 under evaluation."
The author concludes the article with the following statement about OVAL: "Although testing and scanning tools are becoming common for discovering vulnerabilities in computer systems, there are no standards for these tasks. OVAL will provide standards so that automating vulnerability management can be more effective, Martin said. It will define the attributes needed to find vulnerabilities in a system, to prioritize them and fix them."
CVE Presents Briefing at Fifth Annual Secure Trusted Operating System Consortium Symposium
Robert A. Martin, CVE Compatibility Lead, presented a briefing about CVE and OVAL on December 3rd, 2003 entitled "CVE and OVAL: Security Standards that Are Making a Difference" at the Fifth Annual Secure Trusted Operating System Consortium Symposium in Washington, D.C., USA. The presentation was successful and exposed CVE and OVAL to an audience of "system and lab administrators, programmers, developers, strategists, consultants and other technical staff involved in the design, development, deployment and securing of systems," and "anyone for whom security is a requirement."
Visit the CVE Calendar page for information about this and other upcoming events.
CVE Mentioned in Article on SecuritySearch.com
CVE was mentioned in a November 25, 2003 article on the SecuritySearch.com Web site entitled "Vulnerability scanning with Nessus." In this "Network Security Tip" article, the author discusses vulnerability scanning with Nessus Security Scanner and states: "This free tool offers a surprisingly robust feature set and is widely supported among the information security community. It doesn't take long between the discovery of a new vulnerability and the posting of an updated script for Nessus to detect it. In fact, Nessus takes advantage of the Common Vulnerabilities and Exposures architecture that facilitates easy cross-linking between compliant security tools." The article also includes a link to the CVE Web site and another direct link to the CVE-Compatible Products and Services section.
Nessus Project is a member of the CVE Editorial Board, and Nessus Security Scanner is listed on the CVE-Compatible Products and Services page.
PredatorWatch, Inc. Press Release Mentions CVE
CVE was mentioned twice in a November 24, 2003 press release by PredatorWatch, Inc. entitled "PredatorWatch, Inc. Announces Auditor(TM) Release 2.1." The first mention of CVE was in the first paragraph: "The PredatorWatch Auditor version 2.0 was the first to detect common vulnerabilities and exposures (CVEs) in Microsoft Windows Server 2003, the new Microsoft Wireless Router, and other mission critical platforms."
The second mention was in the second paragraph of the press release, in which access to the CVE List through the CVE Web site is included as one of the product's main features: "[Auditor 2.1] has been enhanced and is now delivered in a . . . Linux-based security auditing appliance. Including . . . built-in access to MITRE's CVE search engine . . ."
PredatorWatch, Inc. and PredatorWatch Auditor are listed on the CVE-Compatible Products and Services.
Reflex Security Inc. Makes CVE Compatibility Declaration
Reflex Security Inc. has declared that its automated intrusion response system, Reflex Interceptor, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
OVAL Introductory White Paper Discusses CVE and CVE Compatibility
A November 2003 white paper entitled "Introduction to OVAL: A New Language to Determine the Presence of Software Vulnerabilities" discusses the role CVE plays in the OVAL effort and the importance of OVAL's CVE compatibility. OVAL is Open Vulnerability Assessment Language, an effort by MITRE and the international information security community to standardize the way in which vulnerabilities are identified on computer systems. OVAL, which supports Windows, UNIX, and Linux, uses Structured Query Language (SQL) queries to identify the vulnerabilities on systems. XML is also supported for tool developers. All OVAL queries are based on the CVE List; for each CVE entry, there are one or more OVAL queries.
The white paper explains what OVAL is and how OVAL improves vulnerability assessment. Also discussed are an OVAL-enabled process, the value of OVAL's CVE compatibility, OVAL's broad industry participation via the OVAL Community Forum and the OVAL Board, the process for creating OVAL queries, a technical discussion about the Reference Query Interpreter, and a summary of OVAL benefits. Many of the organizations participating in the OVAL effort are also involved in CVE. The white paper is available from the Documents page on the OVAL Web site.
6,347 CVE Names Now Available on the CVE Web Site
The CVE Web site now contains 6,347 unique information security issues with publicly known names. Of these, 2,572 are unique CVE entries on the official CVE List and 3,775 are candidates for the list, pending the approval of the CVE Editorial Board. CVE candidate numbers reflect breaking and newly discovered vulnerability information that may be of special or immediate concern to the public, as well as items under study, while official entries are considered mature and reviewed information. Both types of CVE items are useful and usable in helping organizations with the job of managing vulnerabilities.
Numerous entries and candidates on the CVE Web site have appeared in vulnerability advisories and bulletins. Including CVE names in security advisories ensures the community benefits by having the CVE names as soon as the problem is announced. In this way, organizations that use products and services supporting the CVE naming scheme can respond swiftly to the advisories. When an advisory includes the CVE name, users can see if their scanners check for the described threat and then determine whether their intrusion detection system has the appropriate attack signatures. For organizations that build or maintain systems for customers, the use of CVE names in advisories helps directly identify any fixes from the vendors of the commercial software products in those systems (if the vendor fix site supports CVE names). The result overall is a much more structured and predictable process for handling advisories than most organizations currently possess, and an improved process for handling risk.
See Vulnerability Alerts/Announcements for a list of the organizations that are including or have included CVE names in their advisories to-date, or visit the CVE-Compatible Products and Services page to find out more about compatible products.
ScanAlert, Inc. Makes CVE Compatibility Declaration
ScanAlert, Inc. has declared that its security auditing and certification product, HACKER SAFE Certification, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
CVE to Present Briefing at the Fifth Annual Secure Trusted Operating System Consortium Symposium
Robert A. Martin, CVE Compatibility Lead, will present a briefing on CVE and OVAL entitled "CVE and OVAL: Security Standards that Are Making a Difference" at the Fifth Annual Secure Trusted Operating System Consortium Symposium at the Morris & Gwendolyn Cafritz Foundation Conference Center at George Washington University, Washington, D.C., USA. The conference, scheduled for December 1st - 5th, is targeted to "system and lab administrators, programmers, developers, strategists, consultants and other technical staff involved in the design, development, deployment and securing of systems," as well as "anyone for whom security is a requirement."
Visit the CVE Calendar page for information about this and other upcoming events.
Conference Photos of CVE Booth at LISA 2003
MITRE hosted a CVE/OVAL exhibitor booth at LISA 2003 October 29th - 30th in San Diego, California, USA. See photos below.
DragonSoft Security Associates, Inc. Makes CVE Compatibility Declaration
DragonSoft Security Associates, Inc. has declared that its vulnerability assessment and remediation product, DragonSoft Secure Scanner, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
Westpoint, Ltd. Makes CVE Compatibility Declaration
Westpoint, Ltd. has declared that its managed vulnerability assessment service, Westpoint Enterprise Scan, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
CVE Mentioned in eWeek Article about Threat Information Management
CVE was mentioned in an article entitled "All The Threat Information You Want, And Then Some" in the October 24, 2004 issue of eWeek. The main topics of the article are Symantec, Inc.'s DeepSight Alert Service, a configurable Web-based interface that keeps users "informed on vulnerabilities in excruciating detail," and its Threat Management Services, which provides "a series of reports and statistics on threats worldwide that are collected from a large network of honey pots and other monitoring systems."
The author notes that a CVE name is one of the five ways in which the DeepSight Alert Service provides information on vulnerabilities. Each alert includes: "a CVE code for those who track vulnerabilities that way". The alerts also include: a SecurityFocus BugTraq ID; the original publication dates of the alert and the last update date; whether the vulnerability is remote and/or local; and a classification of the type of bug it is (e.g., a "Boundary Condition Error").
Symantec, Inc. is a member of the CVE Editorial Board, and seven Symantec products are listed on the CVE-Compatible Products and Services page.
CVE Mentioned as a Feature in an InfoWorld Product Review
CVE was included as a feature in a product review entitled "No-frills security scanning" in the September 5, 2003 issue of InfoWorld. CVE is noted as a feature of both products being reviewed, Internet Security Systems's (ISS) Internet Scanner and the Nessus Project's Nessus Scanner. The authors state: "the scanning engines of Internet Scanner and Nessus were accurate, with verifiable reporting and links to MITRE's CVE (Common Vulnerabilities and Exposures) List." The review also included a link to the CVE Web site.
Both Internet Security Systems and the Nessus Project are members of the CVE Editorial Board, and ISS Internet Scanner and Nessus Scanner are listed on the CVE-Compatible Products and Services page.
CVE Hosts Booths at FIAC 2003 and LISA 2003
MITRE hosted a CVE/OVAL exhibitor booth at two events in October, FIAC 2003 and LISA 2003. The first, Federal Information Assurance Conference (FIAC) 2003, was held October 21st and 23rd in Adelphi, Maryland, USA. The event was successful and exposed CVE and OVAL to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government. Companies with CVE-Compatible Products and Services also exhibited.
The second event, the Large Installations Systems Administration (LISA) Conference 2003, was held October 29th and 30th in San Diego, California, USA. The LISA conference was also successful and introduced CVE and OVAL to ". . . a wide range of system and network administrators working in the full spectrum of computing environments: large corporations, small businesses, academic institutions, [and] government agencies . . . "
Visit the CVE Calendar page for information about upcoming events.
Conference Photos of CVE Booth at FIAC 2003
PredatorWatch, Inc. Makes CVE Compatibility Declaration
PredatorWatch, Inc. has declared that its vulnerability assessment and remediation product, PredatorWatch Auditor, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Included as Method Scanning Tools Should Use to Identify Vulnerabilities in NIST Special Publication
CVE was included as a method vulnerability scanning tools should use to identify vulnerabilities in the National Institute of Standards and Technology (NIST) special publication "SP 800-36: Guide to Selecting Information Security Products." According to the authors, scanning tools should use a combination of methods to identify vulnerabilities and that those methods will "vary from product to product and are also dependent on whether host or network scanning is being performed and on the operating system of the target."
CVE is included as method seven in the "Vulnerability Scanner Product Characteristics" section of this report. "Whenever applicable, the tool should report the CVE number for each identified vulnerability." CVE is also mentioned in a footnote: "ICAT is a search engine for an industry standard set of known vulnerabilities (https://cve.mitre.org) containing links to vulnerability and patch information."
NIST is a member of the CVE Editorial Board, and the NIST ICAT metabase is listed on the CVE-Compatible Products and Services page.
CVE Senior Advisory Council Holds Meeting
The CVE Senior Advisory Council, which also now provides oversight for the OVAL effort, held a meeting on Thursday, October 2, 2003. The meeting included status updates on the CVE Initiative, focusing on the progress of the CVE Compatibility program and the current count of compatibility declarations for 139 products from 92 organizations; status updates on the OVAL effort, including a discussion of an XML Schema to represent OVAL queries; policy compliance with regard to system configuration and traceability for Federal Information Security Management Act (FISMA)-like compliance assessments; and a report on the current work of the Department of Homeland Security's National Cyber Security Division (NCSD).
CVE Included in Article about New Uses for Vulnerability Assessment Tools in Network Magazine
CVE was mentioned in an article entitled "Vulnerability Assessment Tools Find New Uses" in the September 4, 2003 issue of Network Magazine. The article focuses on what the author considers three recent trends in the vulnerability assessment tools market that "affect the way vulnerability data is acquired and used." These three trends are: (1) vulnerability assessment as a managed service; (2) vulnerability data being drafted in such a way as to help make intrusion detection systems (IDSs) smarter; and (3) new tools "that perform passive vulnerability assessment [to] address some of the current shortcomings of active scanners and provide a new source of information for managing risk."
CVE was mentioned in two instances in the article in a section about IDSs, in which the author states that an "IDS can go beyond detecting attack traffic and determine if the target is susceptible by consulting vulnerability data." The first mention of CVE is when the author discusses products by Qualys, Inc.: "In July 2003, Qualys announced QuIDScor, a software module that ties vulnerability data from its QualysGuard VA service with Snort, the popular open-source IDS. A correlation engine in QuIDScor accepts raw alerts from Snort and runs them against QualysGuard's vulnerability database using Common Vulnerabilities and Exposures (CVE) identifiers."
The second mention of CVE involves a discussion about Tenable Network Security's Lightning Console, which "lets users manage multiple Nessus [vulnerability scanning] engines to scan large networks. It automates scanning activities such as scheduling, and helps track scan results and manage remediation of discovered vulnerabilities." "Using CVE and BugTraq ID numbers, the console can match IDS events with targets that have the corresponding vulnerabilities."
The Nessus Project is a member of the CVE Editorial Board, and both the Nessus Project's Nessus Security Scanner and Qualys Inc.'s QualysGuard Intranet Scanner are listed on the CVE-Compatible Products/Services page.
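The correlation the article describes (an IDS alert carrying a CVE name checked against scan results for the target host, so that advisories, scanner output and IDS signatures cross-link on the same name) can be reproduced in a few dozen lines. The example below is added here and is not code from the page, from QuIDScor or from Lightning Console; the scanner export format, the Snort-style alert lines, the hosts and the Xref tagging are all constructed for illustration, while the CAN names are the ones this page cites.

```python
"""Correlate IDS alerts with vulnerability-scan results by CVE name.

Added example (not code from the page, QuIDScor, or Lightning Console).
All hosts, alert lines and scan results below are constructed.
"""
import re
from collections import defaultdict

# Official entries are CVE-YYYY-NNNN and candidates CAN-YYYY-NNNN; the
# pattern also tolerates a missing hyphen ("CAN 1999-0554") as seen in print.
CVE_NAME_RE = re.compile(r"\b(CVE|CAN)[- ](\d{4})-(\d{4,})\b")
# Snort-style alert line: "... {TCP} src:port -> dst:port ..." (constructed format).
DEST_RE = re.compile(r"->\s*(\d+\.\d+\.\d+\.\d+)(?::\d+)?")
PRIORITY_RE = re.compile(r"\[Priority:\s*(\d+)\]")


def extract_cve_names(text):
    """Return normalized CVE/CAN names found in free text, sorted, without duplicates."""
    return sorted({f"{p}-{y}-{s}" for p, y, s in CVE_NAME_RE.findall(text)})


def load_scan_results(lines):
    """Parse 'host,cve-names' lines from a scanner export into {host: set(names)}."""
    findings = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, rest = line.partition(",")
        for name in extract_cve_names(rest):
            findings[host.strip()].add(name)
    return findings


def correlate_alert(alert_line, findings):
    """Classify one IDS alert against the scan findings for its target host."""
    names = extract_cve_names(alert_line)
    dest = DEST_RE.search(alert_line)
    prio = PRIORITY_RE.search(alert_line)
    target = dest.group(1) if dest else None
    result = {
        "target": target,
        "priority": int(prio.group(1)) if prio else None,
        "cve_names": names,
    }
    if not names:
        result["verdict"] = "no-cve-reference"    # cannot cross-link; manual triage
    elif target not in findings:
        result["verdict"] = "target-not-scanned"  # no scan data to confirm or refute
    else:
        hits = sorted(set(names) & findings[target])
        result["matched"] = hits
        result["verdict"] = "target-vulnerable" if hits else "target-not-vulnerable"
    return result


def correlate_alerts(alert_lines, findings):
    """Run every non-empty alert line through correlate_alert, keeping input order."""
    return [correlate_alert(line, findings) for line in alert_lines if line.strip()]


# --- constructed sample data (not real scanner output or IDS alerts) ---------
SCAN_EXPORT = """\
# host,cve-names (constructed scanner export)
192.168.1.10, CAN-2003-0715 CAN-2003-0660
192.168.1.20, CAN 1999-0554
"""

IDS_ALERTS = """\
[1:1001:1] constructed exploit attempt [**] [Priority: 1] {TCP} 10.0.0.5:3344 -> 192.168.1.10:135 [Xref => cve CAN-2003-0715]
[1:1002:1] constructed exploit attempt [**] [Priority: 1] {TCP} 10.0.0.5:3345 -> 192.168.1.20:135 [Xref => cve CAN-2003-0715]
[1:1003:1] constructed probe [**] [Priority: 2] {TCP} 10.0.0.5:3346 -> 192.168.1.30:80 [Xref => cve CAN-2002-0400]
[1:1004:1] constructed scan [**] [Priority: 3] {TCP} 10.0.0.5:3347 -> 192.168.1.10:22
"""

FINDINGS = load_scan_results(SCAN_EXPORT.splitlines())
REPORT = correlate_alerts(IDS_ALERTS.splitlines(), FINDINGS)

if __name__ == "__main__":
    for r in REPORT:
        print(r["verdict"], r["target"], r["cve_names"])
```

An alert whose target was never scanned or that carries no CVE name is kept and labelled rather than dropped, since the absence of a cross-link is itself a triage signal.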
Application Security, Inc. Makes CVE Compatibility Declaration
Application Security, Inc. has declared that its vulnerability assessment tool, AppDetective for MySQL, is CVE-compatible. Five other Application Security products are already listed as CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE to Host Booth at FIAC 2003
MITRE is scheduled to host a CVE/OVAL exhibitor booth at Federal Information Assurance Conference (FIAC) 2003 October 21st and 23rd at the University of Maryland University College Inn and Conference Center, Adelphi, Maryland, USA. The conference will expose CVE and OVAL to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government. Companies with CVE-compatible products and services will also be exhibiting.
MITRE's booth will be a CVE/OVAL booth. OVAL is Open Vulnerability Assessment Language, an effort by MITRE and the international information security community to standardize the way in which vulnerabilities are identified on computer systems. OVAL, which supports Windows, Solaris, and Linux, uses Structured Query Language (SQL) queries to identify the vulnerabilities on systems. It is these queries, called OVAL queries, and an official SQL-based OVAL Schema that serves to keep queries consistent and standardized, that the experts employ as their common language. OVAL queries are based on the CVE List. For each CVE entry, there are one or more OVAL queries. Many of the organizations participating in the OVAL effort are also involved in CVE. See the OVAL Web Site for more information about this community effort.
Visit the CVE Calendar page for information about FIAC 2003 and other upcoming events.
CVE to Host Booth at LISA 2003
MITRE is scheduled to host a CVE/OVAL exhibitor booth at LISA 2003 on October 29th and 30th at the Town & Country Resort and Convention Center, San Diego, California, USA. The conference will expose CVE and OVAL to ". . . a wide range of system and network administrators working in the full spectrum of computing environments: large corporations, small businesses, academic institutions, [and] government agencies . . . "
Visit the CVE Calendar page for information about LISA 2003 and other upcoming events.
Yokogawa Electric Corporation Makes CVE Compatibility Declaration
Yokogawa Electric Corporation has declared that its free vulnerability database, Security Intelligence Operation Studio (SIOS), and its commercially available vulnerability database, Security Intelligence Operation Studio (SIOS GOLD), are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.
CVE Names Included in Qualys' Real-Time Top Ten Vulnerabilities (RV10) List
CVE names are included as references for the top 10 "highest-risk" vulnerabilities as listed in Qualys Inc.'s free Real-Time Top Ten Vulnerabilities (RV10) list. RV-10 is a "dynamic list of the ten most critical and prevalent security vulnerabilities" that is "updated automatically and continuously from a statistically representative sample of a few thousand networks."
RV10, updated in real-time, includes the following information for each item it considers one of the ten "most critical and prevalent" security vulnerabilities: (1) the title of the vulnerability, and (2) the CVE Entry or CVE Candidate Number. Each item with a CVE name includes a direct link to that entry or candidate page on the CVE Web site.
Four Qualys products and services (QualysGuard, Qualys Browser Check, QualysGuard Intranet Scanner, and the QualysGuard SANS/FBI Top 20 Vulnerabilities Scanner) are listed on the CVE-Compatible Products and Services page.
CVE Mentioned in NIST Report about Testing Intrusion Detection Systems
CVE was mentioned in the USA National Institute of Standards and Technology (NIST) June 2003 NIST Interagency Report entitled "NIST IR: Testing Intrusion Detection Systems." NIST is a member of the CVE Editorial Board, and the NIST ICAT metabase is listed on the CVE-Compatible Products and Services page.
CVE is mentioned in a section of the report focusing on those measurements that can be made on intrusion detection systems (IDSs) that are "quantitative and that relate to detection accuracy." Specifically, CVE is mentioned with regard to the following observation: "This disparity concerning the proper level of granularity for viewing attacks makes it difficult to count the number of attacks that an IDS detects and to compare the coverage of multiple IDSs."
The authors state: "This problem is somewhat alleviated by the Common Vulnerabilities and Exposures (CVE), which is a standard list of virtually all known vulnerabilities [2]. However, the CVE approach does not solve this problem when multiple attacks are used to exploit the same vulnerability using different approaches to evade IDS systems. To address this issue, the CVE standards group has started a project to name attacks, but this work is still in the research stages." The footnote in the quote references the original paper on the creation of CVE, "Towards a Common Enumeration of Vulnerabilities," presented at the 2nd Workshop on Research with Security Vulnerability Databases at Purdue University in January 1999. This paper is available for download or review from the CVE Documents page.
CVE to Participate on Panel Discussion at E-Gov's Information Assurance Conference 2003
CVE Compatibility Lead Robert A. Martin will participate as a member of a panel discussion on "Strategies for Effective Information Assurance" at E-Gov's Information Assurance Conference 2003 on September 16, 2003 at the Ronald Reagan Building in Washington, D.C., USA. The focus of the talk will be "Vulnerability Assessment and Remediation" and will include a discussion of the "Common Vulnerability Exposure (CVE) naming standard and the Open Vulnerability Assessment Language (OVAL) queries. [Attendees will learn how their] enterprise incident management and remediation efforts can become more focused, efficient, and effective by using products, services, and methodologies that support these initiatives." The conference itself runs September 15th - 17th. Companies with CVE-compatible products/services will be exhibiting on the 17th.
WebZcan Makes CVE Compatibility Declaration
WebZcan has declared that its remote security services, WebZcan for Home Users and WebZcan for Business Users, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Solvent Solutions, Inc. Makes CVE Compatibility Declaration
Solvent Solutions, Inc. has declared that its distributed platform for security event analysis and policy enforcement, SolventView, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Mentioned in MITRE Digest Article
CVE was mentioned in an August 2003 MITRE Digest article about the Open Vulnerability Assessment Language (OVAL) effort entitled, "OVAL: A New Language to Determine the Presence of Software Vulnerabilities." The article describes what OVAL is and explains how OVAL improves vulnerability assessment for organizations. The article discusses the official, community-developed OVAL Schema, OVAL queries, the part CVE plays, and the community-involvement and community-endorsement aspect of the OVAL effort via the OVAL Board and the OVAL Community Forum.
OVAL, which supports Windows, UNIX, and Linux, uses Structured Query Language (SQL) queries to identify the vulnerabilities on systems. Called OVAL queries, each query is based on the vulnerabilities and exposures identified on the CVE List. For each CVE entry or candidate, there are one or more OVAL queries. Many of the organizations participating in the OVAL effort are also involved in CVE.
Open Security Project Translates CVE List into XML Format
The Open Security Project (OpenSec) has converted the CVE List into XML format and is offering it to the public for free on the OpenSec Web site. OpenSec is a "grassroots coalition with the aim of creating [open] standards to simplify the process of system management."
OpenSec's CVE in XML page offers three options for downloading the CVE List in XML: (1) CVE Entries (0.99 MB); (2) CVE Candidates (1.77 MB); and (3) "both files merged into one" (2.87 MB). The site also includes a description of what CVE is and provides multiple links to the CVE Web site. The downloads are mapped to the current version of the CVE List, CVE Version 20030402, which includes 2,573 official entries, and the 3,303 CVE Candidates that were listed at that time.
CVE is free to use and publicly available. You may search or download CVE, copy it, redistribute it, reference it, and analyze it, provided you do not modify CVE itself. You may also link to specific CVE entry and candidate pages from your Web site, product, publication, or other capability. Visit the Get CVE page to search or download the CVE entries and the candidates.
CVE Names Included in Sintelli Risk Index
CVE names are included as references for the "most important" vulnerabilities as listed in Sintelli Limited's Sintelli Risk Index. Available to Sintelli's customers and SINTRAQ e-newsletter subscribers, the index includes the following information for each item it considers an important vulnerability: (1) a Sintelli ID, or "SID"; (2) the "Vulnerability Name"; (3) the "Platform Affected"; and (4) the associated CVE Name or "CVE ID". The July index includes 29 entries, each of which has an associated CVE entry or CVE candidate number.
Sintelli's vulnerability alert service, Sintelli Alert!, and its Sintelli Vulnerability Database, are listed on the CVE-Compatible Products and Services page.
LEXSI Makes CVE Compatibility Declaration
LEXSI has declared that its vulnerability database, CSI, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
scip AG Makes CVE Compatibility Declaration
scip AG has declared that )PALLAS(, its vulnerability notification consulting service, and Verletzbarkeits-Datenbank, its vulnerability database, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
130 Information Security Products and Services Now Listed on the CVE Web Site
Information about numerous information security products and services can be found in the CVE-Compatible Products and Services section of the CVE Web site. 130 are listed to-date, all of which have been declared CVE-compatible or are in the process of being made CVE-compatible by 87 organizations from industry, government, and academia worldwide.
"CVE-compatible" means that a product or service uses CVE names in a way that allows it to cross-link with other repositories that also use CVE names, as documented in the CVE compatibility requirements. Each item listed on the CVE Web site includes a link to the organization's homepage, the product or service name, type of product, link to the product homepage, and a notation of the specific point in the CVE Compatibility Process each product or service has reached. Many organizations have multiple products and services listed. For additional usability, they are also listed by product type, product name, organization, and country. Product types include vulnerability databases; security archives and advisories; vulnerability assessment and remediation; intrusion detection, management, monitoring, and response; incident management; data and event correlation; educational materials; and firewalls.
Visit the CVE-Compatible Products and Services page to review information about CVE compatibility, and on all 130 information security products and services.
CVE Hosts Booth at GOVSEC 2003
MITRE hosted a CVE/OVAL exhibitor booth at GOVSEC 2003 on July 23rd and 24th at the Washington Convention Center, Washington D.C., USA. The conference exposed CVE and OVAL to security professionals from U.S. federal, state, and local governments responsible for information security, cyber security, and physical security. Organizations with CVE-compatible products/services also exhibited. Visit the CVE Calendar page for information about upcoming events.
CVE Names Included in ISS' X-Force Catastrophic Risk Index
CVE names are included as references for the "high-risk" vulnerabilities as listed in Internet Security Systems' (ISS) free X-Force Catastrophic Risk Index. The Catastrophic Risk Index, or CRI, is "an always up-to-date list of the most serious, high-risk vulnerabilities and attacks." CRI "enables cost effective and proactive protection around threats and vulnerabilities that pose the greatest risk to confidentiality, integrity, and availability of critical business systems and applications."
The CRI, issued on a quarterly basis, includes the following information for each item it considers a high-risk vulnerability or attack threat: (1) an X-Force advisory "Reference Number", (2) the "Catastrophic Risk Name" for the vulnerability or attack, (3) a brief "Description" of the vulnerability or attack, and (4) the associated "CVE Name". The June CRI includes 31 entries, each of which has an associated CVE entry or CVE candidate number that includes a direct link to that entry or candidate page on the CVE Web site.
Internet Security Systems is a member of the CVE Editorial Board, and six (6) ISS products and services, including X-Force Alerts and Advisories and the X-Force Database, are listed on the CVE-Compatible Products and Services page.
Intellitactics, Inc. Makes CVE Compatibility Declaration
Intellitactics, Inc. has declared that its integrated threat management platform, Network Security Manager, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Called "Industry Norm" for Vulnerability Names on TechWorld.com
CVE was referred to as the "industry norm" for vulnerability names in a July 1, 2003 article on TechWorld.com entitled "X-Force blasts computer monsters: Catastrophic Risk Index a new tool in network security." In the article, which is a discussion of Internet Security Systems' X-Force Catastrophic Risk Index, the author makes the reference to CVE in a section about what information is included in the index: "Each vulnerability comes with an ISS reference number, the risk name, a brief description and the industry-norm CVE (Common Vulnerabilities and Exposures) and CAN (candidate vulnerability) numbers. Hypertext links connect to full information about the vulnerability and how to deal with it."
"CVE Announce" e-Newsletter Adds 700+ New Subscribers
Since November, an additional 733 information security professionals and others have subscribed to the CVE-Announce e-newsletter, bringing the total to 3,866 subscribers. CVE-Announce is free, issued once every two weeks or less, and provides general news about CVE such as new versions, new compatible product vendors, upcoming conferences, new Web site features, etc.
CVE-Announce has an extensive international audience. Based upon email addresses, the following six countries are newly represented since November by 11 new subscribers: Belarus (2), Bosnia-Herzegovina (1), Luxembourg (1), Niue (1), Pakistan (3), Slovenia (1), and Vietnam (2). Again based upon email addresses, the following 43 previously represented countries have added 283 new subscribers since November: South Africa (2), Argentina (4), Austria (8), Australia (10), Belgium (4), Brazil (25), Canada (9), Chile (1), China (3), Costa Rica (2), Croatia (1), Czechoslovakia (7), Denmark (3), Estonia (1), Germany (19), France (11), Greece (3), Hong Kong (3), Hungary (1), Ireland (1), India (5), Italy (30), Japan (26), South Korea (8), Mexico (6), Netherlands (8), Norway (1), Peru (1), Philippines (3), Poland (11), Portugal (2), Romania (2), Russia (15), Singapore (6), Slovak Republic (1), Spain (6), Sweden (3), Switzerland (3), Taiwan (2), Thailand (5), Turkey (2), Ukraine (1), and United Kingdom (17). Finally, there have also been an additional 439 subscribers from general USA Internet domains (i.e., com, net, mil, org, edu, and gov).
In addition to CVE-Announce, users may also subscribe to CVE-Data-Update for technical updates. Intended for technical users of CVE such as vulnerability database maintainers or those who require timely notification of new candidates, the CVE-Data-Update e-newsletter is issued once per week or less and provides subscribers with reports of new CVE entries and/or candidates and other detailed technical information regarding CVE.
You may sign up for either or both free e-newsletters to receive information and updates directly in your mailbox.
CVE Mentioned in Computerworld Article about Protecting Against Network Security Vulnerabilities
CVE was mentioned as an information resource in a Computerworld article entitled "Strategies to protect against network security vulnerabilities" by Carl Banzhof, CTO of Citadel Security Software. Citadel is listed on the CVE-Compatible Products and Services page, and Banzhof is a member of the CVE Editorial Board and the OVAL Board. In the article, Banzhof outlines five best practices for vulnerability remediation that can help administrators assess their current risk, as well as "take steps to prepare their vulnerability defense with minimal interruption to current processes and lay the groundwork to proactively address future vulnerabilities (with their current IT staff) before they are exploited."
Banzhof identifies the following five steps as "crucial to helping administrators": (1) Identification/Discovery of Systems, (2) Vulnerability Assessment, (3) Vulnerability Review, (4) Vulnerability Remediation, and (5) Ongoing Vulnerability Management.
CVE is mentioned in two instances. In step 2, Banzhof states: "Information on commercial scanners can be found on the Common Vulnerabilities and Exposures (CVE) Web site." Banzhof also provides a similar reference in step 4, in which he states: "The [CVE] Web site is also a good resource for finding information about [vulnerability remediation] tools."
Numerous information security tools and services are listed in the CVE-Compatible Products and Services section of the CVE Web site. To date, 130 information security products and services have been declared CVE-compatible or are in the process of being made CVE-compatible by 86 organizations from industry, government, and academia worldwide. Compatible products and services are listed by product type, product name, organization, and country. Product types include vulnerability databases; security archives and advisories; vulnerability assessment and remediation; intrusion detection, management, monitoring, and response; incident management; data and event correlation; educational materials; and firewalls.
CVE Editorial Board Member Mark Cox to Present Briefing that Includes CVE and OVAL at LinuxWorld
CVE Editorial Board member Mark Cox of Red Hat Linux is scheduled to present a briefing that includes CVE and OVAL at the LinuxWorld Conference & Expo on August 7th at the Moscone Center, San Francisco, California, USA. The talk, entitled "Security Response and Vendor Accountability for Open Source Software," is targeted to IT and security managers and other professionals responsible for analyzing and responding to security issues. Part of the talk will examine how MITRE's CVE and OVAL projects can be used to manage security risks in an enterprise. The conference itself is scheduled from August 4th-7th.
Sintelli Limited Makes CVE Compatibility Declaration
Sintelli Limited has declared that its Sintelli Vulnerability Database is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Recommended as Deciding Factor in Adopting Security Tools in Federal Computer Week Product Review
CVE was recommended as a deciding factor in choosing vulnerability scanning tools in a product review article entitled "Vulnerability scanning: It's all about control" in the June 9, 2003 issue of Federal Computer Week. The article was a review of Qualys Inc.'s QualysGuard Intranet Scanner, which was compared to Nessus Security Scanner from The Nessus Project. According to the authors, "A vulnerability scanner is the best tool for ensuring that all of your users are following security policies and applying all the patches."
The authors mention CVE as part of the product review: "Both QualysGuard and Nessus arrange reports by the industry-standard list of Common Vulnerabilities and Exposures (see www.cve.mitre.org for more information)." The authors then go on to make the following statement: "We recommend against buying any product that does not comply with [the CVE] standard."
The Nessus Project is a member of the CVE Editorial Board, and both the Nessus Project's Nessus Security Scanner and Qualys Inc.'s QualysGuard Intranet Scanner are listed on the CVE-Compatible Products/Services page.
CVE Co-Creator Steve Christey Comments on OIS's Responsible Vulnerability Reporting Guidelines in Security Wire Digest
A quote by Steve Christey, co-creator and editor of the CVE List, was included in an article entitled "Can Vulnerability Disclosers Agree?" in the June 9, 2003 issue of Security Wire Digest. The focus of the article is the draft responsible disclosure guidelines by The Organization for Internet Safety (OIS) entitled "Security Vulnerability Reporting and Response Process," which was made available for public comment on the OIS Web site.
Christey states: "There are widely varying opinions on how to address this sort of process." The author then notes that Christey thinks that if professional researchers do adopt the OIS responsible disclosure guidelines, " . . . others will follow by example."
The OIS responsible vulnerability disclosure document is described in the article as follows: "Among the 37-page report's guidelines: vendors acknowledge receipt of a report within seven days, then update status with the vulnerability reporter every seven days; list clear contact information on vendor Web sites for reporting vulnerabilities; and vendors vigilantly monitor several email addresses (such as support) for submissions. The report also recommends 30 days from first notification as a reasonable starting point for all parties to agree upon before public disclosure. It offers that length of time as a way to balance the vulnerability's risk with the challenge of engineering a remedy."
The document is available for review and comment at http://www.oisafety.org until July 4th.
Check Point Software Technologies, Ltd. Makes CVE Compatibility Declaration
Check Point Software Technologies, Ltd. has declared that its scalable VPN and firewall, VPN-1/FireWall-1 with SmartDefense, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE to Host Booth at GOVSEC 2003
MITRE is scheduled to host a CVE/OVAL exhibitor booth at GOVSEC 2003 on July 23rd and 24th at the Washington Convention Center, Washington D.C., USA. The conference will expose CVE and OVAL to those security professionals from U.S. federal, state, and local governments responsible for information security, cyber security, and physical security. Information security personnel in attendance will include system administrators, network managers, IS managers, CIOs, information risk managers, cryptographers, and telecom managers. Companies with CVE-compatible products/services will also be exhibiting.
MITRE's booth will be a CVE/OVAL booth. OVAL is Open Vulnerability Assessment Language, an effort by MITRE and the international information security community to standardize the way in which vulnerabilities are identified on computer systems. OVAL, which supports Windows, Solaris, and Linux, uses Structured Query Language (SQL) queries to identify the vulnerabilities on systems. These queries, called OVAL queries, together with an official SQL-based OVAL Schema that keeps them consistent and standardized, are the common language the experts employ. OVAL queries are based on the CVE List: for each CVE entry, there are one or more OVAL queries. Many of the organizations participating in the OVAL effort are also involved in CVE. See the OVAL Web Site for more information about this community effort.
Visit the CVE Calendar page for information about GOVSEC 2003 and other upcoming events.
Software in the Public Interest, Inc. Makes CVE Compatibility Declaration
Software in the Public Interest, Inc. has declared that its Debian Security Advisories are CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Department of Homeland Security/NIPC Includes CVE Candidate Number in Security Advisory
The U.S. Department of Homeland Security's National Infrastructure Protection Center (NIPC) released a security advisory that included a candidate number (CAN). An advisory on March 3, 2003 entitled "Advisory 03-004: Remote Sendmail Header Processing Vulnerability" identified CAN-2002-1337. On March 1st, NIPC became part of the Information Analysis and Infrastructure Protection (IAIP) Directorate under the Department of Homeland Security. NIPC is a "national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity," providing "timely warnings of international threats, comprehensive analysis, and law enforcement investigation and response."
To date, more than 870 CANs have appeared in vulnerability advisories from 39 organizations. Including CANs in security advisories ensures the community benefits by having CVE names as soon as the problem is announced.
See Vulnerability Alerts/Announcements for a list of all organizations that are including or have included CANs in their security advisories.
Ubizen Makes CVE Compatibility Declaration
Ubizen has declared that its vulnerability assessment service, OnlineGuardian IQ, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
SecurityTracker Makes CVE Compatibility Declaration
SecurityTracker has declared that its SecurityTracker database of vulnerability alerts is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Network Intelligence India Pvt. Ltd. Makes CVE Compatibility Declaration
Network Intelligence India Pvt. Ltd. has declared that its vulnerability assessment tool, AuditPro for SQL Server, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Numerous Organizations Reference CVE Candidate Numbers in Security Advisories
Six organizations recently referenced CVE candidate numbers (CANs) in their security advisories: The OpenPKG Project, Core Security Technologies, Digital Defense Inc., Gentoo Linux, Beyond Security, and KDE e. V.
The OpenPKG Project issued a security advisory on May 16, 2003 that identified CAN-2003-0255. Numerous other OpenPKG Project advisories also include CANs.
Core Security Technologies issued a security advisory on May 5, 2003 that identified CAN-2003-0235, CAN-2003-0236, CAN-2003-0237, CAN-2003-0238, and CAN-2003-0239. Numerous other CoreLabs advisories also include CANs.
Digital Defense issued a security advisory on April 7, 2003 that identified CAN-2003-0201. Numerous other advisories posted on the site also include CANs.
Gentoo Linux issued a security advisory on March 4, 2003 that identified CAN-2003-0190. Other advisories also include CANs.
Beyond Security issued a security advisory on November 12, 2002 that identified CAN-2002-1345 and CAN-2002-1344. Other advisories posted on the site also include CANs.
KDE e. V. issued a security advisory on October 10, 2002 that identified CAN-2002-0838.
See Vulnerability Alerts/Announcements for a complete list of organizations that are including or have included CANs in their security advisories.
CVE Presents Paper at New England Chapter of ISSA
Robert A. Martin, CVE Compatibility Lead, presented a briefing on CVE and OVAL entitled "Assessing Vulnerabilities, A New Standard For Computer Vulnerability Assessment" at the New England Chapter of the International Systems Security Association (ISSA) in Littleton, Massachusetts, USA, on May 20th. Visit the CVE Calendar page for information on this and other upcoming events.
CVE Initiative Announces Expanded CVE Compatibility Process and New Compatibility Logo
MITRE has created a newly expanded "CVE Compatibility Process" for organizations wishing to make their products or services CVE-compatible. The new process includes formal compatibility evaluations, the posting of questionnaires citing how the organizations have satisfied the CVE compatibility requirements, and a "branding program" with an official CVE compatibility logo for vendors to include with their products and for system administrators and other security professionals to look for when adopting vulnerability management products and services for their enterprise.
Specifically, the expanded CVE Compatibility Process involves two phases:
(1) Declaration Phase: The organization declares its intent to make its product(s) and/or service(s) CVE-compatible by providing MITRE with such basic information as company name and contact information, the type of product, and the name of the product or service. Once the declaration is reviewed, the organization will be listed on the CVE-Compatible Products/Services pages of the CVE Web site, provided the products or services are commercially available when we post the declaration.
(2) Evaluation Phase: The organization completes a "CVE Compatibility Requirements Evaluation" questionnaire that specifically states the details of how the organization has satisfied the "Requirements and Recommendations for CVE Compatibility" document. While the second phase takes more effort than the first, it has been designed to minimize the expense for both the submitting organization and MITRE. This approach avoids an evaluation process that would make it too expensive for freeware or smaller software vendors to obtain compatibility. By using the questionnaire and statement of compatibility, the level of effort is kept reasonable, while making a good effort to verify that the submitting organization properly understands and correctly implements the CVE compatibility requirements. (An organization must complete phase 1 before starting phase 2.)
This new compatibility process, which ultimately includes publication of the organization's statement on the CVE Web site and a CVE compatibility logo for use on their products or services, allows end users and prospective customers of CVE-compatible products and services to compare how different products satisfy the compatibility requirements and which specific implementations are best for their networks and systems. Note also that as part of the expanded process, the listings of compatible products and services on the CVE Web site by product type, product name, organization, and country now include a "Status" column to indicate the specific point in the compatibility process that the product has reached.
Netcraft Ltd. Makes CVE Compatibility Declaration
Netcraft Ltd. has declared that its managed vulnerability scanning service, Netcraft Network Examination Service, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Preventsys, Inc. Makes CVE Compatibility Declaration
Preventsys, Inc. has declared that its vulnerability assessment and remediation product, Preventsys Automated Audit and Policy Assurance System, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE FAQs Section Updated and Expanded
The Frequently Asked Questions section of the CVE Web site has been updated with 16 new questions and answers, for a total of 52 questions, up from 36, and the categories have increased from 4 to 7. The updates and new information will help our users better understand the CVE Initiative, using and getting information from the CVE List and candidates, CVE compatibility, the CVE Editorial Board, and the CVE Senior Advisory Council.
Sample new questions include:
Portions of this new information are in direct response to user feedback and suggestions about the CVE List, the CVE Web site, and the CVE Initiative in general. Please send comments and suggestions to cve@mitre.org.
CVE to Present Paper at New England Chapter of ISSA
Robert A. Martin, CVE Compatibility Lead, will present a briefing on CVE and OVAL entitled "Assessing Vulnerabilities, A New Standard For Computer Vulnerability Assessment" at the New England Chapter of the International Systems Security Association (ISSA) in Littleton, Massachusetts, USA, on May 20th.
ISSA "is a not-for-profit international organization of information security professionals and practitioners" that aims to educate and provide peer interaction opportunities to "enhance the knowledge, skill, and professional growth of its members."
Visit the CVE Calendar page for information on this and other upcoming events.
CVE Senior Advisory Council Holds Meeting
The CVE Senior Advisory Council held a meeting on Wednesday, April 30, 2003. The meeting included status updates on the CVE Initiative, status updates on the OVAL effort, and a report on the current work of the Center for Internet Security. The relationship of CVE names and OVAL queries to integrating vulnerability information, security policy, and configuration guide activities was also reviewed.
Secunia-Stay Secure Makes CVE Compatibility Declaration
Secunia-Stay Secure has declared that its Secunia Security Advisories are CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Telsinc Security Makes CVE Compatibility Declaration
Telsinc Security has declared that its vulnerability assessment services, Telsinc Global Security, Telsinc Internet Security, and Telsinc Network Security, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Specified as a Resource Link for Security Researchers on Network World Fusion Web site
CVE was included as a Resource Link for security researchers on NetworkWorldFusion.com. The listing includes a brief description of what CVE is, a link to the CVE Web site, and an opportunity for visitors to "rate" CVE as a resource.
eWeek Labs Product Review of Intranet Scanner Mentions CVE
A product review entitled "QualysGuard Spots, Reports Flaws" in the April 7, 2003 issue of eWeek Labs mentions CVE when describing one of the product's main features. The author mentions CVE when discussing how Qualys Inc.'s QualysGuard Intranet Scanner analyzes data off-site and makes reports available to administrators via a Web interface. The author states: "As we applied security fixes, vulnerabilities . . . were closed and reported fixed by QualysGuard [in the Web interface]. In this version, report data is normalized to the Common Vulnerabilities and Exposures list of standardized names (see www.cve.mitre.org for more information). Security administrators who are already using this popular site to categorize vulnerabilities and security exposures can easily fit QualysGuard scans into their workflow."
Qualys' QualysGuard Intranet Scanner and three other Qualys products are listed on the CVE-Compatible Products/Services page.
CVE Presents Paper at RSA Conference 2003
Robert A. Martin, CVE Compatibility Lead, presented his paper on CVE entitled "Common Vulnerabilities and Exposures (CVE) - Managing Vulnerabilities in COTS and Open Source through an International Standards Initiative" at RSA Conference 2003 in San Francisco, California, USA, on April 17th. The presentation was well received with attendees gaining an understanding of how the CVE standard and CVE-enabled products, services, and methodologies are making enterprise security management more predictable, structured, and effective. Visit the CVE Calendar page for information on other upcoming events.
CVE List Surpasses 2,500 Entries Milestone!
CVE Version 20030402 has just been released. It has 350 new entries for a total of 2,573 official CVE entries now available on the CVE List. In addition to official entries, the CVE Web site also includes 3,109 candidates. CVE candidate numbers reflect breaking and newly discovered vulnerability information that may be of special or immediate concern to the public, while official entries are considered mature and reviewed information. A report is available to identify the differences between this version and the previous version, 20020625.
The CVE Editorial Board determines which candidates become official CVE entries. Candidates, which are those vulnerabilities and exposures under consideration for acceptance into CVE by the Board, are created in two ways. The first is from the approximately 150-500 new submissions per month that MITRE receives from the organizations that serve as its data sources (Internet Security Systems, SecurityFocus, Neohapsis, and the U.S. National Infrastructure Protection Center); MITRE creates new candidates from these submissions. The second is through the 30-70 specific candidates reserved each month by the CVE Candidate Numbering Authorities (CNAs). CNAs, which are organizations or individuals authorized by MITRE to reserve candidates before a new vulnerability or exposure is publicly known, assign the candidates to issues and include them in their vendor and security community alerts and advisories. Because newly discovered vulnerability information is submitted to MITRE so frequently, the candidates listed on the site are updated more often than the official CVE Versions, which are released approximately once per quarter.
In total, including candidates and official entries, there are now 5,682 unique issues with publicly known names available on the CVE Web site. CVE is publicly available and free to use. Use Get CVE to view, search, or download the official CVE List or the candidates.
CVE to Present Paper at ISSA Innovative Security Technologies Conference
Robert A. Martin, CVE Compatibility Lead, will present a briefing on CVE and OVAL entitled "Assessing Vulnerabilities, A New Standard For Computer Vulnerability Assessment" at the International Systems Security Association's (ISSA) Innovative Security Technologies Conference in Arlington, Virginia, USA, on April 23rd.
ISSA "is a not-for-profit international organization of information security professionals and practitioners" that aims to educate and provide peer interaction opportunities to "enhance the knowledge, skill, and professional growth of its members."
Visit the CVE Calendar page for information on this and other upcoming events.
New User Documentation Added to the CVE Web Site
Four new pages have been added to the CVE Web site to better help our users understand the processes and procedures involved in managing the CVE Initiative and maintaining the CVE List and candidates. This new documentation includes the following pages:
CVE Candidates Explained - Describes what a CVE "candidate" is; the two ways new security issues become candidates; how long it takes for candidates to become official CVE entries; how candidates are affected by CVE "content decisions"; and how to find out when new candidates are added to the CVE site.
How We Build the CVE List - Explains that building the CVE List is divided into three stages: the initial submission stage, the candidate stage, and the entry stage; discusses deletions in the CVE List and the candidates; and provides an illustrated example of growth in the CVE List over time. This page also notes that MITRE is solely responsible for the submission stage but is dependent on its data sources for the submissions, and that the CVE Editorial Board shares the responsibility for the candidate and entry stages though the entry stage is primarily managed by MITRE as part of normal CVE maintenance.
Candidate Numbering Authorities - Includes an introduction to the candidate reservation process; defines Candidate Numbering Authorities (CNAs); provides the requirements for being a CNA; describes CNA tasks; explains the communication requirements from the CNA to MITRE; defines the role of vendor liaisons; and explains the researcher's responsibilities in the process.
CVE Content Decisions - Explains that there are two major types of CVE content decisions: Inclusion, which specifies whether a vulnerability or exposure should go into CVE, and Abstraction, which specifies at what level of abstraction (i.e., level of detail) a vulnerability should be described. This page also gives examples of two of the most commonly used CDs: "CD:SF-LOC: multiple security flaws in the same executable, but possibly in different lines of code," and "CD:SF-EXEC: multiple executables exhibiting the same problem."
Portions of this new information are in direct response to user feedback and suggestions about the CVE List, the CVE Web site, and the CVE Initiative in general. Please send comments and suggestions to cve@mitre.org.
Network Box Corporation Makes CVE Compatibility Declaration
Network Box Corporation has declared that its Network Box Internet Threat Protection Device, and its vulnerability database, security advisories and archives capability, the Network Box Web Site, will be CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Application Security, Inc. Makes CVE Compatibility Declaration
Application Security, Inc. has declared that its vulnerability assessment tool, AppDetective for the Enterprise, is CVE-compatible. Five other Application Security products are already listed as CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE to Present Paper at RSA Conference 2003
Robert A. Martin, CVE Compatibility Lead, will present his paper on CVE entitled "Common Vulnerabilities and Exposures (CVE) - Managing Vulnerabilities in COTS and Open Source through an International Standards Initiative" at RSA Conference 2003 in San Francisco, California, USA, on April 17th. Attendees will gain an understanding of how the CVE standard and CVE-enabled products, services, and methodologies are making enterprise security management more predictable, structured, and effective.
The conference, which will run April 13-17, is targeted to IT professionals, developers, policy makers, executives, and government professionals from organizations interested in deploying, developing, or investigating data security or cryptography products. Visit the CVE Calendar page for information on this and other upcoming events.
CVE Included in Article about OVAL in IEEE Software Magazine
CVE was included in an article about MITRE's Open Vulnerability Assessment Language (OVAL) entitled "Software Language Should Help Protect Networks from Hackers" in the March/April 2003 issue of IEEE Software magazine. In the article the author describes what OVAL is, how it builds upon the CVE Initiative, mentions the importance of information security community involvement and participation in the development of OVAL queries, and includes links to the OVAL and CVE Web sites.
Regarding CVE, the author states: "The [OVAL] language builds upon the Common Vulnerabilities and Exposures (www.cve.mitre.org), a dictionary of standard names and descriptions of existing information security openings. OVAL is a natural follow on that will eliminate most ambiguity that currently plagues IT managers who are always on the lookout for the latest entry points for hackers."
The author also states: ". . . OVAL's big benefit is that it provides another avenue for [technologists and programmers] to share ideas. Many of these companies are working on the same problems at the same time, developing proprietary ideas. At times this work is redundant; at other times, the ideas could be enhanced if more programmers were aware of them." The author further states: "Once these programmers use OVAL to create tools for locating vulnerabilities, their customers should find it much easier to prevent viruses, worms, and hackers from wreaking havoc on their systems."
CVE Exhibits at MISTI's InfoSec World 2003
MITRE hosted a CVE/OVAL exhibitor booth at MIS Training Institute's (MISTI) InfoSec World Conference 2003, March 10-11 at Disney's Coronado Springs Resort, Lake Buena Vista, Florida, USA. The conference was successful and introduced CVE, CVE-compatible products and services, and MITRE's Open Vulnerability Assessment Language (OVAL) to a diverse audience of information security professionals from the banking, finance, real estate, insurance, and health care industries, among others. See photos below.
MandrakeSoft S.A. Makes CVE Compatibility Declaration
MandrakeSoft S.A. has declared that its Mandrake Linux Security Advisories are CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
TraceSecurity, Inc. Makes CVE Compatibility Declaration
TraceSecurity, Inc. has declared that its vulnerability lifecycle management utility, TS:TraceAudit, and its vulnerability and malicious code alert service, TS:PatchPortal, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Listed in Business 2.0 Magazine's "Security Technology Web Guide"
CVE is included in Business 2.0 magazine's "Security Technology Web Guide" on the business2.com Web site. The guide lists the magazine's top 23 security technology picks in alphabetical order, of which CVE is number 15. The listing includes a link to the CVE Web site and the following description: "MITRE Corporation: Common Vulnerabilities and Exposures-List of standardized names for vulnerabilities and other information security exposures. The goal of CVE is to make it easier to share data across separate vulnerability databases and security tools. Use online or download."
Also included on the list are CVE Editorial Board members CERT/CC (#3), eSecurityOnline.com (#6), Microsoft (#14), SANS (#18), and SecurityFocus (#20). Four of these organizations (CERT/CC, eSecurityOnline.com, SANS, and SecurityFocus) are also listed on the CVE-Compatible Products/Services page.
CVE Mentioned in SPARC Product Directory News Article about Harris' New STAT Scanner Incorporating the FedCIRC Vulnerabilities List
CVE was mentioned in a February 19, 2003 news article on the SPARC Product Directory Web site entitled "Harris Corporation Computer Security Tool Now Includes Department of Homeland Security Vulnerabilities List". The article, excerpted from a Harris press release, states that Harris Corporation is the first company in the industry to add the list of computer vulnerabilities published by the Federal Computer Incident Response Center (FedCIRC) to its vulnerability assessment tool. The article also states that ". . .STAT Scanner searches for vulnerabilities from several other sources, including the MITRE Common Vulnerabilities and Exposures (CVE) List, the SANS/FBI Top 20 vulnerabilities list, the CERT list, and the Information Assurance Vulnerability Alerts (IAVAs) issued by the DOD and all the military branches." Read the Harris press release.
FedCIRC and Harris Corporation are both members of the CVE Editorial Board, and Harris' STAT Scanner is listed on the CVE-Compatible Products/Services page.
CVE Referenced in California Computer News Magazine Article about Computer Worm
CVE was referenced in the January 27, 2003 issue of California Computer News Magazine in an article about the "SQL Slammer" worm. In the article entitled "Worm Hits Internet" the author identifies CAN-2002-0649 and concludes the article with the following under Additional Information: "The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2002-0649 to this issue. This is a candidate for inclusion in the CVE List (https://cve.mitre.org), which standardizes names for security problems."
CVE Mentioned in Information Security Magazine Article about More Granular Security Alerts
CVE was mentioned in an article in the February 2003 issue of Information Security Magazine about refining the dissemination of vulnerability alerts and security advisories to "[help] organizations make sense of the daily torrent of virtually unrefined information." In the article entitled "Groups Develop Granular Security Info" the author mentions CVE when discussing how MITRE's OVAL project addresses this problem: "Similarly, the keepers of the Common Vulnerabilities and Exposures list recently launched Open Vulnerability Assessment Language (OVAL) which builds upon CVE to create a means for making vulnerability alerts more applicable to individual enterprises."
The author describes how OVAL works as a community effort and quotes CVE project leader Margie Zuk on the link between CVE and OVAL: "It's the logical next step. CVE was the beginning of trying to bring some order, and [OVAL] is aimed at improving things." The author explains that while a large amount of information is exchanged at a general level, it contains little detailed technical information about how to detect whether a given vulnerability exists on an organization's own network, and that OVAL addresses this. He also notes that OVAL addresses the problem of system administrators running various diagnostic software programs to determine if vulnerabilities are present but then getting different answers from the different programs.
The author concludes the article with a quote from co-creator and editor of the CVE List Steve Christey, who states: "[OVAL] brings us one step closer to demystifying and improving how vulnerabilities can be detected on computer systems. It raises the bar by actually creating a bar."
MITRE to Host CVE/OVAL Booth at InfoSec World Conference 2003 March 10-11
MITRE is scheduled to host a CVE/OVAL exhibitor booth at MIS Training Institute's (MISTI) InfoSec World Conference 2003, at Disney's Coronado Springs Resort, Lake Buena Vista, Florida, USA, March 10-11. The conference will expose CVE and OVAL to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals. In addition, numerous companies with CVE-compatible products/services will be exhibiting.
Visit the CVE Calendar page for information on this and other upcoming events.
NIST Bulletin Advocates Security Patches and CVE Names as Tools to Address Computer System Vulnerabilities
CVE was recommended as a tool to address system vulnerabilities in an Information Technology Laboratory Bulletin from the USA National Institute of Standards and Technology (NIST) entitled "Security Patches and the CVE Vulnerability Naming Scheme: Tools to Address Computer System Vulnerabilities." The bulletin, released in October 2002, calls CVE an "emerging industry standard that has achieved wide acceptance by the security industry and a number of government organizations."
The author describes what CVE is and isn't, discusses CVE-compatible products and services and the CVE compatibility requirements, and provides multiple links to the CVE Web site. The article also offers and explains NIST's "Guidelines for Use of the CVE Vulnerability Naming Scheme":
Detailed information is available from NIST "Special Publication 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" and "Special Publication 800-40, Procedures for Handling Security Patches" on NIST's Computer Security Resource Center (CSRC) Web site. NIST is a member of the CVE Editorial Board, and the NIST ICAT metabase is listed on the CVE-compatible products/services page.
Sintelli Limited Makes CVE Compatibility Declaration
Sintelli Limited has declared that its vulnerability alert service, Sintelli Alert!, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
e-Project srl Makes CVE Compatibility Declaration
e-Project srl has declared that its vulnerability assessment and remediation service, Scan-edge, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE to Present Paper at Delphi Summit on February 10th
Robert A. Martin, CVE Compatibility Lead, will present his paper on CVE entitled "Integrating Security Vulnerability Management Using the CVE Initiative" at the Delphi Summit in Coronado Island, California, USA, on February 10th. Attendees will gain an understanding of how CVE will help enterprise security management become more predictable, structured, and effective through CVE-enabled information security products, services, and methodologies.
The conference, which will run February 10-12, is targeted to policy and decision makers, product managers, R&D managers, and other professionals and managers from industry, government, and not-for-profit organizations. The summit will focus on business architectures that integrate and consolidate diverse IT solutions in the areas of enterprise portals, content/document/knowledge management, information access and retrieval, real time enterprise/team collaboration, and process support and integration.
Visit the CVE Calendar page for information on this and other upcoming events.
MITRE Hosts CVE Booth at 7th Annual Information Assurance (IA) Workshop, January 28 - 30
MITRE hosted a CVE/OVAL exhibitor booth at the Defense Information Systems Agency (DISA) and National Security Agency (NSA) "7th Annual Information Assurance (IA) Workshop" in Williamsburg, Virginia, USA, January 28th-30th. The purpose of the workshop was to "provide a forum in which the IA community can provide updates and work issues on relevant IA topics" that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event was successful and introduced CVE and OVAL to representatives of the DOD and other Federal Government employees and their sponsored contractors.
CVE Co-Creator Steve Christey Comments on OWASP's Top Ten Common Security Vulnerabilities Document
A quote by Steve Christey, co-creator and editor of the CVE List, was included in the commentary section of the "Top Ten Most Critical Web Application Security Vulnerabilities" document released January 13, 2003 by the Open Web Application Security Project (OWASP). The document describes each of the top ten Web vulnerabilities as defined by OWASP, the environments affected for each, and provides examples and references to illustrate them. The document also explains how to determine if your system is vulnerable from each and how to protect it.
Christey is quoted as follows: "This list is an important development for consumers and vendors alike. It will educate vendors to avoid the same mistakes that have been repeated countless times in other Web applications. But it also gives consumers a way of asking vendors to follow a minimum set of expectations for Web application security and, just as importantly, to identify which vendors are not living up to those expectations."
OWASP is an international open source community initiative for "developing software tools and knowledge-based documentation that helps people secure Web applications and Web services."
CVE Noted as a Standard in InfoWorld Article about Managing Security-Related Technologies
CVE was noted as an information security standard in a January 10, 2003 article about managing security-related technologies in InfoWorld. In the article entitled "Managing it all" the author includes CVE in a section about data management, integration, and scalability in which the author states: "Efforts are under way to develop standardized security-event representations, including the CVE (Common Vulnerabilities and Exposures) project and those under way at the Computer Emergency Response Team (CERT) Coordination Center." CERT is a member of the CVE Editorial Board, is listed on the CVE-Compatible Products/Services page, and includes CANs in its security advisories.
CVE Senior Advisory Council Holds Meeting
The CVE Senior Advisory Council held a meeting on Tuesday, January 7, 2003. The meeting emphasized the synergistic relationships of CVE names and OVAL queries with integrating vulnerability and configuration guide activities, FedCIRC's Patch Dissemination System, and the Enterprise Mission Assurance Support System (EMASS).
Foundstone, Inc. Includes CVE Candidate Numbers in Security Advisories
Foundstone, Inc. has released security advisories that include CVE candidate numbers (CANs). An advisory on December 18, 2002 provided information about a problem involving CAN-2002-1327, and a second advisory on December 18, 2002 provided information about a problem involving CAN-2002-1176 and CAN-2002-1177, among many other advisories.
To date, more than 700 CANs have appeared in vulnerability advisories from 31 organizations. Including CANs in security advisories ensures the community benefits by having CVE names as soon as the problem is announced.
Foundscan is also listed on the CVE-Compatible Products/Services page. See Vulnerability Alerts/Announcements for a list of all organizations that have included or are including CANs in their security advisories.
iDEFENSE, Inc. Includes CVE Candidate Numbers in Security Advisories
iDEFENSE, Inc. has released security advisories that include CVE candidate numbers (CANs). An advisory on January 21, 2003 provided information about a problem involving CAN-2003-0034, CAN-2003-0035, and CAN-2003-0036, and an advisory on December 23, 2002 provided information about a problem involving CAN-2002-1384, among many other advisories.
See Vulnerability Alerts/Announcements for a list of all organizations that have included or are including CANs in their security advisories.
Alcatel Includes CVE Candidate Numbers in Security Advisories
Alcatel has released security advisories that include CVE candidate numbers (CANs). Separate advisories have provided information about a problem involving CAN-2002-1272, a problem involving CAN-2002-1273, and a problem involving CAN-2002-1274.
See Vulnerability Alerts/Announcements for a list of all organizations that have included or are including CANs in their security advisories.
CVE Co-Creator Steve Christey Profiled in Information Security Magazine
Steve Christey, co-creator and editor of the CVE List, was profiled in the December 2002 issue of Information Security Magazine. In the article entitled "PROFILE/STEVEN CHRISTEY, Name That Vulnerability" the author describes Christey's background and personal interests. She also describes how Christey came to co-create CVE in 1998 while conducting internal network audits for MITRE and finding that the hundreds of vulnerabilities he was cross-referencing looked the same although they carried different vendor-assigned names.
The author explains how CVE solves this problem, details how the CVE Initiative has grown since then, and quotes Christey when discussing how CVE's standardized names are improving information security: "We have a number of CVE users who come up to us and thank us for producing a useful utility."
The author further states that CVE is "becoming a more visible component" of serious security solutions. The profile also includes a link to the CVE Web site.
CentaVision Corporation Makes CVE Compatibility Declaration
CentaVision Corporation has declared that its network-based intrusion control system (ICS), RAPTUS ICS, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Included in eWeek Magazine Article about OVAL
CVE was included in the December 16, 2002 issue of eWeek in an article about MITRE's Open Vulnerability Assessment Language (OVAL) entitled "MITRE Standard Eases Vulnerability Research". In the article the author describes OVAL as "a new language designed to make it easier for researchers to define and explain vulnerabilities found in software," explains how OVAL works, and describes how OVAL uses CVE names as the basis for OVAL queries.
CVE Included in ServerWatch Article about OVAL
CVE was included in a ServerWatch.com article on December 16, 2002 about MITRE's Open Vulnerability Assessment Language (OVAL) entitled "MITRE Issues New Standard for Computer Vulnerability Assessment". In the article the author explains how OVAL works and that CVE names are used as the basis for OVAL queries.
CVE Included in Article in Security Wire Digest about Launch of OVAL
CVE was included in an article in the December 12, 2002 issue of Security Wire Digest entitled "MITRE Builds on CVE, Launches OVAL" that discusses the launch of MITRE's Open Vulnerability Assessment Language (OVAL) effort. In the article the author discusses the launch of OVAL and how it builds upon CVE, describes what OVAL is and how it works, mentions the importance of community involvement and participation in the development of OVAL queries, explains the composition of the OVAL Board, and includes a link to the OVAL Web site.
The author also quotes Andre Frech, CVE Editorial Board member, OVAL Board member, and Internet Security Systems X-Force research engineer: "There are no conceivable downside potentials to OVAL. The initiative is flexibly defined so that security professionals are free to contribute or use the parts that are relevant to their issues."
CVE Mentioned in eWeek Magazine Article about Launch of OVAL
CVE was mentioned in an article about the launch of OVAL in the December 11, 2002 issue of eWeek. In the article, entitled "New Language Assesses Software Flaws" the author describes how OVAL builds upon CVE, explains the purpose of OVAL, and explains how it works including the query development process. The author concludes the article with a quote by OVAL Editor and MITRE senior information security engineer Matthew N. Wojcik, "OVAL solves the consistency problem. [OVAL] queries provide a baseline for performing vulnerability assessments . . . The widespread availability of OVAL queries will provide the means for standardized vulnerability assessment and result in consistent and reproducible information assurance metrics from systems."
CVE Included in Security Wire Digest Article about ISS Security Disclosure Guidelines
CVE was included in a December 9, 2003 article in Security Wire Digest entitled "ISS Vulnerability Disclosure Guidelines". The article discusses how obtaining CVE candidate numbers is a major step in Internet Security Systems' (ISS) new security disclosure guidelines (download PDF from ISS), dated November 18, 2003. The author notes: "Once a vulnerability is identified, an advisory and a shorter brief are written, and a vulnerability and exposure candidate number (CAN) is obtained from the [CVE Initiative]." The author also quotes co-creator of the CVE List and CVE Editor Steve Christey: "I think it's a good step forward that [ISS is] publishing their policy. It will allow the community to further focus the discussion." ISS is a member of the CVE Editorial Board, has several products listed on the CVE-Compatible Products/Services page, and includes CANs in its security advisories.
CVE Mentioned in PC World Article about ISS Security Disclosure Guidelines
CVE was included in a December 3, 2003 article entitled "Security Firm Rewrites Rules on Disclosing Flaws" on PCWorld.com. In the article the author notes that obtaining CVE candidate numbers (CANs) from the CVE Initiative is included by Internet Security Systems (ISS) as a major step, after vendor notification and prior to customer notification, in its new security disclosure guidelines (download PDF from ISS) dated November 18, 2003. The author states: "X-Force will wait the 30 days and then contact the nonprofit research company MITRE to receive a Common Vulnerabilities and Exposures candidate number that sets a standard name for the vulnerability." ISS is a member of the CVE Editorial Board, has several products listed on the CVE-Compatible Products/Services page, and includes CANs in its security advisories.