Definition
Common Vulnerabilities and Exposures (CVE) are a dictionary of unique identifiers (CVE ID) assigned to publicly disclosed cybersecurity vulnerabilities, providing a standardized method for identifying and communicating information about these weaknesses.
Importance of CVE
Prior to its launch in 1999, industry tools used their own databases and naming conventions to report on security vulnerabilities, this resulted in ineffective communication with other tools leading to gaps in security vulnerability information. The CVE system was designed to standardize vulnerability identification and information sharing.
Today, “CVE” is the de facto standard for uniquely identifying vulnerabilities, establishing a reliable way to connect specific versions of software or software libraries to publicly disclosed vulnerabilities. In this way, it can be thought of as a conduit between vulnerability scanners, patch information, patch managers, and security engineers.
This inevitably led to an increase in the effectiveness of security professionals, researchers, and organizations’ ability to identify, track, and prioritize vulnerabilities. This facilitates collaboration, timely response, and the development of effective mitigation strategies.
How does the CVE system work?
CVE IDs can be requested by anyone if submitted to the appropriate CNA Numbering Authority (CNA). CNA’s are organizations who are vetted and approved by the CVE Program to assign CVE IDs and publish CVE Records within their specific scopes of coverage. These groups deliberately vary by region and expertise to cover a wide range of vulnerability types.
CVE Program vs. CVE Database
The CVE program and the CVE database (also known as the National Vulnerability Database or NVD), are two distinct, yet interconnected parts in the realm of information sharing and vulnerability management.
The CVE program: Managed by MITRE Corporation, the CVE program is a global initiative that exists to provide a standardized naming convention for publicly known vulnerabilities. Its main purpose is to assign vulnerabilities a unique identifier (CVE ID), making it easier for organizations to reference and track them. The CVE program acts as a central authority for assigning and managing CVE IDs, to ensure consistency across different security tools, databases, and platforms.
The CVE database: Maintained by the National Institute of Standards and Technology (NIST), the CVE database is a comprehensive repository of vulnerability information. It houses detailed records of vulnerabilities, including their CVE IDs, descriptions, severity ratings, affected software versions, and associated references. The NVD, which is part of the CVE database, offers a publicly accessible platform where users can search for vulnerability information. It also provides additional resources like vulnerability metrics, scoring systems such as CVSS, and links to security advisories and patches.
MITRE vs. NIST
MITRE oversees the assignment and management of CVE IDs as part of the CVE program. They collaborate with stakeholders such as vendors, vulnerability researchers, and security organizations to ensure accurate and timely identification of vulnerabilities. MITRE also maintains the CVE List, a primary source of CVE IDs and associated details.
NIST is responsible for maintaining and operating the NVD, which includes collecting vulnerability data from various sources, curating and analyzing the information, and populating the CVE database. NIST collaborates with MITRE and other organizations to ensure the accuracy and integrity of the vulnerability data. They also provide additional resources and tools to assist users in understanding and addressing vulnerabilities effectively.
In summary, the CVE program, managed by MITRE, focuses on assigning unique identifiers (CVE IDs) to vulnerabilities, while the CVE database (NVD), maintained by NIST, serves as a repository of vulnerability information, indexed primarily by CVE IDs. MITRE plays a key role in managing CVE IDs, while NIST is responsible for curating and maintaining the NVD, providing a valuable resource for vulnerability management and information sharing.
What qualifies for a CVE?
There are several factors considered when determining if a reported vulnerability qualifies to be assigned a CVE ID.
For inclusion, the reported vulnerability :
- Must have potential to compromise the confidentiality, integrity, or availability of a system or data.
- Must be possible to reliably reproduce the vulnerability under specific conditions.
- Should affect widely-used software, systems, or devices.
- Should be accompanied by clear documentation or evidence demonstrating the existence and impact of the vulnerability.
- Can not be dependent on other vulnerabilities to be exploited.
- Must have a need for mitigation or remediation to address the vulnerability.
The MITRE CVE program covers all types of vulnerabilities, including software/application vulnerabilities, infrastructure/configuration vulnerabilities, and network vulnerabilities. The only exception is vulnerabilities in websites or web applications, which don’t get a CVE allocated. This is because the purpose of the CVE program is to advocate updating to a new version of the software, which isn’t relevant in the context of websites, which get upgraded in the background. In addition, malicious software packages usually don’t get a CVE assigned due to the same reason – a malicious package does not have a “safe version” users can upgrade to.
What is CVE Scanning?
CVE scanning is a type of vulnerability scanning that scans software components, libraries and dependencies to detect common vulnerabilities and exposures (CVEs). The database of publicly disclosed vulnerabilities that CVE Scanners refer to also provides important information about the severity and applicability of each vulnerability.
By conducting CVE Scanning and gaining insight into the severity of vulnerabilities detected, organizations can assess the potential impact and relevance of each reported threat.
How to prevent attacks with CVE Scanning
The best way to deal with a software vulnerability is to prevent it from happening in the first place. We encourage developers to investigate 3rd-party libraries before they use them, and choose a library that has no critical CVEs assigned
Since no solution can guarantee that your application code is 100% free of vulnerabilities, CVE scanning is beneficial as a continuous security measure. CVE scanners alert developers to known vulnerable components, allowing them to address the issue in their codebase. While CVE scanners won’t detect all threats, such as zero-day vulnerabilities, they protect against the majority of threats.
Once you’ve detected vulnerabilities, you should assess the level of severity using the Common Vulnerability Scoring System (CVSS) level of each flagged alert. Lots of mature DevSecOps teams also tend to employ commercial CVE scanners with risk-based capabilities meaning they use vulnerability scanning software that can help prioritize alerts that carry the most risk to their specific build.
Finally, formulate and execute a plan for mitigating the vulnerability. The mitigation process will vary depending on the nature of the vulnerability, but in many cases, fixing the vulnerability involves either applying a patch, or updating to a newer version of the vulnerable 3rd-party component. Alternatively, if no fix is available and you can’t implement it yourself, you can take steps to prevent the vulnerability from being exploited by, for example, updating the application’s configuration such that the conditions required for exploitation aren’t present.
By taking these steps, you can help you catch and prevent CVEs from being exploited.
