The Common Vulnerabilities and Exposures glossary (CVE) is a security project focused on publicly released software, funded by the US Division of Homeland Security and maintained by the MITRE Corporation. The CVE glossary uses Security Content Automation Protocol (SCAP) to collect information about security vulnerabilities and exposures, cataloging them according to various identifiers and providing them with unique IDs.
Once documented, MITRE provides each vulnerability with a unique ID. Several days after publication in the Mitre vulnerability database, the National Vulnerability Database (NVD) publishes the CVE with a corresponding security analysis.
The CVE list is defined by MITRE as a glossary or dictionary of publicly available vulnerabilities and exposures, rather than a database, and as such is intended to serve as an industry baseline for communicating and dialoguing around a given vulnerability. According the MITRE’s vision, CVE documentation is the industry standard by which disparate security advisories, bug trackers and databases can obtain a uniform baseline with which to “speak” to each other, communicating and deliberating about the same vulnerability in a “common language”.
Every new CVE entry receives a unique ID following this formula:
CVE numbers are given to each new CVE issue by MITRE. However, it is worthwhile noting that MITRE is not the only one. CVEs may receive their numeric ID from commercial numbering authorities (non-governmental) who will number vulnerabilities and exposures found in their own products. As of December 2018, 93 commercial entities are authorized to act as CVE Numbering Authorities (CNA), including Adobe, Apple, Cisco, Linux, Google, HP, IBM, Microsoft, Mozilla, Oracle, and Red Hat. The third and final numbering authority is the emergency response team known as CERT Coordination Center which is also certified to assign CVE numbers.
Beyond their unique ID, each CVE receives an entry date indicating when it was created by MITRE, followed by an individual description field and a reference field. If the vulnerability was not directly reported by MITRE but rather was first assigned by a different bug tracker or advisory board, the reference field will include URL links to the bug tracker or advisory board which first submitted the vulnerability. Other links that may appear in this field are to the product pages affected by the CVE.
Reporting a CVE requires contacting any one of the CVE Numbering Authorities (CNA), mostly likely MITRE which is the primary contributor to its own vulnerability database.
According to some developers forums, it is possible to post a vulnerability alert on a mailing list such as Bugtraq instead of contacting a CNA with a request for a CVE. MITRE will respond within a few days with a published CVE.
It is important to remember that though providing a vital service to the software community, new CVE entries may take time to appear in the MITRE database (anywhere from days to months). Bans and embragos related to commercial censorships must receive clearance prior to publicizing new CVEs and may cause delays from the time a CVE is given its ID to the time it is made public. Lack of resources at MITRE to write up new CVEs has also been known to cause setbacks in publishing. MITRE explains their handling delays as resulting from a constantly growing influx of vulnerabilities reported to the organization.
Each CVE receives a CVSS score from the NVD, indicating its security severity. The NVD’s security severity ranking helps responders including developers, DevSecOps and security teams determine how to approach the vulnerability and when. Remediation resources are allocated based on severity prioritization.
The CVSS score follows a formula made up of several security metrics. The metrics involved in determining the severity of a vulnerability include its access vector, the attack complexity, the confidentiality of data processed by the system containing the vulnerability, the integrity of the exploited system, to name a few.
Some vulnerabilities don’t make it into the MITRE database, therefore never receiving a CVE number. This will happen if the discovering entity didn’t contact MITRE or any other CNA to request a CVE identifier, or if a CNA such as MITRE decided not to include the vulnerability in the system.
According to WhiteSource’s 2018 Annual Report on the State of Open Source Vulnerabilities Management, only 86% of all reported open source vulnerabilities make it into MITRE’s CVE list. This means that another 14% of vulnerabilities are reported elsewhere outside of MITRE’s vulnerability glossary.
WhiteSource’s monthly review of the top 5 monthly open source vulnerabilities features at two vulnerabilities on average without a CVE designation every month, which was reported on independent advisories or bug trackers. This represents 40% of the total top open source vulnerabilities listed each month.
Unreported vulnerabilities remain hidden away in security advisory boards or issues trackers, where their discovering entity first published them. These vulnerabilities are “off the radar” for many developers who usually scout the main vulnerability databases and therefore are less likely to become known and properly patched even if patches or new version are available .
If the MITRE Corporation’s CVE dictionary consists of a list of entries, each documenting a unique publicly available vulnerability and attributed an ID number, then the National Vulnerability Database (NVD) is an elaborate vulnerability database offering security analysis of vulnerabilities.
While the NVD and MITRE’s CVE list are two separate entities, they are fully in synch so that any update, change and new entry made to the MITRE list will immediately show up on the NVD database.
The CVE list will offer a leaner entry of the vulnerability and will assign it an ID. The NVD will then build on this information, and offer broader information about the vulnerability, including fix information, search options, and impact ratings.
Security flaws are a wide and varied mix, reported in various databases, advisory boards and bug trackers and consisting of a diverse set of features and qualities. Yet of this assorted mix, CVE vulnerabilities remain the most popular vulnerability type and MITRE remains the foremost list for the documentation of security vulnerabilities in publicly released software.