The CVE is the list of Common Vulnerabilities and Exposures. It is a standard from 1999 for valuation of known weaknesses and possible attack vectors in software and internet services.
What is CVE and who invented it all?
CVE stands for Common Vulnerabilities and Exposures. It refers to a publicly available list, or glossary of known weaknesses and possible attack vectors in software and internet services. Each entry in the CVE
includes details such as a unique serial ID number, a bried desciption and any public reference.
As stated on their website, the mission of the CVE® Program
is to identify, define, and catalog piblicly disclosed cybersecurity vulnerabilities. CVE Numbering Authorities (CNA) are organisations that assign CVE IDs to vulnerabilites and are made up of IT corporations, research institutions for example.
The program was started by MITRE. MITRE
’s roots began in the computer laboratories of the Massachusetts Institute of Technology (MIT) during World War II. The original concept for what would become the CVE List was presented by the co-creators of CVE, The MITRE Corporation’s David E. Mann and Steven M. Christey, as a white paper entitled, Towards a Common Enumeration of Vulnerabilities (PDF, 0.3MB), at the 2nd Workshop on Research with Security Vulnerability Databases on January 21-22, 1999 at Purdue University in West Lafayette, Indiana, USA.
How is it used in our everyday lives?
This is a useful standard to use in every day business. Let’s say a developer has just found a so called backdoor to reveal data and it concerns a software or service almost everyone on the planet is using. Wouldn’t it be great to be able to ‘report’ this somewhere so everyone can take precautions and a fix can be found fast? Or think about how many flaws can be discovered in software that are actually the same but everyone who deals with it isn’t aware of how many others deal with it too.
Organisations can strengthen their security systems once they become aware of relevant listed security flaws. Have the CVE Identification system also makes communication easier as you can refer to a problem by using the ID number and and it is hoped that by using a CVE identifier, you can find information about a certain vulnerability quicker and easier.
How helpful is CVE?
According to their website
, CVE® is an international, community-based effort that maintains a community-driven, open data registry of publicly known cybersecurity vulnerabilities (CVE List).
The CVE Identifiers (CVE IDs) assigned through the registry enable program stakeholders to rapidly discover and correlate vulnerability information used to protect systems against attacks. CVE IDs are assigned by CVE Numbering Authorities (CNAs), which are operated on a voluntary basis by participating organizations. CVE is the de facto international standard for identifying vulnerabilities.
Let’s look at real life examples, Log4j
Log4j is a Java library, and while the programming language is less popular with consumers these days, it’s still used very broadly in enterprise systems and web apps. Researchers told WIRED on Friday that they expect many mainstream services will be affected if there were to be an attack.
All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.
Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function. Last week, some Twitter users began changing their display names to code strings that could trigger the exploit. Another user changed his iPhone name to do the same and submitted the finding to Apple. Researchers told WIRED that the approach could also potentially work using email.
What does the CVE do in such a case?
After being reported, the National Vulnerabilitiy Database evaluates each CVE’s severity and assigns it a status: Reserved, Disputed or Reject. It would then be catalogues and given it’s unique ID number. Information would be provided or collected depending on the specific case and then it would be links to Advisories, Solutions and Tools.
The CVE list is constantly updates as new vulnerabilities emerge daily. Even then, there are likely to be many unreported risks out there. To understand more about the CVE, or to look for a specific vulnerabilitiy, the FAQ page on the CVE website
is most informative.