About Us Our Work Employment News & Events
MITRE Remote Access for MITRE Staff and Partners Site Map
The MITRE Digest
Advanced Research
Aviation Systems
Defense and Intelligence
Federal Sector Modernization
Health Transformation
Homeland Security

Follow Us:
Visit MITRE on Facebook
Visit MITRE on Twitter
Visit MITRE on Linkedin
Visit MITRE on YouTube
View MITRE's RSS Feeds
View MITRE's Mobile Apps
Home > News & Events > MITRE Publications > The MITRE Digest >

CVE Common Vulnerabilities and Exposure (CVE)

MITRE Develops Valuable Resource for Sharing Vulnerability Information

June 2000

Does your company use a variety of tools to assess its computer security? How do you determine which tool identifies the most vulnerabilities and exposures—i.e., problems in a computer system, such as software bugs or misconfigurations, that allow a hacker to break into or abuse that system? How do you handle information from multiple vulnerability assessments and intrusion detection systems (IDS) tools—all of which use different terms for the same vulnerabilities? And won't any comparison of tools and databases be very labor intensive?

The above tasks can be accomplished easily and quickly with a new resource: the dictionary of Common Vulnerabilities and Exposures. In October, MITRE launched CVE, the first listing that provides standardized names and descriptions for more than 473 publicly known information security vulnerabilities and exposures.

CVE Concept Any network can contain vulnerabilities and exposures that allow hackers to abuse computer systems. CVE is expected to contribute to improved cyber defenses by making it easier to share and correlate data across separate vulnerability databases and security tools. MITRE staff developed CVE in collaboration with representatives from more than 20 major security organizations. CVE is available free to the public.

"In the past, each security tool and vulnerability database used its own names for vulnerabilities and exposures," said Pete Tasker, executive director of MITRE's Security and Information Operations Division. "Without a common language to correlate pieces of vulnerability-related information, it was labor intensive to compare output from tools from different vendors, to relate IDS alarms with network assessment probes, or to determine which vulnerabilities each tool identifies in order to close potential security gaps. The comparative research made possible by CVE is expected to lead to enhanced security tools and further innovations in information security."

How Does It Work?

The CVE naming standard facilitates data sharing among IDS assessment tools, vulnerability databases, researchers, and incident response teams. How does it work? Take, for example, the vulnerability listed as "CVE-1999-0067," with its description: "CGI phf program allows remote command execution through shell metacharacters." Various manufacturers and organizations refer to this single vulnerability as "http-cgi-phf," "http_escshellcmd," "CERT: CA-96.06.cgi_example_code," "#3200-WWW phf attack," or "Vulnerability in NCSA/Apache Example Code."

Using one accepted reference (the CVE number) will obviously make it easier to communicate and correlate security information. You can search CVE for specific vulnerabilities and exposures. To evaluate products, you can download CVE, identify CVE entries related to your evaluation needs, and directly compare CVE-compatible tools and databases.

Evaluation Process

"CVE represents a significant leap forward for the information security industry and end-user community," said Christopher Klaus, founder and chief technology officer of Internet Security Systems (ISS). "ISS is pleased to be a part of this important initiative as we move toward a standard that is crucial to the effective protection of every organization's critical digital assets."

Fourteen organizations have already declared publicly that they will make their tools or databases CVE-compatible.

How Can You Benefit from CVE?

For consumers of security information. The CVE name will give you a standardized identifier for any given vulnerability or exposure. Knowing this identifier will allow you to quickly and accurately access information about the problem across multiple information sources that are CVE-compatible. For example, when a security tool's reports contain references to CVE names, you may then access fix information in a separate CVE-compatible database.

By facilitating better comparisons among security tools, CVE could help you make a better choice as to which tools are appropriate for your needs. Also, you may be able to create a suite of interoperable security tools from multiple vendors, if those tools use CVE as a common index.

CVE may also benefit consumers of security information by facilitating better research on vulnerabilities.

For producers of security information. By mapping your own vulnerability- related information to CVE, you can dramatically increase the value of your information to consumers by providing them with the ability to relate it to other CVE-compatible data sources. The mappings will also allow you to share and compare your information with other producers.

The CVE Development Process

CVE Group
Pete Tasker, left, David Mann, center, and Steve Christey have developed a dictionary of common computer vulnerabilities that could lead to enhanced computer security.

When MITRE's Steve Christey and David Mann came up with the concept for CVE, their first step was to present their idea at Purdue's Center for Education and Research for Information Assurance and Security (CERIAS) 2nd Workshop on Research on Security Vulnerability Databases, held in January 1999. By April, a MITRE team had produced a draft CVE list.

The team's goals were to:

  • Enumerate and discriminate among all publicly known vulnerabilities,
  • Assign a standard, unique name to each vulnerability or exposure,
  • Exist independently of the multiple perspectives of what a vulnerability is, and
  • Be publicly open and shareable, without distribution restrictions.

MITRE's next step was to form a CVE Editorial Board—representatives from a consortium of companies and organizations involved in information security—to bring a broader perspective and additional industry expertise to the development process. MITRE's original CVE draft was expanded through the collaborative efforts of the Editorial Board members, who discuss and agree on names and descriptions for CVE items.

The Board will continue to expand CVE, adding new vulnerabilities and exposures as they arise. The Board will also play a role in promoting industry-wide acceptance of CVE.

MITRE's role is to moderate Board discussions and provide technical guidance on all matters related to ongoing development of CVE. The MITRE team also maintains the CVE Web site, which contains the CVE list, along with archived information from Board meetings and discussions. The team will continually look at ways to enhance the Web site's usefulness and welcomes feedback from users.

 

Page last updated:February 12, 2000   |   Top of page

Homeland Security Center Center for Enterprise Modernization Command, Control, Communications and Intelligence Center Center for Advanced Aviation System Development

 
 
 

Solutions That Make a Difference.®
Copyright © 1997-2013, The MITRE Corporation. All rights reserved.
MITRE is a registered trademark of The MITRE Corporation.
Material on this site may be copied and distributed with permission only.
IDG's Computerworld Names MITRE a "Best Place to Work in IT" for Eighth Straight Year The Boston Globe Ranks MITRE Number 6 Top Place to Work Fast Company Names MITRE One of the "World's 50 Most Innovative Companies"
 

Privacy Policy | Contact Us