Ask the Expert

Can the list of Common Vulnerabilities and Exposures protect applications?

How does Common Vulnerability Enumeration help defend against application attacks? Does it actually do anything?

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

For those who haven't heard of it, the phrase "Common Vulnerability Enumeration" was an early moniker applied to Mitre Corp.'s systematic naming and numbering of security issues. The modern name is now "Common Vulnerabilities and Exposures", or CVE for short. When new vulnerabilities are discovered, like a buffer overflow in vendor XYZ's ABC product, a CVE number gets assigned to it, and a brief description is posted at Mitre's easily searchable CVE Web site.

When discussing today's many vulnerabilities, people can use CVE to make sure that they refer to the same flaw. Suppose I were to tell you that I was hacked yesterday with a buffer-overflow attack in vendor XYZ's Web server. "Oh man!" you might respond, "I was hacked with a buffer overflow in XYZ's Web server as well. It must have been the same exploit!" With CVE, however, I can say, "I was hit with CVE-2007-1234." You might respond, "Oh, I got snagged by CVE-2007-5678." We could then rapidly conclude that while the issue was in the same software product, it was indeed a different vulnerability that we each suffered from. This consistent nomenclature is helpful in our business. Mitre has also started the Common Malware Enumeration project (CME), which aims to apply a consistent naming and numbering scheme to malware specimens.

The vast majority of vulnerabilities cataloged within the enumeration refer to software flaws in specific network service software and client-side applications. They focus on the exact vulnerabilities in particular products themselves, and not a description of the classes of vulnerabilities. That is, instead of explaining how buffer overflows generally work, CVE inventories thousands of examples of real buffer-overflow flaws. The list does include a significant number of application attacks, but only against specific applications, such as certain widely used ecommerce packages, enterprise resource planning (ERP) tools, database environments and groupware products. CVE doesn't focus on the description of Web application attacks, like cross-site scripting (XSS), SQL injection and session cloning. Instead, as you might expect, it includes specific examples of those kinds of vulnerabilities in widely used software, such as specific Apache modules, PHP scripts, commercial ecommerce software and so forth.

Here's the rub: a lot of Web application software is home-grown, with organizations rolling their own applications together to satisfy their business needs and serve their customers. Thus, it's not widely used software, and flaws in it are not included in the CVE. That's not Mitre's fault, though; the list keeps track of software vulnerabilities so that organizations deploying that software can be aware of their flaws. CVE, however, does not address general categories of flaws or vulnerabilities in company-specific Web applications.

More information:

  • See how some vulnerability scanner results include relevant CVE identification numbers.
  • In March, IT professionals said they were disappointed with the Anti-Spyware Coalition's threat-rating system. Some thought it should have a rating system similar to the Common Vulnerabilities and Exposures (CVE).
  • This was first published in July 2007