Forever “reserved” CVEs

In this post I would like to provide some links, that you can use to find out necessary information about vulnerability by its CVE ID. I also want to share my amazement, how the method of using the CVE identifiers is changing.

Reserved CVE

Traditionally, CVE was a global identifier that most of vulnerabilities had. Have you found malicious bug in some software? Send a brief description to MITRE and you will receive CVE id. Some time later NIST will analyze this CVE, will add CVSS vector and CPEs and will put a new item to the NVD database. MITRE and NVD CVE databases were really useful source of information.

Times change. Now typical is a situation, that some researcher (mostly a big company) publish a report with some CVE id. You go to MITRE and see “reserved”, than you go NVD and of course there is no such id. If issue is important, lots of people will discuss it using the id for references. But in MITRE and NVD description of this vulnerability will appear with a HUGE latency.

For example, last week critical vulnerability in Adobe Flash. It was discovered by researchers from Google’s Threat Analysis Group. Adobe released Adobe Security Bulletin APSB16-36 at October 26, 2016. It uses CVE-2016-7855 id.

Todays is the 1st of November. Let’s see the links:

Upd. November 2 – appeared description at at NVD and Vulners. Mitre is still “reserved”

And the only source that has normal description and CVSS vector for this CVE is IBM xforce: https://exchange.xforce.ibmcloud.com/new
If you search for “CVE-2016-7855” you will get a great Vulnerability Report:

xforce cve example

Why this happens? I suppose that the problem is CNA (CVE Numbering Authorities) program. Adobe Systems Incorporated is one of the participants. CNA don’t need to get CVE ID from Mitre for every issue, it already has some reserved:

The following series of communications occur between CNAs to MITRE:

(1) The CNA requests a pool of CVE IDs.

(2) The CNA announces the publication of a new CVE ID, which allows MITRE to update the CVE ID information on the CVE website.

(3) The CNA may need to consult with MITRE regarding CVE content decisions.

(4) The CNA notifies MITRE of suspected abuses of the CVE process by researchers.

(5) The CNA notifies MITRE and other parties when duplicate CVE IDs are detected.

Well, that seems, that step 2 may take long-long time. Maybe CNA is not really interested to make it fast. Or maybe Mitre don’t react efficiently. I don’t know. But I just see that CVE becoming a set of IDs and not a vulnerability base.

2 thoughts on “Forever “reserved” CVEs

  1. Pingback: Divination with Vulnerability Database | Alexander V. Leonov

  2. Pingback: Vulners Subsriptions and Apache Struts RCE | Alexander V. Leonov

Leave a Reply

Your email address will not be published. Required fields are marked *