All,

During a recent debate on how we're going to fit the CVE into our database structure,
one of the DBAs commented on how a specific vulnerability might not just have
one CVE index, but several. Up to now, this group has discussed the potential of
one CVE mapping to zero or more records of a VDB, but the opposite has not been
discussed before; namely, a many-to-many relationship.

For example, "Windows NT 4.0 prior to Service Pack 4" involves many
potential CVEs, possibly subsuming the CVEs in SP3, 2, and 1. How would a vendor
handle these, considering that it is probably out of the scope of the CVE to
reconcile these entries?

I envision this question raising several points:
- Can a vendor go about assigning multiple CVEs to a
vulnerability or check outside of the framework of the CVE?
- Who verifies that the vendor is doing correct
assignments?
- Do CVE indices get subsumed in later patches (for example NT
SP3 is subsumed in SP4)? (My opinion on this one is 'no, they do not,' but
YMMV.)
- Can almost everything in a VDB get a CVE? I know there are rules on what a
'vulnerability' is, but the draft CVE is a lot less stringent about the
definition than, say, the Common Criteria (CC).

I would appreciate your thoughts on this matter.

=====================================
Andre Frech X-Force Security Research
afrech@iss.net
Internet Security Systems, Inc.
678.443.6241 / fax 678.443.6479
www.iss.net
Adaptive Network Security for the Enterprise
=====================================