Mapping Questions
All,

We need some guidance on how to more accurately reference CVE numbers.

As CVE begins to focus more on configuration issues (a.k.a. "exposures"), we have encountered the following general question:

Q: Should a data element that deals with a configuration issue reference:

  a) only the cve/can number related to that configuration issue or

  b) the cve/can number related to the configuration issue AS WELL AS ALL cve/can NUMBERS OF VULNERABILITIES THAT ARE REMOVED WHEN THE CONFIGURATION ISSUE IS ADDRESSED?

As a motivating example, consider:

  CAN-1999-0630: The NT Alerter and Messenger services are running.

Disabling the Messenger service eliminates the following vulnerability:

  CVE-1999-0224: Denial of service in Windows NT messenger service through a long username.

As a second example, consider:

  CAN-1999-0619: The Telnet service is running.

A partial list of vulnerabilities closed by disabling this service is found here:

  http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=telnet

==========================================================
Dave Mann
Product Manager, Policy & Compliance Products
BindView Corporation
Office: 781.331.8148
Cell: 781.424.6003
e-mail: dmann@bindview.com
==========================================================