[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Wireless VE



I've not yet had a chance to dig in to the WVE but I am not, as Pascal 
mentioned, all that enthused about another mapping. For Symantec's point 
of view it's not likely we will pick it up if the CVE meets the same 
needs. Malcode could seriously benefit from a mapping schema but I am 
skeptical of the need for a new vulnerability one.

-al


On Thu, 8 Dec 2005, Pascal Meunier wrote:

> I was unable to find out more information using Google, e.g., what is their
> motivation, funding, etc...  I would like to know if they have vulnerability
> information that the CVE doesn't have.  I'd like to know how and if they
> relate vulnerabilities to exploits, and if they have anything as flexible as
> what I implemented in the coop vdb:
> https://cirdb.cerias.purdue.edu/coopvdb/public/
>
> So, they could be doing valuable work, but I can't tell.  If it is good work
> and they have staying power then the CVE will have to adjust.  I bet that
> Steve and the security vendors don't relish the prospect of another mapping
> job.  However, in theory if both they and the CVE do their job properly, the
> vulnerability mapping should be one on one unless there are cardinality
> issues and then it would be one to many.  The thing to avoid is an
> irreversible mapping, where if you go from WVE->CVE->WVE you get a different
> entry (which would be possible if there is a many-to-many relationship).
> This situation would likely indicate that some vulnerabilities were
> incorrectly grouped together by either effort.  Maybe WVE and CVE could talk
> to try to avoid this situation, and establish contacts and procedures in
> case it happens.  If it happens, either the CVE or WVE would need repairs.
> Other comments and suggestions come to mind but they would be premature at
> this point.
>
> In any case, I miss very much the discussions we used to have.  I derived a
> great benefit from them;  for example when format string vulnerabilities
> first started being identified, the board's discussions helped me understand
> them.
>
> Pascal
>
> On 12/8/05 12:55 PM, "Andy Balinsky" <balinsky@cisco.com> wrote:
>
>> There is a new CVE clone effort out there for Wireless vulnerabilities
>> (WVE). This brings up several issues:
>> - What is the status of CVE, given that the editorial board hasn't had
>> any activity for many many months?
>> - Does this WVE effort detract from CVE and add confusion to the world
>> by coming up with a second set of standard names for things that CVE
>> covers, too? Or is it good to get more information categorized out there
>> in the world?
>>
>> Although their entry format is very similar to CVE (as well as their
>> structure, including an Editorial Board), they include 2 categories of
>> entries: Vulnerabilities and Exploits. They use the same namespace
>> (WVE-2005-????) for both vulns & exploits.
>>
>> Any ideas or comments?
>>
>> Andy
>>
>

Alfred Huger
Symantec Corp.

Page Last Updated or Reviewed: May 22, 2007