
CVE ID Syntax: Implementation of 2014 Protection Block



All,

MITRE has decided to implement a protection block similar to what is
documented here:

   http://cve.mitre.org/data/board/archives/2013-06/msg00005.html

This protection block will help address situations in which the
5-digit CVE-2014-10000 could be truncated to CVE-2014-1000 by some CVE
implementations that have not yet implemented the new syntax.  (And
during composition of this e-mail, I noticed that a popular online CVE
repository truncated CVE-2014-12345 to CVE-2014-1234, so we now have
our first documented real-world example.)

Currently, we have chosen to avoid the issuance of the CVE-2014-1000
through CVE-2014-1199 entirely (and thanks to a cute little off-by-one
error, CVE-2014-1200 is also currently unissued).  This means that any
inadvertent use of those IDs will generate a fairly noticeable error
to CVE-using implementations.  As of this writing, CVE-2014-1476 is
the most recent 2014-era CVE ID.

This protection block implementation also means that these CVE IDs
will not show up in any CVE downloads, thus will not appear in any
CVE-using databases that populate their own data using these
downloads.  In addition, any lookup to the CVE web site will generate
an error:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1000

We are likely to change the CVE ID lookup so that when a CVE in the
protection block is requested, the lookup will generate a more
informative message, notifying users of the potential of a 5-digit
truncation.  This change will be made in the near future.

We issued more IDs in 2013 than in any previous year except 2008, and
we only need about 18 more to surpass that number.  But, there is
still a question of whether CVE will naturally hit 10,000 IDs this
year and trigger use of the protection block.  We cannot be sure that
implementations have adjusted to the new CVE ID syntax until we issue
a 5-digit CVE.  My informal thinking at this point is that even if we
don't reach 10K, we could issue some legitimate 5-digit IDs near the
end of the year, or even in 2015, which would then trigger any
truncation/parsing errors that remain unfixed at that time.  However,
any methods for intentionally issuing 5-digit IDs "before their time"
need to be considered as part of the overall awareness strategy.  We
will discuss awareness efforts with the Board in the near future.

- Steve
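
An added example, not part of the original message and not MITRE's code: a Python sketch of a consumer-side check that extracts CVE IDs with the variable-length syntax, shows what a four-digit-only pattern returns for the same text, and flags IDs that fall in the protection block described above. The function names and the sample text are constructed for illustration.

```python
import re

# CVE ID syntax after the 2014 change: four or more sequence digits.
CVE_RE = re.compile(r"(?<![A-Za-z0-9-])CVE-(\d{4})-(\d{4,})(?!\d)", re.I)
# Fixed-width pattern of the kind that produces the truncation in the message.
LEGACY_RE = re.compile(r"CVE-\d{4}-\d{4}", re.I)

# Per the message: CVE-2014-1000 through CVE-2014-1199 are withheld, and
# CVE-2014-1200 is also unissued as of its writing.
BLOCK_YEAR = 2014
BLOCK_SEQ = range(1000, 1201)

# Constructed sample input, not taken from any real advisory.
SAMPLE = "Fixes CVE-2014-10000, CVE-2014-12345 and CVE-2014-1476."


def legacy_extract(text):
    """What a parser that assumes exactly four sequence digits returns."""
    return [m.upper() for m in LEGACY_RE.findall(text)]


def extract(text):
    """Extract IDs using the variable-length syntax."""
    return [f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)]


def check(cve_id):
    """Return (in_block, candidates) for one ID.

    candidates is the (first, last) 5-digit ID that a 4-digit truncation
    could have come from, or None when the ID is outside the block.
    """
    m = CVE_RE.fullmatch(cve_id.strip())
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    year, seq = int(m.group(1)), m.group(2)
    if year == BLOCK_YEAR and len(seq) == 4 and int(seq) in BLOCK_SEQ:
        return True, (f"CVE-{year}-{seq}0", f"CVE-{year}-{seq}9")
    return False, None


if __name__ == "__main__":
    print("variable-length:", extract(SAMPLE))
    for cve in legacy_extract(SAMPLE):
        flagged, candidates = check(cve)
        note = f"protection block, possibly truncated from {candidates}" if flagged else "ok"
        print(f"legacy parser saw {cve}: {note}")
```

In this sample the truncated CVE-2014-1234 is not flagged, because only sequence numbers 1000 through 1200 are in the block; comparing the output of both extractors on the same input catches that case.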


Page Last Updated or Reviewed: October 03, 2014