We seem to have an issue with certain CVEs that are CNA-supplied.

In the attached spreadsheet is a list of CVEs that are listed as reserved at the MITRE site but in use in the field, seemingly assigned by CNAs.
Roughly 270 of the 296 CVEs listed by customers are from Linux vendor patch advisories.

Reserved CVEs are supposed to be updated to either published state or deleted, but these old CVEs escalated by customers were never processed by MITRE,
even after the vendors published them long ago. The problem we found with the CVEs on that list is that even though they are marked as "reserved", the respective vendors have published them in their
advisories. Example #1) CVE-2013-2124:

Here is a similar discussion on an online forum where people report a list of CVEs that have been made public but are still in "reserved" status, and mention that MITRE
has been processing them lately: http://comments.gmane.org/gmane.comp.security.oss.general/12072

The CVEs are collected from vendor advisories, not from a third party. If we plan to delete them now, then we will have to monitor when MITRE is going
to publish them in the future and will have to add them again. Since the vendors published patches with CVE references, the chances of MITRE deleting these CVEs are low in our opinion.

Kent Landfield
Director, Standards and Technology Policy
McAfee. Part of Intel Security
+1.817.637.8026
CNA-CVE-Reserved-Mismatch.xlsx