Status Update on CVE ID Syntax Change

To: <cve-editorial-board-list@lists.mitre.org>
Subject: Status Update on CVE ID Syntax Change
From: "Steven M. Christey" <coley@mitre.org>
Date: Mon, 16 Mar 2015 20:06:48 -0400
Delivered-To: coley@rcf-smtp.mitre.org
Delivery-Date: Mon Mar 16 20:07:41 2015
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
Reply-To: <coley@mitre.org>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>

All,

On January 13, 2015, we reached the publication date for the new
CVE-ID syntax.  We published 92 new-syntax IDs: 48 with 5 digits, and
44 with 6 digits, which included 70 normal entries and 22 additional
entries with REJECTED or RESERVED status.  We published CVE entries
for CVE-2014-10001 through CVE-2014-10039 (with 5-digit sequence
numbers) and CVE-2014-100001 through CVE-2014-100038 (6-digit sequence
numbers).

So far, two months later, we have not seen or received any reports of
any significant errors occurring due to the syntax change.  We've seen
some public bug fixes related to ID parsing around the time of the
deadline.  We've had feedback that sorting of variable-length IDs is
causing some minor annoyance due to the variable length, although this
was a well-documented and publicly discussed problem when the syntax
was adopted.

We have received, seen, or otherwise become aware of various questions
about the process that we have been following for assigning the new
IDs, so we thought it would be useful to provide more details of what
we did and why.

1. Since there are many different communication channels or processes
    that involve the exchange of CVE IDs, and there could be different
    ID-processing code for each stream/process, we believed that it was
    important to exercise the ID syntax change for these different
    channels, so that consumers can verify that their ID syntax changes
    have been thoroughly handled.

2. We published valid CVE entries for CVE-2014-10001 through
    CVE-2014-10039 (with 5-digit sequence numbers) and CVE-2014-100001
    through CVE-2014-100038 (6-digit sequence numbers).  This satisfied
    the CVENEW and CVE download communication streams.  For this set of
    IDs, we selected issues that were public in 2014 but had not yet
    received a CVE-ID due to prioritization according to our "CVE Data
    Sources and Coverage" list [1].  We defined and used a
    semi-automated process that randomly determined which issues
    received 5- or 6-digit IDs, and which references received the first
    valid 5-digit and 6-digit IDs, namely CVE-2014-10001 and
    CVE-2014-100001.

3. Since REJECTED or RESERVED IDs are often treated differently from
    regular entries, we issued some new-syntax IDs with these
    characteristics.  The REJECTed IDs include IDs that would normally
    be rejected, such as the inadvertent use of multiple 5-digit IDs in
    a public advisory during 2014, or their use in the ID-Syntax test
    data.  The RESERVED IDs will show up in vulnerability advisories in
    external data sources, which are also likely to have different
    processing code.

4. We chose to include 6-digit IDs in addition to 5-digit IDs for
    several reasons.  Near the end of 2014, there was evidence that
    some implementers were making a 5-digit assumption, or making
    other, similarly incorrect assumptions.  We wanted to guard against
    having a series of tools emerge that might solve "CVE-10K" but
    still be subject to a "CVE-100K" problem due to incorrect
    implementations.

5. Note that we have exceeded over 9,705 4-digit CVE-2014-xxxx IDs so
    far. There is still a gap with the 5-digit CVE-2014-10000 IDs, but
    this gap will slowly be closed as additional CVE IDs continue to be
    assigned to older issues published in 2014.  This gap is for 2014
    only, and it is due to our commitment to easing the transition to
    the new syntax IDs by releasing other real-world IDs that can
    ensure compliance with the new syntax.

Within a matter of weeks, we will have one additional, limited release
of 5-digit and 6-digit IDs, which will be useful for exercising any
functionality that performs change detection.  We do not plan to make
any formal announcements when we execute these steps.

After the release of this additional set of 5-digit and 6-digit IDS, we 
believe our work regarding the syntax change will be complete, bringing 
over 2 years of community discussion and effort to a close.

We hope that this clarifies any questions or concerns that people have
had.  MITRE has been committed to making the transition for the new ID
syntax as smooth and transparent as possible, for consumers and
vendors.

As always, we welcome everybody's thoughts and feedback.

- Steve Christey Coley

Prev by Date: Update: CVE Editorial Board meeting at RSA
Next by Date: Two draft Editorial Board governance documents for review and comment
Prev by thread: Update: CVE Editorial Board meeting at RSA
Next by thread: Two draft Editorial Board governance documents for review and comment
Index(es):
- Date
- Thread