SecurityWeek

CVE-ID Vulnerability Numbering Format Change Could Challenge Vendors Who Don’t Adopt

The number of disclosed software vulnerabilities has continued to grow, so perhaps it was inevitable that one day The MITRE Corporation would have to change the format of the Common Vulnerabilities and Exposures Identifiers (CVE-IDs) it produces.

Until now, the four-digit sequence number in a CVE-ID (the "NNNN" in CVE-YYYY-NNNN) has allowed at most 9,999 identifiers per year, a ceiling that could be reached before the end of this year.

As a result, MITRE is preparing to issue CVE-IDs under a new syntax in which the sequence number is no longer fixed at four digits and can run to five or more. Several major software vendors and cyber-security organizations are already consuming or producing CVE-IDs in the new format. By doing so, they are ensuring that their products, tools, and processes that handle CVE-IDs will keep working once identifiers are issued under the new syntax, which could happen before the end of 2014 and will happen no later than Jan. 13, 2015, according to MITRE.

“We are assigning new CVE-IDs at an unprecedented rate,” said Steve Christey Coley, principal information security engineer at MITRE and editor of the CVE List, in a statement. “It’s too close to call right now, but we could exceed the four-digit limit before the end of this year.”

“If we need more than 9,999 CVE-IDs in 2014, we will follow the new syntax and start using five-digit CVE-IDs,” he added. “If organizations don’t update to the new CVE-ID format, their products and services could break or report inaccurate vulnerability identifiers, making vulnerability management more difficult. To make it easy to update, we have added a section on the CVE website that provides free technical guidance and test data for developers and consumers to use to verify that their products and services will work correctly.”

So far, early adopters of the new CVE-ID format include Symantec, IBM and Microsoft.


“Rapid7 is aware of the change and we’re on track to have converted over in plenty of time,” said Tod Beardsley, engineering manager at Rapid7. “Changing over from four to five digits was inevitable, and we’ve all…had plenty of time to adjust. I imagine there will be stragglers, just like with the Y2K changeover, and just like with Y2K, the failures will be more amusing than catastrophic.”

The CVE dictionary has more than 63,000 unique entries.

“Many vendors will likely have issues with this type of change,” said Chris Goettl, product manager at Shavlik Technologies, adding that changes to Shavlik products and content are in the pipeline to accommodate the new format. “Vendors will have to examine the way they collect, store, and display CVE data to ensure that content from start to finish is not impacted by the format change.”
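The two failure modes described above, a tool that "reports inaccurate vulnerability identifiers" (Christey Coley) and breakage anywhere along the collect, store and display pipeline (Goettl), are easy to reproduce. The following is an added example, not code from MITRE or any of the vendors quoted, that contrasts a legacy fixed-four-digit pattern with a parser for the variable-length syntax. The sample advisory text is constructed for the example, and the strict pattern embeds an assumption: four-digit sequence numbers keep their zero padding, while sequence numbers of five or more digits are taken to carry no leading zero.

```python
import re
from typing import NamedTuple, Optional

# Legacy pattern typical of pre-2014 tooling: exactly four sequence digits.
# Kept here only to demonstrate the failure mode; do not use it.
LEGACY_CVE_RE = re.compile(r"CVE-\d{4}-\d{4}")

# Pattern for the new syntax: a four-digit year and a sequence number of at
# least four digits with no upper bound. Assumption of this example: a
# four-digit sequence may be zero-padded (0\d{3}); anything longer is assumed
# to start with a non-zero digit ([1-9]\d{3,}). The \b anchors stop a longer
# number from being cut short.
CVE_RE = re.compile(r"\bCVE-(?P<year>\d{4})-(?P<seq>0\d{3}|[1-9]\d{3,})\b")


class CveId(NamedTuple):
    """A CVE-ID stored as integers so that it sorts and compares correctly."""
    year: int
    seq: int

    def __str__(self) -> str:
        # Render with at least four sequence digits; longer numbers print in full.
        return f"CVE-{self.year:04d}-{self.seq:04d}"


def parse_cve(text: str) -> Optional[CveId]:
    """Parse a single CVE-ID string; return None if it is not well formed."""
    m = CVE_RE.fullmatch(text.strip())
    if not m:
        return None
    return CveId(int(m.group("year")), int(m.group("seq")))


def extract_cves(text: str) -> list[str]:
    """Return every well-formed CVE-ID found in free text, normalised."""
    return [str(CveId(int(m.group("year")), int(m.group("seq"))))
            for m in CVE_RE.finditer(text)]


def legacy_extract(text: str) -> list[str]:
    """What a fixed-width extractor reports on the same text (for contrast)."""
    return LEGACY_CVE_RE.findall(text)


def sort_key(cve: str) -> tuple[int, int]:
    """Sort key for CVE-IDs; plain string ordering is wrong once digits vary."""
    parsed = parse_cve(cve)
    if parsed is None:
        raise ValueError(f"not a CVE-ID: {cve!r}")
    return (parsed.year, parsed.seq)


# Constructed sample advisory text; the identifiers are illustrative only.
SAMPLE_ADVISORY = (
    "Constructed sample feed: fixes CVE-2014-0160, CVE-2014-12345 and "
    "CVE-2014-9999; CVE-2014-01234 is malformed."
)


if __name__ == "__main__":
    # Legacy extractor silently truncates the five-digit ID to CVE-2014-1234
    # and accepts the malformed one as CVE-2014-0123: wrong identifiers, no error.
    print("legacy :", legacy_extract(SAMPLE_ADVISORY))
    print("new    :", extract_cves(SAMPLE_ADVISORY))
    ids = ["CVE-2014-12345", "CVE-2014-9999", "CVE-2014-0160"]
    print("string sort :", sorted(ids))            # puts 12345 before 9999
    print("numeric sort:", sorted(ids, key=sort_key))
```

The same class of bug hides in storage and display code: a column or buffer sized for the 13-character CVE-YYYY-NNNN form, or a report template that splits the identifier at fixed offsets, will truncate or reject CVE-2014-12345 just as the legacy regex does. Keeping the parsed (year, seq) pair as the canonical representation and rendering the string only at the edges avoids both the truncation and the string-ordering problem.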

According to MITRE, if the format change is not implemented in a timely manner, it could significantly impact CVE users’ vulnerability management practices.

“The clock is ticking,” added Steve Boyle, principal information security engineer at MITRE and CVE program manager, in a statement. “Even if we don’t have to move to the new syntax before the end of 2014, we will ensure that we issue at least one five-digit CVE-ID by Tuesday, January 13, 2015. All organizations that use CVE-IDs need to take action now to make the upgrade before this rapidly-approaching deadline.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
