
SecurityWeek


CVE-ID Vulnerability Numbering Format Change Could Challenge Vendors Who Don’t Adopt

Software vulnerabilities have continued to grow, so perhaps it was inevitable that one day The MITRE Corporation would have to make a change to the Common Vulnerabilities and Exposures Identifiers (CVE-IDs) it produces.

Previously, the four-digit restriction on the CVE-IDs only allowed up to 9,999 a year – a number that could be eclipsed by the end of the year.

As a result, MITRE is preparing to issue CVE-IDs under a new syntax that allows five or more trailing digits. Several major software vendors and cyber-security organizations are already consuming or producing CVE-IDs in the new numbering format. By doing so, these organizations are ensuring that their products, tools, and processes that use CVE will continue to work properly once CVE-ID numbers are issued using the new syntax, which could happen before the end of 2014 and will happen no later than Jan. 13, 2015, according to MITRE.

“We are assigning new CVE-IDs at an unprecedented rate,” said Steve Christey Coley, principal information security engineer at MITRE and editor of the CVE List, in a statement. “It’s too close to call right now, but we could exceed the four-digit limit before the end of this year.”

“If we need more than 9,999 CVE-IDs in 2014, we will follow the new syntax and start using five-digit CVE-IDs,” he added. “If organizations don’t update to the new CVE-ID format, their products and services could break or report inaccurate vulnerability identifiers, making vulnerability management more difficult. To make it easy to update, we have added a section on the CVE website that provides free technical guidance and test data for developers and consumers to use to verify that their products and services will work correctly.”
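As an added illustration (not MITRE's guidance or its published test data), the following Python shows how a consumer that still hard-codes a four-digit pattern mishandles the new variable-width syntax, and what a corrected extractor and validator look like. The advisory text and CVE numbers below are constructed, and the rule that leading zeros only pad sequence numbers to four digits is an assumption about the syntax.

```python
import re

# Fixed-width pattern of the kind many tools used before the 2014 syntax change.
# It matches exactly four trailing digits, so a five-digit ID is silently
# truncated to its first four digits: a wrong but well-formed identifier.
LEGACY_CVE_RE = re.compile(r"CVE-\d{4}-\d{4}")

# New syntax: CVE-YYYY-NNNN... with four OR MORE trailing digits.
# Word boundaries stop a match from starting or ending inside a longer token.
NEW_CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# Constructed advisory text (not a real advisory); the CVE numbers are made up.
SAMPLE_ADVISORY = (
    "This release fixes CVE-2014-0001 and CVE-2014-12345; "
    "it also references CVE-2014-123456 in the upstream changelog."
)


def extract_cve_ids_legacy(text):
    """What a not-yet-updated consumer extracts: five-digit IDs get truncated."""
    return LEGACY_CVE_RE.findall(text)


def extract_cve_ids(text):
    """Extract every CVE-ID using the variable-width syntax."""
    return [m.group(0) for m in NEW_CVE_RE.finditer(text)]


def is_valid_cve_id(cve_id):
    """Validate one standalone identifier against the new syntax.

    Assumption: short sequence numbers are zero-padded to four digits, so a
    sequence longer than four digits must not begin with a zero.
    """
    m = NEW_CVE_RE.fullmatch(cve_id)
    if m is None:
        return False
    _year, seq = m.groups()
    if len(seq) > 4 and seq.startswith("0"):
        return False
    return True


if __name__ == "__main__":
    print("legacy :", extract_cve_ids_legacy(SAMPLE_ADVISORY))
    print("updated:", extract_cve_ids(SAMPLE_ADVISORY))
```

Run against the sample, the legacy extractor reports CVE-2014-1234 twice, an identifier that appears nowhere in the text, which is exactly the "inaccurate vulnerability identifiers" failure MITRE warns about.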

So far, early adopters of the new CVE-ID format include Symantec, IBM and Microsoft.

“Rapid7 is aware of the change and we’re on track to have converted over in plenty of time,” said Tod Beardsley, engineering manager at Rapid7. “Changing over from four to five digits was inevitable, and we’ve all…had plenty of time to adjust. I imagine there will be stragglers, just like with the Y2K changeover, and just like with Y2K, the failures will be more amusing than catastrophic.”

The CVE dictionary has more than 63,000 unique entries.

“Many vendors will likely have issues with this type of change,” said Chris Goettl, product manager at Shavlik Technologies, adding that Shavlik products and content have changes coming down the pipeline to accommodate the new format. “Vendors will have to examine the way they collect, store, and display CVE data to ensure that content from start to finish is not impacted by the format change.”

According to MITRE, if the format change is not implemented in a timely manner, it could significantly impact CVE users’ vulnerability management practices.

“The clock is ticking,” added Steve Boyle, principal information security engineer at MITRE and CVE program manager, in a statement. “Even if we don’t have to move to the new syntax before the end of 2014, we will ensure that we issue at least one five-digit CVE-ID by Tuesday, January 13, 2015. All organizations that use CVE-IDs need to take action now to make the upgrade before this rapidly-approaching deadline.”
