MITRE sets deadline for releasing new CVEs with different ID format syntax, regardless of how many vulnerabilities we see in 2014.
The growing number of vulnerabilities found by IT manufacturers has created the need for a revamp of the way the security industry identifies them, and if practitioners and vendors don't get ready soon they could be in for some trouble. With so many security products and other IT systems dependent on Common Vulnerabilities and Exposures (CVE) identifiers, an impending change in the syntax of CVE numbers could cause products and vulnerability management processes to break unless accommodations are made.
Full Article
Good read, Jasper, thanks for the article.
by Michael Mimoso September 18, 2014
There was a time when 9,999 vulnerabilities in a calendar year was an exaggeration of the problem. There was no way—folks at MITRE said in 1999—that they would have to produce that many CVE identifiers. The syntax for CVE identifiers supporting four digits was an unnecessary cushion.
Yet here we are 15 years after that four-digit assumption was made and a major change is coming to CVE identifiers. Starting in January, MITRE will support a new numbering format for CVE-IDs, one whose syntax will accommodate five or more digits. The current format, CVE-2014-xxxx, is coming close to outliving its usefulness.
Full Article
The following article is an update on CVE
By Brian Prince on September 18, 2014
Software vulnerabilities have continued to grow, so perhaps it was inevitable that one day The MITRE Corporation would have to make a change to the Common Vulnerabilities and Exposures Identifiers (CVE-IDs) they produce.
Previously, the four-digit restriction on the CVE-IDs only allowed up to 9,999 a year - a number that could be eclipsed by the end of the year.
As a result, MITRE is readying to issue CVE-IDs with new syntax that allows for five or more end digits. Already, several major software vendors and cyber-security organizations are now consuming or producing CVE-IDs in the new numbering format. By doing so, these organizations are ensuring that their products, tools, and processes that use CVE will continue to work properly once CVE-ID numbers are issued using the new syntax, which could happen before the end of 2014, and will happen no later than Jan. 13, 2015, according to MITR
SecurityWeek/ full article here http://www.securityweek.com/cve-id-vulnerability-numbering-format-change-could-challenge-vendors-who-dont-adopt
(CVE-ID Vulnerability Numbering Format Change Could Challenge Vendors Who Don't Adopt)
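To make the breakage the articles warn about concrete, here is an added example (not part of the thread or of either article) showing how a parser built around four-digit sequence numbers misreads longer CVE-IDs, next to a pattern and sort key that handle both. The function names and the sample text are assumptions made for illustration, and the pattern accepts four or more digits so that existing IDs stay valid.

```python
import re

# Constructed scanner text; the IDs exercise the syntax only and are not
# references to particular vulnerabilities.
SAMPLE = ("Findings: CVE-2014-0001, CVE-2014-9999, "
          "CVE-2014-10000 and CVE-2014-123456.")

# Old assumption: the sequence number is exactly four digits.
LEGACY_RE = re.compile(r"CVE-(\d{4})-(\d{4})")
# Variable-length syntax: four or more digits, with word boundaries so a
# longer ID is never cut short.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")


def extract_legacy(text):
    """Fixed-width extraction: longer IDs are silently truncated."""
    return [f"CVE-{year}-{seq}" for year, seq in LEGACY_RE.findall(text)]


def extract(text):
    """Extraction that accepts four or more sequence digits."""
    return [f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)]


def misread_by_legacy(text):
    """Pairs of (actual ID, what the fixed-width parser reports instead)."""
    pairs = []
    for match in CVE_RE.finditer(text):
        actual = match.group(0)
        seen = LEGACY_RE.match(actual).group(0)
        if seen != actual:
            pairs.append((actual, seen))
    return pairs


def sort_key(cve_id):
    """Numeric ordering; plain string sorting puts 10000 before 9999."""
    _, year, seq = cve_id.split("-")
    return (int(year), int(seq))


if __name__ == "__main__":
    for actual, seen in misread_by_legacy(SAMPLE):
        print(f"{actual} would be recorded as {seen}")
    print(sorted(extract(SAMPLE), key=sort_key))
```

The truncation case matters more than an outright rejection: the legacy parser does not fail, it records a different, well-formed identifier, so reports and patch tracking end up attached to the wrong entry.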