
CVE (Common Vulnerability and Exposures) list and explanation


Have you ever wondered what the CVE and CCE numbers in security reports refer to?
Here is the answer and explanation!

"Common Vulnerabilities and Exposures (CVE)"
"Common Configuration Enumeration (CCE)"


Link to CVE (Common Vulnerability and Exposures) website
Link to CCE (Common Configuration Enumeration) website

About CVE

Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities, while its Common Configuration Enumeration (CCE™) provides identifiers for security configuration issues and exposures.
CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.
CVE is:
• One name for one vulnerability or exposure
• One standardized description for each vulnerability or exposure
• A dictionary rather than a database
• How disparate databases and tools can "speak" the same language
• The way to interoperability and better security coverage
• A basis for evaluation among tools and databases
• Free for public download and use
• Industry-endorsed via the CVE Editorial Board and CVE-Compatible Products

CVE was launched in 1999 when most information security tools used their own databases with their own names for security vulnerabilities. At that time there was no significant variation among products and no easy way to determine when the different databases were referring to the same problem. The consequences were potential gaps in security coverage and no effective interoperability among the disparate databases and tools. In addition, each tool vendor used different metrics to state the number of vulnerabilities or exposures they detected, which meant there was no standardized basis for evaluation among the tools.
CVE’s common, standardized identifiers provided the solution to these problems.
CVE is now the industry standard for vulnerability and exposure names. CVE Identifiers provide reference points for data exchange so that information security products and services can speak with each other. CVE Identifiers also provide a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization’s needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.

How CVE Works
The process of creating a CVE Identifier begins with the discovery of a potential security vulnerability.

The information is then assigned a CVE Identifier by a CVE Numbering Authority (CNA) and posted on the CVE List on the CVE Web site by the CVE Editor. As part of its management of CVE, The MITRE Corporation functions as Editor and Primary CNA.
The CVE Editorial Board oversees this process.

Each CVE Identifier includes:

• CVE Identifier number (i.e., "CVE-1999-0067").
• Brief description of the security vulnerability or exposure.
• Any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID).

Read more about CVE here


Below are the CVE Initiative’s definitions of the terms "Vulnerability" and "Exposure":
An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network.
CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes entirely "open" security policies in which all users are trusted, or where there is no consideration of risk to the system).
For CVE, a vulnerability is a state in a computing system (or set of systems) that either:
• allows an attacker to execute commands as another user
• allows an attacker to access data that is contrary to the specified access restrictions for that data
• allows an attacker to pose as another entity
• allows an attacker to conduct a denial of service

Examples of vulnerabilities include:
• phf (remote command execution as user "nobody")
• rpc.ttdbserverd (remote command execution as root)
• world-writable password file (modification of system-critical data)
• default password (remote command execution or other access)
• denial of service problems that allow an attacker to cause a Blue Screen of Death
• smurf (denial of service by flooding a network)
Review vulnerabilities on the Common Vulnerabilities and Exposures (CVE) List.

An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
CVE considers a configuration issue or a mistake an exposure if it does not directly allow compromise but could be an important component of a successful attack, and is a violation of a reasonable security policy.
An "exposure" describes a state in a computing system (or set of systems) that is not a vulnerability, but either:
• allows an attacker to conduct information gathering activities
• allows an attacker to hide activities
• includes a capability that behaves as expected, but can be easily compromised
• is a primary point of entry that an attacker may attempt to use to gain access to the system or data
• is considered a problem according to some reasonable security policy

Examples of exposures include:
• running services such as finger (useful for information gathering, though it works as advertised)
• inappropriate settings for Windows NT auditing policies (where "inappropriate" is enterprise-specific)
• running services that are common attack points (e.g., HTTP, FTP, or SMTP)
• use of applications or services that can be successfully attacked by brute force methods (e.g., use of trivially broken encryption, or a small key space)
Review exposures on the Common Configuration Enumeration (CCE) List.

About CCE

The CCE List provides unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools.

For example, CCE Identifiers are included for the settings in Microsoft Corporation’s Windows Server 2008 Security Guide and 2007 Microsoft Office Security Guide; are the main identifiers used for the settings in the U.S. Federal Desktop Core Configuration (FDCC) data file downloads; and provide a mapping between the elements in configuration best-practice documents including the Center for Internet Security’s (CIS) CIS Benchmark Documents, National Institute of Standards and Technology’s (NIST) NIST Security Configuration Guides, National Security Agency’s (NSA) NSA Security Configuration Guides, and Defense Information Systems Agency’s (DISA) DISA Security Technical Implementation Guides (STIGs).

In addition, CCE is also one of six existing open standards used by NIST in its Security Content Automation Protocol (SCAP) program, which combines "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements." Numerous products have been validated by NIST as conforming to the CCE component of SCAP.


When dealing with information from multiple sources, use of consistent identifiers can improve data correlation; enable interoperability; foster automation; and ease the gathering of metrics for use in situation awareness, IT security audits, and regulatory compliance. For example, Common Vulnerabilities and Exposures (CVE®) provides this capability for information security vulnerabilities.

Similar to the CVE effort, CCE assigns a unique, common identifier to a particular security-related configuration issue. CCE identifiers are associated with configuration statements and configuration controls that express the way humans name and discuss their intentions when configuring computer systems (see CCE Editorial Policies for detailed content decisions). In this way, the use of CCE-IDs as tags provides a bridge between natural language, prose-based configuration guidance documents and machine-readable or executable capabilities such as configuration audit tools.

Each entry on the CCE List contains the following five attributes:
• CCE Identifier Number – "CCE-2715-1"
• Description – a humanly understandable description of the configuration issue
• Conceptual Parameters – parameters that would need to be specified in order to implement a CCE on a system
• Associated Technical Mechanisms – for any given configuration issue there may be one or more ways to implement the desired result
• References – pointers to the specific sections of the documents or tools in which the configuration issue is described in detail
Currently, CCE is focused solely on software-based configurations. Recommendations for hardware and/or physical configurations are not supported. Refer to the CCE List for more information.
Read more about CCE here

Perhaps this topic would be something to nail to the top for easy access and use? ;)
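The post above makes one practical point: because every tool names a vulnerability by the same CVE Identifier, findings from separate tools can be matched to each other and to a fix database without guessing whether two differently worded reports mean the same problem. The script below is an added example, not part of Pez's post and not MITRE's code. It extracts and normalizes CVE IDs from two constructed scanner outputs, correlates them, and joins them against a constructed fix table; the tool names, the CVE-2012-xxxx identifiers and the fixes are placeholders invented for the example (only CVE-1999-0067 and CCE-2715-1 come from the post). The CCE check-digit routine assumes the Luhn mod-10 algorithm, which is my understanding of the CCE-ID format and is not stated on the page; CCE-2715-1 satisfies it.

```python
"""Correlating security-tool findings by CVE Identifier (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# CVE IDs: "CVE-" + four-digit year + "-" + sequence number of four or more digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
# CCE IDs: "CCE-" + digits + "-" + one check digit, e.g. CCE-2715-1 from the post.
CCE_RE = re.compile(r"\bCCE-(\d+)-(\d)\b", re.IGNORECASE)


def normalize_cve(raw: str) -> Optional[str]:
    """Return the canonical upper-case form of a CVE ID, or None if it is not one."""
    m = CVE_RE.fullmatch(raw.strip())
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def extract_cves(text: str) -> Set[str]:
    """Pull every CVE ID out of free text (a report line, an advisory, a log line)."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}


def cce_check_digit_ok(cce_id: str) -> bool:
    """Verify the trailing CCE check digit.

    Assumption of this example (not stated in the post): the check digit is a
    Luhn mod-10 digit over the preceding number. CCE-2715-1 passes this check.
    """
    m = CCE_RE.fullmatch(cce_id.strip())
    if not m:
        return False
    payload, check = m.group(1), int(m.group(2))
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting with the rightmost
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (total + check) % 10 == 0


# Constructed sample output from two tools that describe the same issues in
# different words but both carry CVE IDs. Placeholder hosts and identifiers.
SCANNER_A = """\
host=web01 plugin=101 severity=high refs=cve-2012-1001,CVE-2012-1002
host=db01 plugin=102 severity=medium refs=CVE-1999-0067
"""
SCANNER_B = """\
web01  example-lib remote code execution (CVE-2012-1001)
db01   phf CGI remote command execution, see CVE-1999-0067
db01   unpatched service, see CVE-2012-1003
"""

# Constructed stand-in for a CVE-compatible remediation database.
FIX_DB: Dict[str, str] = {
    "CVE-2012-1001": "upgrade example-lib (placeholder fix)",
    "CVE-2012-1002": "apply vendor patch (placeholder fix)",
    "CVE-1999-0067": "remove the phf CGI script",
}


def correlate(reports: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each CVE ID to the set of tools that reported it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for tool, text in reports.items():
        for cve in extract_cves(text):
            seen[cve].add(tool)
    return dict(seen)


def remediation_plan(reports: Dict[str, str],
                     fix_db: Dict[str, str]) -> Tuple[Dict[str, Tuple[List[str], str]], List[str]]:
    """Join correlated findings against the fix database.

    Returns (plan, unknown): plan maps CVE -> (reporting tools, fix); unknown
    lists CVEs with no fix entry, which need manual triage rather than silence.
    """
    plan: Dict[str, Tuple[List[str], str]] = {}
    unknown: List[str] = []
    for cve, tools in sorted(correlate(reports).items()):
        if cve in fix_db:
            plan[cve] = (sorted(tools), fix_db[cve])
        else:
            unknown.append(cve)
    return plan, unknown


if __name__ == "__main__":
    plan, unknown = remediation_plan({"scanner_a": SCANNER_A, "scanner_b": SCANNER_B}, FIX_DB)
    for cve, (tools, fix) in plan.items():
        print(f"{cve}: reported by {', '.join(tools)} -> {fix}")
    print("no fix entry (triage manually):", unknown)
    print("CCE-2715-1 check digit valid:", cce_check_digit_ok("CCE-2715-1"))
```

The normalization step matters in practice: tools differ in case and punctuation around the identifier, and since 2014 the sequence part may be longer than four digits, so the pattern accepts four or more digits rather than exactly four. Anything a tool reports without a CVE ID, or with an ID that has no fix entry, falls out as "unknown" instead of being dropped, which is the gap the post's "potential gaps in security coverage" refers to.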


--- Quote from: Pez on 18. April 2012., 09:54:03 ---Perhaps this topic would be something to nail to the top for easy access and use? ;)

--- End quote ---

"Stickied" in to "Latest Security News & Alerts" area. ;)



