CVEs are a critical part of the cybersecurity knowledge base, but if you’re new to the industry they can be a little confusing at first. Let’s break it down!
What does CVE stand for?
CVE stands for “Common Vulnerabilities and Exposures”. Clear as mud? But that really does hit the nail on the head. If a security vulnerability that can be fixed is identified in a product, it will be tied to a CVE. A CVE is also a numeric identifier, formatted as CVE-YYYY-XXXXX, where YYYY is the year and XXXXX is a unique 4- to 6-digit number.
What is a CVE number?
A CVE number is a universally used numeric identifier assigned to one, and only one, vulnerability. This gives the community a shared reference for an issue as they discuss it, rather than relying on vendor-specific identifiers. Sometimes vulnerabilities are given a name (typically by the party who identified them), like “Dirty Cow” or “Dirty Pipe”, but the CVE number is always assigned and is universal. With the ever-increasing number of vulnerabilities being discovered each year, a numeric naming convention is the best way to keep track of them.
So how does the number get assigned? Who does it? According to Red Hat, “CVE identifiers are assigned by a CVE Numbering Authority (CNA). There are about 100 CNAs, representing major IT vendors—such as Red Hat, IBM, Cisco, Oracle, and Microsoft—as well as security companies and research organizations. MITRE can also issue CVEs directly.” MITRE manages the CVE Program and its regulations.
Typically, a batch of numbers is assigned to each CNA, so that when a vulnerability is discovered in their software they can reserve a number for it. This helps prevent the same number being reused for multiple vulnerabilities. Still, there is a possibility that multiple entities “discover” the vulnerability at nearly the same time and need to go through an additional process to decide who gets to assign the CVE number.
What qualifies to have a CVE number?
There are some set guidelines used to decide if a vulnerability should be assigned a CVE number. The CVE Program provides general guidelines upon which CNAs and vendors can develop detailed lists as needed for their industry, country, etc. You can view the full list from the CVE Program here, but I’ve also listed a few below:
CNAs MUST intend to make the vulnerabilities for which they assign CVE IDs public if they are not already.
CNAs SHOULD NOT assign CVE IDs to vulnerabilities in products that are not publicly available or licensable.
CNAs MUST NOT assign a CVE ID to a vulnerability if the affected product(s) or service(s):
Are not owned by the CNA, and
Are not customer controlled.
Not all vulnerabilities will have a number. For instance, if there is no fix for the vulnerability, no CVE number should be assigned.
Do all CVEs have the same importance?
No. CVEs are ranked using a Common Vulnerability Scoring System (CVSS) score. This score allows the community to quickly identify the severity of the vulnerability so they can prioritize it appropriately. The score is not issued by the CNA or MITRE; it’s actually issued by the NVD (I know, another acronym). The National Vulnerability Database (NVD) builds off of the CVE system to create a score from 0.0 to 10.0, where 10.0 is the highest. There’s even a CVSS calculator that you can check out to get more details on the criteria. I won’t get into the details here, but you can read more on the CVE Program website. The key takeaway here is that the score is just as important as the CVE number (if not more important), since it is what enables the community to take appropriate action.
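To tie the identifier format and the score together, here is a small added example (not from the original post or from the CVE Program) that validates and normalises CVE-YYYY-NNNN identifiers pulled from free text, then orders them by CVSS score for triage. It assumes the official ID syntax, which requires a four-digit year and a sequence of four or more digits (the post’s 4-to-6-digit range is the common case, but the parser does not cap the length); the identifiers and scores in the sample are constructed placeholders, not real CVEs.

```python
import re
from dataclasses import dataclass

# CVE-YYYY-NNNN: a four-digit year and a sequence of at least four digits.
# \b on both sides stops substrings such as "XCVE-2020-0042" from matching.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form keeps leading zeros in short sequences (e.g. CVE-2020-0042).
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Validate one identifier such as 'cve-2021-99999' and normalise its case."""
    match = CVE_ID_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not a well-formed CVE identifier: {text!r}")
    return CveId(year=int(match.group(1)), sequence=int(match.group(2)))


def extract_cve_ids(text: str) -> list[CveId]:
    """Find every CVE identifier in free text (an advisory, a ticket, a chat log),
    de-duplicated and returned in order of first appearance."""
    seen: dict[CveId, None] = {}
    for m in CVE_ID_RE.finditer(text):
        seen.setdefault(CveId(int(m.group(1)), int(m.group(2))), None)
    return list(seen)


def rank_by_cvss(scores: dict[str, float]) -> list[tuple[str, float]]:
    """Order identifiers by CVSS base score, highest first. A score outside
    0.0-10.0 is rejected rather than sorted, since a bad score misdirects triage."""
    ranked = []
    for raw_id, score in scores.items():
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"CVSS score out of range for {raw_id}: {score}")
        ranked.append((str(parse_cve_id(raw_id)), score))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample text; the identifiers are placeholders, not real CVEs.
SAMPLE_ADVISORY = (
    "Patched cve-2021-99999 and CVE-2020-0042. CVE-2021-99999 was reported twice; "
    "CVE-2023-123456 uses a six-digit sequence and CVE-2020-42 is malformed."
)

if __name__ == "__main__":
    found = extract_cve_ids(SAMPLE_ADVISORY)
    print([str(c) for c in found])  # ['CVE-2021-99999', 'CVE-2020-0042', 'CVE-2023-123456']
    print(rank_by_cvss({"cve-2021-99999": 7.8, "CVE-2020-0042": 9.8, "CVE-2023-123456": 4.3}))
```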
Hopefully this helps clarify what a CVE number is and why it’s important. There are a ton of details we could get into and spend a lot of time discussing, but we hope this gives some foundational knowledge as a jumping-off point for you!
What other IT or cybersecurity topics would you like us to talk about? Drop a comment and let us know!
‘Til next time!
Jessica Starkey | Technical Marketing Engineer