On Friday, before our weekly OWASP SBOM Forum meeting, Bruce Lowenthal of Oracle and Andrey Lukashenkov of Vulners provided the group an update on how the National Vulnerability Database (NVD) is doing in getting out of the huge hole it started digging for itself on February 12 of this year. The last update I provided was exactly one month ago. You’ll be pleased (?) to hear they’re making progress: the hole is getting deeper by the day!
The “hole” I’m referring to is the number of new CVE (vulnerability) reports released by CVE.org that the NVD has not “enriched” by adding a CPE name to them. To learn why having a CPE name (or more than one) in the report is so important, see the post I just referenced, and also this post. Before February 12, the NVD usually enriched almost every new CVE report it received each month. However, starting on that day, the number of CVEs enriched each day dropped to literally zero on some days, and not much more than that on others.
A month ago, Andrey said the NVD had a backlog of 17,000
vulnerabilities since February 12; yesterday, he said the backlog is “well over”
18,000. Bruce added some great details:
1. After enriching only a tiny percentage of CVEs between February 12 and June 1, the NVD started at least enriching some, although they were still increasing the backlog by 75-100 CVEs a day (I developed that estimate based on data that Andrey provided me a month ago).
2. However, it seems even that was too good to last, since Bruce says that the NVD now seems to have stopped enriching June CVE reports, after enriching about 37% of them. Not only have they abandoned June CVEs, they have mostly skipped over July altogether and are concentrating on August CVEs.
3. He provided some interesting details: since last Friday, 652 new CVEs have been published by CVE.org for July and August (and none for June, mind you, so June remains at 37% enriched). But the NVD only enriched 37 CVEs from July and 174 from August. Given that we’re in the middle of August but July is over, one would think they would be enriching many more from July than from August; instead, it’s the other way around.
4. In any case, the 211 CVEs enriched since last Friday mean the backlog grew by 652 – 211 = 441; this is within the 75-100 daily range I estimated a month ago. At least you have to credit the NVD’s consistency: they’re growing the backlog by a fairly steady amount every day. On the other hand, I don’t think they deserve hearty thanks for that dubious achievement.
5. And what has the NVD said about all this? The last time they said anything about the backlog was May 29, when they announced, “We anticipate that this backlog will be cleared by the end of the (government) fiscal year.” Let’s see: the FY ends on September 30, which is 44 days from now. To be charitable, let’s say the backlog is currently 18,000 and it’s growing by 61 a day (the daily rate it grew since Friday, August 9); that means it will be 20,684 on September 30. Since they’re enriching about 30 CVEs a day (at least since last Friday), that means they will have to crank up their daily enrichment rate from 30 to 470 per day, which is an increase of over 1400 percent! Do you think they can do this?...I didn’t think so.
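If you want to check these percentages yourself rather than take anyone’s word for them, the test is mechanical: a CVE counts as “enriched” once the NVD has attached at least one CPE name to it. The following is an added example (mine, not the NVD’s or the SBOM Forum’s code) that applies that test to records in the shape returned by the NVD API 2.0 (`/rest/json/cves/2.0`), groups them by publication month, and computes the enrichment rate needed to hit a deadline. The field layout (`vulnerabilities[].cve.configurations[].nodes[].cpeMatch[].criteria`, `vulnStatus`, `published`) is my assumption about that API; the sample response is constructed inline, and its CVE IDs are placeholders, not real records.

```python
"""Measure NVD enrichment from API 2.0-shaped records: a CVE is "enriched" once
the NVD has attached at least one CPE name to it (the post's definition)."""
from collections import defaultdict


def _cve(cve_id, published, status, cpes=None):
    """Build one item in the assumed NVD API 2.0 layout. cpes=None means the
    'configurations' key is absent, as it is for CVEs still awaiting analysis."""
    record = {"id": cve_id, "published": published, "vulnStatus": status}
    if cpes is not None:
        record["configurations"] = [{"nodes": [{
            "operator": "OR", "negate": False,
            "cpeMatch": [{"vulnerable": True, "criteria": c} for c in cpes],
        }]}]
    return {"cve": record}


# Constructed sample response; the IDs are placeholders, not real CVE records.
SAMPLE_RESPONSE = {"vulnerabilities": [
    _cve("CVE-0000-0001", "2024-06-03T10:12:00.000", "Analyzed",
         ["cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"]),
    _cve("CVE-0000-0002", "2024-06-12T14:00:00.000", "Awaiting Analysis"),
    # 'configurations' present but with no CPE match: still not enriched
    _cve("CVE-0000-0003", "2024-06-28T09:30:00.000", "Undergoing Analysis", []),
    _cve("CVE-0000-0004", "2024-07-09T16:45:00.000", "Awaiting Analysis"),
    _cve("CVE-0000-0005", "2024-07-15T11:00:00.000", "Rejected"),
    _cve("CVE-0000-0006", "2024-08-05T08:20:00.000", "Analyzed",
         ["cpe:2.3:a:examplevendor:exampleapp:2.0:*:*:*:*:*:*:*",
          "cpe:2.3:a:examplevendor:exampleapp:2.1:*:*:*:*:*:*:*"]),
    _cve("CVE-0000-0007", "2024-08-13T13:05:00.000", "Awaiting Analysis"),
]}


def cpe_names(item):
    """Return every CPE 2.3 name attached to this CVE (empty list if none)."""
    names = []
    for config in item["cve"].get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                names.append(match["criteria"])
    return names


def is_enriched(item):
    """Enriched means at least one CPE name is present, whatever vulnStatus says."""
    return len(cpe_names(item)) > 0


def backlog_by_month(response):
    """Group non-rejected CVEs by publication month ("YYYY-MM") and count
    enriched vs. unenriched; the unenriched IDs are the backlog for that month."""
    stats = defaultdict(lambda: {"published": 0, "enriched": 0, "unenriched": []})
    for item in response["vulnerabilities"]:
        cve = item["cve"]
        if cve.get("vulnStatus") == "Rejected":
            continue  # rejected CVEs never get CPE names and are not backlog
        bucket = stats[cve["published"][:7]]
        bucket["published"] += 1
        if is_enriched(item):
            bucket["enriched"] += 1
        else:
            bucket["unenriched"].append(cve["id"])
    for bucket in stats.values():
        bucket["pct_enriched"] = round(100.0 * bucket["enriched"] / bucket["published"], 1)
    return dict(sorted(stats.items()))


def required_daily_rate(backlog, growth_per_day, days_left):
    """Enrichments per day needed to reach zero backlog in days_left while new
    unenriched CVEs keep arriving at growth_per_day."""
    return (backlog + growth_per_day * days_left) / days_left


if __name__ == "__main__":
    for month, b in backlog_by_month(SAMPLE_RESPONSE).items():
        print(f"{month}: {b['enriched']}/{b['published']} enriched "
              f"({b['pct_enriched']}%), waiting: {b['unenriched']}")
    # the post's figures: 18,000 backlog, +61/day, 44 days to September 30
    print(f"rate needed: {required_daily_rate(18000, 61, 44):.0f}/day")
```

To run this against live data, replace `SAMPLE_RESPONSE` with pages fetched from the NVD API for a `pubStartDate`/`pubEndDate` window; note that a record can carry `vulnStatus: Analyzed` and still have no usable CPE match, which is why the check keys on the CPE names rather than on the status field.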
The worst part about this whole episode (if “episode” is the right word; “total collapse” would be better) is that they’ve provided zero useful information on a) the cause of the problem, b) when the problem will be fixed (meaning they’ll not only eliminate the backlog, but get back to an enrichment pace with zero backlog growth), and c) what they’ll do to prevent the problem from recurring. Given their silence, I have to assume the answers are:
a) We aren’t going to tell you.
b) Never.
c) Nothing.
Have a good day!
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.
I lead the OWASP SBOM Forum and its Vulnerability Database Working Group. These two
groups work to understand and address issues like what’s discussed in this
post; please email me to learn more about what we do or to join us. You can
also support our work through easy directed donations to OWASP, a 501(c)(3)
nonprofit, which are passed through to the SBOM Forum. Please email me to
discuss that.
My book "Introduction to SBOM and VEX"
is available in paperback
and Kindle versions! For background on the book and the link to order it,
see this post.