Bruce Lowenthal, Senior Director of Product Security for Oracle, has been following the ups and downs (mostly the latter) of the National Vulnerability Database (NVD) since February 2024. On the 12th of that month, the NVD without warning almost completely stopped creating CPE (“Common Platform Enumeration”) identifiers for the vulnerable products identified in new CVE records. It’s no exaggeration to say that creating CPE names is one of the most important things the NVD does.
CVE records are vulnerability reports prepared by CVE Numbering Authorities (CNAs). Oracle is one of the largest CNAs in terms of number of CVEs reported, so Bruce’s interest in the NVD and in the CVE program isn’t just academic (I briefly explained how CVE.org and the NVD work, as well as why this problem is so serious, in this post last December. A second post added to the first one, but isn’t essential to read).
Despite various NVD promises to have the problem fixed last year, the problem only got worse, not better. In fact, at the end of December it seemed like the NVD might be about to literally give up creating new CPE names. By March, that outcome seemed, if anything, to be more likely.
However, a little more than two weeks ago, I asked Bruce for an NVD update, and he painted a different picture: In the last few months, the NVD has picked up its pace of adding CPE names to CVE records that don’t now have them; that’s the good news. However, the bad news is that they’re wasting most of their efforts by creating CPEs for CVE records that are more than three months old.
The big problem with this practice is that most suppliers patch new vulnerabilities within two or three months. This means the CVE record is usually out of date when NIST adds the CPE name to it: the CVE can be discovered by a search using the product’s CPE name, but the product is no longer affected by the CVE, as long as the user has applied the patch the supplier provided.
Yesterday, Bruce emailed me an update: the good news is better and the bad news is worse. That is, the NVD seems to be “enriching” (i.e., adding a CPE name to) more CVE records than at any time since February 2024, but they’re still concentrating most of their effort on vulnerabilities that are likely to be patched already, rather than on ones that aren’t. Why are they doing this?
He sent me the table shown below, which lists, for every month since March of 2024, the percentage of CVE records published in that month that have at least one CPE name assigned to them (no matter when the CPE was assigned). Note that:
1. Bruce says that in the past three weeks, NIST has assigned a CPE name to at least one CVE record published in each of the months in the table. So, despite his advice to stop updating older CVE records altogether and just focus on the most recent records, the NVD seems to want to treat all records equally, no matter when they were created.
2. For the most recent four months (including this month, July), an average of only 36% of the new CVE records published in that month have been assigned a CPE name. On the other hand, the average for the four months starting in June of 2024 is 78%. Obviously, the NVD could have made Bruce (and a lot of his peers) happier by concentrating on recently-identified vulnerabilities, not “oldies but (not-so-)goodies”.
3. Bruce conducted a good thought experiment. He asked, “What if, starting today, the NVD focused all of its efforts on adding CPE names to CVE records that have been created in the past six weeks?” (Remember, before February 2024, the NVD was normally adding CPE names to CVE records that had been created within the past week.) He says that, by the end of August and with no increase in resources (which isn’t likely to occur anyway), the monthly percentages of new CVE records with CPE names in the table below for June, July and August would be 95% during each of those three months. Of course, were this to be done, searches of the NVD would be much more likely to identify recently created CVEs than they are today.
Bruce concluded his email by saying, “This data is really interesting. It suggests that NVD can provide an acceptable (level of) service with their current resources by just changing their priorities!” However, he added, “But the current approach probably means they will never catch up unless they get more resources or become more efficient.”
Unfortunately, in today’s Washington, the likelihood of getting more resources is small. And what’s the likelihood that the NVD will become more efficient? Given their performance over the past year and a half, I certainly wouldn’t bet the farm on it.
CPE Assignment by Month (March 2024 through July 2025)

Month (published)   Total CVE records   With at least one CPE   Percent
2025-07-01          2,245               650                     29%
2025-06-01          3,358               1,464                   44%
2025-05-01          3,759               1,811                   48%
2025-04-01          4,062               1,461                   36%
2025-03-01          3,952               1,815                   46%
2025-02-01          2,960               1,397                   47%
2025-01-01          4,150               1,732                   42%
2024-12-01          3,025               1,482                   49%
2024-11-01          3,631               2,206                   61%
2024-10-01          3,378               2,375                   70%
2024-09-01          2,420               2,039                   84%
2024-08-01          2,708               2,247                   83%
2024-07-01          2,894               2,091                   72%
2024-06-01          2,752               2,004                   73%
2024-05-01          3,350               1,900                   57%
2024-04-01          3,239               1,953                   60%
2024-03-02          2,549               1,796                   70%
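For readers who want to reproduce Bruce’s metric against their own pull of NVD data, here is an added example in Python. It is not code from this post, nor anything Bruce or NIST ran; it assumes the NVD CVE API 2.0 record layout (cve.id, cve.published, cve.vulnStatus and cve.configurations[].nodes[].cpeMatch[].criteria), and the JSON it parses is a small constructed sample with made-up CVE IDs and dates. The “Total” and “With” columns are counted the way the table above defines them: a record counts as enriched if it carries at least one CPE 2.3 criteria string, which is what a search on a product’s CPE name can match. The last function takes the May, June and July 2025 totals from the table above and computes how many more records from each month would need a CPE name to reach the 95% Bruce cites in his thought experiment (July is a partial month, so its total will still grow).

```python
"""Added example: CPE coverage by publication month from NVD API 2.0 style
records, plus the enrichment gap implied by a target coverage percentage.
Not from the original post; field names follow the NVD CVE API 2.0 schema."""
from __future__ import annotations

import json
import math
from collections import defaultdict

# Constructed sample shaped like an NVD /rest/json/cves/2.0 response.
# CVE IDs, dates and products are invented for this example.
SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-2025-000001", "published": "2025-06-03T10:00:00.000",
                 "vulnStatus": "Analyzed",
                 "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                     "cpeMatch": [{"vulnerable": True,
                                   "criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}]}]}},
        {"cve": {"id": "CVE-2025-000002", "published": "2025-06-15T10:00:00.000",
                 "vulnStatus": "Awaiting Analysis"}},
        {"cve": {"id": "CVE-2025-000003", "published": "2025-07-02T10:00:00.000",
                 "vulnStatus": "Awaiting Analysis"}},
        {"cve": {"id": "CVE-2025-000004", "published": "2025-07-09T10:00:00.000",
                 "vulnStatus": "Analyzed",
                 "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                     "cpeMatch": [{"vulnerable": True,
                                   "criteria": "cpe:2.3:o:example:firmware:2.1:*:*:*:*:*:*:*"}]}]}]}},
        # A configurations block with no criteria is not searchable by CPE name.
        {"cve": {"id": "CVE-2025-000005", "published": "2025-07-20T10:00:00.000",
                 "vulnStatus": "Analyzed",
                 "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                                                "cpeMatch": []}]}]}},
    ]
})


def has_cpe(cve: dict) -> bool:
    """True if the record carries at least one CPE 2.3 criteria string, i.e.
    a search on the product's CPE name can find it."""
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if str(match.get("criteria", "")).startswith("cpe:2.3:"):
                    return True
    return False


def cpe_coverage_by_month(nvd_json: str) -> dict[str, dict[str, int]]:
    """Per publication month (YYYY-MM): total records, records with a CPE,
    and the percentage rounded to a whole number as in the post's table."""
    rows: dict[str, dict[str, int]] = defaultdict(lambda: {"total": 0, "with": 0})
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        month = cve["published"][:7]
        rows[month]["total"] += 1
        if has_cpe(cve):
            rows[month]["with"] += 1
    for row in rows.values():
        row["percent"] = round(100 * row["with"] / row["total"])
    return dict(rows)


def unsearchable_ids(nvd_json: str, month: str) -> list[str]:
    """CVE IDs published in the given month that a CPE-name search would miss,
    so a defender knows which records still need keyword or vendor-advisory
    review instead."""
    return sorted(item["cve"]["id"] for item in json.loads(nvd_json)["vulnerabilities"]
                  if item["cve"]["published"].startswith(month) and not has_cpe(item["cve"]))


def enrichments_needed(total: int, with_cpe: int, target_percent: int = 95) -> int:
    """How many more records from one month need a CPE name to reach the target."""
    return max(0, math.ceil(total * target_percent / 100) - with_cpe)


# (total, with CPE) for the three most recent months, taken from the table in the post.
TABLE_RECENT = {"2025-05": (3759, 1811), "2025-06": (3358, 1464), "2025-07": (2245, 650)}


def gap_to_target(table: dict | None = None, target_percent: int = 95) -> dict[str, int]:
    """Enrichment gap per month for the 95% coverage Bruce's thought experiment assumes."""
    table = TABLE_RECENT if table is None else table
    return {m: enrichments_needed(t, w, target_percent) for m, (t, w) in table.items()}


if __name__ == "__main__":
    for month, row in sorted(cpe_coverage_by_month(SAMPLE_NVD_JSON).items()):
        print(month, row, "not CPE-searchable:", unsearchable_ids(SAMPLE_NVD_JSON, month))
    print("CPE names still needed for 95% coverage:", gap_to_target())
```

On a real download the input would be the paged API response (or the NVD JSON feeds) rather than the inline sample; the counting logic is unchanged. Note that vulnStatus “Awaiting Analysis” usually coincides with a missing CPE, but the code checks the configurations directly because that is what CPE-name search actually relies on.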
My blog is more popular than ever, but I need more than popularity to keep it going. I’ve often been told that I should either accept advertising or put up a paywall and charge a subscription fee, or both. However, I really don’t want to do either of these things. It would be great if everyone who appreciates my posts could donate a $20-$25 (or more) “subscription fee” once a year. Will you do that today?
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.