a recent debate on how we're going to fit the CVE into our database structure,
one of the DBAs commented on how a specific vulnerability might not just have
one CVE index, but several. Up to now, this group has discussed the potential of
one CVE mapping to zero or more records of a VDB, but the opposite has not been
discussed before; namely, a many-to-many relationship.
example, "Windows NT 4.0 prior to Service Pack 4" involves many
potential CVEs, possibly subsuming the CVEs in SP3, 2, and 1. How would a vendor
handle these, considering that it is probably out of the scope of the CVE to
reconcile these entries?
envision this question raising several points:
- Can a vendor go about assigning multiple CVEs to a
vulnerability or check outside of the framework of the CVE?
- Who verifies that the vendor is doing correct
- Do CVE indices get subsumed in later patches (for example NT
SP3 is subsumed in SP4)? (My opinion on this one is 'no, they do not,' but
almost everything in a VDB get a CVE? I know there are rules on what a
'vulnerability' is, but the draft CVE is a lot less stringent about the
definition than, say, the Common Criteria (CC).
would appreciate your thoughts on this matter.
X-Force Security Research
Security Systems, Inc.
678.443.6241 / fax 678.443.6479www.iss.net
Adaptive Network Security for