We need some guidance on how to more accurately
reference CVE numbers.
As CVE begins to focus more on configuration
issues (a.k.a. "exposures"), we have encountered
the following general question:
Q: Should a data element that deals with a configuration
a) only the cve/can number related to that configuration
b) the cve/can number related to the configuration issue
AS WELL AS ALL cve/can NUMBERS OF VULNERABILITIES
THAT ARE REMOVED WHEN THE CONFIGURATION ISSUE IS
As a motivating example, consider:
CAN-1999-0630: The NT Alerter and Messenger services are running.
Disabling the Messenger service eliminates the following vulnerability:
CVE-1999-0224: Denial of service in Windows NT messenger service
through a long username.
As a second example, consider:
CAN-1999-0619: The Telnet service is running.
A partial list of vulnerabilities closed by disabling
this service is found here:
Product Manager, Policy & Compliance Products
BindView - Insight at Work