2020 Q1 in review

What is CVE? Keeping Track of Vulnerabilities with CVE Vulnerability Database

Standardization and sharing are two pillars of the modern approach to application development. Instead of monolithic applications built on proprietary code, today’s distributed applications incorporate open-source frameworks and libraries into a microservices architecture. The benefits are huge: ease of integration; high levels of interoperability; and shared efforts that encourage innovation, reduce times to market, and improve quality.

In this article, we describe how the Common Vulnerabilities and Exposures (CVE) program brings standardization and information sharing to the vulnerability management activities of cybersecurity teams.

What Is CVE?

CVE stands for Common Vulnerabilities and Exposures. CVE is a free service that identifies and catalogs known software or firmware vulnerabilities. CVE is not, in itself, an actionable vulnerability database. It is, in effect, a standardized dictionary of publicly known vulnerabilities and exposures. CVE is used by many security-related products and services such as vulnerability management and remediation, intrusion detection, incident management, and more.

How Does the CVE System Work?

The CVE List is a set of records, each one of which describes a specific vulnerability or exposure. The CVE List is maintained by a large community of trusted entities and individuals that are qualified to identify and describe coding flaws or security misconfigurations that could be exploited by bad actors to compromise a system or data. The key contributors to the CVE List include vendors, researchers, developers and even end-usrs.

As defined by CVE, a vulnerability is “[a] flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.”

A vulnerability, therefore, provides an attacker with direct unauthorized access to a system or network, often with full privileges to execute commands or access restricted information. An exposure is a code or configuration error through which an attacker can gain indirect and often hard-to-discover access to application data such as customer information.

What Is a CVE Record?

Each CVE Record is associated with a unique alphanumeric ID and references a single specific vulnerability. The CVE Record includes a brief description of the vulnerability or exposure and at least one public reference. Authorized Data Publishers (ADPs) can then enrich a CVE Record with additional information such as risk scores or lists of affected products. CVE Records are added by CVE Numbering Authorities (CNAs)—organizations that are permitted to assign CVE IDs to vulnerabilities.

The primary CNA is MITRE but there are currently 149 CNAs in 25 countries, all acting within a kind of federated system.

Each CNA has a defined scope of responsibility for identifying and publishing vulnerabilities, often related to their own products. A CNA is issued a block of CVE IDs to attach to new issues as they arise. The list of CNAs includes the likes of Adobe Systems, Advanced Micro Devices (AMD), McAfee, Check Point, Red Hat, Microsoft, and Google, to name but a few. Root CNAs have the authority to recruit, train, and govern other CNAs or ADPs.

What Qualifies for a CVE?

In order to be added to the CVE List, a vulnerability or exposure has to be:

  • Independently fixable by the end-user.
  • Verified, either by the affected vendor or through other documentation, as negatively impacting security.
  • Relevant to a single affected codebase or product. A vulnerability that affects more than one product gets separate CVEs.

In addition to their own monitoring activities, there are a number of channels through which CNAs become aware of potential CVEs, including end users, cybersecurity companies, and bug bounty programs. It should be noted that not all CVEs are published immediately to the public CVE List. Sometimes the affected vendor reserves a CVE Record until a fix is ready.

What Is the Common Vulnerability Scoring System?

The Common Vulnerability Scoring System (CVSS) is a published standard that uses the CVE List and other sources to produce a numerical score that reflects a vulnerability’s severity. CVSS is used by organizations and services around the globe to prioritize vulnerabilities and assess their vulnerability management processes. CVSS is an excellent example of how the standardized, publicly available CVE List is leveraged by another service to add value to vulnerability management programs. 

To promote its integration with other products and services, the CVE List is available in a number of human- and machine-readable formats.

CVE, Security and Beyond

The CVE List plays a vital role in the cybersecurity world as an essential resource around which security products and services can share standardized information. However, the CVE List alone is not sufficient for building an effective vulnerability remediation program. Other information sources as well as advanced analytic capabilities are required in order to achieve the risk assessment and actionable remediation guidelines that are the hallmarks of a cutting-edge vulnerability remediation solution.

A good example is the industry-leading Snyk Vulnerability Database, which goes far beyond the CVE List to deliver advanced and accurate insights into open-source vulnerabilities. The Snyk Intel Vulnerability Database is based on a rich ecosystem of sources including:

  • Enriched and analyzed data from several vulnerability databases, including CVE (where Snyk is CNA).
  • A dedicated in-house security team that curates other severe vulnerabilities through ongoing independent research efforts.
  • Tight integration with a wide range of threat intelligence systems, carefully listening to chatter on security bulletins, Github commits, and Jira boards to identify vulnerabilities that have not yet been reported.
  • Community members and bug bounties.
  • Academic labs with which Snyk exclusively exchanges tools, methods, and data.

The result is remarkably comprehensive security coverage, including many non-CVE vulnerabilities as well as the exposure of many vulnerabilities before they appear in any public database. Snyk’s benchmarks demonstrate that vulnerabilities are identified 25 days faster in the Snyk database compared with the next largest commercial database.

Create a free Snyk account now to monitor and check your code for vulnerabilities

With its hand-curated content and enriched metadata, the Snyk Intel Vulnerability Database has a very low rate of false positives. Every vulnerability is assigned a risk-based CVSS score, and vulnerabilities with published exploit code are clearly indicated. The vulnerability remediation team is immediately alerted when a vulnerable function is called during runtime.

vulnerability database explanation

Figure 1: Snyk Vulnerability Database Listing

Figure 1 shows a typical listing in the Snyk Vulnerability Database. The CVSS score [1] shows that this vulnerability is of high severity, and its exploitability characteristics [2] indicate that the attack is of low complexity, requiring no privileges. The overview [5] is clear and concise, followed by remediation guidelines [6] and a reference [7] to a more detailed description. You can click “Test your applications” [4] to discover whether or not your application uses the vulnerable package. Last but not least, the vulnerability’s identifiers and timestamps are displayed in the lower right corner [8]. The Snyk Vulnerability Database also makes it easy for you to report new vulnerabilities [3] at any time.

How efficient is Snyk Vulnerability Database ?

Snyk has a comprehensive Security coverage offering you the best service in the market .

  • 40% of the Snyk’s Database is proprietary, and it goes beyond: Snyk’s database goes far beyond CVE vulnerabilities (which consist only 60% of the database) and includes many additional non-CVE vulnerabilities that are derived from several sources.
  • We offer the best coverage in the market : 280% better database coverage as compared to other counterparts. Snyk regularly wins head to head comparisons to other vendors and finds many more vulnerabilities not detected by others
  • 72% of the vulns in NPM Audit were already found in Snyk’s Database: We are the first to know and publish – Snyk exposes many vulnerabilities before they are added to public databases. On Average, Snyk publishes vulnerabilities 92 days sooner than NPM
January 13, 2021
| By Liran Tal