
Any computer system with security vulnerabilities can be exposed to cyberattacks if that system is connected to the internet or any external network. (My hunch is that’s pretty much all computers.)
So a true security strategy starts with knowledge: knowing where the weaknesses in your systems and applications are. The Common Vulnerabilities and Exposures (CVE) program is a rich source of that knowledge. Knowing the potential weaknesses of your systems lets you evaluate your security measures against them and build a more robust defense.
Dig deeper into this article and find out:
- What the CVE is
- Most exploited recent CVEs
- A before/after of the CVE
- How to create a CVE record
- Plenty of useful information
Defining vulnerabilities and exposures
Before defining the term CVE, let’s first understand vulnerability and exposure. A vulnerability is a weakness in a computer system that an attacker can exploit to gain unauthorized access or otherwise compromise the system. Vulnerabilities exist at many levels: hardware, software, network, personnel and organizational processes. Common examples include:
- Missing or weak authentication
- Input validation errors
- SQL injection flaws
An exposure is a configuration issue or a mistake in software that does not grant unauthorized access by itself but lets an attacker gather information or gain capabilities that serve as a stepping stone to an attack (for example, a service that reveals detailed version information). Exploited vulnerabilities and exposures cause adverse, often serious effects such as sensitive data leaks, malware installation and ransomware attacks.
(Understand how vulnerabilities lead to threats and risk.)
How The CVE works
The Common Vulnerabilities and Exposures (CVE) list is a publicly available catalog of publicly disclosed information security vulnerabilities and exposures, each with a common identifier that every vendor, scanner and database can use to refer to the same flaw. The objective of the CVE program is to build awareness and share information about these flaws and their potential effects. This helps organizations to:
- Evaluate their cybersecurity strategies and frameworks.
- Track which vulnerabilities are being disclosed and exploited.
- Patch or mitigate their systems against those flaws.
You can find the list of CVEs at https://cve.mitre.org/, which is transitioning to a new website at www.cve.org (currently in beta). At the start of 2023, there were 191,499 CVE Records. There is no monetary fee or contract associated with publishing a CVE record. We’ll cover more of this shortly.
Most frequently exploited CVEs
The annual list of most-exploited CVEs is not published by the CVE Program itself: it comes from CISA and its partner agencies in a joint advisory on the top routinely exploited vulnerabilities, released each spring for the previous year. The 2021 edition, released in April 2022, led with the following:
- Log4Shell (CVE-2021-44228) affects Apache’s Log4j logging library. A crafted string that Log4j logs triggers a JNDI lookup to an attacker-controlled server, giving arbitrary code execution, full control of the host, and a foothold for information theft and ransomware.
- ProxyLogon (CVE-2021-26855, chained with CVE-2021-27065) affects on-premises Microsoft Exchange email servers. A server-side request forgery lets an unauthenticated attacker act as the Exchange server and write files, leading to arbitrary code execution and continued access to mailboxes, files, and credentials stored on the server.
- ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) is a chain of flaws in the Microsoft Exchange Client Access Service (CAS) that together let an unauthenticated attacker execute arbitrary code.
- CVE-2021-26084, an OGNL injection in Atlassian Confluence Server and Data Center, allows unauthenticated execution of arbitrary code.
While it’s too soon for the joint advisory covering 2022 (as of publication), according to PurpleSec these are the top CVEs of 2022:
- The Log4Shell vulnerability continues to be a significant concern, since vulnerable Log4j copies are embedded in many products and are hard to inventory.
- Follina (CVE-2022-30190) is a flaw in the Microsoft Windows Support Diagnostic Tool (MSDT). A malicious Office document or URL that invokes the ms-msdt: protocol handler lets an attacker execute arbitrary code with the privileges of the calling application, even with macros disabled. Microsoft fixed it in the June 2022 security updates.
- Spring4Shell (CVE-2022-22965) affects the Spring Framework for Java when running on JDK 9 or later. Unsafe data binding lets a crafted request write a web shell to the server, giving arbitrary code execution. Spring Framework 5.3.18 and 5.2.20 fixed it.
- Google Chrome zero-days: several vulnerabilities in the Chrome web browser were exploited in the wild during 2022 before a patch was available. Successful exploitation allows arbitrary code execution once the user is lured to a malicious website. Google shipped fixes in subsequent Chrome releases.
(Get more vulnerability and threat research from SURGe and the Splunk Threat Research Team.)
The risk associated with CVE
Some argue that disclosing this information publicly makes attackers aware of vulnerabilities and so makes them easier to exploit. CVE proponents, however, say that more people knowing more about the vulnerabilities accelerates prevention.
Importantly, the CVE list contains only publicly known vulnerabilities and exposures. Under coordinated disclosure, details are usually withheld from the record until the affected vendor has released a fix, so the risk of publishing them is small compared to the educational and actionable benefits the CVE program provides. The flip side is that publication starts the clock: once a record and a patch are public, attackers can reverse the fix, so defenders should treat publication as the trigger to patch.
(MITRE is also well-known for the MITRE ATT&CK Framework. See 10 ways to operationalize the MITRE ATT&CK Framework in your security org.)
Brief history of the CVE
It all began in 1999 when the U.S.-based MITRE Corporation launched the CVE system as a reference system to identify and catalog publicly known vulnerabilities and exposures in computer systems worldwide. Today, the CVE program is maintained by the National Cybersecurity FFRDC, operated by MITRE, and sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), housed within the Department of Homeland Security.
In a pre-CVE world, getting information on vulnerabilities and exposures was not easy. A variety of vulnerability databases, each with its own attributes and identification scheme, were siloed and owned by different parties, so the same flaw went by different names in each. The CVE system breaks down this barrier: one identifier links the entries across databases, and organizations can evaluate security tools against a common list of security flaws.
Business benefits from CVEs
CVE records provide security-concerned organizations with many benefits:
- If you are looking to invest in a new security tool, CVE IDs provide a common baseline for evaluating it: you can compare which CVEs each tool detects or covers and select the one with the highest coverage of the flaws relevant to you.
- By publishing CVE records for vulnerabilities in their own products as soon as they are confirmed and fixed, organizations demonstrate their commitment to security.
- A fast, reliable source for organizations to get accurate information on a particular vulnerability or exposure.
- Allows organizations to prioritize vulnerabilities for better vulnerability management.
- Simplifies vulnerability dissemination processes.
- Builds ongoing trust with current and potential customers.
(Learn how to evaluate CVE severity and prioritize accordingly.)
How to create a CVE record
When you or your organization identifies a vulnerability, you report it to the CVE Program through a CVE Program partner: a CVE Numbering Authority (CNA) whose scope covers the affected product, or the CNA of Last Resort if none does. The CNA reserves a CVE ID for the vulnerability. At this point the record exists in the ‘Reserved’ state: the ID is allocated, but no details are publicly disclosed yet.
Each distinct vulnerability gets exactly one record in the CVE list. The CNA rules set criteria for assigning a CVE ID:
- The vulnerability has a negative impact on security, and is either acknowledged by the vendor or documented in a public report.
- The vulnerability can be fixed independently of any other vulnerability.
- The vulnerability affects one codebase. A flaw in a shared library that ships inside many products gets a single CVE ID; if several products are vulnerable independently in their own code, each gets its own ID.
Next, the CNA fills in the record: the type of vulnerability, its root cause, the affected products and versions, the fixed version, and at least one public reference.
Once the minimum required information is submitted, the CNA publishes the record so that anyone can view and download it, and its state becomes ‘Published.’ A record that turns out to be invalid (a duplicate, not actually a vulnerability, or withdrawn by the requester) is marked ‘Rejected’ so that everyone knows not to use it.
A CVE record deliberately holds only limited information about a vulnerability. For more detail, refer to the NIST National Vulnerability Database (NVD), which ingests every published CVE record and enriches it with CVSS severity scores, CWE weakness classification and CPE product identifiers. To learn which CVEs are actually being exploited, consult the Known Exploited Vulnerabilities (KEV) Catalog from CISA; you can also read about how Splunk integrates with it.
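The CVE ID is the join key that ties your scanner output to the NVD and to the KEV catalog mentioned above. As an added example (not Splunk’s or CISA’s code), the following Python cross-references constructed scanner findings against a constructed excerpt of the KEV catalog and ranks them, so that a KEV-listed CVE with a modest CVSS score outranks an unlisted one with a critical score. The field names follow the public KEV JSON feed; the entries, hosts, scores and dates are made up.

```python
"""Prioritize scanner findings against CISA's Known Exploited Vulnerabilities (KEV) catalog.

Added example, not code from Splunk or CISA. The KEV excerpt and the scanner
findings below are constructed: field names match the public KEV JSON feed,
but the CVE IDs, products, hosts, scores and dates are fictitious.
"""
from datetime import date

# Constructed KEV excerpt in the shape of the real feed (a "vulnerabilities" array).
KEV_CATALOG = {
    "title": "constructed KEV excerpt",
    "catalogVersion": "2099.01.01",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "ExampleApp",
         "vulnerabilityName": "ExampleApp SQL Injection", "dateAdded": "2099-01-05",
         "dueDate": "2099-01-26", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp", "product": "ExampleGateway",
         "vulnerabilityName": "ExampleGateway Auth Bypass", "dateAdded": "2099-02-10",
         "dueDate": "2099-03-03", "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Constructed scanner output: (host, CVE ID, CVSS base score).
FINDINGS = [
    ("web-01", "CVE-2099-0001", 8.8),
    ("web-01", "CVE-2099-0003", 9.8),   # critical score, but not in KEV
    ("vpn-01", "CVE-2099-0002", 7.5),
    ("db-01", "CVE-2099-0004", 5.3),
]


def kev_index(catalog):
    """Map CVE ID -> KEV entry so each finding is looked up in O(1)."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(findings, catalog, today_iso):
    """Rank findings, highest priority first.

    Order: KEV-listed before unlisted; within KEV, past the federal due date
    before not yet due, then ransomware-linked before others; finally by CVSS
    score descending. Returns a list of dicts, one per finding.
    """
    today = date.fromisoformat(today_iso)
    idx = kev_index(catalog)
    rows = []
    for host, cve_id, cvss in findings:
        entry = idx.get(cve_id)
        in_kev = entry is not None
        due = date.fromisoformat(entry["dueDate"]) if in_kev else None
        rows.append({
            "host": host,
            "cve": cve_id,
            "cvss": cvss,
            "in_kev": in_kev,
            "overdue": in_kev and due < today,
            "ransomware": in_kev and entry.get("knownRansomwareCampaignUse") == "Known",
            "due": due.isoformat() if due else None,
        })
    # Booleans sort False < True, so negate them to put True first; negate CVSS for descending.
    rows.sort(key=lambda r: (not r["in_kev"], not r["overdue"], not r["ransomware"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(FINDINGS, KEV_CATALOG, "2099-02-15"):
        flag = "KEV" if r["in_kev"] else "   "
        extra = " OVERDUE" if r["overdue"] else ""
        print(f"{flag} {r['cve']:15} cvss={r['cvss']:<4} host={r['host']}{extra}")
```

In a real pipeline the catalog comes from CISA’s published JSON feed and the findings from your scanner; the ranking logic stays the same, and the CVE ID is the only field the two sources need to share.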
Components of a CVE Record
The CVE record consists of the following fields:
- CVE-ID
- Description
- References
- Assigning CNA
- Record created date
Outdated/legacy fields that persist in old records include:
- Phase
- Votes: Board members vote on whether the record can be accepted as a CVE
- Comments: Comments on the vulnerability
- Proposed: the date the candidate was proposed for inclusion
Let’s take a look at some of these components in detail.
What is a CVE ID?
A CVE ID is a unique identifier assigned to each vulnerability by one of the CVE Numbering Authorities (CNAs). A CVE ID has the following format.
CVE-Year-Number
In the past, a new identifier carried the ‘candidate’ prefix CAN until the CVE Board accepted it; this practice was sunset in 2005, and today all identifiers have the CVE prefix. The year is the year the ID was reserved or the vulnerability was made public, not necessarily the year the flaw was introduced or discovered. The number is a sequence of four or more digits; since 2014 it can be longer than four digits, so tools must not parse it as a fixed-width field. Following is an example of a CVE ID assigned by Microsoft Corporation in 2022 for a Windows Terminal remote code execution vulnerability.
CVE-2022-44702: Windows Terminal Remote Code Execution Vulnerability
Some CVE IDs that receive a lot of media exposure get nicknames to make them easier to remember. For example, CVE-2019-0708, a Windows Remote Desktop Services remote code execution vulnerability, became famous as BlueKeep.
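To make the record lifecycle and the ID syntax concrete, here is an added Python example (not code from the CVE Program or from this article’s author) that validates CVE IDs and extracts the components listed above from a record in the CVE JSON 5.0 format. The record embedded in it is constructed: the CVE ID, CNA name, dates, product and description are fictitious, and only the field layout follows the published schema.

```python
"""Validate CVE IDs and summarize a CVE Record in the CVE JSON 5.0 format.

Added example, not code from the CVE Program. The embedded record is
constructed: its ID, CNA, dates, product and description are made up;
the field layout (cveMetadata + containers.cna) follows the CVE JSON 5.0 schema.
"""
import json
import re
from dataclasses import dataclass, field

# CVE-YYYY-NNNN...: a four-digit year, then four OR MORE digits. Since 2014 the
# sequence part has variable length, so never assume exactly four digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# The three states a record can be in: reserved (ID allocated, no details),
# published (details public) or rejected (invalid, do not use).
VALID_STATES = {"RESERVED", "PUBLISHED", "REJECTED"}


@dataclass
class CveSummary:
    cve_id: str
    year: int
    state: str
    assigner: str
    description: str = ""
    affected: list = field(default_factory=list)    # (vendor, product, [affected versions])
    references: list = field(default_factory=list)  # public reference URLs
    cwe_ids: list = field(default_factory=list)     # weakness classification, if the CNA gave one


def is_valid_cve_id(candidate: str) -> bool:
    """True for the modern CVE-YYYY-NNNN+ syntax; legacy CAN- identifiers are not accepted."""
    return CVE_ID_RE.fullmatch(candidate) is not None


def summarize_record(record: dict) -> CveSummary:
    """Pull the ID, state, assigning CNA, description, affected products, references
    and CWE IDs out of a JSON 5.0 record, enforcing the ID syntax and the record states."""
    meta = record["cveMetadata"]
    cve_id = meta["cveId"]
    if not is_valid_cve_id(cve_id):
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    state = meta["state"]
    if state not in VALID_STATES:
        raise ValueError(f"unknown record state: {state!r}")

    summary = CveSummary(
        cve_id=cve_id,
        year=int(cve_id.split("-")[1]),
        state=state,
        assigner=meta.get("assignerShortName", meta.get("assignerOrgId", "")),
    )
    # Reserved records carry no CNA container yet; rejected ones carry only a rejection reason.
    if state != "PUBLISHED":
        return summary

    cna = record["containers"]["cna"]
    # A record may carry descriptions in several languages; take the English one.
    summary.description = next(
        (d["value"] for d in cna.get("descriptions", []) if d.get("lang", "").startswith("en")), ""
    )
    for product in cna.get("affected", []):
        versions = [v["version"] for v in product.get("versions", []) if v.get("status") == "affected"]
        summary.affected.append((product.get("vendor", ""), product.get("product", ""), versions))
    summary.references = [ref["url"] for ref in cna.get("references", [])]
    for problem in cna.get("problemTypes", []):
        summary.cwe_ids.extend(d["cweId"] for d in problem.get("descriptions", []) if "cweId" in d)
    return summary


# Constructed sample record: fictitious ID, CNA, dates, product and description.
SAMPLE_RECORD = json.loads("""
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.0",
  "cveMetadata": {
    "cveId": "CVE-2099-12345",
    "assignerOrgId": "00000000-0000-4000-8000-000000000000",
    "assignerShortName": "example_cna",
    "state": "PUBLISHED",
    "dateReserved": "2099-01-02T00:00:00Z",
    "datePublished": "2099-02-03T12:00:00Z"
  },
  "containers": {
    "cna": {
      "descriptions": [
        {"lang": "en", "value": "ExampleApp before 2.4.1 does not validate the 'q' parameter, allowing remote attackers to inject arbitrary SQL."}
      ],
      "affected": [
        {"vendor": "ExampleCorp", "product": "ExampleApp",
         "versions": [{"version": "2.4.0", "status": "affected"},
                      {"version": "2.4.1", "status": "unaffected"}]}
      ],
      "problemTypes": [
        {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}
      ],
      "references": [
        {"url": "https://example.invalid/advisories/EXA-2099-001"}
      ]
    }
  }
}
""")

if __name__ == "__main__":
    s = summarize_record(SAMPLE_RECORD)
    print(f"{s.cve_id} [{s.state}] assigned by {s.assigner}, year {s.year}")
    print("affected:", s.affected, "CWE:", s.cwe_ids)
    print("references:", s.references)
```

The two checks worth keeping even if you discard the rest are the variable-length ID regex and the state check: a tool that hard-codes four digits, or treats a ‘Reserved’ record as if it had content, will silently mishandle a growing share of real records.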
What is a CNA?
Short for CVE Numbering Authority, a CNA is an organization authorized to assign CVE IDs to vulnerabilities and publish CVE records. A CNA can assign and publish only for vulnerabilities within its declared scope.
For example, the CNA Cloudflare is responsible only for assigning and creating CVEs in “all Cloudflare products, projects hosted at https://github.com/cloudflare/, and any vulnerabilities discovered by Cloudflare that are not in another CNA’s scope.” CNAs participate voluntarily and at no cost; the benefit to them is control over how vulnerabilities in their own products are recorded.
Examples of some famous CNAs include
- IT vendors like Apache Software Foundation, Microsoft Corporation, Apple Inc, etc.
- Open-source projects like Eclipse Foundation (Eclipse IDE), Docker Inc (Docker maintained open-source projects)
- National and industry CERTs like the Cybersecurity and Infrastructure Security Agency (CISA), including its Industrial Control Systems (ICS) scope
- Bug bounty services providers like HackerOne and Frappe Technologies Pvt. Ltd.
- Hosted services such as Carrier Global Inc.
- Vulnerability research organizations that report flaws in third-party software, such as IBM X-Force, Meta and Airbus
The CVE Board
The CVE Board comprises representatives from cybersecurity organizations, academia, research institutions, independent security experts, government departments and agencies, and end-users. Its responsibility is to set the standards of the CVE Program. Through an open and collaborative process, the board provides input on the program’s goals, strategic direction and other critical decisions.
You can see the current and past members of the CVE Board on the CVE website, in the CVE Board Charter page. The public can also follow the board’s work in the email discussion and meeting archives.
Summarizing CVEs
The CVE list is a publicly available dictionary of security vulnerabilities and exposures, each with a unique identifier. Any organization can report a vulnerability for inclusion via a CVE program partner (a CNA). Once the required criteria are met and the mandatory information is submitted, the CNA creates and publishes the record.
CVE IDs give organizations a common language for vulnerabilities. They let you assess your security controls against known flaws free of charge, correlate scanner, advisory and threat-intelligence data on the same key, and demonstrate your commitment to security to current and potential clients.
This posting does not necessarily represent Splunk's position, strategies or opinion.