CVE Terminology And FAQ

Version 5

    Purpose

     

    The purpose of this document is to explain commonly asked question and terminology regarding CVE's.

     

    Overview

     

    Frequently Asked Questions

     

    Q: What is CVE?

    A: CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

     

    Q: Is a CVE the same thing as a Patch?

    A: No. A CVE is not a patch. However, a patch can resolve a CVE vulnerability or exposure. This SQL query allows you to find CVE numbers associated with Q/KBnumbers. SQL Query To Find CVE Numbers Associated With Qnumbers

     

    Q: What is a "Vulnerability?"

    A: An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network.

     

    Q: What is an "Exposure?"

    A: An information security exposure is a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.

     

    Q: What is a CVE Identifier?

    A: CVE Identifiers (also called "CVE names," "CVE numbers," "CVE-IDs," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities. Each CVE Identifier includes the following:

    - CVE identifier number (i.e., "CVE-1999-0067").

    - Indication of "entry" or "candidate" status.

    - Brief description of the security vulnerability or exposure.

    - Any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID).

    - CVE Identifiers are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE Identifiers.

     

    Q: Isn't CVE just another vulnerability database?

    A: No. CVE is not a vulnerability database. CVE is designed to allow vulnerability databases and other capabilities to be linked together, and to facilitate the comparison of security tools and services. As such, CVE does not contain information such as risk, impact, fix information, or detailed technical information. CVE only contains the standard identifier number with status indicator, a brief description, and references to related vulnerability reports and advisories.

     

    Q: Can't hackers use this to break into my network?

    A: Any public discussion of vulnerability information may help a hacker. However, there are several reasons why the benefits of CVE outweigh its risks:

    -CVE is restricted to publicly known vulnerabilities and exposures.

    -For a variety of reasons, sharing information is more difficult within the information security community than it is for hackers.

    -It takes much more work for an organization to protect its networks and fix all possible holes than it takes for a hacker to find a single vulnerability, exploit it, and compromise the network.

    -There is a shift in community opinion towards sharing information, as reflected in the fact that the CVE Board and CVE Numbering Authorities (CNAs) as both include key organizations in information security.

     

    Q: Who owns CVE?

    A: CVE is sponsored by US-CERT the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Operating as DHS's Federally Funded Research and Development Center (FFRDC), MITRE has copyrighted the CVE List for the benefit of the community in order to ensure it remains a free and open standard, as well as to legally protect the ongoing use of it and any resulting content by government, vendors, and/or users. In addition, MITRE has trademarked ® the CVE acronym and the CVE logo to protect their sole and ongoing use by the CVE effort within the information security arena.

     

    MITRE maintains the CVE List and manages the CVE Compatibility Program, oversees the CVE Numbering Authorities (CNAs) and CVE Board, and provides impartial technical guidance throughout the process to ensure CVE serves the public interest.

     

    Affected Product(s)

     

    Shavlik Protect 9.X

    Ivanti Patch for Windows Servers 9.3.X