CVE ID Syntax Change - Deadline Approaching
Christey, Steven M. <coley@...
2014-09-17 19:31:49 GMT
As we approach the end of 2014, CVE identifiers are getting closer and
closer to the magic CVE-2014-9999 mark, which means that MITRE will be
issuing a 5-digit CVE ID within a matter of months, in accordance with
the new syntax that was selected in 2013 (basically using 5, 6, or
even more digits as needed). Some people are still unaware that this
change has happened or have been slow to implement it.
Once a CVE identifier is issued using the new syntax, some security
products and processes could break or report incorrect vulnerability
identifiers, making vulnerability management more difficult. Consider
a product that stops processing an XML document because its validation
step assumes that CVE IDs have only 4 digits. Perhaps worse, consider
a critical vulnerability in a popular product that is given a 5-digit
CVE ID, which is inadvertently and silently truncated to a 4-digit ID
for a low-priority issue in a rarely-used product. We know of at
least 5 different products or services that have had problems.
Custom, in-house software is not necessarily immune, either.
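The two failure modes described above (a validator that rejects anything but four digits, and a matcher that silently truncates a five-digit ID to a different four-digit ID) can be reproduced in a few lines. The following is an added illustration in Python, not code from the original message or from MITRE; the sample text, the pattern names and the helper functions are all constructed for this example. It also goes one step beyond the message by showing a third common pitfall of the new syntax: sorting IDs as strings, which places CVE-2014-10000 ahead of CVE-2014-6446.

```python
import re

# Constructed sample text that mixes a four-digit and a five-digit identifier.
SAMPLE = "Fixed CVE-2014-6446 and CVE-2014-12345; unrelated CVE-2013-0001."

# Legacy pattern, as found in software written before the 2013 syntax change:
# it assumes the sequence number is exactly four digits, so on the string
# "CVE-2014-12345" it matches "CVE-2014-1234" and never reports an error.
LEGACY_RE = re.compile(r"CVE-\d{4}-\d{4}")

# Pattern that implements the new syntax: a four-digit year, then four OR MORE
# digits. The word boundaries stop a longer ID from being cut to a shorter one
# and stop a three-digit fragment from being accepted.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def extract_legacy(text):
    """Return the IDs a legacy four-digit-only matcher would report."""
    return LEGACY_RE.findall(text)


def extract(text):
    """Return the IDs found under the current syntax (4+ digit sequence)."""
    return CVE_RE.findall(text)


def is_valid_cve_id(candidate):
    """Validation step for an ID field: accept any sequence of 4+ digits."""
    return CVE_RE.fullmatch(candidate) is not None


def cve_sort_key(cve_id):
    """Sort numerically; a plain string sort misorders 5-digit IDs."""
    _, year, seq = cve_id.split("-")
    return (int(year), int(seq))


if __name__ == "__main__":
    print("legacy matcher :", extract_legacy(SAMPLE))
    print("current matcher:", extract(SAMPLE))
    ids = ["CVE-2014-9999", "CVE-2014-10000", "CVE-2014-6446"]
    print("string sort    :", sorted(ids))
    print("numeric sort   :", sorted(ids, key=cve_sort_key))
```

The legacy matcher reports CVE-2014-1234 for the five-digit identifier in the sample, exactly the silent mis-attribution the message warns about; the current pattern reports CVE-2014-12345. Any in-house script that stores CVE IDs in a fixed-width column, validates them with a `\d{4}` pattern, or orders them with a string sort has the same three problems to check for.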
MITRE has been assigning CVE IDs faster than ever; we're up to
CVE-2014-6446 even though it's only September, which puts us on pace
to exceed 9000 for 2014 by the end of the year - and the rate of
assignment could increase in the coming months. Even if we don't
reach 10,000 CVE-2014-xxxx identifiers by the end of 2014, MITRE will
be issuing at least one 5-digit identifier no later than January 13,
2015, to ensure that all software is tested for support of the new
To help people address this problem, we have created a web page about
the ID syntax change, including the product features most likely to be