rdefuria

Hello,

I was looking at a couple of CVEs as follows:

CVE-2009-2028 (released 06/11/2009)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2028

CVE-2009-1492 (released 04/30/2009)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1492

CVE-2009-2028 applies to (among other CPEs) cpe:/a:adobe:acrobat:9.0::standard and to cpe:/a:adobe:acrobat:9.1::standard

CVE-2009-1492 applies to (among other CPEs) cpe:/a:adobe:reader:8.1.4 and to cpe:/a:adobe:acrobat:9.1

However, the latest CPE dictionary that I have (dated 07/15/2009) does not contain CPE entries for Acrobat 9.0, Acrobat 9.1, or Acrobat 8.1.4. I got that CPE dictionary from the following URL:

http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml

In fact, the highest Acrobat version referenced in that CPE dictionary is 8.1.

Am I getting the CPE dictionary from the correct place? If not, why doesn't it include the CPEs referenced by the 2 CVEs listed above?

Thanks.

-Rich

--
Rich DeFuria <[hidden email]>
Belarc, Inc. <http://www.belarc.com/>
"IT Management for the Internet Age"

RDeFuria rich@belarc.com

Stav Raviv

Hi,

I'm joining Rich's question:

Same is true for older NVD entries, with products that do not appear at all in the CPE dictionary (I have the same version as mentioned below):

E.g. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1825

* cpe:/a:wasd:wasd_http_server:7.1
* cpe:/a:wasd:wasd_http_server:7.2
* cpe:/a:wasd:wasd_http_server:7.2.1
* cpe:/a:wasd:wasd_http_server:7.2.2
* cpe:/a:wasd:wasd_http_server:7.2.3
* cpe:/a:wasd:wasd_http_server:8.0

I couldn't find any mention of "wasd" in CPE dictionary

Is there not supposed to be a correspondence between NVD and CPE?

I'm confused…

Thanks,
Stav

Skybox Security
www.skyboxsecurity.com

Scanned for viruses by Security Server ML @ Skybox Security.

Andrew Buttner

All of the issues raised are valid concerns and ones that we (MITRE and NIST) are actively trying to solve. As mentioned, CPE Names that are used by NVD should be included in the Official CPE Dictionary. NIST is aware of this problem and is trying to come up with a feasible solution to fixing it.

For new releases and versions, if a CPE Name is missing in the dictionary then I encourage a submission (sent to [hidden email]) with the new names so that they can be added and the dictionary be brought up to date.

I will actively work these specific issues and try my best to keep the community up to date with any changes.

I am constantly working with NIST to improve the policies around the Official CPE Dictionary and therefore I really appreciate hearing the concerns that members of the community have. Please let me know if you have problems or would like to see things done a different way as this will help us gauge the best way forward.

Thanks
Drew

Ernest Park-2

Hi Drew -

Perhaps I can help you. We resolve dictionary discrepancies daily for CVE and CPE, and also provide aliases, groupings and more.

Let me know if we can use our "engine" to provide more reliable names and product reference.

Regards,
Ernie

On Tue, Jul 21, 2009 at 1:46 PM, Buttner, Drew <[hidden email]> wrote:

McCormick, Christopher [USA]

In reply to this post by Andrew Buttner

The NVD hosts the Official CPE Dictionary and also analyzes CVE data from MITRE which produces a CPE or CPEs as added value. The hosting / maintenance of the CPE Dictionary and NVD analysis are distinct and separate workflows with different resources allocated.

Please direct any questions relating to CVE to CPE mappings directly to the National Vulnerability Database (NVD) at nvd@...

To reiterate Drew's message, please submit proposed CPE Dictionary submissions to MITRE at cpe@...

NIST is in the process of revising entry requirements for Official CPE Dictionary and is working to post them to the nvd.nist.gov/cpe.cfm webpage. NIST is also working to implement a workflow of data, specifically CPE production via CVE analysis, for vetting and eventual inclusion to the CPE Dictionary. At the current time, the rate in which NVD creates CPEs via CVE analysis is much faster than requests to MITRE for CPEs to be added to the Dictionary. New CPE names submitted for inclusion to the CPE Dictionary are also vetted upon by members of the community including MITRE and NIST. This is something that isn't done at the time a CPE is created via NVD CVE analysis.

From: Buttner, Drew [mailto:[hidden email]]
Sent: Tuesday, July 21, 2009 1:46 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE Entries for Acrobat 8.1.4, 9.0, 9.1?
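The check Rich and Stav did by hand, as an added example that is not code from the thread or from NIST/MITRE: it looks up each CVE's CPE names in a CPE 2.2 dictionary and separates a product that is listed without that version (the Acrobat case) from a product that is absent altogether (the wasd case). The dictionary snippet is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

CPE_DICT_NS = "{http://cpe.mitre.org/dictionary/2.0}"  # CPE 2.2 dictionary schema

# Constructed sample standing in for official-cpe-dictionary_v2.2.xml;
# the entries are illustrative, not copied from the real feed.
SAMPLE_DICTIONARY = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/a:adobe:acrobat:7.0"/>
  <cpe-item name="cpe:/a:adobe:acrobat:8.1"/>
  <cpe-item name="cpe:/a:adobe:reader:8.1"/>
</cpe-list>"""

# CPE names quoted in the thread for each CVE (a subset for CVE-2002-1825).
CVE_CPES = {
    "CVE-2009-2028": ["cpe:/a:adobe:acrobat:9.0::standard",
                      "cpe:/a:adobe:acrobat:9.1::standard"],
    "CVE-2009-1492": ["cpe:/a:adobe:reader:8.1.4", "cpe:/a:adobe:acrobat:9.1"],
    "CVE-2002-1825": ["cpe:/a:wasd:wasd_http_server:7.1",
                      "cpe:/a:wasd:wasd_http_server:8.0"],
}

def split_cpe(name):
    """Split a CPE 2.2 URI into components: part, vendor, product, version..."""
    if not name.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % name)
    return name[len("cpe:/"):].lower().split(":")

def load_dictionary(xml_text):
    """Return (all names, all (part, vendor, product) keys) in the dictionary."""
    root = ET.fromstring(xml_text)
    names = {i.get("name").lower() for i in root.iter(CPE_DICT_NS + "cpe-item")}
    return names, {tuple(split_cpe(n)[:3]) for n in names}

def classify(cve_cpes, xml_text):
    """Label each (CVE, CPE) pair: present, version-missing or product-missing."""
    names, products = load_dictionary(xml_text)
    report = {}
    for cve, cpes in cve_cpes.items():
        for cpe in cpes:
            if cpe.lower() in names:
                report[(cve, cpe)] = "present"
            elif tuple(split_cpe(cpe)[:3]) in products:
                report[(cve, cpe)] = "version-missing"
            else:
                report[(cve, cpe)] = "product-missing"
    return report

if __name__ == "__main__":
    for (cve, cpe), status in sorted(classify(CVE_CPES, SAMPLE_DICTIONARY).items()):
        print(cve, cpe, status)
```

Names labelled version-missing or product-missing are the ones to send to the dictionary maintainers, as the replies above ask.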