
CVE 101: Understanding What They Are and Why They Matter


You might have seen or heard about CVEs before. This post gives a brief overview of what they are, how they are assigned, why they matter and what purpose they serve.

CVE, short for Common Vulnerabilities and Exposures, refers to publicly disclosed vulnerabilities that have each been assigned a unique identifier.

So what does that actually mean? First we need to understand what a vulnerability is.

A vulnerability is a weakness or flaw in software or a computer system that an adversary or attacker could exploit to compromise that system.

When one of these vulnerabilities is publicly disclosed, it is assigned a unique identifier. The purpose of this is to provide a standardized naming convention, which in turn allows for better tracking and management of vulnerabilities. Standardization ensures that security professionals, researchers and software vendors are all referring to the same issue when they communicate about a vulnerability.

The naming convention uses the format CVE-YEAR-UNIQUE NUMBER.

Each CVE is also assigned a score. Scoring uses the CVSS (Common Vulnerability Scoring System) and is calculated from factors such as the vulnerability's potential impact and the complexity required to exploit it.

Rating    CVSS Score
Low       0.1 - 3.9
Medium    4.0 - 6.9
High      7.0 - 8.9
Critical  9.0 - 10.0

As an example, let's look at the notorious Log4j vulnerability, CVE-2021-44228.

This CVE affected the Log4j library, which is widely used across many platforms. The vulnerability allowed remote code execution (RCE).

CVE-2021-44228 received a CVSS score of 10.0, the highest score a CVE can be assigned.

You might be wondering who actually assigns a CVE or its CVSS score. They are assigned by CVE Numbering Authorities (CNAs), which are responsible for assigning and managing CVEs. CNAs include various organizations, such as government agencies, software vendors and security researchers.

When a new vulnerability is discovered, the discoverer can report it to a CNA, which will assign a CVE identifier to the vulnerability.

Once a CVE is assigned, it’s added to the National Vulnerability Database (NVD), a U.S. government-funded database of all known vulnerabilities.

The NVD provides detailed information about each CVE, including a description of the vulnerability, the severity of the vulnerability, and any known mitigations.
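To tie the naming convention, the score table and the NVD record together, here is an added example (my own code, not from the post): it validates the CVE-YEAR-NUMBER format, maps a CVSS base score to the post's qualitative rating (treating 0.0, which the table omits, as "None"), and pulls the key fields out of a constructed record whose shape is modelled on the NVD API 2.0 JSON (an assumption; the text and values are illustrative).

```python
import json
import re

# CVE-YEAR-NUMBER: four-digit year, sequence number of at least four digits
# (five or more digits have been allowed since 2014).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Qualitative CVSS bands as listed in the post; a 0.0 score is rated "None"
# in CVSS v3 and sits outside the post's table.
RATING_BANDS = [("Low", 0.1, 3.9), ("Medium", 4.0, 6.9),
                ("High", 7.0, 8.9), ("Critical", 9.0, 10.0)]

# Constructed sample record modelled on the NVD API 2.0 response shape
# (an assumption); the text and values are illustrative, not the real entry.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [{"cve": {
    "id": "CVE-2021-44228",
    "descriptions": [
        {"lang": "es", "value": "(constructed non-English description)"},
        {"lang": "en", "value": "JNDI lookup in Log4j allows RCE (constructed)."}],
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 10.0}}]}}}]})

def parse_cve_id(cve_id):
    """Return (year, sequence) for a well-formed CVE ID, else raise ValueError.
    Note a mistyped ID such as CVE-2021-4428 is still syntactically valid."""
    m = CVE_ID_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))

def cvss_rating(score):
    """Map a CVSS base score to the qualitative rating used in the post."""
    score = round(float(score), 1)  # CVSS scores carry one decimal place
    if score == 0.0:
        return "None"
    for name, low, high in RATING_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"CVSS score out of range: {score}")

def summarize_nvd_record(json_text):
    """Pull the id, English description, score and rating out of an NVD-style record."""
    cve = json.loads(json_text)["vulnerabilities"][0]["cve"]
    year, seq = parse_cve_id(cve["id"])
    desc = next(d["value"] for d in cve["descriptions"] if d["lang"] == "en")
    score = cve["metrics"]["cvssMetricV31"][0]["cvssData"]["baseScore"]
    return {"id": cve["id"], "year": year, "sequence": seq,
            "description": desc, "score": score, "rating": cvss_rating(score)}
```

Running `summarize_nvd_record(SAMPLE_NVD_JSON)` yields the id, year 2021, sequence 44228, score 10.0 and rating "Critical"; a syntactically valid but wrong id (such as the 4428 typo) is only caught by looking the record up, not by format checking.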

So why are they important?

CVEs are a valuable resource for security professionals who are responsible for managing and mitigating cybersecurity risks. By tracking CVEs, we can better understand the security risks associated with different software and systems and take steps to mitigate those risks.

Hopefully this overview has been helpful. If you have any questions, feel free to reach out or leave a comment below.

Thanks for reading
