|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
 |
Vulnerability Notes Database Field DescriptionsThe US-CERT Vulnerability Notes Database contains two types of documents: Vulnerability Notes, which generally describe vulnerabilities independent of a particular vendor, and Vendor Information documents, which provide information about a specific vendor's solution to a problem. The fields in each of these documents are described here in more detail.
Vulnerability Notes
Vulnerability ID
US-CERT assigns vulnerability ID numbers at random to uniquely identify a vulnerability. These IDs are four to six digits long and are frequently prefixed with "VU#" to mark them as vulnerability IDs.
Vulnerability Name
The vulnerability name is a short description that summarizes the nature of the problem and the affected software product. While the name may include a clause describing the impact of the vulnerability, most names are focused on the nature of the defect that caused the problem to occur.
Overview
The overview is an abstract of the vulnerability that provides a summary of the problem and its impact to the reader. The overview field was not originally in the database, so older documents may not include this information.
Description
The vulnerability description contains one or more paragraphs of text describing the vulnerability.
Impact
The impact statement describes the benefit that an intruder might gain by exploiting the vulnerability. It also frequently includes preconditions the attacker must meet to be able to exploit the vulnerability.
Solution
The solution section contains information about how to correct the vulnerability. While vendor-specific patch information will be published in the appropriate vendor information document, the solution section will provide more general workarounds or solutions like "Apply a patch," or "Disable the service."
Systems Affected
This section includes a list of vendors who may be affected by the vulnerability. The vendor name is a link to more detailed information from the vendor about the vulnerability in question. Additional summary information is provided for each vendor as well, including a status field indicating whether the vendor has any vulnerable products for the issue described in the vulnerability note, and dates when the vendor was notified and when the vendor information was last updated.
References
The references are a collection of URLs at our web site and others providing additional information about the vulnerability.
Credit
We acknowledge individuals who report vulnerabilities to us. This section of the document identifies who initially discovered the vulnerability, anyone who was instrumental in the development of the vulnerability note, and the primary author of the document.
Date Public
This is the date on which the vulnerability was first known to the public, to the best of our knowledge. Usually this date is when the vulnerability note was first published, when an exploit was first discovered, when the vendor first distributed a patch publicly, or when a description of the vulnerability was posted to a public mailing list. If you're aware of a public reference to the vulnerability that appeared prior to our date, please let us know. By default, this date is set to be our vulnerability note publication date.
Date First Published
This is the date when we first published the vulnerability note. This date should be the date public or later.
Date Last Updated
This is the date the vulnerability note was last updated. Since each vulnerability note is updated as we receive new information, this date may change frequently. This date is also updated when a vendor information document changes for the vulnerability note so that you can easily locate notes with new information in the vendor statements.
CERT Advisory
If a CERT Advisory was published for this vulnerability, this field will contain a pointer to that advisory. Beginning January 28, 2004, CERT Advisories became a core component of US-CERT Technical Alerts.
CVE Name
The CVE name is the thirteen-character ID used by the "Common Vulnerabilities and Exposures" group to uniquely identify a vulnerability. The name is also a link to additional information on the CVE web site about the vulnerability. While the mapping between CVE names and US-CERT vulnerability IDs are usually pretty close, in some cases multiple vulnerabilities may map to one CVE name, or vice versa. The CVE group tracks a large number of security problems, not all of which meet our criteria for being considered a vulnerability. For example, we do not track viruses or Trojan horse programs in the vulnerability notes database.
Metric
The metric value is a number between 0 and 180 that assigns an approximate severity to the vulnerability. This number considers several factors, including
- Is information about the vulnerability widely available or known?
- Is the vulnerability being exploited?
- Is the Internet Infrastructure at risk because of this vulnerability?
- How many systems on the Internet are at risk from this vulnerability?
- What is the impact of exploiting the vulnerability?
- How easy is it to exploit the vulnerability?
- What are the preconditions required to exploit the vulnerability?
Because the questions are answered with approximate values that may differ significantly from one site to another, users should not rely too heavily on the metric for prioritizing vulnerabilities. However, it may be useful for separating the very serious vulnerabilities from the large number of less severe vulnerabilities described in the database. Typically, vulnerabilities with a metric greater than 40 are candidates for US-CERT Technical Alerts. The questions are not all weighted equally, and the resulting score is not linear (a vulnerability with a metric of 40 is not twice as severe as one with a metric of 20).
Document Revision
This field contains the revision number for this document. You can use this field to determine whether the document has changed since the last time you viewed it.
Vendor Information
Date Notified
This is the date that we notified the vendor of the vulnerability. In some cases, this may be the date that the vendor first contacted us, or it may be the earliest date when the vendor is known to have been aware of the vulnerability (for example, if they published a patch or an advisory).
Date Modified
This is when the vendor information was last updated. As vendors produce patches and publish advisories, vendor statement, vendor information or addendum fields may be updated, affecting this date.
Status Summary
This field indicates in broad terms whether the vendor has any products that we considers to be vulnerable. In many cases, the relationship between a vendor's products and a vulnerability is more complex than a simple "Vulnerable" or "Not Vulnerable" field. Users are encouraged to read the detailed vendor statements and to use this field only as a broad indicator of whether any products might be vulnerable.
Vendor Statement
This is the vendor's official response to our queries about the vulnerability. With little more than typographical edits, this information is provided directly by the vendor and does not necessarily reflect our opinions. In fact, vendors are welcome to provide statements which contradict other information in the vulnerability note. We suggest that the vendors include relevant information about correcting the problem, such as pointers to software patches and security advisories. We are highly confident that information in this field comes from the vendor. Statements are usually PGP signed or otherwise authenticated.
Vendor Information
This is information we are reasonably confident is from the vendor. Typically this includes public documents (that were not sent to us by the vendor) and statements that are not strongly authenticated.
Addendum
This addendum is one or more paragraphs of text from us commenting on this vulnerability. These are not statements from the vendor, and they are usually present when we disagree with the vendor's assessment of the problem, when the vendor did not provide a statement, or when we believe that we can contribute something in addition to the vendor-supplied statement.
If you have additional questions about the fields contained in our database, please let us know.
|
|
Get Adobe Reader