CVEs: More and better information on vulnerabilities from CISA

Page 2: A look inside the container

CISA may only make additions within the ADP container.

(Image: Screenshot / GitHub)

CVE entries follow a defined schema in JSON format. A good example is the entry for CVE-2024-6714 in the vulnerability repository. The "adp" container it contains forms the fixed framework for CISA's additions; the "cna" container, by contrast, is off-limits to CISA.

It is also precisely defined which metadata may end up in the ADP container. The prerequisite, however, is that the metadata is still missing from the CNA container and that enough information is available to make the assessment:

  • CVSS: The aforementioned assessment according to the Common Vulnerability Scoring System comprises not only a numerical score and a severity rating from "None" to "Critical", but also a vector string built from a set of detailed metrics that describes the hazard precisely.
  • CWE: The Common Weakness Enumeration list is a community-based project that makes common weakness types easily searchable online. Assigning a numbered entry such as "CWE-79 / Cross-Site Scripting" to a CVE specifies the type of weakness. The CWE list entries, which can be looked up online, then provide suitable background information on how the attack proceeds and under what conditions, its possible consequences, and typical defensive measures.
  • CPE: The Official Common Platform Enumeration is a standardized naming convention whose flexible syntax can describe, among other things, the software configurations and combinations under which a vulnerability becomes exploitable.

A container component that is optional, because it exists only for selected vulnerabilities, is a reference to CISA's own Known Exploited Vulnerabilities Catalog (KEV), which lists vulnerabilities known to have been exploited in the wild. KEV references are nothing completely new for CVE entries: like CVSS, CWE and CPE, they have for some time been an integral part of the supplementary NVD information researched by NIST. What is new, however, is the idea of a KEV block directly inside the CVE entry.

In principle, the information that a CNA stores in the CVE entry carries more weight than that of the ADP. If the CNA subsequently adds some of the standard metadata mentioned above, this "overwrites" the vulnerability information supplied by the ADP.
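The container layout and precedence rule described above can be exercised on a record. The following script is an added example, not code from the article or from CISA: it reads a CVE JSON 5.x record, pulls CVSS, CWE, CPE, SSVC and KEV data out of the "cna" container and every "adp" container, and merges them so that a CNA value always wins over an ADP value. The record is constructed for the example (placeholder CVE id and org id, a fictional product); the top-level layout follows the CVE JSON 5.x schema, while the key names inside the "ssvc" and "kev" metric blocks are assumptions about how CISA's ADP fills them.

```python
"""Read a CVE JSON 5.x record and merge the CNA and ADP containers, CNA first.

The record below is constructed for this example; it is not a real CVE entry.
"""
import json

# Constructed sample record. Top-level layout (cveMetadata, containers.cna,
# containers.adp[]) follows the CVE JSON 5.x schema; the key names inside the
# "ssvc" and "kev" metric blocks are assumptions about how CISA's ADP fills them.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},  # placeholder id
    "containers": {
        "cna": {
            "affected": [{"vendor": "ExampleVendor", "product": "ExampleApp",
                          "versions": [{"version": "1.0", "status": "affected"}]}],
            "descriptions": [{"lang": "en", "value": "Constructed XSS example."}],
            "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1,
                                      "baseSeverity": "MEDIUM",
                                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}],
            # no problemTypes and no cpes here: CWE and CPE are missing on the CNA side
        },
        "adp": [{
            "title": "CISA ADP Vulnrichment",
            "providerMetadata": {"orgId": "00000000-0000-0000-0000-000000000000"},  # placeholder
            "affected": [{"vendor": "ExampleVendor", "product": "ExampleApp",
                          "cpes": ["cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"]}],
            "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79",
                                                "description": "CWE-79 Cross-Site Scripting"}]}],
            "metrics": [
                # Deliberately a different score than the CNA's, to show precedence.
                {"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM",
                              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}},
                {"other": {"type": "ssvc", "content": {"role": "CISA Coordinator",
                           "options": [{"Exploitation": "none"}, {"Automatable": "no"},
                                       {"Technical Impact": "partial"}]}}},
                # No "kev" block: this constructed vulnerability is not in the KEV catalog.
            ],
        }],
    },
})

CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")


def extract(container):
    """Pull the standard metadata out of one container (CNA or ADP)."""
    found = {}
    for metric in container.get("metrics", []):
        for key in CVSS_KEYS:  # the first (newest) CVSS version present wins
            if key in metric and "cvss" not in found:
                cvss = metric[key]
                found["cvss"] = {"version": key, "score": cvss.get("baseScore"),
                                 "severity": cvss.get("baseSeverity"),
                                 "vector": cvss.get("vectorString")}
        other = metric.get("other", {})
        if other.get("type") == "ssvc":
            options = {}
            for entry in other.get("content", {}).get("options", []):
                options.update(entry)  # each entry is a one-key dict
            found["ssvc"] = options
        elif other.get("type") == "kev":
            found["kev"] = other.get("content", {})
    cwes = [d["cweId"] for pt in container.get("problemTypes", [])
            for d in pt.get("descriptions", []) if d.get("cweId")]
    if cwes:
        found["cwe"] = cwes
    cpes = [c for a in container.get("affected", []) for c in a.get("cpes", [])]
    if cpes:
        found["cpe"] = cpes
    return found


def merge_containers(record):
    """Merge ADP additions under CNA data: the CNA value wins whenever both exist."""
    containers = record["containers"]
    merged = {}
    for adp in containers.get("adp", []):  # ADP data first, lowest precedence
        source = adp.get("title", "adp")
        for field, value in extract(adp).items():
            merged.setdefault(field, {"value": value, "source": source})
    for field, value in extract(containers["cna"]).items():  # CNA overrides
        merged[field] = {"value": value, "source": "cna"}
    return merged


def summarize(record_json):
    """Return the merged metadata plus the CVE id and whether a KEV block exists."""
    record = json.loads(record_json)
    fields = merge_containers(record)
    return {"cve_id": record["cveMetadata"]["cveId"], "fields": fields,
            "in_kev": "kev" in fields}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RECORD), indent=2))
```

Run as-is, the script reports the CVSS score from the CNA (6.1, not the ADP's 5.4) while CWE, CPE and the SSVC decision-point values are attributed to the ADP, and `in_kev` is false because no KEV block is present. On a real record the same `merge_containers` call shows at a glance which fields the CNA left empty and CISA filled in.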

In the first phase of the project, the Vulnrichment team will work through all CVE list entries that have not been published since February 2024 and all newly published CVE list entries. However, as determining the standard metrics is time-consuming, the US authority makes a pre-selection: only vulnerabilities that pose a sufficiently high risk are enriched with the metadata just mentioned. For this rapid pre-selection, CISA relies on a methodology of its own that is completely new in the context of CVE entries: the so-called Stakeholder-Specific Vulnerability Categorization (SSVC).

Developed in 2019 by CISA and Carnegie Mellon University's Software Engineering Institute (SEI), this approach originally serves to assess and prioritize the risk posed by a vulnerability in the context of a specific (corporate) infrastructure. It can be depicted as a tree diagram in which decisions have to be made at various nodes, so-called "decision points".

Based on the stakeholder's chained selections, it is ultimately possible to answer how to react to the vulnerability: whether it should merely be kept in view ("Track" status, or, somewhat more urgently, "Track*"), requires closer attention and action, for instance in the form of an internal notification ("Attend"), or requires an immediate, comprehensive response ("Act").
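The chained selection through decision points can be modelled as a tree walk. The script below is an added example and not part of the article, CISA's SSVC documentation or the SSVC Calculator: it encodes a small decision tree using the four outcomes named above and walks it with a set of answers, refusing to decide when an answer is missing or not a valid option at that node. The decision-point names (Exploitation, Automatable, Technical Impact, Mission & Well-being) are those used in CISA's SSVC tree, but the outcome assigned to each leaf is constructed for illustration and is not CISA's published assignment.

```python
"""Walk an SSVC-style decision tree from a set of decision-point answers.

The decision-point names are those of CISA's SSVC tree; the outcome at each
leaf is constructed for this example and is NOT CISA's published assignment.
"""

OUTCOMES = ("Track", "Track*", "Attend", "Act")


def node(decision_point, branches):
    """Inner node: the decision point asked here and the subtree (or outcome) per option."""
    return {"decision_point": decision_point, "branches": branches}


# Constructed illustrative tree: leaf outcomes are example values only.
EXAMPLE_TREE = node("Exploitation", {
    "none": node("Automatable", {
        "no": "Track",
        "yes": node("Technical Impact", {"partial": "Track", "total": "Track*"}),
    }),
    "poc": node("Automatable", {
        "no": node("Technical Impact", {"partial": "Track", "total": "Track*"}),
        "yes": node("Mission & Well-being",
                    {"low": "Track*", "medium": "Attend", "high": "Attend"}),
    }),
    "active": node("Mission & Well-being",
                   {"low": "Attend", "medium": "Act", "high": "Act"}),
})


def decide(tree, answers):
    """Follow the answers down the tree.

    Returns (outcome, path), where path lists the (decision point, option) pairs
    actually consulted; answers for decision points the walk never reaches are ignored.
    """
    path = []
    current = tree
    while isinstance(current, dict):
        point = current["decision_point"]
        if point not in answers:
            raise KeyError(f"no answer given for decision point {point!r}")
        option = answers[point]
        if option not in current["branches"]:
            raise ValueError(f"{option!r} is not an option at {point!r}: "
                             f"{sorted(current['branches'])}")
        path.append((point, option))
        current = current["branches"][option]
    if current not in OUTCOMES:
        raise ValueError(f"leaf {current!r} is not one of {OUTCOMES}")
    return current, path


def validate_tree(tree):
    """Check that every leaf is one of the four outcomes; return the number of leaves."""
    if isinstance(tree, str):
        if tree not in OUTCOMES:
            raise ValueError(f"unexpected leaf {tree!r}")
        return 1
    return sum(validate_tree(child) for child in tree["branches"].values())


if __name__ == "__main__":
    print("leaves:", validate_tree(EXAMPLE_TREE))
    for answers in (
        {"Exploitation": "none", "Automatable": "no"},
        {"Exploitation": "poc", "Automatable": "yes", "Mission & Well-being": "medium"},
        {"Exploitation": "active", "Mission & Well-being": "high"},
    ):
        outcome, path = decide(EXAMPLE_TREE, answers)
        print(outcome, "<-", " / ".join(f"{p}={o}" for p, o in path))
```

The walk stops as soon as it reaches a leaf, so a vulnerability with active exploitation in this example tree never needs the Automatable or Technical Impact answers; conversely, an unanswered decision point on the chosen path raises an error instead of silently defaulting, which is the behaviour you want when the tree feeds a prioritization pipeline.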

Designed to help evaluate and prioritize vulnerabilities: the SSVC decision tree.

(Image: CISA)

You can find out more about this concept in an article on SSVC on the CISA website. In addition, you can try out the decision tree as a tool for yourself using the SSVC Calculator, which is available online and comes with detailed explanations.