“CVE or Common Vulnerabilities and Exposures is a list of common identifiers for known cybersecurity vulnerabilities”
cve.mitre.org
So what does that mean? It is a way of providing a reference to all publicly known vulnerabilities and exposures. This list is maintained and operated by Mitre Corporation, a non-profit corporation. They have been doing this since 1999, so going on almost 20 years now. The CVE list is a way of connecting all vulnerability databases together.
Why is this important?
This information is important for a few reasons. First off, if you ever use a third-party vulnerability scanner (I will be discussing those in a later post), whether you run it yourself or have an outside company do it, you will receive a report of the vulnerabilities found, and they should all be referenced by a CVE code. This is how you can research each vulnerability and find different ways to mitigate it.
Isn’t a list like this dangerous?
A list of all known vulnerabilities in software is very powerful information that, in the wrong hands, could certainly do plenty of harm. This is the reason that the list is publicly available: not only do the people looking to do bad have access to it, but so do those looking to do good. This is why, as a Systems Administrator, knowing about these lists is crucial.
How do I use this information?
If you don’t know the CVE but know a specific keyword, you can search cve.mitre.org for the CVE. Once you know the CVE, you can search the internet with it, which will link you to other articles and more detailed information than the CVE list will give you. The CVE list does not break down into technical details but just helps to link together all the other vulnerability databases that provide more information. Be sure to follow their suggestions when searching for a CVE: https://cve.mitre.org/find/search_tips.html.
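As an added example (not part of the original post), this Python script pulls the CVE identifiers out of a scanner report and lists which hosts cite each one, so every ID can be researched as described above. The report layout, host addresses and CVE numbers are constructed placeholders, and tolerating lowercase or underscore-separated IDs is an assumption about messy exports.

```python
import re
from collections import defaultdict

# CVE ID syntax: "CVE", a four-digit year, then a sequence number of four or
# more digits. Assumption: some exports lowercase the ID or swap "-" for "_".
CVE_RE = re.compile(r"\bCVE[-_](\d{4})[-_](\d{4,})\b", re.IGNORECASE)
HOST_RE = re.compile(r"\bhost=(\S+)")

# Constructed sample report: hypothetical scanner output. The CVE numbers are
# placeholders, not real entries.
SAMPLE_REPORT = """\
host=10.0.0.5 port=443 severity=high   finding="TLS library outdated" refs=CVE-2099-0001,CVE-2099-12345
host=10.0.0.5 port=22  severity=medium finding="SSH daemon outdated" refs=cve-2099-0001
host=10.0.0.9 port=80  severity=low    finding="Banner disclosure" refs=none
host=10.0.0.9 port=445 severity=high   finding="File sharing flaw" refs=CVE_2098_4321
"""


def _sort_key(cve_id):
    # Sort numerically so CVE-2099-12345 comes after CVE-2099-0001.
    _, year, seq = cve_id.split("-")
    return int(year), int(seq)


def cve_worklist(report_text):
    """Return ({CVE ID: [hosts citing it]}, [finding lines with no CVE])."""
    hosts_by_cve = defaultdict(set)
    uncited = []
    for line in report_text.splitlines():
        host = HOST_RE.search(line)
        if not host:
            continue  # not a finding line
        # Normalize every match to the canonical upper-case, hyphenated form.
        ids = {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(line)}
        if not ids:
            uncited.append(line.strip())  # needs manual research by keyword
        for cve_id in ids:
            hosts_by_cve[cve_id].add(host.group(1))
    ordered = sorted(hosts_by_cve, key=_sort_key)
    return {cve_id: sorted(hosts_by_cve[cve_id]) for cve_id in ordered}, uncited


if __name__ == "__main__":
    worklist, uncited = cve_worklist(SAMPLE_REPORT)
    for cve_id, hosts in worklist.items():
        print(f"{cve_id}: {', '.join(hosts)}")
    print(f"{len(uncited)} finding(s) without a CVE reference")
```

Findings that come back without a CVE reference are the ones to look up by keyword first.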
Wouldn’t it be better if these vulnerabilities were not published?
Many people think that if we don’t publish vulnerabilities then the malicious people won’t know about them to exploit them. That is called security by obscurity and is not a good practice to follow.
It is kind of like having a sensitive document shared on Google Drive where anyone can see it, but only if they have the URL.
Security by obscurity is not a good practice to get into. If a vulnerability exists, it will be found through some means. Letting the good guys know about it so they can take the necessary precautions to keep their systems safe is the right and responsible thing to do.
Conclusion
With Great Power Comes Great Responsibility
Ben Parker
Clearly, I am a geek for putting that quote in but it really is true. There is a large amount of data out there. Being able to use this information responsibly is something we should all strive to do. As a Systems Administrator, you need to take this data and use it to protect your company from possible vulnerabilities that exist.
If you have any questions about CVEs, feel free to post in the comments; I would love to hear what you have to say. If you don’t have any questions, please also post in the comments with any additional information you would like to add.