Describing vulnerabilities in online services

GCVE
1

Workshop Follow-up: Advisories for Online Services

During our last workshop in Luxembourg on November 24th, a question was raised by a GNA (GCVE Numbering Authorities) regarding the ability to record and publish security advisories for online services.

We quickly reviewed the Common Vulnerabilities and Exposures (CVE) record format as used in BCP-05 and identified the following challenges when describing vulnerabilities in online services:

Challenges with the CVE Record Format

1. Versioning

  • A traditional version number rarely exists for continuously deployed online services, unless they incorporate off-the-shelf software (e.g., WordPress) where a version change may be tracked.
  • Proposed Strategy: An alternative strategy is to use a date/timestamp in the version field to indicate when the patch was deployed by the vendor on the vulnerable service online, effectively describing the service state after the fix.

2. Identifying the Affected Asset (CPE)

  • The current Common Platform Enumeration (CPE) format Reference: NIST CPE Specification does not inherently include a reference to a hostname or specific online Uniform Resource Locator (URL).
  • The standard CPE format uses the following types:
    • a for Applications
    • h for Hardware
    • o for Operating Systems
  • Proposed Extension (idea): The format could be extended by adding s for Service. In this case, the vendor field could be used for the hostname (or service name) and the product field could describe the scope (e.g., a specific path or component) of the online vulnerability.

CVSS and Specific Notes

3. Common Vulnerability Scoring System (CVSS)

  • The CVSS score and metrics still apply.
  • The Attack Vector metric will almost universally be set to Network (often interpreted as remote) since the service is accessible online.

4. Specific Advisory Notes

  • The Specific Notes or comments section should be used to provide critical context for consumers. Examples include:
    • No customer action/patch required; vendor fixed on server side.
    • Tenant-isolation issue in multi-tenant service.
    • service mis-configuration

Proposed Format Extension in BCP-05

For tracking the service scope, the existing GCVE format (if used as a meta format for advisories) could be extended in the BCP-05 structure to include the proposed service-scoping information (like hostname/path) in a dedicated field, even if the primary CPE itself remains un-updated.

1 Like