Mitre Warns of Issues With Software Flaw ID System if Count Tops 10K

With the annual tally of software flaws likely to exceed 10,000 in the coming years, government contractor MITRE will change the format of the standard identifiers that developers and security firms assign to software security issues.

Software Flaws 917

When government contractor MITRE came up with its widely used system for assigning a unique ID to each software flaw, known as the Common Vulnerabilities and Exposures (CVE) identifier, the group did not foresee a time when more than 9,999 vulnerabilities would be discovered in a year.

Yet, with 6,500 IDs already assigned to software firms this year, 2014 may set a record for the number of flaws reported by researchers. In what vulnerability researchers have taken to calling "CVE-10k issue," MITRE has warned companies and security software makers that the unique identifiers could expand to five digits or more this year.

But there's concern that the change could break some security software or possibly lead to different identifiers being confused in older systems.

The U.S. government's National Vulnerability Database, for example, originally rejected any identifier that includes more than four digits, Steve Christey Coley, CVE list editor and principal information security engineer at MITRE, told eWEEK. While the system is fixed, other systems may not be, he said.

"A lot of people depend on CVE working properly without even knowing it," he said. "CVE has become such a part of the infrastructure that we cannot know all of the different ways that it is being used."

Launched in 1999, the Common Vulnerabilities and Exposures (CVE) system gave companies and software researchers a common naming scheme for software vulnerabilities. While vendors typically have their own system for identifying and tracking software flaws, CVE identifiers allow their systems to essentially speak the same language. That year, less than 900 vulnerabilities were reported and given a CVE identifier.

By 2006, however, the number of vulnerabilities had skyrocketed, hitting 6,608, according to the National Vulnerability Database. Concerned, Coley brought up the problem with the CVE editorial board in January 2007, proposing four possible solutions. Eventually that grew to eight solutions, including modifying the year, using a set number of digits and allowing alphanumeric characters.

"In 1999, we could not imagine 10,000 vulnerabilities a year," he said. "Who knows what it will look like in 15 years, 20 years or more."

For the past seven years, however, the number of vulnerabilities had fallen from the 2006 peak, ranging from 4,150 (in 2011) to 6,514 (in 2007). Last year, 5,186 vulnerabilities were reported, according to the National Vulnerability Database. Yet, the pace seems to be increasing, once again. For the first eight months of 2014, some 4,800 issues have already been reported.

Eventually, the group decided that software should support any number of digits, and the change went into effect on Jan. 1, 2014.

Coley and others worry that something, somewhere will break when the first CVE identifier with five digits is issued. To make sure that security-software developers have accounted for the extra digits, MITRE will issue its first five-digit identifier by Jan. 13, 2015, Coley said.

"We can't predict when we will hit 10,000," he said. "We might hit 10,000 before the end of 2014, but we might not. If we don't reach that point naturally, we will do it artificially on the Jan. 13th deadline."

If there is software out there that cannot handle the fifth digit, MITRE expects it to become evident in January. Yet, silent errors and problems are a possibility, he said.

"Different products will manage CVEs in different ways, so when things break, they will not break the same way," Coley said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...