CVRF (Common Vulnerability Reporting Framework)
Date: June 06, 2011
On May 19, the ICASI (Industry Consortium for the Advancement of Security on the Internet) publicly announced the release of a new standard in the security area: the CVRF standard (Common Vulnerability Reporting Framework). This standard, whose working group is made up of several major vendors (Cisco, Intel, IBM, Juniper Networks, Microsoft, Nokia, Oracle and Red Hat), aims to deliver a framework for the publication of the various security-related documents (vulnerability reports, best practices, security bulletins, etc.).
CVRF goal
Up to now, each document producer has used its own formalism, which brings several drawbacks. First of all, document consumers generally have to read whole documents in order to find the information that concerns their environment. Then, the information is most of the time structured linearly, which prevents it from being used in automated processes. The goal of CVRF is to define an XML-based model that lists (in an extensible way) the fields required to write any security document. As a reminder, the EISSP program (European Information Security Protection Promotion), launched in 2002 and in which the Cert-IST was heavily involved, had similar objectives, specifically regarding the use of a common format to evaluate vulnerabilities.
The CVE-2008-4609 vulnerability example
To demonstrate the need for this common format, the CVE-2008-4609 vulnerability in TCP/IP protocol handling (CERT-IST/AV-2009.396, CERT-IST/AV-2009.400 and CERT-IST/AV-2009.409), which affected several implementations of this protocol, shows the diversity of formats used by the vendors. For similar reports, these vendors use fields with different names and formats. To retrieve, for instance, the information describing the impacted systems, the reader has to read each report in full before finally finding this information, presented either as a list, as free text or as a table.
Proposed solution
Starting from these different formats, the working group in charge of CVRF built an XML format for this standard (version 1.0).
The CVRF language is defined to be as extensible as possible.
Here is the list of fields that are mandatory for a document to be recognized as a CVRF document:
- Document title
- Document type
- Document publisher
- Issuing authority
- Document ID
- Document status
- Document version
- Document revision history
- Document initial release date
- Document current release date
- Document generator (schema version only)
Two contextual roles are defined in the CVRF framework: document producers (vendors, CERTs, security researchers) and document consumers (security consultants, administrators).
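The value of the mandatory fields above is that a consumer can check and extract them mechanically instead of reading the whole advisory. The following checker is an added example written for this article, not code from ICASI or the Cert-IST: it verifies that a CVRF document carries every mandatory field in the list and returns their values. The namespace URI, the root element name (cvrfdoc) and the element paths in MANDATORY_FIELDS are assumptions about the CVRF 1.0 schema and must be checked against the published XSD; the sample advisory is constructed for the example. Because advisories are fetched from the network, the checker refuses documents carrying a DOCTYPE so that no entity definitions reach the parser.

```python
"""Check a CVRF document for the mandatory header fields and extract them."""
import xml.etree.ElementTree as ET

# Assumed namespace of the CVRF 1.0 schema; verify against the ICASI XSD you use.
CVRF_NS = "http://www.icasi.org/CVRF/schema/cvrf/1.0"
NS = {"cvrf": CVRF_NS}

# Mandatory fields from the article, mapped to assumed element paths under the
# root element. The paths are this example's assumption about the schema.
MANDATORY_FIELDS = {
    "Document title": "cvrf:DocumentTitle",
    "Document type": "cvrf:DocumentType",
    "Document publisher": "cvrf:DocumentPublisher",
    "Issuing authority": "cvrf:DocumentPublisher/cvrf:IssuingAuthority",
    "Document ID": "cvrf:DocumentTracking/cvrf:Identification/cvrf:ID",
    "Document status": "cvrf:DocumentTracking/cvrf:Status",
    "Document version": "cvrf:DocumentTracking/cvrf:Version",
    "Document revision history": "cvrf:DocumentTracking/cvrf:RevisionHistory/cvrf:Revision",
    "Document initial release date": "cvrf:DocumentTracking/cvrf:InitialReleaseDate",
    "Document current release date": "cvrf:DocumentTracking/cvrf:CurrentReleaseDate",
    "Document generator": "cvrf:DocumentTracking/cvrf:Generator",
}

# Constructed sample advisory (not a real vendor document).
SAMPLE_DOC = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.0">
  <DocumentTitle>Example advisory (constructed sample)</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentPublisher Type="Vendor">
    <IssuingAuthority>Example PSIRT</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification><ID>EXAMPLE-2011-0001</ID></Identification>
    <Status>Final</Status>
    <Version>1.0</Version>
    <RevisionHistory>
      <Revision>
        <Number>1.0</Number>
        <Date>2011-06-06T00:00:00Z</Date>
        <Description>Initial release</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2011-06-06T00:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2011-06-06T00:00:00Z</CurrentReleaseDate>
    <Generator>1.0</Generator>
  </DocumentTracking>
</cvrfdoc>
"""

# Same document with two mandatory fields removed, to exercise the checker.
INCOMPLETE_DOC = SAMPLE_DOC.replace("<Status>Final</Status>", "").replace(
    "<Version>1.0</Version>", ""
)


def _summarise(node):
    """Text of a leaf element, else its Type attribute, else its child names."""
    text = (node.text or "").strip()
    if text:
        return text
    if node.get("Type"):
        return node.get("Type")
    return "present (" + ", ".join(child.tag.split("}")[-1] for child in node) + ")"


def check_mandatory_fields(xml_text):
    """Return (missing_field_names, {field_name: value}) for a CVRF document.

    Raises ValueError for a DOCTYPE (entity definitions are never expected in an
    advisory) or for a root element that is not a CVRF document.
    """
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE declarations are refused in CVRF input")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}cvrfdoc" % CVRF_NS:
        raise ValueError("not a CVRF 1.0 document: root element is %s" % root.tag)
    missing, values = [], {}
    for name, path in MANDATORY_FIELDS.items():
        node = root.find(path, NS)
        if node is None:
            missing.append(name)
        else:
            values[name] = _summarise(node)
    return missing, values


if __name__ == "__main__":
    for label, doc in (("complete", SAMPLE_DOC), ("incomplete", INCOMPLETE_DOC)):
        missing, values = check_mandatory_fields(doc)
        print(label, "missing:", missing or "none")
        for name, value in values.items():
            print("  %-30s %s" % (name, value))
```

A producer can run the same check before publishing; a consumer can use the extracted Document ID, status and release dates as keys when storing advisories, which is exactly the automated use the article says linear formats prevent.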
CVRF and other existing standards
Before CVRF, many normalization efforts were made in recent years, about which the Cert-IST keeps you informed very regularly. The article "Standard pour la gestion des vulnérabilités" (in French only), released in March 2007, presents a summary of all these standards.
CVRF is in line with the CVE, CME and CVSS standards, already adopted by the Cert-IST, and is derived from the IETF draft "Incident Object Description Exchange Format" (IODEF), released in September 2006.
Although it is strongly recommended, CVRF version 1.0 does not require document producers to support CVE, CPE and CWE (they are optional in a CVRF document). Support for the OVAL language is scheduled for future CVRF versions.
Conclusion
The Cert-IST is watching the evolution of this project with great attention, as it is directly related to its activity. We will keep monitoring this initiative in order to evaluate the benefit of integrating it into our processes.
For more information:
The Common Vulnerability Reporting Framework: http://www.icasi.org/docs/cvrf-whitepaper.pdf
ISS announcement: http://blogs.iss.net/archive/CVRF_announced.html
Internet Storm Center announcement: http://isc.sans.org/diary.html?storyid=10900