Announcement: CWE 4.4 Released 3/15!




Dear CWE Research Community,


I hope you are all well!


I am pleased to announce that CWE Version 4.4 was released on Monday, March 15th. The update adds 1 new View, "CWE Entries with Maintenance Notes", which assessment vendors may use to anticipate future changes to CWE and help their customers prepare for those changes; 2 new Software Development Weakness entries: Generation of Weak Initialization Vector (IV) and Inefficient Regular Expression Complexity; as well as updates to 244 other entries. A detailed report is available that lists specific changes between Version 4.3 and Version 4.4.


The CWE Content Team conducted in-depth research and analysis in the following areas:

  • Hardware: identified overlapping/duplicate issues, which will need community consultation to resolve. Also investigating a different way to organize entries besides the hardware view (CWE-1194), and adding Functional_Area elements related to Power and Clock.
  • Cryptography/randomness subtree analysis (CWE-330): the team began investigating how to describe randomness, entropy, and unpredictability in a consistent way and created a new Base (CWE-1204) prompted by community feedback about CWE-329. More changes for randomness are planned, and the CWE research community will be consulted for important decisions.
  • Root cause analysis for access of uninitialized memory: this led to updates to several entries, with more demonstrative and observed examples, and identified the need to clarify differences between CWE-456 and CWE-457, and possibly deprecate CWE-456 in the future.
  • Maintenance view: created new maintenance view (CWE-1081) to make it easier for CWE users to anticipate future changes. Reviewed and updated maintenance notes for over 130 entries.
  • Content checks: improved checks for invalid or inconsistent content, such as relationship gaps (e.g., a Class being a parent of a Variant), incorrect relationships (e.g., a Weakness that is a “ChildOf” a category), or entries where more than one relationship is labeled “Primary”. This work will be ongoing.
  • Consistency: phrasing of mitigations was made more consistent. This work will be ongoing, in collaboration with the Common Attack Pattern Enumeration and Classification (CAPEC™) Team.
  • SEI CERT Perl secure coding view (CWE-1178): added member weaknesses to categories.


See the complete list of changes at


As always, thank you so much for your continued interest and support! We’d love to hear your thoughts and comments.

Here are all our points of contact:

CWE page on LinkedIn, @cwecapec on Twitter, and our usual email channels [hidden email] (this email list) or [hidden email] to reach the team directly.
Alec J. Summers

Cyber Solutions Innovation Center

Group Leader, Software Assurance Research & Practice

Cyber Security Engineer, Lead

O: (781) 271-6970

C: (781) 496-8426


MITRE - Solving Problems for a Safer World