CPE Entries for Acrobat 8.1.4, 9.0, 9.1?

rdefuria
Hello,

I was looking at a couple of CVEs as follows:
CVE-2009-2028 (released 06/11/2009)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2028

CVE-2009-1492 (released 04/30/2009)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1492



CVE-2009-2028 applies to (among other CPEs)
cpe:/a:adobe:acrobat:9.0::standard and to
cpe:/a:adobe:acrobat:9.1::standard

CVE-2009-1492 applies to (among other CPEs) cpe:/a:adobe:reader:8.1.4
and to cpe:/a:adobe:acrobat:9.1


However, the latest CPE dictionary that I have (dated 07/15/2009) does
not contain CPE entries for Acrobat 9.0, Acrobat 9.1, or Acrobat 8.1.4.
I got that CPE dictionary from the following URL:
http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml


In fact, the highest Acrobat version referenced in that CPE dictionary
is 8.1.


Am I getting the CPE dictionary from the correct place?  If not, why
doesn't it include the CPEs referenced by the 2 CVEs listed above?


Thanks.

-Rich

--
Rich DeFuria  <[hidden email]>
Belarc, Inc.  <http://www.belarc.com/>
"IT Management for the Internet Age"



--
RDeFuria
rich@belarc.com

Re: CPE Entries for Acrobat 8.1.4, 9.0, 9.1?

Stav Raviv

Hi,

 

I'm joining Rich's question:

Same is true for older NVD entries, with products that do not appear at all in the CPE dictionary (I have the same version as mentioned below):

 

E.g.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1825

* cpe:/a:wasd:wasd_http_server:7.1
* cpe:/a:wasd:wasd_http_server:7.2
* cpe:/a:wasd:wasd_http_server:7.2.1
* cpe:/a:wasd:wasd_http_server:7.2.2
* cpe:/a:wasd:wasd_http_server:7.2.3
* cpe:/a:wasd:wasd_http_server:8.0

I couldn't find any mention of "wasd" in CPE dictionary

 

Is there not supposed to be a correspondence between NVD and CPE?

I'm confused…

 

Thanks,

 

Stav

Skybox Security

www.skyboxsecurity.com

 

-----Original Message-----
From: Rich DeFuria [mailto:[hidden email]]
Sent: Monday, July 20, 2009 11:34 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] CPE Entries for Acrobat 8.1.4, 9.0, 9.1?

 


Re: CPE Entries for Acrobat 8.1.4, 9.0, 9.1?

Andrew Buttner
Administrator

All of the issues raised are valid concerns and ones that we (MITRE and NIST) are actively trying to solve.  As mentioned, CPE Names that are used by NVD should be included in the Official CPE Dictionary.  NIST is aware of this problem and is trying to come up with a feasible solution to fixing it.

 

For new releases and versions, if a CPE Name is missing in the dictionary then I encourage a submission (sent to [hidden email]) with the new names so that they can be added and the dictionary be brought up to date.


With regards to the missing names like Apache Nutch, NIST instituted a policy on dictionary submissions that requires the first 4 components to be used in order for the name to be part of the dictionary.  This policy should be made available to the community and I will work with NIST to get it up on the dictionary page.  Note that some older names did make it into the dictionary with less than 4 components.  (e.g. cpe:/a:3com:3c16115-us)  Both MITRE and NIST know that a dictionary clean-up task is much overdue.

 

I will actively work these specific issues and try my best to keep the community up to date with any changes.

 

I am constantly working with NIST to improve the policies around the Official CPE Dictionary and therefore I really appreciate hearing the concerns that members of the community have.  Please let me know if you have problems or would like to see things done a different way as this will help us gauge the best way forward.

 

Thanks

Drew

 

 

 

 

From: Stav Raviv [mailto:[hidden email]]
Sent: Tuesday, July 21, 2009 4:31 AM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] CPE Entries for Acrobat 8.1.4, 9.0, 9.1?

 


Re: CPE Entries for Acrobat 8.1.4, 9.0, 9.1?

Ernest Park-2
Hi Drew - 

Perhaps I can help you. 

We resolve dictionary discrepancies daily for CVE and CPE, and also provide aliases, groupings and more.


Let me know if we can use our "engine" to provide more reliable names and product reference.



Regards,


Ernie

On Tue, Jul 21, 2009 at 1:46 PM, Buttner, Drew <[hidden email]> wrote:


Re: CPE Entries for Acrobat 8.1.4, 9.0, 9.1?

McCormick, Christopher [USA]
In reply to this post by Andrew Buttner
The NVD hosts the Official CPE Dictionary and also analyzes CVE data from MITRE which produces a CPE or CPEs as added value.  The hosting / maintenance of the CPE Dictionary and NVD analysis are distinct and separate workflows with different resources allocated.
 
Please direct any questions relating to CVE to CPE mappings directly to the National Vulnerability Database (NVD) at nvd@nist.gov.
 
To reiterate Drew's message, please submit proposed CPE Dictionary submissions to MITRE at cpe@mitre.org.
 
NIST is in the process of revising entry requirements for the Official CPE Dictionary and is working to post them to the nvd.nist.gov/cpe.cfm webpage.  NIST is also working to implement a workflow of data, specifically CPE production via CVE analysis, for vetting and eventual inclusion in the CPE Dictionary.  At the current time, the rate at which NVD creates CPEs via CVE analysis is much faster than requests to MITRE for CPEs to be added to the Dictionary.  New CPE names submitted for inclusion in the CPE Dictionary are also vetted by members of the community including MITRE and NIST.  This is something that isn't done at the time a CPE is created via NVD CVE analysis.
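
The cross-check discussed in this thread, as an added example that is not part of any poster's message or of NVD/MITRE tooling: it parses CPE 2.2 names, applies the first-four-components submission rule from Drew's reply, and lists NVD-referenced names that a dictionary lacks. The dictionary XML is a constructed sample (the `cpe-list`/`cpe-item` layout and namespace are assumed from the CPE 2.x dictionary schema), and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

# Constructed sample shaped like a CPE 2.2 dictionary file (not real feed data).
SAMPLE_DICTIONARY = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/a:adobe:acrobat:8.1"/>
  <cpe-item name="cpe:/a:3com:3c16115-us"/>
</cpe-list>"""

# CPE names the thread quotes from the NVD entries (a subset for CVE-2002-1825).
NVD_NAMES = {
    "CVE-2009-2028": ["cpe:/a:adobe:acrobat:9.0::standard",
                      "cpe:/a:adobe:acrobat:9.1::standard"],
    "CVE-2009-1492": ["cpe:/a:adobe:reader:8.1.4", "cpe:/a:adobe:acrobat:9.1"],
    "CVE-2002-1825": ["cpe:/a:wasd:wasd_http_server:7.1"],
}


def parse_cpe22(uri):
    """Split a CPE 2.2 URI into its seven components ('' when unset)."""
    if not uri.lower().startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[5:].lower().split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many components: {uri!r}")
    return dict(zip(FIELDS, parts + [""] * (len(FIELDS) - len(parts))))


def canonical(uri):
    """Lower-case and drop trailing empty components so equal names compare equal."""
    values = list(parse_cpe22(uri).values())
    while values and not values[-1]:
        values.pop()
    return "cpe:/" + ":".join(values)


def meets_submission_policy(uri):
    """True when part, vendor, product and version are all populated."""
    parsed = parse_cpe22(uri)
    return all(parsed[field] for field in FIELDS[:4])


def load_dictionary(xml_text):
    """Collect canonical names from every cpe-item element, whatever its namespace."""
    return {canonical(el.get("name")) for el in ET.fromstring(xml_text).iter()
            if el.tag.rsplit("}", 1)[-1] == "cpe-item" and el.get("name")}


def audit(nvd_names, dictionary):
    """Return (missing, legacy): NVD names absent from the dictionary per CVE,
    and dictionary names that would fail the four-component rule."""
    missing = {}
    for cve, names in nvd_names.items():
        absent = sorted({canonical(n) for n in names} - dictionary)
        if absent:
            missing[cve] = absent
    return missing, sorted(n for n in dictionary if not meets_submission_policy(n))


if __name__ == "__main__":
    missing, legacy = audit(NVD_NAMES, load_dictionary(SAMPLE_DICTIONARY))
    for cve, names in missing.items():
        print(cve, "not in dictionary:", ", ".join(names))
    print("legacy entries below four components:", ", ".join(legacy))
```

The `missing` lists are candidates for submission to the dictionary maintainers; the `legacy` list shows existing entries that predate the four-component requirement.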
 
 

