CWE 1.4 released

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

CWE 1.4 released

Steven M. Christey-2
CWE 1.4 has been released.  Changes include: (1) creation of 15 new
entries, most of which are newly-identified weaknesses; (2) deprecation of
one entry that inadvertently combined multiple weaknesses; (3) usage of a
more established vocabulary in the names and descriptions of 89 entries;
(4) updated relationships for 35 entries; (5) improvements and additions
to demonstrative examples for 75 entries; (6) updated CAPEC attack
patterns for 31 entries; and changes to 198 total entries.

A detailed report is available that lists specific changes between Version
1.3 and Version 1.4:

We've also updated the glossary for terms used in CWE (but please note
these are still in development):

We've also created new PDF files that contain the entire contents of CWE.
Note that these "Printable CWE" documents are hundreds of pages long, so
you may want to think twice before printing them:

The CWE Top 25 document has also been updated to reflect the latest
changes in names, mitigations, and attack patterns.  Note that mitigations
were not affected much:

There were no schema changes in this version.

The new entries are:

761   Free of Pointer not at Start of Buffer
762 Mismatched Memory Management Routines
763 Release of Invalid Pointer or Reference
764 Multiple Locks of a Critical Resource
765 Multiple Unlocks of a Critical Resource
766 Critical Variable Declared Public
767 Access to Critical Private Variable via Public Method
768 Incorrect Short Circuit Evaluation
769 File Descriptor Exhaustion
770 Allocation of Resources Without Limits or Throttling
771 Missing Reference to Active Allocated Resource
772 Missing Release of Resource after Effective Lifetime
773 Missing Reference to Active File Descriptor or Handle
774 Allocation of File Descriptors or Handles Without Limits or Throttling
775 Missing Release of File Descriptor or Handle after Effective Lifetime

The main additions are for throttling/limiting (as exploited by "resource
exhaustion" attacks) and improper free/delete operations (which previously
could only be classified under the high-level CWE-404).  These new entries
reflect some of the changes that we are making to certain "regions" of
CWE.  When we released 1.3, we performed a similar regional reorganization
for error handling, as reflected in CWE-754 and CWE-755.  We plan to post
short summaries that further explain this kind of organization.

This is the largest number of new weakness-focused entries since the
release of CWE 1.0 last year.  (Past releases have often included many new
categories in order to support new views.)  In the foreseeable future, we
expect to add more weakness-focused entries as we simultaneously improve
the quality and completeness of existing entries.  If you have any
suggestions for new weaknesses or major gaps in CWE, feel free to contact
us at [hidden email].  We can use non-disclosure agreements (NDA) if

Finally, Bob Martin and I would like to thank CWE team members Janis
Kenderdine, Conor Harris, Scott Bennett, and Tom Stracener for all their
contributions to this version.

Thank you for your support of CWE!

Steve Christey
CWE Technical Lead