Problems with official CVE/CPE NVD content from NIST

Problems with official CVE/CPE NVD content from NIST

Jan-Oliver Wagner-3
Hello,

In the absence of a public CVE discussion list I'd like to share my thoughts here
on the CPE list where I know active and competent people are subscribed.
(Hope you don't mind, else tell me to stop)


Problem 1: Lack of content verification

We are still facing the problem that we can download CVE/CPE content from
the NIST but there is no way to verify the content has not been changed
by a man in the middle.
Neither an SSL webpage nor detached signatures or the like are available.

Does anyone know about a solution?
If not, how do other vendors handle the situation?
(We are currently doing manual/semi-automatic diff analysis each time which
is extremely time-consuming)


Problem 2: Alternating XML changes without actual content changes

For a long time we have been facing the problem that all old CVE files are changing
every day (according to date and check sums), but most older
ones only show XML changes that are irrelevant to the actual content.

I have attached an example from last November which we sent to NIST.
In January this year we still observed the behaviour (second patch).

The actual problem that derives from here is that our update sync mechanism
for OpenVAS downloads the whole huge SCAP data every day because of changes.
This is unnecessary bandwidth and processing time.

We try to work around it as well as possible with semi-automatic diff analysis.
But it feels like avoidable manpower we invest here.

How do others here handle (or work around) this problem?


Problem 3: Currently SCAP content download is broken

For a couple of days the SCAP data download has been broken.
Only incomplete/broken data files are transferred.

Maybe someone here knows what happened?


Best regards

--
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

Attachments: scap-cve-2002.diff (4K), scap-cve-2002-January2012.diff (47K)
Re: Problems with official CVE/CPE NVD content from NIST

Kent Landfield
These are NVD specific issues. Contact the NVD Operations Management at [hidden email].

Kent Landfield
Director, Content Strategy, Architecture and Standards
McAfee, an Intel company
Mobile: +1.817.637.8026

Re: Problems with official CVE/CPE NVD content from NIST

Jan-Oliver Wagner-3
On Monday, 12 March 2012, Kent Landfield wrote:
> These are NVD specific issues. Contact the NVD Operations Management at [hidden email].

The NVD team has been informed since Nov 9th 2011 about the "alternating-problem" (also forwarded
through MITRE) and on Dec 1st 2011 I sent a reminder question. Never got an answer.

So, now I started to search for other people in the user community
who also need to work around the issues and discuss how to handle
the circumstances best.

Best regards

--
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
Re: Problems with official CVE/CPE NVD content from NIST

Kent Landfield
Call David Waltermire or email directly.  He should be able to tell you where things stand.

Kent Landfield
Director, Content Strategy, Architecture and Standards
McAfee, an Intel company
Mobile: +1.817.637.8026

Re: Problems with official CVE/CPE NVD content from NIST

Booth, Harold
Hi Jan,

I apologize if this thread is a little off-topic, but in case others are interested in the answers I will respond on this list.

I will take each issue identified and suggest a solution or provide additional information.  Please let me know if any of these do not work for you.

Problem 1: Lack of content verification

We are working on getting acceptable certificates that can be used for digitally signing content generated by the NVD. In the meantime you may use the following heuristic to obtain the feeds via SSL. I will work to update the data feed page to make these links more obvious:

Change the URL prefix from:

http://static.nvd.nist.gov/*

to

https://nvd.nist.gov/static/*

so for example:

http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2012.xml

would be:

https://nvd.nist.gov/static/feeds/xml/cve/nvdcve-2.0-2012.xml


Problem 2: Alternating XML changes without actual content changes

The nvdcve[-2.0]-<year>.xml files contain vulnerabilities that correspond to the <year> value in the CVE Identifier, with exception of nvd[-2.0]-2002.xml which contains vulnerabilities prior to and including 2002. All the files are updated and generated nightly. The nvdcve[-2.0]-recent.xml and nvdcve[-2.0]-modified.xml files are updated every few hours and include any vulnerabilities which have been modified over the previous eight days. Generally, once you have downloaded all of the nvdcve[-2.0]-<year>.xml files you should be able to keep up-to-date by checking the nvdcve[-2.0]-recent.xml and nvdcve[-2.0]-modified.xml files.

Problem 3: Currently SCAP content download is broken

What do you mean by SCAP content?  If you are referring to the vulnerability data feeds, we have been experiencing some intermittent problems over the last few weeks where the data feeds are not correctly copied to the web server from where they are generated. Please send an email to [hidden email] if you happen to discover a feed is not copied correctly.

Regards,

-Harold
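
The following sketch is an added example, not part of the thread and not NVD or OpenVAS code. It combines the HTTPS prefix rewrite and the eight-day "modified" window from the reply above with a per-entry digest, so that a sync job reprocesses only entries whose content changed rather than whole files whose checksums changed (Problem 2). The function names, the simplified feed layout and the placeholder CVE ids are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

OLD_PREFIX = "http://static.nvd.nist.gov/"    # prefixes quoted in the reply
NEW_PREFIX = "https://nvd.nist.gov/static/"
MODIFIED_WINDOW = timedelta(days=8)           # "modified over the previous eight days"

def to_https(url):
    """Apply the prefix rewrite from the reply; other URLs pass through unchanged."""
    return NEW_PREFIX + url[len(OLD_PREFIX):] if url.startswith(OLD_PREFIX) else url

def plan_sync(last_sync, now):
    """'incremental' if the modified feed still covers the gap, else 'full'."""
    if last_sync is None or now - last_sync > MODIFIED_WINDOW:
        return "full"
    return "incremental"

def entry_digest(el):
    """Hash tag, sorted attributes, stripped text and children; layout is ignored."""
    parts = [el.tag, sorted(el.attrib.items()), (el.text or "").strip(),
             [entry_digest(child) for child in el]]
    return hashlib.sha256(repr(parts).encode("utf-8")).hexdigest()

def merge_feed(store, feed_xml):
    """Update store (CVE id -> digest); return ids whose content really changed."""
    changed = []
    for entry in ET.fromstring(feed_xml):
        if entry.tag.rsplit("}", 1)[-1] != "entry":   # match with or without namespace
            continue
        cve_id, digest = entry.get("id"), entry_digest(entry)
        if store.get(cve_id) != digest:
            store[cve_id] = digest
            changed.append(cve_id)
    return changed

# Constructed, simplified feeds (not the real NVD schema; placeholder ids).
FEED_DAY1 = """<nvd>
  <entry id="CVE-0000-0001"><summary>First issue</summary></entry>
  <entry id="CVE-0000-0002"><summary>Second issue</summary></entry>
</nvd>"""
FEED_DAY2 = """<nvd><entry id="CVE-0000-0001">
    <summary>
      First issue
    </summary></entry>
<entry id="CVE-0000-0002"><summary>Second issue, revised</summary></entry></nvd>"""

if __name__ == "__main__":
    store = {}
    print(merge_feed(store, FEED_DAY1))   # both entries are new
    print(merge_feed(store, FEED_DAY2))   # only the revised entry is reported
    print(plan_sync(datetime(2012, 3, 1), datetime(2012, 3, 12)))
```

The digest treats whitespace and attribute order as irrelevant, which is an assumption about what counts as a content-neutral XML change; HTTPS protects the transfer only, so it does not replace the signed feeds mentioned in the reply.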

