As a CVE Numbering Authority (CNA) that creates CVEs for Concrete CMS vulnerabilities, we were shocked to get the news yesterday that MITRE’s 25-year-old Common Vulnerabilities and Exposures (CVE) program would end today, April 16, after DHS did not renew its funding contract, for reasons unspecified.
The US Army, US Navy, US Air Force, NATO, and NORAD would be crippled if the CVE program disappeared. MITRE manages the library/database of CVEs that is vital for the US and its allies to prevent attacks, from hostile nation states as well as from criminals, against their industry, financial systems, defense industrial base, and defense forces.
A CVE is a tracking number for a specific vulnerability in a specific product. Responsible vendors and open source projects (such as Concrete CMS) create CVEs when it is important for their clients/users to take action to protect themselves. Perhaps there is an update you need to apply. Perhaps there isn’t a fix yet but bad actors are actively taking advantage of a flaw; wouldn’t you like to know about that?
The vulnerability rankings that NIST nicely maintains will be stale as soon as there are no new published CVEs.
The weekly list that the Cybersecurity and Infrastructure Security Agency (CISA) sends out? Gone without new CVEs added to a database. No more IAVMs ensuring that U.S. Army systems are updated.
Vulnerability scanners such as Tenable Nessus, Qualys, etc. become useless without a constant feed of new CVEs. Ditto for GitHub’s Dependabot and GitLab Security Scanner. The ever-growing set of cybersecurity products such as CrowdStrike, Red Canary, Splunk, SentinelOne, Black Duck, Invicti, Acunetix, ManageEngine, etc. will also be affected. (Want one added to this list? Contact us and I’ll amend the blog.)
Oh, and other vulnerability lists such as FIRST, the Open Source Vulnerability List (OSV), etc.? Well, they are sourced from the MITRE vulnerability database too and will be stale as soon as no more CVEs are published.
Could another U.S. agency, say NIST, take over MITRE’s responsibilities for maintaining the CVE database? Sure. Could a “non profit group” take over as is suggested by the CVE Foundation? With U.S. allies increasingly doubtful of US cooperation, the CVE Foundation will probably take off.
But I, for one, am relieved to see that MITRE’s contract has been extended for 11 months, so that the CVE program doesn’t just get turned off without someone intelligent thinking through the national security implications of doing so.
-Lisa Nicholson, Chief Information Security Officer, PortlandLabs Inc