MITRE group updates list of software vulnerabilities, adding hundred-plus entries

By Rick Weber / January 4, 2019 at 2:10 PM

A MITRE Corp. group that tracks software vulnerabilities has issued an updated list by adding more than one hundred entries, with most of those new items posing indirect risks that could be difficult to identify or fix.

"In all, 534 entries had important changes, primarily due to relationship changes, references, names, and descriptions," according to a statement posted on MITRE's "Common Weakness Enumeration" webpage Thursday. The CWE update, dubbed version 3.2, includes 137 new entries and one "deprecated" item, according to the MITRE website.

"The main changes include: (1) adding 89 new entries related to quality issues that only indirectly make it easier to introduce a vulnerability and/or make the vulnerability more difficult to detect or mitigate (see the CWE-1040: Quality Weaknesses with Indirect Security Impacts view); (2) adding 1 new weakness, CWE-1173: Improper Use of Validation Framework, detailing the improper use of an available input validation framework; (3) adding 1 new view, CWE-1128: CISQ Quality Measures (2016), to map to the Consortium for IT Software Quality (CISQ) Automated Quality Characteristic Measures released in 2016; and (4) updating the views and categories associated with the Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) Coding Standards," the announcement of the CWE update states.

The previous CWE update, or version 3.1, was issued March 29, 2018.

The CWE initiative is intended to serve as a "common language for describing software security weaknesses in architecture, design, or code . . . a standard measuring stick for software security tools targeting these weaknesses [and] Provide a common baseline standard for weakness identification, mitigation, and prevention efforts," the MITRE statement reads.

The MITRE initiative for listing software vulnerabilities dates back to the 1990s and builds on its "preliminary list of vulnerability examples for researchers," or PLOVER, issued in 2006. That work was done with the Department of Homeland Security and the National Institute of Technology as part of the Software Assurance Metrics and Tool Evaluation project. MITRE describes the CWE initiative as a "community-developed" list.

"The next step after PLOVER was to establish acceptable definitions and descriptions of these common weaknesses by the community under the NIST SAMATE project, which led to the creation of the 'Common Weakness Enumeration' list and associated classification taxonomy," the MITRE statement reads.

The updated CWE list "now serves as a mechanism for describing code vulnerability assessment capabilities in terms of their coverage of the different CWEs," MITRE said.
