The US National Vulnerability Database has stopped analyzing vulnerabilities in software and services. It has not been maintained for more than a month, which disrupts the process of closing security "holes". The same is happening with the Common Vulnerabilities and Exposures (CVE) database of publicly known security vulnerabilities. This raises the risk of new attacks: some experts call what is happening a "crisis", while others fear major problems across the information security field.
Global information security problem
The US National Vulnerability Database (NVD) has suspended its work on collecting and analyzing information about vulnerabilities in software and services. This was first noticed by a user of the Morphisec portal posting as Brad LaPorte, who called what was happening a "crisis".
As it turned out, NVD, one of the most important resources in the information security field, has largely stopped performing its primary task since February 12, 2024, that is, for more than a month. The problem also affects the Common Vulnerabilities and Exposures (CVE) database of publicly known security vulnerabilities. In it, each vulnerability receives a unique identifier in the "CVE-year-number" format, a description, and a set of publicly available references.
As a result of the suspension of NVD activity, 42% of the entries added to the CVE database in recent weeks lack critical metadata, including the vulnerability risk assessment (CVSS score). In addition, several thousand vulnerabilities have not been analyzed at all and are awaiting analysis. In total, Brad LaPorte estimated that as of March 11, 2024, the NVD list contained more than 2,400 vulnerability entries with no additional information whatsoever.
CVE and NVD are the largest vulnerability databases in the world.
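The missing metadata the article counts (CVSS, CWE, CPE) is exactly what a vulnerability-management team has to check for when it pulls records during the backlog. The following is an added example, not code from the article or from NIST: it validates the "CVE-year-number" identifier format and reports which enrichment fields each record lacks. The sample feed is constructed and modelled on the NVD API 2.0 JSON layout (the field names `cve.id`, `cve.vulnStatus`, `cve.metrics`, `cve.weaknesses`, `cve.configurations` are assumed); the CVE IDs in it are placeholders.

```python
import json
import re

# CVE identifiers follow the "CVE-year-number" format the article describes:
# a four-digit year and a sequence number of at least four digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample shaped like the NVD API 2.0 "vulnerabilities" array
# (assumed field names). The IDs are placeholders, not real CVE records.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2024-00001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "weaknesses": [{"description": [{"value": "CWE-787"}]}],
             "configurations": [{"nodes": []}]}},
    # A bare entry of the kind the backlog produced: description only.
    {"cve": {"id": "CVE-2024-00002", "vulnStatus": "Awaiting Analysis",
             "descriptions": [{"lang": "en", "value": "placeholder"}]}},
    # Partially enriched: CWE present, but no CVSS metric and no CPE match.
    {"cve": {"id": "CVE-2024-00003", "vulnStatus": "Undergoing Analysis",
             "metrics": {"cvssMetricV31": []},
             "weaknesses": [{"description": [{"value": "CWE-79"}]}]}},
]})

CVSS_KEYS = ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def enrichment_gaps(cve):
    """Return the list of NVD enrichment fields this record lacks."""
    missing = []
    metrics = cve.get("metrics") or {}
    if not any(metrics.get(key) for key in CVSS_KEYS):
        missing.append("CVSS")
    if not cve.get("weaknesses"):
        missing.append("CWE")
    if not cve.get("configurations"):
        missing.append("CPE")
    return missing


def enrichment_report(feed_json):
    """Map each CVE ID to its gaps and give the share of records with any gap."""
    records = json.loads(feed_json)["vulnerabilities"]
    gaps = {}
    for record in records:
        cve_id = record["cve"]["id"]
        if not CVE_ID_RE.match(cve_id):
            raise ValueError(f"malformed CVE identifier: {cve_id!r}")
        gaps[cve_id] = enrichment_gaps(record["cve"])
    unenriched = sum(1 for missing in gaps.values() if missing)
    share = round(100.0 * unenriched / len(records), 1) if records else 0.0
    return gaps, share
```

Run against a real feed, the per-record gap list tells you which CVEs need CVSS, CWE or CPE data sourced from the vendor advisory or another database rather than from NVD.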
Why explain anything to anyone
The NVD database is located on the portal of the National Institute of Standards and Technology (NIST). Representatives of the Institute preferred not to comment on what is happening with the database.
In fact, NIST gave no specific reasons for stopping the analysis, hinting only at process improvements and referring to the creation of a certain "consortium".
At the time of publication, the NVD website carried a notice with the following content:
"NIST is currently working to create a consortium to solve problems in the NVD program and develop improved tools and techniques. During this transition, you will see time delays in performing vulnerability analysis. We apologize for the inconvenience and ask you to be patient while we work to improve the NVD program."
What kind of consortium this is, what exactly it will do to "solve NVD problems", who will join it and on what terms, all remain unanswered questions.
The CVE site is also changing. By the end of the second quarter of 2024 it will retire the old design entirely, and the new version carries a notice: "The CVE program works with community members around the world to develop CVE content and expand its use." The site gives no details on why these changes are needed.
Opinion of Russian experts
As Alexander Leonov, a vulnerability management expert at Positive Technologies, wrote in his Telegram channel "Vulnerability Management and other", the shutdown of NVD has had very serious consequences. According to him, the database has completely stopped being updated with vulnerability information (CVSS, CWE, CPE).
Leonov separately stressed that the global community of vulnerability management (VM) experts is in "growing panic". "Everyone was used to using publicly available NVD content and took its updating for granted. It turned out that everything can stop, and we will have to figure out for ourselves where to get technical data for each vulnerability," said Alexander Leonov.
There are thousands of CVE references in the Russian vulnerability database
The expert also expressed the hope that the problem with NVD is temporary and will be resolved once the database is reorganized. "But if not, it will be interesting to see what it leads to," he concluded.
TAdviser writes that NVD is "an important source of information on vulnerabilities", whose information was checked and classified by NIST specialists. The disappearance of such a tool "can lead to serious disruptions in the global system of notification of detected vulnerabilities," TAdviser noted, adding that even the Russian "Database of Information Security Threats", maintained by the Federal Service for Technical and Export Control (FSTEC), regularly refers to CVE numbering and NVD materials.