-
Notifications
You must be signed in to change notification settings - Fork 21
Proposal: Expand VulnerabilityType in Exploit Target
Status: Accepted with modifications
Comment Period Closes: 1/3/2014
Affects Backwards Compatibility: NO
Relevant Issue: https://github.com/STIXProject/schemas/issues/53
The ExploitTarget component has a field called Vulnerability that is used to represent a vulnerability that is the target of a particular threat. Currently, that field is essentially either an external reference to a vulnerability defined in CVE or OSVDB or a representation of that vulnerability defined inline in CVRF.
It has been suggested that this type be expanded to include metadata about vulnerabilities. In particular, the following fields were suggested:
| Field | Datatype | Description |
|---|---|---|
| @is_known | Boolean | A flag for whether the vulnerability is known (not a 0-day) at the time of characterization |
| Title | String | The name/identifier of the vulnerability, especially useful if no vulnerability database ID is available |
| Description | String | A description of the vulnerability, especially useful if no vulnerability database ID is available |
| Short_Description | String | A short description of the vulnerability, especially useful if no vulnerability database ID is available |
| Discovered | Datetime | The date and time that the vulnerability was discovered |
| Published | Datetime | The date and time that the vulnerability was published |
| Source | String | The source of the CVE description, as a textual description |
| References | List[URI] | A list of external references describing the vulnerability |
| Affected_Software | List[CybOX Observables] | A list of software products that are vulnerable |
There is no expected compatibility impact. Producers will have the option to use the new fields and consumers can choose to handle them or not as with any other field in STIX.
- Should this capability be added to STIX?
- Is the list of suggestions correct?
- If not, what should be added or removed?
This proposal was accepted with some modifications. Specifically, the @is_publicly_acknowledged field will be added and the annotations will state that the field is used to denote whether the vulnerability is publicly acknowledged by the vendor. We will also ensure that either in this version or a future one, CPE names may be used for the Affected_Software field.