1、 International Telecommunication Union ITU-T X.1520TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2014) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cybersecurity information exchange Vulnerability/state exchange Common vulnerabilities and exposures Recommendation ITU-T X.15
2、20 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.69
3、9 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND
4、 SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.120
5、0X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.
6、1539Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing security X.1600X.1601 Cloud computing sec
7、urity design X.1602X.1639 Cloud computing security best practices and guidelines X.1640X.1659 Cloud computing security implementation X.1660X.1679 Other cloud computing security X.1680X.1699 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1520 (01/2014) i Recomme
8、ndation ITU-T X.1520 Common vulnerabilities and exposures Summary Recommendation ITU-T X.1520 on the use of the common vulnerabilities and exposures (CVE) provides a structured means to exchange information security vulnerabilities and exposures, which provides common names for publicly known proble
9、ms in the commercial or open source software used in communication networks, end-user devices or any of the other types of information and communication technology (ICT) capable of running software. The goal of the Recommendation is to define the use of CVE to make it easier to share data across sep
10、arate vulnerability capabilities (tools, repositories and services) with this common naming. This Recommendation defines the use of CVE to provide a mechanism for vulnerability databases and other capabilities to be used together, and to facilitate the comparison of security tools and services. CVE
11、does not contain information such as risk, impact, fix information or detailed technical information. CVE only contains the standard identifier number with status indicator, a brief description and references to related vulnerability reports and advisories. The repository of CVE identifiers is avail
12、able at cve.mitre.org/cve/cve.html. The intention of CVE, the use of which is defined in this Recommendation, is to be comprehensive with respect to all publicly known vulnerabilities and exposures. While CVE is designed to contain mature information, the primary focus is on identifying vulnerabilit
13、ies and exposures that are detected by security tools and any new problems that become public, and then addressing any older security problems that require validation. History Edition Recommendation Approval Study Group Unique ID*1.0 ITU-T X.1520 2011-04-20 17 11.1002/1000/11061 2.0 ITU-T X.1520 201
14、4-01-24 17 11.1002/1000/12040 _ *To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. ITU-T X.1520 (01/2014) FOREWORD The International Te
15、lecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and
16、 tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Re
17、commendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Reco
18、mmendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interope
19、rability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that
20、compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, val
21、idity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be req
22、uired to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2014 All rights reserved. No part of this publication may be reprodu
23、ced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1520 (01/2014) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 1 4 Abbreviations and acronyms 2 5 Conventions 2 6 High
24、-level requirements . 2 7 Accuracy . 4 8 Documentation 4 9 CVE date usage 4 10 Different styles of CVE name support 5 11 Revocation of CVE compatibility 5 12 Review authority . 6 Annex A Type-specific requirements . 7 Annex B Media requirements . 10 Annex C Media requirements . 11 Bibliography. 14 i
25、v Rec. ITU-T X.1520 (01/2014) Introduction This Recommendation on the use of the common vulnerabilities and exposures (CVE) provides a structured means to exchange information security vulnerabilities and exposures, which provides common names for publicly known problems. The goal of this Recommenda
26、tion is to define use of CVE to make it easier to share data across separate vulnerability capabilities (tools, repositories and services) with this common naming. This Recommendation is designed to allow vulnerability databases and other capabilities to be used together, and to facilitate the compa
27、rison of security tools and services. CVE does not contain information such as risk, impact, fix information or detailed technical information. CVE only contains the standard identifier number with status indicator, a brief description and references to related vulnerability reports and advisories.
28、The repository of CVE identifiers is available at http:/cve.mitre.org/cve/cve.html. The intention of CVE, the use of which is defined in this Recommendation, is to be comprehensive with respect to all publicly known vulnerabilities and exposures. While CVE is designed to contain mature information,
29、the primary focus is on identifying vulnerabilities and exposures that are detected by security tools and any new problems that become public, and then addressing any older security problems that require validation. This Recommendation is one of a class of ITU-T Recommendations that comes from a lar
30、ge, existing, global development and user community that has written and evolved an open specification that is made available to the ITU-T for adoption, with agreement that any changes or updates to the specification will be done in a manner that ensures full technical equivalency and compatibility
31、will be maintained, that discussions about changes and enhancements will be done through the original user community, and includes explicit reference to the corresponding specific version maintained by the user community. Rec. ITU-T X.1520 (01/2014) 1 Recommendation ITU-T X.1520 Common vulnerabiliti
32、es and exposures 1 Scope This Recommendation on the use of the common vulnerabilities and exposures provides a “structured means“ for the global exchange of publicly known, mature vulnerabilities and exposures information that are detected by security tools or otherwise become public. This “structur
33、ed means“ is often referred to as “CVE compatibility“ and defines the correct use of CVE. An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. An information security exposure is a mistake in software that allows
34、access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. The assignment of CVE identifiers is not within the scope of this Recommendation. Recommendation ITU-T X.1520 has been developed on a collaborative basis with the MITRE Corporation, beari
35、ng in mind the importance of maintaining, to the extent possible, technical compatibility between Recommendation ITU-T X.1520 and the “Requirements and Recommendations for CVE Compatibility“, 30 June 2013, available at https:/cve.mitre.org/compatible/Requirements_for_CVE_Compatibility_V1.3.pdf. 2 Re
36、ferences None. 3 Definitions 3.1 Terms defined elsewhere None. 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 accuracy percentage: The percentage of security elements in the review sample that reference the correct CVE identifiers. 3.2.2 capability: S
37、ecurity tool, database, website, advisory or service that provides a security vulnerability or exposure identification function. 3.2.3 exposure: An information security exposure is a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-ston
38、e into a system or network. 3.2.4 map/mapping: The specification of relationships between security elements in a repository and the CVE names that are related to those elements. 3.2.5 owner: The custodian (real person or company) having responsibility for the capability. 3.2.6 repository: An implici
39、t or explicit collection of security elements that supports a capability, e.g., a vulnerability database, advisory archive, the set of signatures in an intrusion detection system (IDS) or website. 3.2.7 review: The process of determining whether a capability is CVE-compatible. 3.2.8 review authority
40、: Any entity that performs a review. NOTE MITRE is the only review authority at this time. 2 Rec. ITU-T X.1520 (01/2014) 3.2.9 review date: The date of the CVE content that is being used for determining CVE compatibility of a capability. 3.2.10 review sample: The set of security elements in the capa
41、bilitys repository that is used by the review authority for evaluating accuracy. 3.2.11 sampling method: The method by which the review authority identifies the set of security elements in the review sample. 3.2.12 sample size: The percentage and/or the number of security elements to be examined by
42、the review authority. 3.2.13 security element: A database record, e-mail message, security advisory, assessment probe, signature, etc., which is related to a specific vulnerability or exposure. 3.2.14 task: A tools probe, check, signature, etc., which performs some action that produces security info
43、rmation (i.e., the security element). 3.2.15 tool: A software application or device that either examines a host or network and produces information that is related to vulnerabilities or exposures or aggregates this type of information, e.g., a vulnerability scanner, intrusion detection system, risk
44、management, security information management or compliance reporting tool or service. 3.2.16 user: A consumer or potential consumer of the capability. 3.2.17 vulnerability: Any weakness in software that could be exploited to violate a system or the information it contains (based upon b-ITU-T X.1500).
45、 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: ASCII American Standard Code for Information Interchange CVE Common Vulnerabilities and Exposures GUI Graphical User Interface HTML HyperText Markup Language HTTP HyperText Transfer Protocol IDS Intrusio
46、n Detection System PDF Portable Document Format POC Point Of Contact URL Uniform Resource Locator XML Extensible Markup Language 5 Conventions CVE is used as a noun in this Recommendation. 6 High-level requirements The following items define the concepts, roles and responsibilities related to the pr
47、oper use of CVE identifiers to share data across separate vulnerability capabilities (tools, repositories and services) to allow vulnerability databases and other capabilities to be used together, and to facilitate the comparison of security tools and services. Rec. ITU-T X.1520 (01/2014) 3 Prerequi
48、sites 6.1 The capability owner shall be a valid legal entity, i.e., an organization or a specific individual, with a valid phone number, e-mail address and postal address. 6.2 The capability shall provide additional value or information beyond that which is provided in CVE itself (i.e., name, descri
49、ption, references and associated data). 6.3 The capability owner shall provide the review authority with a technical point of contact who is qualified to answer questions related to the mapping and any CVE-related functionality of the capability. 6.4 The capability shall be available to the public, or to a set of consumers, in a production version. 6.5 The capability owner shall provide the review authority with a completed “CVE compatibility requirements evaluation form“. 6.6 For a capability with a repos
