7900 Vulnerabilities Didn't Make It into the CVE Database in 2017

Last year broke the previous all-time record for the highest number of reported vulnerabilities, with 20,832 of them cataloged.

According to an analysis of its own VulnDB, Risk Based Security discovered that 7,900 of those vulnerabilities flew under the radar and weren’t reported to MITRE’s Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD).

“Organizations that track and triage vulnerability patching saw no relief in 2017, as it was yet another record-breaking year for vulnerability disclosures,” said Brian Martin, vice president of vulnerability intelligence for Risk Based Security. He added, “Incredibly, we see too many companies still relying on CVE and NVD for vulnerability tracking, despite the US government-funded organization falling short year after year. While some argue that the CVE/NVD solution is ‘good enough,’ that simply isn’t the case. Just look at the number of web and computer hacking data breaches reported on a regular basis. In addition to a false sense of security, the ‘good enough’ mindset often leads some to believe that the important vulnerabilities are covered, and that isn’t the case either.”

In addition, of the more than 18,000 CVE IDs that were assigned or allotted to CVE Numbering Authorities (CNAs), almost 7,000 were in reserved status, despite 1,342 of them having a public disclosure.

About 39.3% of reported vulnerabilities received Common Vulnerability Scoring System (CVSS) scores above 7.0. This means that not only has the number of vulnerabilities been increasing but also that the CVSS scores have been trending higher over the last five years. In 2017, web-related issues accounted for over 50% of all vulnerabilities disclosed, 31.5% had public exploits, and 24.1% had no solution at the time of the report.

The VulnDB QuickView report also revealed that while relationships between researchers and vendors can at times appear strained, they are continuing to attempt to work together. The proportion of vulnerabilities disclosed in a coordinated fashion with vendors was relatively consistent at 44.8%, compared to 45.6% in 2016.

“From operating systems and software installed on client and server systems to IoT and SCADA devices, vulnerabilities continue to be a major concern,” said Carsten Eiram, chief research officer, Risk Based Security. “Using metrics to help determine which vendors and products are putting your organization at risk needs to be a key part of your vendor risk management and procurement process. The ability to properly use vulnerability data to help with the decision making process is important and we have ensured this is built into our VulnDB solution.”
