[RndTbl] Remotely exploitable netfilter

dndyck6 at gmail.com
Wed Mar 16 10:37:01 CDT 2022


As far as I can tell/recall, the numbers are not assigned sequentially
(thankfully, to your point). 

Here: https://cve.mitre.org/cve/identifiers/syntaxchange.html they're called
arbitrary, and here:
https://cve.mitre.org/cve/identifiers/tech-guidance.html under
"Considerations for Output Format" and "Sorting", they say "CVE IDs are not
allocated sequentially based on the disclosure date".

I believe that CNAs (CVE Numbering Authorities) are allocated blocks by the
CNA or other authority above them in the hierarchy, so CVE-2022-25XXX would
be allocated to a specific CNA, and they would hand out numbers as needed
(or assign to vulnerabilities within their own products). Though, in this
case, that was handed out by Mitre Corp., which is a top-level CNA. 

That assignment process I don't have a source for, though, so I may be
wrong. Here's a bit of explanation on the hierarchy though:
https://www.cve.org/ProgramOrganization/Structure

David Dyck 
david at ddyck.ca


-----Original Message-----
From: Roundtable <roundtable-bounces at muug.ca> On Behalf Of Glen Ditchfield
Sent: March 16, 2022 9:49 AM
To: roundtable at muug.ca
Subject: Re: [RndTbl] Remotely exploitable netfilter

On Wednesday, March 16, 2022 8:47:48 A.M. CDT John Lange wrote:
> When your firewall is the vulnerability, it's probably not good.
> Posting for awareness.
> 
> https://nvd.nist.gov/vuln/detail/CVE-2022-25636
> 
> John

I suppose CVE numbers are given out sequentially?  And we're at 25,636, in
mid-March?  Seems like it was only yesterday when they had to expand the CVE
ID format beyond 4 digits...



_______________________________________________
Roundtable mailing list
Roundtable at muug.ca
https://muug.ca/mailman/listinfo/roundtable
