What is CPE?
Common Platform Enumeration (CPE) is a standardized technique for identifying and documenting the many classes of software applications, operating systems, and hardware components that make up an organization's computer resources.
CPE is part of the Security Content Automation Protocol (SCAP)5 standard proposed by the National Institute of Standards and Technology (NIST).
The CPE Inventory uses the following format for CPE entries:
<part>: Specifies the kind of system that was discovered. It can have the following values:
- a – Application
- h – Hardware
- o – Operating System
<vendor>: It contains the name of the company that created the product.
<product>: Contains the product's name that has been detected.
<version>: lists the product's version number.
<update>: lists the product update and version that was found.
<edition>: shows the software's edition
<language>: Displays the identified language.
To be thorough, here is an example CPE for the Adobe Flash Player vulnerability CVE-2015-6682 on the NVD is:
cpe:/a:adobe:airsdk%26_compiler:184.108.40.206 and previous versions * cpe:/a:adobe:air_sdk:220.127.116.11 and previous versions * cpe:/a:adobe:air:18.104.22.168 and previous versions + OR cpe:/o:apple:mac_os_x:- cpe:/o:microsoft:windows:-
Benefits of CPE:
- It provides a standard method for encoding the names of IT systems and products in a machine-readable format.
- It works as a collection of methods for comparing names.
- It provides a language for creating logical statements called "applicability statements" that integrate CPE names with basic logical operators.
- It is considered a standard notion of a CPE Dictionary.
What is CVE?
CVE stands for Common Vulnerabilities and Exposures and has to do with the specific instance within a product or system—not the underlying flaw.
In order to compare security products and services and to make it simpler to link information from vulnerability databases, the CVE list was created. Each vulnerability and exposure has a unique CVE Identifier, which is listed in the CVE database.
YYYY stands for the year it was released
NNNN stands for a sequential number (in principle this number only has four digits, but it can be increased to five or more digits when needed)
The 2022 SQL injection issue in a database stored function in TrueConf Server was given the serial number CVE-2022-46763.
Benefits of CVE:
- CVE makes it easier to share information about known vulnerabilities so that cybersecurity plans can be updated with the most recent security flaws and security concerns.
- CVE numbers allow organizations to determine what each tool covers and whether it is suitable for their needs.
- Information about CVE vulnerabilities can be used by security advisories to look up known attack signatures and pinpoint specific vulnerability exploits.
How CVE and CPE can be used together?
The CVE feeds include a list of the software items that are impacted by each entry. The list is formatted as CPE URIs, making it easier to find CVEs for software products using their associated CPEs. The product, vendor, and version elements of the software product's CPE are compared with the corresponding values for each entry in the CVE susceptible software list to determine whether a CVE matches the software product.
Consider a CVE: CVE-2019-20387.
The package "libsolv" is impacted by this CVE, according to the Red Hat CVE database page for this CVE.
Red Hat Product Security has rated the overall effect of this CVE as "Moderate," however the impact rating for the package "libsolv" for Red Hat Platform (product) Satellite version 6 is "low," and the state is "Affected." However, for the same CVE and same package on Red Hat Platform RHEL7, the impact and state are, respectively, "moderate" and "Will not fix."
Because of this, it's essential to identify CPEs (product+version) in order to precisely determine how a CVE would affect a certain package or module.
When dealing with information from multiple sources, the use of consistent identifiers can improve data correlation, enable interoperability, and ease the gathering of metrics for use in situation awareness, IT security audits, and regulatory compliance.
SecOps Solution is an agent-less Risk-based Vulnerability Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.
To schedule a demo, drop us a note at email@example.com