Definition
A vulnerability database is a collection of searchable information on vulnerabilities that affect information systems.
Overview
Many of these databases are publicly accessible via the Web. These websites are generally run by third parties not affiliated with software vendors, and can provide a wealth of information to system administrators and security professionals. They strive to cover most operating systems and software applications. Because they are not affiliated with software vendors, they often provide information that the vendor, or other organizations affiliated with the vendor, does not provide.
Vulnerability databases tend to be the quickest to report new vulnerabilities, which is both a benefit and a disadvantage. The provision of timely information on vulnerabilities can be critical to the success of a system administrator in securing a network.
Database information
Although the quantity and quality of information vary to some degree from site to site, vulnerability databases typically include the following types of information:
- Vulnerability Overview: An introduction to the vulnerability that includes the CVE name; type of vulnerability; date the vulnerability was first publicly identified; date the vulnerability or patch information was last updated; and the operating system, application, or hardware affected by the vulnerability.
- Discussion or Analysis: Detailed information on the vulnerability, from one paragraph to several pages, depending on the complexity of the vulnerability. This discussion may be highly technical.
- Solution: A detailed discussion on mitigating or eliminating the vulnerability. Generally contains hyperlinks to the pertinent vendor’s website for patches and updates. If available, other remediation techniques will typically be included.
- Exploit: Information on exploiting the vulnerability and any applicable code, or links to other sites that have more information and exploit code. This information can be useful to the system administrator in determining whether a system is susceptible to exploitation (before or after the patch is applied). However, great care should be exercised in using these techniques so as not to cause unintended harm to systems.
Overall, vulnerability databases are one of the most powerful resources available. Even if other sources are principally relied upon for vulnerability information, the general news and discussions provided on the vulnerability database sites can prove invaluable.
Source
- NIST, "Creating a Patch and Vulnerability Management Program," NIST Special Publication 800-40, Ver. 2 (Jan. 2006) (full-text).