Vital data used to protect against cyberattacks is missing from more than 2,000 of the latest entries in the world’s most widely used vulnerability database.
A significant number of new CVEs (common vulnerabilities and exposures) added to the National Vulnerability Database (NVD) in recent weeks have lacked enrichment data — details necessary for researchers and security teams to understand the bugs.
The NVD was established in 2005 by the U.S. National Institute of Standards and Technology (NIST) and last year alone, information on more than 29,000 discovered flaws was added to the database.
Staff at NIST “enrich” the CVE entries by adding additional information such as basic descriptions of the bugs, the software they impact, CVSS severity scores, related common weakness and enumeration (CWE) and common platform enumeration (CPE) details, patch availability, and links to additional resources.
A notice added to the NVD homepage on Feb. 15 said users could expect temporary delays in the posting of CVE analysis.
“NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods,” the message reads. “We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.”
Bug reporting spikes as funding shrinks
According to NetRise, only about 8% of the CVE entries added to the database since Feb. 12 have a CPE associated with them.
Enrichment was lacking from well over 2,000 entries according to separate analysis carried out by Anchore and Jerry Gamblin of Cisco Threat Detection & Response
NIST has not provided any public explanation for the situation beyond its website notice. However, VulnCheck security researcher Patrick Garrity noted on LinkedIn that the institute recently experienced its first budget cut in over a decade.
Meanwhile, the volume of CVEs published each year has almost doubled from under 15,000 in 2017 to over 29,000 in 2023.
“Human analysis is integral to processing CVEs, and the pause is likely due to limited resources to handle the exponential growth in CVE issuance,” Garrity said.
“With multiple projects and limited resources, tough decisions on prioritization are inevitable. While it’s not apparent to the public why CVE enrichment has paused, it’s evident that those at NIST are facing difficult decisions to ensure the program's sustainability.”
Vulnerability management tools depend on NVD
Chainguard CEO Dan Lorenc highlighted the lack of CPE matching to new vulnerabilities as being particularly problematic for organizations dependent on NVD data as part of their security efforts.
“Scanners, analyzers, and most vulnerability tools rely on the NVD to set these fields so they can determine what software is affected by which vulnerabilities. This is a massive issue and the lack of any real statement on the problem is troubling,” he said.
Aquia president Chris Hughes is among others concerned about the lack of detail provided by NIST.
“What exactly is this consortium, who will be involved, what changes will be made and what sort of delays will we see as an industry when it comes to vulnerability analysis from the most widely used vulnerability database?” Hughes posted.
“I’ve encountered many problems in my career, but I’ve never seen one where ‘a consortium’ actually helped address them. The lack of transparency here is especially worrying.”
John Pescatore, SANS Technology Institute director of emerging security trends, drew a comparison between cybersecurity and road safety.
“For automotive ‘vulnerabilities’ (recalls) that have to be fixed, vehicle manufacturers are required to notify the National Highway Traffic Safety Administration, who has maintained an easy to use database. Those manufacturers also have to pay for the vehicles to be fixed! The NHTSA had a 40-year head start over NIST/NVD, but it really is time for legislation to treat software more like we treat vehicles.”
