Xen Project is now a CVE Numbering Authority (CNA)

By March 15, 2021Announcements

The Common Vulnerability and Exposures (CVE) Program’s mission is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.  CVE numbers (assigned when vulnerabilities are added to the CVE List) enable two or more people or tools to refer to a vulnerability and know they are talking about the same thing, resulting in significant time and cost savings.   Many organizations now require vendors to supply CVE numbers when providing hotfixes or other updates.  

The XenProject Security Team has been including CVE numbers with publicly disclosed vulnerabilities for many years now.  Until now, this has involved submitting each of our Xen Security Advisories (XSAs) to Mitre as they become public, waiting for them to issue us CVEs, and then re-sending the advisories with CVE numbers attached.  For the last several years, this has been a very manual process that involves an engineer translating our advisory into a webform (which has captchas to prevent any automation).  During this time, the demand for advisories to contain CVEs as soon as possible has grown.

As a CNA, this process is greatly simplified.  Mitre will issue the XenProject a block of CVE numbers. The XenProject Security Team will then assign CVEs from that block, in accordance with Mitre guidelines, before the advisory becomes public.  We will then inform Mitre what numbers we have assigned to which vulnerabilities via a process that will be much more conducive to automation.

The result will be that CVEs will be automatically included in every advisory before being issued, making the system more useful for security-conscious Xen users and downstreams, while freeing up effort for the XenProject Security Team to focus on other issues.

The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), of the U.S. Department of Homeland Security (DHS) and is operated by the MITRE Corporation in close collaboration with international industry, academic, and government stakeholders.