Common Weakness Enumeration

TECHSPEC: Technology Specific Issues and Examples

There is a fairly large group of entries in CWE (at least 50, up to 100) that describe weaknesses specific to a particular technology. "Technology" might mean a specific OS:

CWE #60, Unix Path Link Problems (and children)
CWE #67, Windows MS-DOS device names
CWE #70, Mac Virtual File Problems (and children)

or a specific framework such as .NET or J2EE

CWE #519, .NET Environment Issues (and children)
CWE #4, J2EE Environment Issues (and children)

or, overlapping somewhat with the Language Specific materials, problems specific to technologies such as XML, HTTP, SSL, or SQL, for example

CWE #91, XML Injection (aka Blind XPath Injection)
CWE #113, HTTP Response Splitting
CWE #618, Exposed Unsafe ActiveX Method

These different types of problems raise several abstraction issues for CWE because many of these entries represent instantiations of a more general weakness in the context of a certain technology. For example, XML Injection is an example of a failed protection mechanism in which characters that are special to XML were allowed to pass through into the generated document.
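As an added illustration of that point (example code written for this page, not part of CWE or any MITRE tool), the following builds one XML record from a username two ways: by concatenation, so that `<`, `>` and `&` in the data pass straight through and change the document's structure, and with escaping, so that the same characters can only ever be character content. The username payload and the `<record>` format are constructed for the example.

```python
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed input: a "username" that carries XML markup of its own.
INJECTED_USERNAME = "alice</user><role>admin</role><user>"


def build_record_unsafe(username: str, role: str = "guest") -> str:
    """Builds the element by string concatenation: XML-special characters pass through."""
    return f"<record><user>{username}</user><role>{role}</role></record>"


def build_record_safe(username: str, role: str = "guest") -> str:
    """Escapes &, < and > in the data, so it is parsed as text rather than markup."""
    return f"<record><user>{escape(username)}</user><role>{escape(role)}</role></record>"


def roles_in(xml_text: str) -> list:
    """Parses the document and returns every <role> a downstream consumer would see."""
    root = ET.fromstring(xml_text)
    return [elem.text for elem in root.findall("role")]


def user_in(xml_text: str) -> str:
    """Returns the <user> text as the parser decodes it (entities are unescaped)."""
    return ET.fromstring(xml_text).findtext("user")


if __name__ == "__main__":
    # Unsafe: the injected markup yields a second <role> element, "admin".
    print(roles_in(build_record_unsafe(INJECTED_USERNAME)))
    # Safe: only the intended "guest" role survives, and the user text round-trips intact.
    print(roles_in(build_record_safe(INJECTED_USERNAME)))
    print(user_in(build_record_safe(INJECTED_USERNAME)) == INJECTED_USERNAME)
```

`escape` covers element content only; data placed inside an attribute value also needs its quotes handled, which is what `xml.sax.saxutils.quoteattr` does. Either way the fix is the same technology-independent pattern the page is describing: the special characters of the output format are neutralized, regardless of which format (XML, HTTP headers, SQL) that is.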

Possible Solutions / Questions to Discuss

Note: The mechanisms for node restructuring are still being defined. See the node restructuring page for details.

  • Leave CWE as it is.
  • Enumerate each individual technology-specific variation as its own CWE entry.
  • Include all technology-specific issues as "variants" in a more general CWE entry.
  • Create a new type of entry that will allow for capturing each type of technology-specific issue as an individual "sub-node" within the more general weakness CWE entry.
  • Create a technology-independent entry identifying the more abstract weakness, and include each related technology-specific CWE entry as a child.
  • Create a technology-independent entry identifying the more abstract weakness, and MERGE all current technology-specific entries from CWE into this more abstract entry (see the node restructuring page for possible approaches).

Relevant Use-Cases

Assessment Vendors: Search for different issues based upon the technology used.

Assessment Customers: Pick out the weaknesses that apply to technologies used by their codebase.

Academic Researchers: Not applicable.

Applied Vulnerability Researchers: Tailor testing and research to the specific issues of the technologies being explored.

Refined Vulnerability Information (RVI) Providers: Useful to be able to identify "more secure" technologies and make recommendations.

Educators: Not applicable.

Software Customers: Useful to know what the more secure technologies are.

Software Developers: Be aware of problems with the technologies being used in their work.

Note: This obviously has a good amount of overlap with language-specific weaknesses, but we have done our best to break it down into the unique issues.

Recommendation

The CWE Researcher Community is strongly encouraged to provide feedback to the CWE team or the researchers list regarding this recommendation.

To minimize the data loss and maximize the usability by all of the potential CWE customers, the MITRE CWE team recommends introducing a new type of entry to the CWE specification, and including all the technology-specific issues as "sub-nodes" under a CWE entry for the more general CWE weakness.

For example, this would mean that all Relative Path Traversal entries would be included as "variants" under the "Relative Path Traversal" CWE-23 entry. So, the technology-specific entry of "dot dot backslash" (CWE-28) would be MERGED under CWE-23 as a "sub-node" along with other specific entries. Note: the mechanisms for node restructuring are still being defined; see the node restructuring page for possible approaches.
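To make the CWE-23 / CWE-28 example concrete, here is an added illustration (example code written for this page, not from CWE or MITRE) of why the technology-specific spellings are variants of one weakness. A check that only knows the Unix "dot dot slash" form is bypassed by the Windows "dot dot backslash" form; a technology-independent check that canonicalizes the path and tests containment catches both. The document root `/srv/files` and the payload strings are constructed assumptions for the example.

```python
import posixpath

BASE_DIR = "/srv/files"  # hypothetical document root, assumed for the example

# Constructed payloads: the same weakness (relative path traversal, CWE-23)
# expressed in OS-specific form.
TRAVERSAL_VARIANTS = {
    "dot dot slash (Unix)": "../../etc/passwd",
    "dot dot backslash (Windows, CWE-28)": "..\\..\\windows\\win.ini",
    "mixed separators": "..\\../etc/passwd",
}


def rejects_dot_dot_slash(user_path: str) -> bool:
    """Technology-specific check: only knows the Unix spelling of the traversal.

    Returns True when the path is (wrongly) accepted.
    """
    return "../" not in user_path


def is_safe_relative_path(user_path: str, base: str = BASE_DIR) -> bool:
    """Technology-independent check: canonicalize first, then test containment."""
    # Treat both separators as the same thing so ".." segments are seen regardless of OS.
    unified = user_path.replace("\\", "/")
    # An absolute path or a drive-letter path is never relative to the base.
    if unified.startswith("/") or (len(unified) > 1 and unified[1] == ":"):
        return False
    resolved = posixpath.normpath(posixpath.join(base, unified))
    # Compare against base + "/" so that "/srv/files2" is not accepted as inside "/srv/files".
    return resolved == base or resolved.startswith(base + "/")


def evaluate_variants() -> dict:
    """Return, per constructed variant, whether each check accepts it."""
    return {
        name: {
            "naive_accepts": rejects_dot_dot_slash(payload),
            "general_accepts": is_safe_relative_path(payload),
        }
        for name, payload in TRAVERSAL_VARIANTS.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate_variants().items():
        print(f"{name:40s} naive accepts={verdict['naive_accepts']!s:5} "
              f"general accepts={verdict['general_accepts']}")
```

This is a purely lexical check, which is all the CWE-23 family is about. It says nothing about symbolic links on a live filesystem, which is the separate Unix path link problem (CWE-60) listed above; a server-side implementation would additionally resolve the final path with `os.path.realpath` before the containment test.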

Additional Notes

Below is preliminary work done in order to more clearly identify problems present in CWE. Any issues not addressed above should be brought to the attention of the whole list, especially if the CWE ID is missing from the notes below.

  • Mac
    *70-72
  • ActiveX
    *618, 623
  • SQL
    *89, 564
  • Windows
    *58, 67-69, 422, 63-65
  • Unix
    *60, 61, 62
  • Categories for generic Tech-Specific issues
    *3, 100, 380, 573
  • XML
    *91, 112, 611
  • HTTP / SSL / Other Web Specific
    *113, 350, 444, 593, 598, 599, 614
  • .Net Issues
    *10-13, 519, 520, 554, 556
  • J2EE/Java/EJB
    *4-9, 245, 246, 381-383, 486, 536 (double listed as both tech & resource specific), 537, 543, 555, 568, 574-581, 594, 600
  • STRUTS Issues
    *101-110, 608
  • Uncertain
    *219 & 220(resource specific?), 304, 582, 583
  • Omit
    *396, 397, 589
  • Misc. Notes:
    *Many nodes are labeled as Java/J2EE specific when the issue is more generally applicable to most OO languages (C# for example). Examples of these nodes are any of the Mobile Code Issues, Erroneous Finalize Method, etc.

Complete List of Examples

All CWE nodes that are affected by this discussion point are listed on a separate page.


Document version: 0.1    Date: September 13, 2007

This is a draft document. It is intended to support maintenance of CWE, and to educate and solicit feedback from a specific technical audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2007, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.


Page Last Updated: January 17, 2017