Common Weakness Enumeration

CWE Glossary Definition

News & Events - 2017 Archive

Right-click and copy a URL to share an article. Send feedback about this page to cwe@mitre.org.

CWE Version 3.0 Now Available

November 16, 2017 | Share this article

CWE Version 3.0 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.11 and Version 3.0.

The main changes for CWE 3.0 include:

Views:

• One new view was added, Architectural Concepts, which is based on work by the Rochester Institute of Technology. We thank them for their contributions. This new view organizes weaknesses according to common architectural security tactics, and is intended to assist architects in identifying potential weaknesses when designing software.
• There were numerous refinements to the Development Concepts view, primarily focusing on simplifying the top-level categories and improving the relationships amongst the individual weaknesses within (this is ongoing work that will continue into 2018).
• The Seven Pernicious Kingdoms view was updated to more closely align it to the original white paper on which it based, and to make it easier to use.
• Finally, three views were deprecated because they were duplicative or under-used within the community: Weaknesses Examined by SAMATE, Resource-specific Weaknesses, and Chain Elements.

Entries:

CWE 3.0 has three new Weaknesses:

• CWE-1007 "Insufficient Visual Distinction of Homoglyphs Presented to User"
• CWE-1021 "Improper Restriction of Rendered UI Layers or Frames"
• CWE-1022 "Improper Restriction of Cross-Origin Permission to window.opener.location," which was submitted by David Deatherage of Silicon Valley Bank. We thank you for your contribution.

Schema:

• There were major changes to the CWE Schema, which was updated from v5.4.4 to v6.0. See our schema news article below for details.

Summary:

There are now 714 weaknesses and a total of 1023 entries on the CWE List.

Changes for the new version includes the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v2.11_v3.0.html.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

IMPORTANT: Release of CWE 3.0 Includes Major Changes to CWE Schema

November 8, 2017 | Share this article

The release of CWE Version 3.0 includes major changes to the CWE Schema, which was updated from v5.4.4 to v6.0.

The main changes for the CWE Schema Version 6.0 include:

• Made the <Weakness_Catalog> the only valid root element. Since the focus of CWE on weaknesses, make the <Weaknesses> child element required, while the other children (Views, Categories, and External_References) become optional.
• Removed the <Compound_Element> and added a new "structure" attribute to <Weakness> element with values of: simple, chain, composite.
• Added the <External_References> element to the weakness catalog that will function as a central collection of references that individual weaknesses can pull from as needed. As a side benefit, there is no longer a need to have a local reference ID as the main ID can be used.
• Within the Applicable_Platform element, moved the CPE platform reference element to be an optional attribute on <Operating_System> because CPE is only applicable for the OS field and not languages, architectures, paradigms, or environments.
• Changed the <Relationships> element to only be used for views and categories, and limited the values to memberOf and hasMember. As part of this, a new <Related_Weaknesses> element was added that holds all the different types of relationships that weaknesses can have with each other in order to eliminate the incorrect use memberOf and hasMember relationships with weaknesses, and the incorrect use of parentOf and childOf with views and categories.
• Combined all the different note elements into a single <Notes> element. Also, to simplify the schema and have fewer elements in the resulting XML, added a type attribute that allows for a distinction between maintenance, platform, relationship, terminology, theoretical, and other.
• Also, made minor modifications to the child elements of <View>, <Category>, and <Weakness>; renamed the <Description> top-level elements; and revised the StructuredTextType and added a new StructuredCodeType that leverages XHTML but includes a couple of existing attributes (language, nature).

See a detailed list of schema changes at https://cwe.mitre.org/data/reports/diff_reports/xsd_v5.4.4_v6.0.html.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWE Version 2.12 Released

November 8, 2017 | Share this article

As part of preparation for the release of CWE Version 3.0 (see news article above), CWE Version 2.12 was released to support changes for CWE 3.0. A detailed report is available that lists specific changes between v2.11 and v2.12. The schema was also updated to v5.4.4 to also support changes for CWE Version 3.0. As an added benefit, CWE Version 2.12 also provides CWE Version 3.0 content in the older schema format.

1 Product from Optimyth Software Now Registered as Officially "CWE-Compatible"

June 15, 2017 | Share this article

One additional cyber security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 48 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CWE compatibility and to review all products and services listed, visit CWE Compatibility Program and CWE-Compatible Products and Services.

Parasoft Makes 6 Declarations of CWE Compatibility

June 15, 2017 | Share this article

Parasoft Corporation declared that its static code analysis tools, C/C++test Versions 10.x, C/C++test Versions 9.x, Jtest Versions 10.x, Jtest Versions 9.x, dotTEST Versions 10.x, and dotTEST Versions 9.x, are CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE Version 2.11 Now Available

May 5, 2017 | Share this article

CWE Version 2.11 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.10 and Version 2.11.

CWE 2.11 has one new entry and two deprecated entries. In all, 116 entries had important changes, primarily due to continued reorganization of the Development Concepts View (CWE-699), updated CAPEC mappings, and focused improvements on individual entries.

The main changes include: (1) relationship changes for 28 entries (mostly in the Development View); (2) updates to 52 entries to align with attack pattern mappings from the recently-released Common Attack Pattern Enumeration and Classification (CAPEC™) Version 2.10; (3) error fixes and improved completeness for many individual entries based on external feedback and internal quality review; and (4) small consistency changes to mitigations for 47 entries. The schema was updated to 5.4.3.

There are now 705 weaknesses and a total of 1006 entries on the CWE List.

Changes for the new version includes the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v2.10_v2.11.html.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWE Privacy Policy Updated

May 2, 2017 | Share this article

The CWE Privacy Policy was updated to notify users that cookies are now being used on the CWE website for the sole purpose of saving "Presentation Filter" and "Show Details" (previously "Mapping-Friendly") selections so users do not have to continuously update the filter to navigate the CWE List.

CWE a Major Focus of DARPA’s New System Security Integrated Through Hardware and Firmware (SSITH) Program

April 10, 2017 | Share this article

CWE is cited in an April 10, 2017 article on the DARPA website entitled “Baking Hack Resistance Directly into Hardware” as a major focus of DARPA’s new System Security Integrated Through Hardware and Firmware (SSITH) program.

As stated on the website, the purpose of the SSITH program is to "develop hardware design tools that provide security against hardware vulnerabilities that are exploited through software in Department of Defense (DoD) and commercial electronic systems. SSITH seeks to leverage current research in hardware design and software security to propel new research in the area of hardware security at the microarchitecture level."

CWE is mentioned in the article as follows: "SSITH specifically seeks to address the seven classes of hardware vulnerabilities listed in the Common Weakness Enumeration (cwe.mitre.org), a crowd-sourced compendium of security issues that is familiar to the information technology security community. In cyberjargon, these classes are: permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection. Researchers have documented some 2800 software breaches that have taken advantage of one or more of these hardware vulnerabilities, all seven of which are variously present to in the integrated microcircuitry of electronic systems around the world. Remove those hardware weaknesses … and you would effectively close down more than 40% of the software doors intruders now have available to them."

Read the complete article at http://www.darpa.mil/news-events/2017-04-10.

CWE Mentioned in Article about Software Code and Security on Information Age

March 31, 2017 | Share this article

CWE is mentioned as a main topic in a March 31, 2017 article entitled "Does software quality equal software security? It depends" on Information Age. The main topic of the article is a discussion of software code quality versus software code security.

CWE is the focus of a section of the article entitled "CWE," in which the author describes what CWE is and how to use it and other tools to check code for weaknesses. The author also states: "Checking against various CWEs can also be a step toward achieving industry compliance. And CWEs can also be associated with common vulnerabilities and exposures (CVE), another intersection between quality and security."

CWE is mentioned again as the author concludes the article: "Producing software free of CWEs or CVEs makes it quality code. However, failure to maintain the code with the latest updates of its individual component and/or using fuzz testing to truly harden the code against future threats is vital. Both are necessary to have secure software applications."

Read the complete article at http://www.information-age.com/quality-software-security-123465456/.

CWE Refreshes Website with Easier-to-Use Navigation Menus & Streamlined CWE List Page

January 19, 2017 | Share this article

We have updated the CWE website to streamline site navigation for an improved user experience. The main navigation menu is now located in an easy-to-access menu bar at the top of every page, with Section Contents menus for each section of the website just below the new main menu.

The main CWE List page has also been streamlined for ease-of-use into four main sections:

Please send any comments or concerns to cwe@mitre.org.