CWE - Common Weakness Enumeration
A Community-Developed List of Software Weakness Types

News & Events

Send feedback about this page to cwe@mitre.org.

5 Products from 3 Organizations Now Registered as Officially "CWE-Compatible"

June 14, 2018

Five additional cybersecurity products from three organizations have achieved the final stage of the formal CWE Compatibility Program and are now officially "CWE-Compatible." Each product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for it as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE website. A total of 53 products to date have been recognized as officially compatible.

The following 5 products are now registered as officially "CWE-Compatible":

The official CWE-Compatible logo lets system administrators and other security professionals identify compatible software assurance (SwA) products and services when adopting them for their enterprises. The posted compatibility questionnaires let end users compare how different products and services satisfy the CWE compatibility requirements, and therefore judge which specific implementations best fit their networks and systems.

For additional information about CWE compatibility and to review all products and services listed, visit CWE Compatibility Program and CWE-Compatible Products and Services.

CWE Version 3.1 Now Available

March 29, 2018

CWE Version 3.1 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 3.0 and Version 3.1.

Main Changes

CWE 3.1 has 17 new entries and 4 deprecated entries. In all, 145 entries had important changes, primarily due to relationship changes, references, names, and descriptions.

The main changes include: (1) adding a new view for the 2017 OWASP Top Ten; (2) adding new entries related to processor optimization and Meltdown/Spectre (CWE-1037: Processor Optimization Removal or Modification of Security-critical Code, CWE-1038: Insecure Automated Optimizations), adversarial inputs in machine learning (CWE-1039: Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations); and comparison (CWE-1023: Incomplete Comparison with Missing Factors, CWE-1024: Comparison of Incompatible Types, CWE-1025: Comparison Using Wrong Factors); (3) including various modifications as suggested by community members; and (4) better consistency in frequently-used references.

The CWE Schema was updated to v6.0.1.

Summary:

There are now 716 weaknesses and a total of 1040 entries on the CWE List.

Changes for the new version include the following:

  • New Entries Added:
17
  • Entries Deprecated:
4
  • Entries with Important Changes:
94
  • Entries with Major Changes:
145
  • Entries with Minor Changes:
96
  • Entries Unchanged:
800

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.0_v3.1.html.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

How “Meltdown” and “Spectre” Can Be Defined by CWE and CAPEC

January 31, 2018

There has been a lot of press (rightly so) regarding the “Meltdown”- and “Spectre”-style attacks. The CWE and CAPEC teams have been reviewing the available information and trying to determine if new weaknesses or attack patterns should be added. Below are our current thoughts. We welcome additional discussion.

Common Weakness Enumeration (CWE™)

Both Meltdown and Spectre are technically attacks, not weaknesses. They take advantage of a processor executing instructions speculatively and out of order, so that some instructions are executed even though the logic of the original code would never have reached them. This leads to a state in which data is pulled into the cache before the check that should have blocked the access (a privilege check in Meltdown's case, a bounds check in Spectre's) takes effect. The end result is the ability to run a side-channel attack against the cache, timing hits against misses, to learn the exact value of the data.

The root cause of both attacks is this speculative, out-of-order execution. The processor uses it to increase the speed at which a program can run. This is very similar to compiler optimizations, where a compiler changes the code it emits, relative to what the source says, to improve performance. In both instances the computer is no longer executing exactly what the developer told it to execute, but rather a variation that the processor or compiler thinks is "better."

Unfortunately, these optimizations can sometimes lead to an exploitable weakness. There already exists a base-level CWE for the compiler version of this:

CWE-733: Compiler Optimization Removal or Modification of Security-critical Code

A new base-level CWE should be added to cover the case where the processor changes the order of security-critical code.

In addition, a new class-level CWE should also be considered around the topic of "Insecure Optimizations." This class-level CWE would be a member of the Behavioral Problems category in the Development Concepts view, and a child of Interaction Error in the Research Concepts view. Both the existing compiler optimization weakness (CWE-733) and the new processor execution order weakness would be children of this new class. The two existing entries involved are:

  • CWE CATEGORY: Behavioral Problems (Development Concepts view)
  • CWE-435: Improper Interaction Between Multiple Entities (the Interaction Error class, Research Concepts view)

Finally, there should be a CanFollow relationship between the existing class CWE-696: Incorrect Behavior Order and this new "Insecure Optimizations" class. Meltdown and Spectre show exactly this relationship: the optimization results in a change in the order of execution, so the incorrect behavior order follows from the insecure optimization.

One last note: many discussions of Meltdown and Spectre focus on the side-channel attack that arises from timing discrepancies. In this case the timing discrepancy is not itself a weakness. It is legitimate behavior (caching improves efficiency) and is not introduced by choices made by the application developer. It is therefore not the focus from the CWE classification perspective; the ability to observe this (legitimate) timing discrepancy arises from the insecure optimization.

Common Attack Pattern Enumeration and Classification (CAPEC™)

Shifting to the attack pattern side of things, neither the compiler weakness nor the processor weakness is currently well represented in CAPEC.

The compiler weakness (CWE-733) is not attacked directly; rather, it results in a different weakness (e.g., a buffer overflow) being present in the software, and that weakness is the one used in an attack. CWE models this as a chain. The processor weakness can be thought of in the same way: even though an adversary can influence when and how a processor decides to execute out of order, it is the resulting exposure of data that contributes to the vulnerability. See CWE-668: Exposure of Resource to Wrong Sphere.

For both the Meltdown and Spectre attacks, CAPEC already has a relevant standard-level attack pattern that can be leveraged:

CAPEC-141: Cache Poisoning

This attack pattern has a detailed-level child that covers the DNS version of cache poisoning. Meltdown and Spectre expose a different type of cache poisoning: the adversary does not insert malicious data into the cache, but rather causes the cache to contain data that should not be there. CAPEC-141 needs to be cleaned up a bit, but the overall idea behind it is valid. A new detailed-level pattern should be added to cover the Flush+Reload technique (and potentially others) that the Meltdown and Spectre attacks leverage.

What do you think?

Please let us know your thoughts on the above by sending an email message to the CWE Researcher community discussion list, or directly to cwe@mitre.org.

We look forward to hearing from you!

CWE Version 3.0 Now Available

November 16, 2017

CWE Version 3.0 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.11 and Version 3.0.

The main changes for CWE 3.0 include:

Views:

  • One new view was added, Architectural Concepts, which is based on work by the Rochester Institute of Technology. We thank them for their contributions. This new view organizes weaknesses according to common architectural security tactics, and is intended to assist architects in identifying potential weaknesses when designing software.
  • There were numerous refinements to the Development Concepts view, primarily focusing on simplifying the top-level categories and improving the relationships amongst the individual weaknesses within (this is ongoing work that will continue into 2018).
  • The Seven Pernicious Kingdoms view was updated to more closely align it with the original white paper on which it is based, and to make it easier to use.
  • Finally, three views were deprecated because they were duplicative or under-used within the community: Weaknesses Examined by SAMATE, Resource-specific Weaknesses, and Chain Elements.

Entries:

CWE 3.0 has three new Weaknesses:

Schema:

Summary:

There are now 714 weaknesses and a total of 1023 entries on the CWE List.

Changes for the new version include the following:

  • New Entries Added:
17
  • Entries Deprecated:
24
  • Entries with Important Changes:
447
  • Entries with Major Changes:
756
  • Entries with Minor Changes:
118
  • Entries Unchanged:
238

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v2.11_v3.0.html.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

IMPORTANT: Release of CWE 3.0 Includes Major Changes to CWE Schema

November 8, 2017

The release of CWE Version 3.0 includes major changes to the CWE Schema, which was updated from v5.4.4 to v6.0.

The main changes for the CWE Schema Version 6.0 include:

  • Made <Weakness_Catalog> the only valid root element. Since the focus of CWE is on weaknesses, the <Weaknesses> child element is now required, while the other children (Views, Categories, and External_References) are optional.
  • Removed the <Compound_Element> and added a new "structure" attribute to <Weakness> element with values of: simple, chain, composite.
  • Added the <External_References> element to the weakness catalog that will function as a central collection of references that individual weaknesses can pull from as needed. As a side benefit, there is no longer a need to have a local reference ID as the main ID can be used.
  • Within the Applicable_Platform element, moved the CPE platform reference element to be an optional attribute on <Operating_System> because CPE is only applicable for the OS field and not languages, architectures, paradigms, or environments.
  • Changed the <Relationships> element to only be used for views and categories, and limited the values to memberOf and hasMember. As part of this, a new <Related_Weaknesses> element was added that holds all the different types of relationships that weaknesses can have with each other, in order to eliminate the incorrect use of memberOf and hasMember relationships with weaknesses, and the incorrect use of parentOf and childOf with views and categories.
  • Combined all the different note elements into a single <Notes> element. Also, to simplify the schema and have fewer elements in the resulting XML, added a type attribute that allows for a distinction between maintenance, platform, relationship, terminology, theoretical, and other.
  • Also, made minor modifications to the child elements of <View>, <Category>, and <Weakness>; renamed the <Description> top-level elements; and revised the StructuredTextType and added a new StructuredCodeType that leverages XHTML but includes a couple of existing attributes (language, nature).

See a detailed list of schema changes at https://cwe.mitre.org/data/reports/diff_reports/xsd_v5.4.4_v6.0.html.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.
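The schema layout described in this post, together with the Insecure Optimizations hierarchy proposed in the Meltdown/Spectre post earlier on this page, as an added example that is not MITRE's code or the published XSD: a small consumer that parses a constructed v6.0-shaped catalog fragment, enforces the rules listed above (single root element, required <Weaknesses>, the structure attribute values, <Related_Weaknesses> for weaknesses versus <Relationships> for views and categories, typed notes, and a central <External_References> collection), and walks ChildOf relationships within a view. The attribute names (Structure, Nature, CWE_ID, View_ID, Type, Reference_ID, External_Reference_ID), the <Relationship Nature="..."> form for view/category membership, and the category ID 438 are assumptions made for the example, not quoted from the schema.

```python
# Added example, not MITRE's code: parse a CWE v6.0-shaped catalog and check the structural
# rules the schema post describes. Both XML fragments are constructed, and the attribute spellings
# (Structure, Nature, CWE_ID, View_ID, Type, External_Reference_ID) are assumptions to confirm against the XSD.
import xml.etree.ElementTree as ET

STRUCTURES = {"simple", "chain", "composite"}
NOTE_TYPES = {"maintenance", "platform", "relationship", "terminology", "theoretical", "other"}
# Weakness-to-weakness natures live in <Related_Weaknesses>; memberOf/hasMember live in <Relationships> (views/categories only).
WEAKNESS_NATURES = {"ChildOf", "ParentOf", "CanPrecede", "CanFollow", "PeerOf", "CanAlsoBe", "Requires", "RequiredBy", "StartsWith"}
GROUPING_NATURES = {"memberof", "hasmember"}
# Encodes the hierarchy the Meltdown/Spectre post proposes: CWE-733 and CWE-1037 under CWE-1038,
# which sits under CWE-435 and can precede CWE-696. The category ID 438 is illustrative.
GOOD_XML = """
<Weakness_Catalog Name="CWE" Version="3.1">
  <Weaknesses>
    <Weakness ID="733" Name="Compiler Optimization Removal or Modification of Security-critical Code" Structure="simple">
      <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="1038" View_ID="1000"/></Related_Weaknesses>
      <Notes><Note Type="relationship">Constructed note text.</Note></Notes>
      <References><Reference External_Reference_ID="REF-1"/></References>
    </Weakness>
    <Weakness ID="1037" Name="Processor Optimization Removal or Modification of Security-critical Code" Structure="simple">
      <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="1038" View_ID="1000"/></Related_Weaknesses>
    </Weakness>
    <Weakness ID="1038" Name="Insecure Automated Optimizations" Structure="simple">
      <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="435" View_ID="1000"/>
        <Related_Weakness Nature="CanPrecede" CWE_ID="696" View_ID="1000"/></Related_Weaknesses>
    </Weakness>
  </Weaknesses>
  <Categories>
    <Category ID="438" Name="Behavioral Problems">
      <Relationships><Relationship Nature="hasMember" CWE_ID="1038" View_ID="699"/></Relationships>
    </Category>
  </Categories>
  <External_References><External_Reference Reference_ID="REF-1"><Title>Constructed reference</Title></External_Reference></External_References>
</Weakness_Catalog>
"""
# Breaks each rule once: bad Structure value, <Relationships> inside a weakness,
# unknown note type, dangling reference ID, and parentOf on a category.
BAD_XML = """
<Weakness_Catalog Name="CWE" Version="3.1">
  <Weaknesses>
    <Weakness ID="900" Name="Constructed bad weakness" Structure="compound">
      <Relationships><Relationship Nature="hasMember" CWE_ID="901" View_ID="1000"/></Relationships>
      <Notes><Note Type="todo">Not an allowed note type.</Note></Notes>
      <References><Reference External_Reference_ID="REF-9"/></References>
    </Weakness>
  </Weaknesses>
  <Categories>
    <Category ID="901" Name="Constructed bad category">
      <Relationships><Relationship Nature="parentOf" CWE_ID="900" View_ID="699"/></Relationships>
    </Category>
  </Categories>
</Weakness_Catalog>
"""

def parse_catalog(xml_text):
    """Parse a catalog, enforcing the v6 root element and the required <Weaknesses> child."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "Weakness_Catalog":
        raise ValueError("root must be <Weakness_Catalog>, got <%s>" % root.tag)
    if root.find("Weaknesses") is None:
        raise ValueError("<Weaknesses> is required; Views, Categories and External_References are optional")
    return root

def validate(root):
    """Return one message per rule violation; an empty list means the catalog passes."""
    problems = []
    known_refs = {r.get("Reference_ID") for r in root.iterfind("./External_References/External_Reference")}
    for w in root.iterfind("./Weaknesses/Weakness"):
        wid = w.get("ID")
        if (w.get("Structure") or "").lower() not in STRUCTURES:
            problems.append("CWE-%s: Structure must be simple, chain or composite" % wid)
        if w.find("Relationships") is not None:
            problems.append("CWE-%s: <Relationships> is for views/categories; use <Related_Weaknesses>" % wid)
        for r in w.iterfind("./Related_Weaknesses/Related_Weakness"):
            if r.get("Nature") not in WEAKNESS_NATURES:
                problems.append("CWE-%s: nature %r is not valid between weaknesses" % (wid, r.get("Nature")))
        for n in w.iterfind("./Notes/Note"):
            if (n.get("Type") or "").lower() not in NOTE_TYPES:
                problems.append("CWE-%s: unknown note type %r" % (wid, n.get("Type")))
        for ref in w.iterfind("./References/Reference"):
            if ref.get("External_Reference_ID") not in known_refs:
                problems.append("CWE-%s: %s is missing from <External_References>" % (wid, ref.get("External_Reference_ID")))
    for g in list(root.iterfind("./Views/View")) + list(root.iterfind("./Categories/Category")):
        for rel in g.iterfind("./Relationships/Relationship"):
            if (rel.get("Nature") or "").lower() not in GROUPING_NATURES:
                problems.append("%s %s: nature %r not allowed; only memberOf/hasMember" % (g.tag, g.get("ID"), rel.get("Nature")))
    return problems

def children_of(root, parent_id, view_id):
    """IDs of weaknesses declaring ChildOf parent_id in the given view, in numeric order."""
    return sorted((w.get("ID") for w in root.iterfind("./Weaknesses/Weakness")
                   if any(r.get("Nature") == "ChildOf" and r.get("CWE_ID") == parent_id and r.get("View_ID") == view_id
                          for r in w.iterfind("./Related_Weaknesses/Related_Weakness"))), key=int)

if __name__ == "__main__":
    for label, xml in (("good", GOOD_XML), ("bad", BAD_XML)):
        print(label, validate(parse_catalog(xml)) or "no problems")
```

Run as a script it prints an empty violation list for the first fragment and five messages for the second. On the real XML download, replace the constructed strings with the file contents and confirm the element and attribute names against the XSD first: a misspelled attribute fails the Structure check loudly, but a misspelled element path (for example the Related_Weakness tag) silently yields no children, so a quick sanity check such as children_of() on a known parent is worth running before trusting the output.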

CWE Version 2.12 Released

November 8, 2017

As part of preparation for the release of CWE Version 3.0 (see the news article above), CWE Version 2.12 was released to support the changes for CWE 3.0. A detailed report is available that lists specific changes between v2.11 and v2.12. The schema was also updated, to v5.4.4, to support the changes for CWE Version 3.0. As an added benefit, CWE Version 2.12 also provides CWE Version 3.0 content in the older schema format.

1 Product from Optimyth Software Now Registered as Officially "CWE-Compatible"

June 15, 2017

One additional cybersecurity product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE website. A total of 48 products to date have been recognized as officially compatible.

The following product is now registered as officially "CWE-Compatible":

The official CWE-Compatible logo lets system administrators and other security professionals identify compatible software assurance (SwA) products and services when adopting them for their enterprises. The posted compatibility questionnaires let end users compare how different products and services satisfy the CWE compatibility requirements, and therefore judge which specific implementations best fit their networks and systems.

For additional information about CWE compatibility and to review all products and services listed, visit CWE Compatibility Program and CWE-Compatible Products and Services.

Parasoft Makes 6 Declarations of CWE Compatibility

June 15, 2017

Parasoft Corporation declared that its static code analysis tools, C/C++test Versions 10.x, C/C++test Versions 9.x, Jtest Versions 10.x, Jtest Versions 9.x, dotTEST Versions 10.x, and dotTEST Versions 9.x, are CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE Version 2.11 Now Available

May 5, 2017

CWE Version 2.11 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.10 and Version 2.11.

CWE 2.11 has one new entry and two deprecated entries. In all, 116 entries had important changes, primarily due to continued reorganization of the Development Concepts View (CWE-699), updated CAPEC mappings, and focused improvements on individual entries.

The main changes include: (1) relationship changes for 28 entries (mostly in the Development View); (2) updates to 52 entries to align with attack pattern mappings from the recently-released Common Attack Pattern Enumeration and Classification (CAPEC™) Version 2.10; (3) error fixes and improved completeness for many individual entries based on external feedback and internal quality review; and (4) small consistency changes to mitigations for 47 entries. The schema was updated to 5.4.3.

There are now 705 weaknesses and a total of 1006 entries on the CWE List.

Changes for the new version include the following:

  • New Entries Added:
1
  • Entries Deprecated:
2
  • Entries with Important Changes:
30
  • Entries with Major Changes:
116
  • Entries with Minor Changes:
2
  • Entries Unchanged:
887

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v2.10_v2.11.html.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWE Privacy Policy Updated

May 2, 2017

The CWE Privacy Policy was updated to notify users that cookies are now being used on the CWE website for the sole purpose of saving "Presentation Filter" and "Show Details" (previously "Mapping-Friendly") selections so users do not have to continuously update the filter to navigate the CWE List.

CWE a Major Focus of DARPA’s New System Security Integrated Through Hardware and Firmware (SSITH) Program

April 10, 2017

CWE is cited in an April 10, 2017 article on the DARPA website entitled “Baking Hack Resistance Directly into Hardware” as a major focus of DARPA’s new System Security Integrated Through Hardware and Firmware (SSITH) program.

As stated on the website, the purpose of the SSITH program is to "develop hardware design tools that provide security against hardware vulnerabilities that are exploited through software in Department of Defense (DoD) and commercial electronic systems. SSITH seeks to leverage current research in hardware design and software security to propel new research in the area of hardware security at the microarchitecture level."

CWE is mentioned in the article as follows: "SSITH specifically seeks to address the seven classes of hardware vulnerabilities listed in the Common Weakness Enumeration (cwe.mitre.org), a crowd-sourced compendium of security issues that is familiar to the information technology security community. In cyberjargon, these classes are: permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection. Researchers have documented some 2800 software breaches that have taken advantage of one or more of these hardware vulnerabilities, all seven of which are variously present in the integrated microcircuitry of electronic systems around the world. Remove those hardware weaknesses … and you would effectively close down more than 40% of the software doors intruders now have available to them."

Read the complete article at http://www.darpa.mil/news-events/2017-04-10.

CWE Mentioned in Article about Software Code and Security on Information Age

March 31, 2017

CWE is mentioned as a main topic in a March 31, 2017 article entitled "Does software quality equal software security? It depends" on Information Age. The main topic of the article is a discussion of software code quality versus software code security.

CWE is the focus of a section of the article entitled "CWE," in which the author describes what CWE is and how to use it and other tools to check code for weaknesses. The author also states: "Checking against various CWEs can also be a step toward achieving industry compliance. And CWEs can also be associated with common vulnerabilities and exposures (CVE), another intersection between quality and security."

CWE is mentioned again as the author concludes the article: "Producing software free of CWEs or CVEs makes it quality code. However, failure to maintain the code with the latest updates of its individual component and/or using fuzz testing to truly harden the code against future threats is vital. Both are necessary to have secure software applications."

Read the complete article at http://www.information-age.com/quality-software-security-123465456/.

CWE Version 2.10 Now Available

January 19, 2017

CWE Version 2.10 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.9 and Version 2.10.

CWE Version 2.10 has one new entry and one deprecated entry. In all, 127 entries had important changes, primarily due to reorganization of higher-level entries in the Development Concepts View (CWE-699), in order to simplify navigation of this view and reduce near-duplicate relationships. These changes were described in a post to the CWE Researcher email discussion list in late 2016, and are expected to continue in future CWE versions.

The main changes include: (1) relationship changes for 126 entries (mostly in the Development Concepts); (2) updates to 16 entries to align with attack pattern mappings from the recently-released Common Attack Pattern Enumeration and Classification (CAPEC™) Version 2.9; and (3) updated maintenance notes for 13 entries, primarily to identify Category entries that might be deprecated in the future as a result of the reorganization of the Development View. No changes were made to the schema.

There are now 707 weaknesses and a total of 1005 entries on the CWE List.

Changes for the new version release include the following:

  • New Entries Added:
1
  • Entries Deprecated:
1
  • Entries with Important Changes:
127
  • Entries with Major Changes:
142
  • Entries with Minor Changes:
5
  • Entries Unchanged:
858

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v2.9_v2.10.html.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWE Refreshes Website with Easier-to-Use Navigation Menus & Streamlined CWE List Page

January 19, 2017

We have updated the CWE website to streamline site navigation for an improved user experience. The main navigation menu is now located in an easy-to-access menu bar at the top of every page, with Section Contents menus for each section of the website just below the new main menu.

The main CWE List page has also been streamlined for ease-of-use into four main sections:

Navigate CWE – Offers two hierarchical representations, Research Concepts and Development Concepts, to help you navigate all weaknesses according to your specific point of view.
External Mappings – Offers views used to represent mappings to external groupings such as a Top-N list, as well as to express subsets of entries that are related by some external factor.
Helpful Views – Offers additional helpful views based on specific criteria and hopes to provide insight for a certain domain or use case, such as a specific source code language or phase of development.
Release Downloads – Provides an archive of previous release versions of the core content downloads, schemas, schema documentation, and difference reports.

Please send any comments or concerns to cwe@mitre.org.

1 Product from Evenstar Now Registered as Officially "CWE-Compatible"

April 27, 2016

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE website. A total of 45 products to date have been recognized as officially compatible.

The following product is now registered as officially "CWE-Compatible":

The official CWE-Compatible logo lets system administrators and other security professionals identify compatible software assurance (SwA) products and services when adopting them for their enterprises. The posted compatibility questionnaires let end users compare how different products and services satisfy the CWE compatibility requirements, and therefore judge which specific implementations best fit their networks and systems.

For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

1 Product from Soft4Soft Now Registered as Officially "CWE-Compatible"

March 15, 2016

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE website. A total of 44 products to date have been recognized as officially compatible.

The following product is now registered as officially "CWE-Compatible":

The official CWE-Compatible logo lets system administrators and other security professionals identify compatible software assurance (SwA) products and services when adopting them for their enterprises. The posted compatibility questionnaires let end users compare how different products and services satisfy the CWE compatibility requirements, and therefore judge which specific implementations best fit their networks and systems.

For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

Evenstar Makes Declaration of CWE Compatibility

January 15, 2016

Evenstar declared that its code verification tool for ensuring source code compliance with domestic and international code security guidelines, BigLook, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

1 Product from AdaCore Now Registered as Officially "CWE-Compatible"

January 4, 2016

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE website. A total of 43 products to date have been recognized as officially compatible.

The following product is now registered as officially "CWE-Compatible":

The official CWE-Compatible logo lets system administrators and other security professionals identify compatible software assurance (SwA) products and services when adopting them for their enterprises. The posted compatibility questionnaires let end users compare how different products and services satisfy the CWE compatibility requirements, and therefore judge which specific implementations best fit their networks and systems.

For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

Soft4Soft Co., Ltd. Makes Declaration of CWE Compatibility

January 3, 2016

Soft4Soft Co., Ltd. declared that its static analysis tool and coding rules checker, RESORT Code Analysis, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.


More information is available — Please select a different filter.
Page Last Updated: June 14, 2018