CVE ID Created Date != Much of Anything

Yesterday, SanSec published a blog post discussing the recent Adobe Commerce / Magento Open Source vulnerability that was discovered being exploited in the wild. In the blog, they said:

Adobe has been aware of the issue since at least January 27th but decided to issue a patch on Sunday, which is highly unusual.

They draw this conclusion because the CVE ID shows on MITRE’s website as being created on “20220127”. It is important to note that the CVE record explicitly states “Date Record Created”. This does not necessarily mean the ID was assigned to a valid vulnerability on that day, or that Adobe knew about the vulnerability at that time. It simply means that the ID was created.

In the past, MITRE would create pools of CVE IDs to assign to a CVE Numbering Authority (CNA) who could use them throughout the year. So an ID might be created 2021-01-01 but assigned to a new issue on 2021-12-15, almost a year later. The ID creation date is not indicative of anything else.

Apparently, MITRE has recently changed how this process happens, doing away with CNA pools mostly. At least, the large vendors like Oracle and IBM are no longer receiving 500+ IDs at the start of the year. They are moving more to an ‘on demand’ model of assignments. Despite that, a vendor that deals in hundreds of vulnerabilities a year, like Adobe, would logically request a few IDs in advance so they had IDs ready to assign at any point.

That means that Adobe did not necessarily know on January 27th. Even if they did know about the vulnerability on that day, releasing a patch 17 days later is nothighly unusual“. Developing a patch for two pieces of software, doing basic testing, regression testing, and organizing the release doesn’t happen in a matter of a couple days typically. We can argue that 17 days is a long time, or we can argue that since they said it was being exploited “in very limited attacks“, they opted to take a little time to ensure the patch was correct and work on all supported versions of the software.

I’ve never heard of SanSec and would typically ignore them, calling them vulnerability tourists. However, SanSec’s blog and that specific statement was picked up by Bleeping Computer who parroted that part and then made a bit worse:

Adobe knew about this critical severity flaw for more than two weeks, since at least January 27, when CVE-2022-24086 was submitted to MITRE’s Common Vulnerabilities and Exposures (CVE) database and received a tracking number.

Threatpost also picked up the SanSec blog and mentioned it in their article. Again, CVE shows that was the date the ID was created, not when it was “submitted” to them. The general lifecycle of a CVE ID is as follows:

  1. CVE IDs are created by MITRE as the very first step. (Date Record Created)
  2. The ID(s) are then assigned to a vendor or researcher (e.g. Larry Cashdollar, the only researcher CNA at the time of this blog). (Not Generally Public)
  3. The vendor or researcher assigns the ID to a specific vulnerability. (Not Generally Public)
  4. Finally, the vendor or researcher notifies MITRE of the assignment and location of the disclosure. (Public)

As you can see, there is a period of time in this process where we generally have no insight into those dates unless a vendor or researcher includes it in the disclosure timeline.

CVE is deceptively simple in some ways, and this is one of them. Reading into information on their website does not make for accurate reporting.

Leave a Reply

%d bloggers like this: