Enhancing information security

Vulnerabilities: CPE (Common Platform Enumeration) Overview

Release Date: Oct 23, 2008

IT Security Center
Information-technology Promotion Agency, Japan

Structured Naming Scheme to Identify Information Technology Platforms

CPE (Common Platform Enumeration)(*1) is a structured naming scheme that aims to provide a standard naming specification to identify hardware and software that compose information technology systems.

CPE is a component of Security Content Automation Protocol (SCAP)(*2), which is a set of technical specifications supported by the U.S. government to promote standardization and automation of information security implementation.

CPE has been developed under the leadership of MITRE(*3) with the sponsorship of the U.S. Department of Homeland Security, and Version 1.0 was released on January 30, 2007.

Through its adoption into the U.S. National Vulnerability Database NVD(*5), operated by NIST(*4), and into the Federal Desktop Core Configuration (FDCC)(*6), CPE was revised and Version 2.1 was released on January 31, 2008.

CPE defines a naming structure to identify information system platforms, such as hardware, operating systems and applications. On April 15, 2008, NIST released the official CPE Dictionary, a list of information technology platforms uniquely identified pursuant to the CPE Specification.

Use of the CPE naming specification will enable vendors, security experts, system administrators and users to identify and discuss IT platforms with vulnerabilities using a common language. CPE is also expected to be useful for asset management.

This overview is based on MITRE’s CPE Specification 2.1 released on January 31, 2008, and NIST’s CPE Dictionary pursuant to CPE version 2.1 released on April 15, 2008. For more information on CPE, please refer to the CPE Version 2.1 specification and the CPE Dictionary.

1. CPE Names

A CPE Name uniquely identifies an IT platform, such as hardware, an operating system or an application. It has two characteristics.

First, a CPE Name encodes the type of the IT platform (hardware, operating system or application) in the name itself.

Second, a CPE Name is generated by combining the vendor name and the product name.

CPE Name Basic Structure

cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}

  • Note 1: CPE Names do NOT differentiate between uppercase and lowercase.
  • Note 2: When a component of the basic structure is left blank, it is equivalent to specifying all values. For example, if the version component is left blank, the CPE Name pertains to all versions of the specified product.

(1) Part Component

The first component of a CPE Name is a single letter code that designates the particular platform (hardware, operating system, application) being identified. The following codes are defined for CPE 2.0: ‘h’ for hardware part, ‘o’ for operating system part, ‘a’ for application part.

Additional codes, for example ‘d’ for driver, ‘l’ for library, ‘r’ for runtime environment or ‘v’ for virtualization, may be added as necessary in a future version of the specification.

(2) Vendor Component

The second component of a CPE Name is the vendor of the platform. The name used for the vendor component should be the domain name of the vendor. If the domain name differs from the vendor’s name, the domain name should still be used in the CPE Name.

For example, in the case of IPA, its CPE vendor name would be “ipa”, derived from its domain name ipa.go.jp, although its official organization name is Information-technology Promotion Agency, Japan.

If two different vendors share the same organization-specific name but they differ in DNS suffix, the full DNS name should be used. For example, if cpe:/a:acme already exists in the CPE Dictionary and refers to www.acme.com, then a CPE Name for the vendor www.acme.org should be cpe:/a:acme.org.

Where an application has no vendor or organization associated with it, the vendor component should use the name of the platform’s developer. Please note that if the vendor or developer name consists of multiple words, use underscores instead of spaces.

A vendor name may change because of a merger or acquisition or for marketing reasons. In that case, the original CPE Name with the old vendor name remains unchanged. A new CPE Name with the new vendor name is generated for new products released under the new name.

(3) Product Component

The third component of a CPE Name is the product name of the platform. If product names and designations are multi-word, use full spelling, making sure to replace spaces with underscores.

For example, the Zone Labs ZoneAlarm Internet Security Suite version 7.0 would be designated as follows:
cpe:/a:zonelabs:zonealarm_internet_security_suite:7.0

If the vendor has designated an official abbreviation for a particular product and using the abbreviation would not make the CPE Name ambiguous, then the abbreviation of the multi-word product name may be used in its CPE Name.

For example, "Internet Explorer" should be shortened as "ie", and "Java Runtime Environment" should be shortened as "jre".

Just like the vendor component, even if a product name changes for any reason, existing CPE Names should not be modified. Instead, new CPE Names created for a new version of the product should use the new product name.

(4) Version Component

The fourth component of a CPE Name is the version of the platform. The version should be written in the same way as described for the product component; that is, periods, dashes and other delimiters are used in the same way as in the product name.

For example, Adobe Reader version 8.1 would be designated as the following:
cpe:/a:adobe:reader:8.1

(5) Update Component

The fifth component of a CPE Name is used for update or service pack information. The technical difference between version and update will depend on how vendors and products designate the information.

For example, Red Hat Enterprise Linux 4.0 Update 4 would be written as the following:
cpe:/o:redhat:enterprise_linux:4:update4

Usually, products are initially released without update or service pack information. For example, “Update 0” does not exist for Enterprise Linux and “Service Pack 0” does not exist for Microsoft Windows 2000.

However, if the information is specifically included by the vendor for the product’s initial release, the information should be used in the update component.

For example, Red Hat uses the term “ga” for General Availability. In this case, the CPE Name for the initial release of Enterprise Linux 4 would be designated as the following:
cpe:/o:redhat:enterprise_linux:4:ga

(6) Edition Component

The sixth component of a CPE Name is the edition of the platform. The edition component is used to name a specific edition or target hardware and software architecture of the product, such as a professional edition or a free edition.

For example, all versions of Microsoft Windows 2000 Service Pack 4 Professional Edition would be written as the following:
cpe:/o:microsoft:windows_2000::sp4:pro

(7) Language Component

The seventh and final component of a CPE Name is the language associated with the specific platform. The value of this component should be a valid language code as defined by IETF RFC 4646: Tags for Identifying Languages(*7).

For example, the Japanese version of Mozilla Firefox version 2.0.0.6 for the Mac OSX operating system would be designated as the following:
cpe:/a:mozilla:firefox:2.0.0.6::osx:ja

(8) Abbreviations

To help shorten longer CPE Names, abbreviations are applied where appropriate. Table 1 lists abbreviations for common terms and multi-word names that should be considered when selecting CPE Name components.

Table 1. CPE Abbreviations

  Term                    Abbreviation
  advanced                adv
  professional            pro
  server                  srv
  standard                std
  edition                 ed
  version 3.4             3.4
  patch level 3           pl3
  release 3               r3
  release candidate 2     rc2
  service pack 4          sp4
  support pack 2          sup2
  service release 2       sr2
  security rollup         sru
  general availability    ga

(9) Percent Encoding

When a reserved character appears in a CPE Name, it must be represented in its percent-encoded form. Table 2 lists the reserved characters and their percent-encoded forms.

Table 2. CPE Reserved Characters

  Name                    Character   Percent-Encoded Form
  colon                   :           %3A
  slash                   /           %2F
  question mark           ?           %3F
  pound sign              #           %23
  open bracket            [           %5B
  close bracket           ]           %5D
  at sign                 @           %40
  exclamation point       !           %21
  dollar sign             $           %24
  ampersand               &           %26
  apostrophe              '           %27
  open parenthesis        (           %28
  close parenthesis       )           %29
  asterisk                *           %2A
  plus sign               +           %2B
  comma                   ,           %2C
  semicolon               ;           %3B
  equal sign              =           %3D
  percent sign            %           %25
  open angle bracket      <           %3C
  close angle bracket     >           %3E
  double quote            "           %22

2. CPE Dictionary

The CPE Dictionary is the official collection of CPE Names, written in XML and maintained by NIST. Each entry uniquely identifies an IT product and pairs its common name with the CPE Name designated pursuant to the CPE specification, as in the following example:

<cpe-item name="cpe:/a:ipa:myjvn">
  <title xml:lang="en-US">IPA MyJVN</title>
  <title xml:lang="ja">Information-technology Promotion Agency MyJVN</title>
</cpe-item>
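As an added example (not code from IPA, MITRE or the CPE specification) tying together the naming rules of section 1 and the dictionary format of section 2, the following Python builds and parses CPE 2.1 names with percent-encoding of the Table 2 characters, case folding (Note 1) and blank-means-any matching (Note 2), then resolves a possibly partial name against a constructed cpe-item dictionary fragment; the function names and the sample dictionary are this example's own.

```python
import re
import xml.etree.ElementTree as ET
RESERVED = ':/?#[]@!$&\'()*+,;=%<>"'  # Table 2 reserved characters
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # ElementTree's key for xml:lang

def encode_component(value):
    """Lowercase, turn spaces into underscores and percent-encode reserved characters."""
    return "".join("_" if ch == " " else "%%%02X" % ord(ch) if ch in RESERVED else ch
                   for ch in value.strip().lower())

def build_name(part, vendor, product, version="", update="", edition="", language=""):
    comps = [encode_component(c) for c in (part, vendor, product, version, update, edition, language)]
    while len(comps) > 3 and comps[-1] == "":  # trailing blanks are dropped, as in the page's examples
        comps.pop()
    return "cpe:/" + ":".join(comps)

def parse_name(name):
    """Split a CPE 2.1 URI into its seven decoded, lowercased components; '' means 'any'."""
    if not name.lower().startswith("cpe:/"):
        raise ValueError("not a CPE 2.1 URI: %r" % name)
    fields = name[5:].split(":")  # a literal colon inside a component is %3A, so splitting is safe
    if len(fields) > 7:
        raise ValueError("more than seven components: %r" % name)
    fields += [""] * (7 - len(fields))
    decode = lambda f: re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), f).lower()
    return dict(zip(COMPONENTS, (decode(f) for f in fields)))

def matches(pattern, target):
    """Note 2: every blank component of the pattern matches any value in the target."""
    p, t = parse_name(pattern), parse_name(target)
    return all(p[c] in ("", t[c]) for c in COMPONENTS)

def load_dictionary(xml_text):
    """Map each dictionary CPE Name (lowercased) to its titles keyed by xml:lang."""
    root = ET.fromstring(xml_text)
    return {item.get("name").lower(): {t.get(XML_LANG): t.text for t in item.findall("title")}
            for item in root.iter("cpe-item")}

def lookup(dictionary, pattern):
    """Dictionary names covered by a (possibly partial) CPE Name pattern, e.g. all versions."""
    return sorted(n for n in dictionary if matches(pattern, n))

# Constructed sample in the cpe-item format shown on the page; not the real NVD dictionary.
SAMPLE_DICTIONARY = """<cpe-list><cpe-item name="cpe:/a:ipa:myjvn"><title xml:lang="en-US">IPA MyJVN</title></cpe-item>
<cpe-item name="cpe:/o:microsoft:windows_2000::sp4:pro">
  <title xml:lang="en-US">Microsoft Windows 2000 SP4 Professional</title></cpe-item>
<cpe-item name="cpe:/o:redhat:enterprise_linux:4:update4">
  <title xml:lang="en-US">Red Hat Enterprise Linux 4 Update 4</title></cpe-item>
</cpe-list>"""
```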

3. CPE Trial

IPA has developed a filtered vulnerability countermeasure information tool, “MyJVN”(*8), that cross-references the vulnerability data published on JVN iPedia by CPE Name, using the CPE Dictionary as its reference. By cross-referencing the vulnerability countermeasure information stored in JVN iPedia by CPE Name, MyJVN lets users not only look up custom-filtered information but also view the results grouped by vendor and product name.

IPA will continue its efforts to provide vulnerability countermeasure information and to improve the infrastructure for the flow and use of that information, by advancing cross-referencing with the CPE Dictionary and adopting CPE Names as the product identifier.

Footnotes

(*1) CPE: Common Platform Enumeration. A list of standard IT platform names designated to identify each IT platform.
http://cpe.mitre.org/

(*2) SCAP: Security Content Automation Protocol. A set of technical specifications supported by the U.S. government to promote standardization and automation of information security implementation.
http://nvd.nist.gov/scap.cfm

(*3) MITRE Corporation: A not-for-profit organization that provides information technology support and research and development to the U.S. government.
http://www.mitre.org/

(*4) NIST: National Institute of Standards and Technology. A federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*5) NVD: National Vulnerability Database. A vulnerability database run by NIST.
http://nvd.nist.gov/

(*6) FDCC: Federal Desktop Core Configuration. A mandated security standard that requires all federal agencies to standardize the minimum configuration of PC settings.
http://nvd.nist.gov/fdcc/index.cfm

(*7) IETF RFC 4646: Tags for Identifying Languages.
http://www.ietf.org/rfc/rfc4646.txt

(*8) Press Release: Filtered Vulnerability Countermeasure Information Tool “MyJVN” Now Available
http://www.ipa.go.jp/security/english/vuln/200810_MyJVN_en.html

Contact information

IT Security Center, Information-technology Promotion Agency, Japan (ISEC/IPA)

  • E-mail: vuln-info [at] ipa.go.jp