Enhancing information security
Vulnerabilities:CPE (Common Platform Enumeration) Overview
Release Date:Oct 23, 2008
IT Security Center
Information-technology Promotion Agency, Japan
Structured Naming Scheme to Identify Information Technology Platforms
CPE (Common Platform Enumeration)(*1) is a structured naming scheme that aims to provide a standard naming specification to identify hardware and software that compose information technology systems.
CPE is a component of Security Content Automation Protocol (SCAP)(*2), which is a set of technical specifications supported by the U.S. government to promote standardization and automation of information security implementation.
CPE has been developed through the leadership of MITRE(*3) with the sponsorship of the U.S. Department of Homeland Security and the Version 1.0 was released on January 30, 2007.
Through its adoption into the U.S. national vulnerability database NVD(*4) operated by NIST(*5) and Federal Desktop Core Configuration (FDCC)(*6), CPE had been revised and the Version 2.1 was released on January 31, 2008.
CPE defines a naming structure to identify information system platforms, such as hardware, operating systems and applications. On April 15, 2008, NIST has released the official CPE Dictionary that is a list of information technology platforms uniquely identified pursuant to the CPE Specification.
Use of the CPE naming specification will enable venders, security experts, system administrators and users to identify and discuss IT platforms with vulnerabilities using a common language. It is also expected to be useful to apply CPE to asset management.
This overview is based on the MTIRE’s CPE Specification 2.1 released on January 31, 2008, and NIST’s CPE Dictionary pursuant to CPE version 2.1 released on April 15, 2008. For more information on CPE, please refer to the CPE Version 2.1 and the CPE Dictionary.
1.CPE Names
A CPE Name identifies IT platforms, such as hardware, operating systems and applications uniquely. It has two characteristics.
First is that a CPE Name contains the type of the IT platform, whether it is a hardware, operating systems or application, in its name.
Second is that a CPE Name is generated combining the vendor name and product name.
- CPE Name Basic Structure
-
cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
- Note 1: It does NOT differentiate uppercase and lowercase.
- Note 2: when a component of the basic structure is left blank, it is equal to specifying all. For example, if the version component is left blank, it means the CPE Name pertains to all versions of the specified product.
(1)Part Component
The first component of a CPE Name is a single letter code that designates the particular platform (hardware, operating system, application) being identified. The following codes are defined for CPE 2.0: ‘h’ for hardware part, ‘o’ for operating system part, ‘a’ for application part.
Additional codes, for example, 'd' for driver, 'l' for library, 'r' for runtime environment, or ‘v’ for virtualization, may be added as necessary in a future version of the specification.
(2)Vendor Component
The second component of a CPE Name is the vendor of the platform. The name used for the vender component should be the domain name of the vendor. If the domain name is different from the vendor name, the domain name still should be used for its CPE Name.
For example, in case of IPA, its CPE vendor name would be “ipa”, deprived from its domain name ipa.go.jp, although its official organization name is Information-technology Promotion Agency, Japan.
If two different vendors share the same organization-specific name but they differ in DNS suffix, the full DNS name should be used. For example, if cpe:/a:acme already exists in the CPE Dictionary and refers to www.acme.com, then a CPE Name for the vendor www.acme.org should be cpe:/a:acme.org.
In case where applications do not have a vendor or organization associated with them, the Vendor component should use the name of the platform’s developer. Please note that if the vendor/developer name is a multi-word name, use underscores instead of spaces.
The vendor name may change because of M&A or marketing purposes. In that case, the original CPE Name with the old vendor name will remain unchanged. A new CPE Name with the new vendor name will be generated for new products released under the new name.
(3)Product Component
The third component of a CPE Name is the product name of the platform. If product names and designations are multi-word, use full spelling, making sure to replace spaces with underscores.
For example, the Zone Labs ZoneAlarm Internet Security Suite version 7.0. would be designated as the following:
cpe:/a:zonelabs:zonealarm_internet_security_suite:7.0
If the vendor has designated an official abbreviation for a particular product and using the abbreviation would not make the CPE Name ambiguous, then the abbreviation of the multi-word product name may be used in its CPE Name.
For example, "Internet Explorer" should be shortened as "ie", and "Java Runtime Environment" should be shortened as "jre".
Just like the vendor component, even if a product name changes for some reasons, existing CPE Names should not be modified. Instead, new CPE names that are created for a new version of the product should use the new product name.
(4)Version Component
The forth component of a CPE Name is the version of the platform. The version should be written in the same way as described for the product component. Which means, for example, use periods, dashes, etc. as the delimiter in the same way as the product.
For example, Adobe Reader version 8.1 would be designated as the following:
cpe:/a:adobe:reader:8.1
(5)Update Component
The fifth component of a CPE Name is used for update or service pack information. The technical difference between version and update will depend on how vendors and products designate the information.
For example, Red Hat Enterprise Linux 4.0 Update 4 would be written as the following:
cpe:/o:redhat:enterprise_linux:4:update4
Usually, products are initially released without an update or service pack information. For example, "update 0" does not exist for Enterprise Linux and "Service Pack 0" does not exist for Microsoft Windows 2000.
However, if the information is specifically included by the vendor for the product’s initial release, the information should be used in the update component.
For example, Red Hat uses the term “ga” for General Availability. In this case, the CPE Name for the initial release of Enterprise Linux 4 would be designated as the following:
cpe:/o:redhat:enterprise_linux:4:ga
(6)Edition Component
The sixth component of a CPE Name is the edition of the platform. The Edition component is used to suggest specific target hardware and software architectures to be named, such as professional edition or free edition.
For example, all versions of Microsoft Windows 2000 Service Pack 4 Professional Edition would be written as the following:
cpe:/o:microsoft:windows_2000::sp4:pro
(7)Language Component
The seventh and final component of a CPE Name is the language associated with the specific platform. The value of this component should be pursuant to a valid language code defined by IETF RFC 4646: Tags for Identifying Languages(*7).
For example, the Japanese version of Mozilla Firefox version 2.0.0.6 for the Mac OSX operating system would be designated as the following:
cpe:/a:mozilla:firefox:2.0.0.6::osx:ja
(8)Abbreviations
To help shorten the longer CPE Names, abbreviations are applied where appropriate. The table 1 lists abbreviations for common terms and multi-words that should be considered when selecting CPE Name components.
| 1. advanced |
adv |
|---|---|
| 2. professional |
pro |
| 3. server |
srv |
| 4. standard |
std |
| 5. edition |
ed |
| 6. version 3.4 |
3.4 |
| 7. patch level 3 |
pl3 |
| 8. release 3 |
r3 |
| 9. release candidate 2 |
rc2 |
| 10. service pack 4 |
sp4 |
| 11. support pack 2 |
sup2 |
| 12. service release 2 |
sr2 |
| 13. security rollup |
sru |
| 14. general availability |
ga |
(9)Percent Encoding
When designating a CPE Name, reserved characters must be represented in their percent-encoded form. When using reserved characters, refer to the table 2 and use their percent-encoded form.
| 1. colon |
|
|---|---|
| 2. slash |
|
| 3. question mark |
|
| 4. pound sign |
|
| 5. open bracket |
|
| 6. close bracket |
|
| 7. at sign |
|
| 8. exclamation point |
|
| 9. dollar sign |
|
| 10. ampersand |
|
| 11. apostrophe |
|
| 12. open parenthesis |
|
| 13. close parenthesis |
|
| 14. asterisk |
|
| 15. plus sign |
|
| 16. comma |
|
| 17. semi-colon |
|
| 18. equal sign |
|
| 19. percent-sign |
|
| 20. angle bracket |
|
| 21. angle bracket |
|
| 22. double quote |
|
2.CPE Dictionary
CPE Dictionary is the official collection of CPE Names written in the XML format and is maintained by NIST. An each entity, which uniquely identifies an IT product, is a pair of its common name and CPE name designated pursuant to the CPE specification.
<cpe-item name="cpe:/a:ipa:myjvn">
<title xml:lang="en-US">IPA MyJVN</title>
<title xml:lang="ja">Information-technology Promotion Agency MyJVN</title>
</cpe-item>
3.CPE Trial
IPA has developed a filtered vulnerability countermeasure information tool “MyJVN”(*8) that enables cross-reference of vulnerability data published on JVN iPedia by CPE Names using the CPE Dictionary as a reference.
By enabling cross-reference of vulnerability countermeasure information stored in JVN iPedia by CPE Names, MyJVN allows users not only to look up custom filtered information but also to view the results in an organized format grouped by vendor and product names.
IPA will continue its efforts in providing vulnerability countermeasure information and improving infrastructure for better flow and use of vulnerability countermeasure information by advancing cross-referenceability with the CPE Dictionary and adopting CPE Names as the product identifier.
Footnote
(*1)CPE: Common Platform Enumeration. A list of standard IT platform names designated to identify each IT platform.
http://cpe.mitre.org/
(*2)SCAP: Security Content Automation Protocol. A set of technical specifications supported by the U.S. government to promote standardization and automation of information security implementation.
http://nvd.nist.gov/scap.cfm
(*3)MITRE Corporation: A not-for-profit organization that provides information technology support and research and development to the U.S. government.
http://www.mitre.org/
(*4)NIST: National Institute of Standards and Technology. A federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/
(*5)NVD: National Vulnerability Database. A vulnerability database run by NIST.
http://nvd.nist.gov/
(*6)FDCC: Federal Desktop Core Configuration. A mandated security standard that requires all federal agencies standardize the minimum configuration of PC settings.
http://nvd.nist.gov/fdcc/index.cfm
(*7)IETF RFC 4646: Tags for Identifying Languages.
http://www.ietf.org/rfc/rfc4646.txt
(*8)Press Release: Filtered Vulnerability Countermeasure Information Tool “MyJVN” Now Available
http://www.ipa.go.jp/security/english/vuln/200810_MyJVN_en.html
Reference
- CVE (Common Vulnerabilities and Exposures) Overview
- OVAL (Open Vulnerability and Assessment Language) Overview
- CWE (Common Weakness Enumeration) Overview
Contact information
IT Security Center, Information-technology Promotion Agency, Japan (ISEC/IPA)
-
E-mail
