Frontrow Technology

What is a CVE? Understanding Common Vulnerabilities and Exposures in Australia

A CVE is a unique identifier assigned to known software vulnerabilities, enabling consistent tracking and remediation across different vendors and security tools.

Last reviewed 23 May 2026

What is a CVE?

CVE stands for Common Vulnerabilities and Exposures. It's a dictionary of publicly known cybersecurity vulnerabilities and exposures. MITRE manages the CVE program, assigning unique identifiers (CVE IDs) to each vulnerability. These IDs provide a common language for security professionals to discuss and track vulnerabilities, regardless of the affected software or vendor. A CNA (CVE Numbering Authority), like Microsoft’s MSRC, is authorised to assign CVE IDs. These authorities work with vendors to ensure accurate and timely identification.
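The cross-tool tracking described above, as an added example that is not part of the original page: it normalises CVE IDs found in free-text findings (case and dash variants, sequence numbers of four or more digits) and groups the findings by ID. The tool names, hosts, descriptions and the CVE-2099 IDs are constructed placeholders, not real CVEs.

```python
import re
from collections import defaultdict

# CVE ID syntax: "CVE-" + 4-digit year + "-" + sequence of 4 or more digits.
# Tools and advisories vary case and dash characters, so normalise both.
_DASHES = str.maketrans({"\u2010": "-", "\u2011": "-", "\u2013": "-", "\u2014": "-"})
_CVE_RE = re.compile(r"(?<![A-Za-z0-9])CVE-(\d{4})-(\d{4,})(?!\d)", re.IGNORECASE)


def extract_cve_ids(text):
    """Return the canonical CVE IDs found in free text, in order, de-duplicated."""
    found = []
    for year, seq in _CVE_RE.findall(text.translate(_DASHES)):
        if int(year) < 1999:  # the CVE list starts in 1999
            continue
        cve_id = f"CVE-{year}-{seq}"
        if cve_id not in found:
            found.append(cve_id)
    return found


def correlate(findings):
    """Group (tool, host, description) findings by the CVE IDs they mention."""
    by_cve = defaultdict(list)
    unkeyed = []  # findings with no valid CVE ID need manual triage
    for tool, host, description in findings:
        ids = extract_cve_ids(description)
        if not ids:
            unkeyed.append((tool, host, description))
        for cve_id in ids:
            by_cve[cve_id].append((tool, host))
    return dict(by_cve), unkeyed


# Constructed sample findings; IDs in the 2099 range are placeholders, not real CVEs.
SAMPLE = [
    ("scanner-a", "web01", "ExampleLib RCE (cve-2099-0001)"),
    ("scanner-b", "web01", "Vendor bulletin XB-17 / CVE\u20132099\u20130001"),
    ("scanner-b", "db02", "CVE-2099-123456 and CVE-2099-0001 in ExampleDB"),
    ("scanner-a", "db02", "Weak TLS configuration (malformed ref CVE-2099-12)"),
]

if __name__ == "__main__":
    grouped, unkeyed = correlate(SAMPLE)
    for cve_id, hits in sorted(grouped.items()):
        print(cve_id, hits)
    print("no valid CVE ID:", unkeyed)
```

Findings that two tools describe under different names collapse onto one key, while the malformed reference is set aside instead of being silently matched.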

CVE in Australian tenants today

Australian organisations utilising Microsoft Defender Vulnerability Management will see CVEs surfaced alongside discovered software vulnerabilities. The ACSC (Australian Cyber Security Centre) publishes monthly advisory notices, often referencing CVEs, and provides recommended patching SLAs. Adherence to the Essential Eight, particularly control IE6 (Implement Patch Management), relies heavily on understanding and responding to CVE information. Compliance frameworks like APRA CPS 234 also necessitate robust vulnerability management processes, informed by CVE data, to protect sensitive information.
