DISA releases IAVA-to-CVE mapping

The DOD keeps its own catalog of system vulnerabilities, the IAVM. You can think about this as the computer security alerting system for the DOD. If you get an IAVM, it will tell you what the vulnerability is, how critical it is, and if you need to patch it immediately.

The rest of the world keeps track of vulnerabilities using MITRE’s Common Vulnerability Enumeration, or CVE. Most commercial tools (like Yum) understand CVEs: you get a CVE, you drop it into your patching system, and away you go.

But if you’re in the DOD, it’s not that easy. You’re given new IAVMs almost every day. The most automated you could ever make the process is to have a human log in to the IAVM website with their DOD-issued smart card, read the IAVM information, hope to God the JTF-GNO mapped the IAVM to a CVE, otherwise find the CVE that matches the IAVM you were given, and then drop that CVE into your patch system. That’s tedious, which means nobody ever does it.

If we’re ever going to get to a world where we’re doing real-time threat monitoring, which we we’re slouching towards at a breakneck pace, we need IAVMs mapped to CVEs. And wouldn’t you know it, but that’s exactly what DISA did. They were quiet about it, but thanks to a tweet from C3i Security, I found this:

http://iase.disa.mil/stigs/Pages/iavm-cve.aspx

Boom. IAVM-to-CVE mappings in XML. They provided an Excel spreadsheet as well, but I’m sure they were just joking.

So DOD security nerds rejoice: we finally have machine-readable mappings for IAVMs. I don’t say this often, but: thanks, DISA!

[Update: If you’re a Red Hat customer and you’ve gotten this far, you’ll also enjoy Red Hat’s IAVM Mapper tool, available on the customer portal.]