Dear CWE Community,

We are thrilled to announce that CWE version 4.7 is now available on our website – https://cwe.mitre.org. Thank you to all our content submitters and community members for your time and efforts to collaborate and make this release possible.

CWE 4.7 adds support for the recently released categories of security vulnerabilities in industrial control systems (ICS) as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF)<https://inl.gov/wp-content/uploads/2022/03/SEI-ETF-NCSV-TPT-Categories-of-Security-Vulnerabilities-ICS-v1_03-09-22.pdf> in March 2022. Continued expansion into ICS and operational technology (OT) CWE content will be discussed in the CWE-CAPEC ICS/OT Special Interest Group (SIG)<https://cwe.mitre.org/news/index.html#april212022_Join_the_CWE_CAPEC_ICS_OT_SIG> launching on May 28, 2022.

A detailed report listing the specific changes between Version 4.6 and 4.7 can be found here (diff report<https://cwe.mitre.org/data/reports/diff_reports/v4.6_v4.7.html>), but below I have listed some of the key highlights:

* One (1) new view added: Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS<https://cwe.mitre.org/data/definitions/1358.html>
* One (1) new software weakness added: CWE-1385: Missing Origin Validation in WebSockets<https://cwe.mitre.org/data/definitions/1385.html>
* One (1) new hardware weakness added: CWE-1384: Improper Handling of Extreme Physical Environment Conditions<https://cwe.mitre.org/data/definitions/1384.html>
* One (1) new software/hardware weakness added: CWE-1357: Reliance on Uncontrolled Component<https://cwe.mitre.org/data/definitions/1357.html>
* One (1) software weakness updated to also include hardware: CWE-1059: Insufficient Technical Documentation<https://cwe.mitre.org/data/definitions/1059.html>
* One (1) weakness deprecated: CWE-365: Race Condition in Switch<https://cwe.mitre.org/data/definitions/365.html>
* Updated relationships for 144 existing entries<https://cwe.mitre.org/data/reports/diff_reports/v4.6_v4.7.html#detailed_difference_report>
* The Status attribute in the top right corner of each CWE entry page will no longer be displayed. It is commonly misinterpreted and causes confusion with respect to quality and completeness of CWE content. The Status attribute will continue to be included in the XML of each entry.
* CWE schema<https://cwe.mitre.org/data/xsd/cwe_schema_v6.7.xsd> updated to add new entries to the TechnologyNameEnumeration to mirror existing entries, but with “IP” removed, in accordance with Hardware CWE SIG<http://cwedev1-mcl.mitre.org/documents/HW_CWE_SIG.pdf> discussions

We are really excited about this release, and we look forward to you diving into the new content. On behalf of the CWE Program, thank you for your continued support.

Cheers,
Alec

--
Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World™