Here are the notes I kept when researching this topic. The short answer is there are three types of configurations
…
In many cases a product is only vulnerable when it is run in a certain way, or alongside other products. For example, Google Chrome 103.0.5060.114 might be vulnerable when running on Apple macOS 12.0.0 but not on Apple macOS 11.0.0 or on any Windows OS.
Each node in a CVE configuration has an operator value of either OR or AND (and, in rare cases, a negate boolean) to convey the logical relationship between the CPEs listed in its cpeMatch array. For example, if the vulnerability exists only when both CPE products are present, the operator is AND. If the vulnerability exists when either CPE is present, the operator is OR (as in the CVE-2019-1010218 example). Combining several nodes and operators can express more complex relationships.
NVD describes three different types of configurations;
- Basic: A single node containing one or more sets of match criteria. This configuration type communicates that each CPE URI that matches the match criteria is considered vulnerable.
- Running On/With: A combination of nodes containing both vulnerable and non-vulnerable match criteria. This configuration type communicates that CPE URIs that match the match criteria from both nodes must be present before a vulnerability applies.
- Advanced: A complex combination of nodes with many enumerations based on the CPE 2.3 specification. Advanced configurations are displayed with the actual nodes and node values on the vulnerability detail page instead of in a simplified form such as the Basic and Running On/With configuration types.
Let me illustrate with some real examples.
1. Basic configurations
As the name would suggest, these are fairly simple.
CVE-2022-29098 offers a good example: NVD - CVE-2022-29098 (see Known Affected Software Configurations on that page)
Querying via the API;
GET https://services.nvd.nist.gov/rest/json/cves/2.0/?cveId=CVE-2022-29098
Here is what the API returns (the full response has been cut for brevity; the omitted parts are shown using ...);
{
"resultsPerPage": 1,
"startIndex": 0,
"totalResults": 1,
"format": "NVD_CVE",
"version": "2.0",
"timestamp": "2023-01-09T19:40:03.140",
"vulnerabilities": [
{
"cve": {
"id": "CVE-2022-29098",
"sourceIdentifier": "security_alert@emc.com",
"published": "2022-06-01T15:15:09.010",
"lastModified": "2022-06-08T19:14:09.453",
"vulnStatus": "Analyzed",
...
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:dell:powerscale_onefs:9.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "30687628-5C7F-4BB5-B990-93703294FDF0"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:dell:powerscale_onefs:9.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "68291D44-DBE1-4923-A848-04E64288DC23"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:dell:powerscale_onefs:9.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DCC55FA4-AD91-4DA6-B60E-A4E34DDAE95A"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:dell:powerscale_onefs:9.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B948CD53-3D17-4230-9B77-FCE8E0E548B9"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:dell:powerscale_onefs:9.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5AB99A1A-8DD3-4DDE-B70C-0E91D1D3B682"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:dell:powerscale_onefs:9.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61F14753-D64C-4E8B-AA94-07E014848B4D"
}
]
}
]
}
],
...
}
}
]
}
There is only one node. Its operator is OR, so each object in its cpeMatch array is considered as an alternative: matching any one of them is enough.
Basic configurations only consider individual products (not combinations), so every entry is "vulnerable": true (the product itself is vulnerable on its own).
In this case there are six match criteria, any one of which produces a match;
- Dell PowerScale OneFS version 9.0.0 ("matchCriteriaId": "30687628-5C7F-4BB5-B990-93703294FDF0") OR,
- Dell PowerScale OneFS version 9.1.0 ("matchCriteriaId": "68291D44-DBE1-4923-A848-04E64288DC23") OR,
- Dell PowerScale OneFS version 9.1.1 ("matchCriteriaId": "DCC55FA4-AD91-4DA6-B60E-A4E34DDAE95A") OR,
- Dell PowerScale OneFS version 9.2.0 ("matchCriteriaId": "B948CD53-3D17-4230-9B77-FCE8E0E548B9") OR,
- Dell PowerScale OneFS version 9.2.1 ("matchCriteriaId": "5AB99A1A-8DD3-4DDE-B70C-0E91D1D3B682") OR,
- Dell PowerScale OneFS version 9.3.0 ("matchCriteriaId": "61F14753-D64C-4E8B-AA94-07E014848B4D")
In this example, each matchCriteriaId resolves to exactly the CPE URI shown in the CVE. The match criteria API returns the list of CPE names behind an ID, e.g.
GET https://services.nvd.nist.gov/rest/json/cpematch/2.0/?matchCriteriaId=30687628-5C7F-4BB5-B990-93703294FDF0
"matches": [
{
"cpeName": "cpe:2.3:a:dell:powerscale_onefs:9.0.0:*:*:*:*:*:*:*",
"cpeNameId": "2B8F2852-98F4-44E1-BBF2-6597C2481DB1"
}
]
However, keep in mind as I move on that this is not always the case: a matchCriteriaId can resolve to more than one CPE.
2. Running On/With
This type of configuration is defined using a combination of products that have a relationship (running on, or running with, each other) that makes at least one of those products vulnerable.
In this type, nodes can contain both vulnerable and non-vulnerable products.
To explain this I will use CVE-2022-27948 as an example: NVD - CVE-2022-27948 (see Known Affected Software Configurations on that page)
Querying via the API;
GET https://services.nvd.nist.gov/rest/json/cves/2.0/?cveId=CVE-2022-27948
Here is what the API returns (fields unrelated to the configuration have been cut for brevity, shown using ...);
{
"resultsPerPage": 1,
"startIndex": 0,
"totalResults": 1,
"format": "NVD_CVE",
"version": "2.0",
"timestamp": "2023-01-10T07:37:08.677",
"vulnerabilities": [
{
"cve": {
"id": "CVE-2022-27948",
"sourceIdentifier": "cve@mitre.org",
"published": "2022-03-27T13:15:13.573",
"lastModified": "2022-04-06T03:39:12.913",
"vulnStatus": "Analyzed",
...
"configurations": [
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:tesla:model_3_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2022-03-26",
"matchCriteriaId": "86619D7A-ACB6-489C-9C29-37C6018E5B4B"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:tesla:model_s_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2022-03-26",
"matchCriteriaId": "FD68704D-C711-491F-B278-B02C6866738C"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:tesla:model_x_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2022-03-26",
"matchCriteriaId": "C3517683-8493-4D0D-9792-5C9034B1F0B3"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:tesla:model_3:-:*:*:*:*:*:*:*",
"matchCriteriaId": "825A79FD-C872-4564-9782-83BEEADDF5D9"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:tesla:model_s:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8D28E699-B843-4641-9BA6-406D88231E7C"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:tesla:model_x:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C550FF8A-58ED-4265-B33F-10AFDEA95519"
}
]
}
]
}
],
...
}
}
]
}
Note that in this response the configuration object itself has an operator property (in the previous response, an operator appeared only on the node inside nodes):
"operator": "AND",
"nodes": [
This allows for more complex Running On/With combinations, where the nodes within one configuration are combined using this additional operator.
The top-level operator in this example is AND. There are two nodes in this configuration. Each node has an OR operator, and each has three CPE URIs in its cpeMatch. The first contains only Tesla operating system (o) CPEs; the second contains only Tesla hardware (h) CPEs.
Logically, it is saying that any entry from the first node AND any entry from the second node will create a match.
It is also important to point out that here a matchCriteriaId can resolve to more than one version of the product. For example,
{
"vulnerable": true,
"criteria": "cpe:2.3:o:tesla:model_3_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2022-03-26",
"matchCriteriaId": "86619D7A-ACB6-489C-9C29-37C6018E5B4B"
},
GET https://services.nvd.nist.gov/rest/json/cpematch/2.0/?matchCriteriaId=86619D7A-ACB6-489C-9C29-37C6018E5B4B
"matches": [
{
"cpeName": "cpe:2.3:o:tesla:model_3_firmware:-:*:*:*:*:*:*:*",
"cpeNameId": "979F9EB6-C9F6-49EE-9FED-2ED17E400E86"
},
{
"cpeName": "cpe:2.3:o:tesla:model_3_firmware:11.0:*:*:*:*:*:*:*",
"cpeNameId": "62DCA7AD-A796-486F-8FB6-DEACC078D402"
},
{
"cpeName": "cpe:2.3:o:tesla:model_3_firmware:2022-03-26:*:*:*:*:*:*:*",
"cpeNameId": "F010C8B7-83E9-45FB-A5D4-26EDF34EC312"
}
]
Here I can see that this one criteria string in the node actually covers three CPE URIs.
Looking at all six matchCriteriaIds;
- 86619D7A-ACB6-489C-9C29-37C6018E5B4B: 3 CPE URIs (shown above)
- FD68704D-C711-491F-B278-B02C6866738C: 2 CPE URIs
- C3517683-8493-4D0D-9792-5C9034B1F0B3: 3 CPE URIs
- 825A79FD-C872-4564-9782-83BEEADDF5D9: 1 CPE URI
- 8D28E699-B843-4641-9BA6-406D88231E7C: 1 CPE URI
- C550FF8A-58ED-4265-B33F-10AFDEA95519: 1 CPE URI
In this example you also need to consider the value of the vulnerable property. In the first node it is true for every entry; in the second it is false for every entry.
This describes the combinations of products and which of them are actually affected by the vulnerability when running in this way: the firmware is what is vulnerable, and the hardware it runs on is only the context that makes the match apply.
It is easier to explain this by writing it all out, as there are a lot of combinations in this CVE.
- Tesla Model 3 Firmware (86619D7A-ACB6-489C-9C29-37C6018E5B4B, 3 CPEs) AND Tesla Model 3 Hardware (825A79FD-C872-4564-9782-83BEEADDF5D9, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
- Tesla Model 3 Firmware (86619D7A-ACB6-489C-9C29-37C6018E5B4B, 3 CPEs) AND Tesla Model S Hardware (8D28E699-B843-4641-9BA6-406D88231E7C, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
- Tesla Model 3 Firmware (86619D7A-ACB6-489C-9C29-37C6018E5B4B, 3 CPEs) AND Tesla Model X Hardware (C550FF8A-58ED-4265-B33F-10AFDEA95519, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
- Tesla Model S Firmware (FD68704D-C711-491F-B278-B02C6866738C, 2 CPEs) AND Tesla Model 3 Hardware (825A79FD-C872-4564-9782-83BEEADDF5D9, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
- Tesla Model S Firmware (FD68704D-C711-491F-B278-B02C6866738C, 2 CPEs) AND Tesla Model S Hardware (8D28E699-B843-4641-9BA6-406D88231E7C, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
- Tesla Model S Firmware (FD68704D-C711-491F-B278-B02C6866738C, 2 CPEs) AND Tesla Model X Hardware (C550FF8A-58ED-4265-B33F-10AFDEA95519, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
- Tesla Model X Firmware (C3517683-8493-4D0D-9792-5C9034B1F0B3, 3 CPEs) AND Tesla Model 3 Hardware (825A79FD-C872-4564-9782-83BEEADDF5D9, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
- Tesla Model X Firmware (C3517683-8493-4D0D-9792-5C9034B1F0B3, 3 CPEs) AND Tesla Model S Hardware (8D28E699-B843-4641-9BA6-406D88231E7C, 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
- Tesla Model X Firmware (C3517683-8493-4D0D-9792-5C9034B1F0B3, 3 CPEs) AND Tesla Model X Hardware (C550FF8A-58ED-4265-B33F-10AFDEA95519, 1 CPE) (ONLY FIRMWARE VULNERABLE)
In total there are 24 possible product combinations that are vulnerable in this CVE: ((3*1)+(3*1)+(3*1)) + ((2*1)+(2*1)+(2*1)) + ((3*1)+(3*1)+(3*1)).
Note that this is not the most precisely written set of nodes, though it is useful to see that not all CPE matches in a CVE will be as concise as they could be. In the real world, Tesla Model 3 hardware will, as far as I am aware, only ever run Model 3 firmware. The matches that pair Model 3 firmware with Model X hardware, and so on, are therefore redundant.
3. Advanced
The operators and structure in the previous configuration types are no different in advanced configurations. It is the number of configuration objects (and the nodes inside them) returned in the response that makes them more advanced.
To illustrate this, I will use CVE-2019-18939: NVD - CVE-2019-18939 (see Known Affected Software Configurations on that page)
Querying via the API;
GET https://services.nvd.nist.gov/rest/json/cves/2.0/?cveId=CVE-2019-18939
Here is what the API returns (fields unrelated to the configurations have been cut for brevity, shown using ...);
{
"resultsPerPage": 1,
"startIndex": 0,
"totalResults": 1,
"format": "NVD_CVE",
"version": "2.0",
"timestamp": "2023-01-10T08:23:24.183",
"vulnerabilities": [
{
"cve": {
"id": "CVE-2019-18939",
"sourceIdentifier": "cve@mitre.org",
"published": "2019-11-14T19:15:13.410",
"lastModified": "2021-07-21T11:39:23.747",
"vulnStatus": "Analyzed",
...
"configurations": [
{
"nodes": [
{
"operator": "AND",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*",
"matchCriteriaId": "286DA904-5631-4AAF-86DE-97C23982D2C5"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*",
"matchCriteriaId": "38BE17DA-7C5E-427E-B824-151EB27CFF26"
}
]
}
]
},
{
"nodes": [
{
"operator": "AND",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F5D8290F-3541-4452-99CB-0766CDC59073"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:eq-3:homematic_ccu3:-:*:*:*:*:*:*:*",
"matchCriteriaId": "33113AD0-F378-49B2-BCFC-C57B52FD3A04"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.18:*:*:*:*:*:*:*",
"matchCriteriaId": "285F4E29-E299-4F83-9F7E-BB19933AD654"
}
]
}
]
},
{
"nodes": [
{
"operator": "AND",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*",
"matchCriteriaId": "286DA904-5631-4AAF-86DE-97C23982D2C5"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:eq-3:homematic_ccu3:-:*:*:*:*:*:*:*",
"matchCriteriaId": "33113AD0-F378-49B2-BCFC-C57B52FD3A04"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.18:*:*:*:*:*:*:*",
"matchCriteriaId": "285F4E29-E299-4F83-9F7E-BB19933AD654"
}
]
}
]
},
{
"nodes": [
{
"operator": "AND",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F5D8290F-3541-4452-99CB-0766CDC59073"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*",
"matchCriteriaId": "38BE17DA-7C5E-427E-B824-151EB27CFF26"
}
]
}
]
}
],
...
}
}
]
}
The key difference here is that the configurations array now holds multiple configuration objects (four in this example), each with its own nodes. In the two previous examples there was a single configuration.
As such, combinations of CPEs can be written in more ways (though they are not necessarily more "advanced").
The response above has four separate configurations. Each is considered in isolation: matching any one of them is enough for the CVE to apply.
Within each configuration there is one node whose operator is AND, so every entry in its cpeMatch must be present for that configuration to match.
Looking up the CPEs behind each matchCriteriaId returns a single CPE URI:
- Node 1: 286DA904-5631-4AAF-86DE-97C23982D2C5: 1 CPE; 9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC: 1 CPE; 38BE17DA-7C5E-427E-B824-151EB27CFF26: 1 CPE
- Node 2: F5D8290F-3541-4452-99CB-0766CDC59073: 1 CPE; 33113AD0-F378-49B2-BCFC-C57B52FD3A04: 1 CPE; 285F4E29-E299-4F83-9F7E-BB19933AD654: 1 CPE
- Node 3: 286DA904-5631-4AAF-86DE-97C23982D2C5: 1 CPE; 33113AD0-F378-49B2-BCFC-C57B52FD3A04: 1 CPE; 285F4E29-E299-4F83-9F7E-BB19933AD654: 1 CPE
- Node 4: F5D8290F-3541-4452-99CB-0766CDC59073: 1 CPE; 9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC: 1 CPE; 38BE17DA-7C5E-427E-B824-151EB27CFF26: 1 CPE
Note that the same CPEs appear in multiple nodes, which is why there are only six unique matchCriteriaIds above.
With this information, I know there are exactly four CPE combinations that lead to a match (one per configuration);
- eQ-3 Homematic CCU2 (hardware, version -, CPE's "not applicable" value) AND eQ-3 Homematic CCU2 firmware 2.47.20 AND HM Print Project HM Print 1.2a (application) (FIRMWARE AND APPLICATION VULNERABLE), OR,
- eQ-3 Homematic CCU3 (hardware, version -) AND eQ-3 Homematic CCU3 firmware 3.47.18 AND HM Print Project HM Print 1.2 (application) (FIRMWARE AND APPLICATION VULNERABLE), OR,
- eQ-3 Homematic CCU3 (hardware, version -) AND eQ-3 Homematic CCU3 firmware 3.47.18 AND HM Print Project HM Print 1.2a (application) (FIRMWARE AND APPLICATION VULNERABLE), OR,
- eQ-3 Homematic CCU2 (hardware, version -) AND eQ-3 Homematic CCU2 firmware 2.47.20 AND HM Print Project HM Print 1.2 (application) (FIRMWARE AND APPLICATION VULNERABLE)
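To close, here is the evaluation logic for all three configuration types (Basic, Running On/With and Advanced) in one place: given the configurations array from a CVE API 2.0 response and the CPE names present on a host, decide whether the CVE applies and which of the host's products are flagged vulnerable. This is an added example written for this article, not NVD code. It assumes that a configuration without an operator combines its nodes with OR, and it matches criteria strings directly against host CPE names with a naive version comparator; the authoritative approach is to resolve each matchCriteriaId to its CPE name list with the match criteria API, as shown above. The sample configurations are trimmed copies of the CVE-2022-27948 and CVE-2019-18939 responses (matchCriteriaId fields dropped because matching here is on the criteria string), and the host CPE lists are constructed.

```python
"""Evaluate an NVD CVE API 2.0 `configurations` array against a host's CPEs.

Added example (not NVD code). Rules implemented:
  - the CVE applies if ANY configuration object matches;
  - a configuration joins its nodes with its operator (assumption: OR if absent);
  - a node joins its cpeMatch entries with its operator, then applies `negate`;
  - an entry matches a host CPE component by component ('*' = any), and the
    host version must satisfy the versionStart*/versionEnd* fields.
Assumption: a naive version comparator; NVD's own answer is the CPE name list
behind each matchCriteriaId (Match Criteria API).
"""
import re


def cpe_parts(cpe):
    """Split a CPE 2.3 formatted string into its 13 components."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts


def _version_key(version):
    # Segment-wise ordering: numeric segments numerically, the rest lexically.
    return tuple((0, int(s)) if s.isdigit() else (1, s)
                 for s in re.split(r"[.\-]", version))


def _in_range(version, match):
    if version in ("*", "-"):  # ANY / NA: nothing to compare (NVD lists '-' as in range above)
        return True
    v = _version_key(version)
    bounds = (("versionStartIncluding", lambda b: b <= v), ("versionStartExcluding", lambda b: b < v),
              ("versionEndIncluding", lambda b: v <= b), ("versionEndExcluding", lambda b: v < b))
    return all(field not in match or ok(_version_key(match[field])) for field, ok in bounds)


def criteria_matches(match, host_cpe):
    """True if host_cpe satisfies the entry's criteria string and version range."""
    pattern, host = cpe_parts(match["criteria"]), cpe_parts(host_cpe)
    if any(p != "*" and p.lower() != h.lower() for p, h in zip(pattern, host)):
        return False
    return _in_range(host[5], match)  # component 5 is the version


def node_matches(node, host_cpes):
    hits = [any(criteria_matches(m, c) for c in host_cpes) for m in node["cpeMatch"]]
    result = all(hits) if node.get("operator", "OR") == "AND" else any(hits)
    return not result if node.get("negate", False) else result


def configuration_matches(configuration, host_cpes):
    hits = [node_matches(n, host_cpes) for n in configuration["nodes"]]
    return all(hits) if configuration.get("operator", "OR") == "AND" else any(hits)


def affected_cpes(configurations, host_cpes):
    """Host CPEs flagged `vulnerable` by each matching configuration (empty set: CVE does not apply)."""
    host_cpes = list(host_cpes)
    out = set()
    for conf in configurations:
        if configuration_matches(conf, host_cpes):
            for node in conf["nodes"]:
                for m in node["cpeMatch"]:
                    if m["vulnerable"]:
                        out.update(c for c in host_cpes if criteria_matches(m, c))
    return out


# Constructed from the CVE-2022-27948 response above (Model X entries dropped, IDs omitted).
TESLA = {"operator": "AND", "nodes": [
    {"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "versionEndIncluding": "2022-03-26",
         "criteria": "cpe:2.3:o:tesla:model_3_firmware:*:*:*:*:*:*:*:*"},
        {"vulnerable": True, "versionEndIncluding": "2022-03-26",
         "criteria": "cpe:2.3:o:tesla:model_s_firmware:*:*:*:*:*:*:*:*"}]},
    {"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": False, "criteria": "cpe:2.3:h:tesla:model_3:-:*:*:*:*:*:*:*"},
        {"vulnerable": False, "criteria": "cpe:2.3:h:tesla:model_s:-:*:*:*:*:*:*:*"}]}]}


def _ccu2_configuration(hm_print_version):
    # One CVE-2019-18939 configuration: CCU2 hardware AND CCU2 firmware AND hm-print.
    return {"nodes": [{"operator": "AND", "negate": False, "cpeMatch": [
        {"vulnerable": True, "criteria": f"cpe:2.3:a:hm-print_project:hm-print:{hm_print_version}:*:*:*:*:*:*:*"},
        {"vulnerable": False, "criteria": "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*"},
        {"vulnerable": True, "criteria": "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*"}]}]}


HM_PRINT = [_ccu2_configuration("1.2a"), _ccu2_configuration("1.2")]
MODEL_3_FW = "cpe:2.3:o:tesla:model_3_firmware:11.0:*:*:*:*:*:*:*"
MODEL_3_HW = "cpe:2.3:h:tesla:model_3:-:*:*:*:*:*:*:*"

if __name__ == "__main__":
    print(affected_cpes([TESLA], [MODEL_3_FW, MODEL_3_HW]))  # firmware only (hardware is vulnerable: false)
    print(affected_cpes([TESLA], [MODEL_3_FW]))              # set(): both nodes are required
    print(affected_cpes(HM_PRINT, ["cpe:2.3:a:hm-print_project:hm-print:1.2:*:*:*:*:*:*:*",
                                   "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
                                   "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*"]))
```

The three calls at the bottom exercise each type of reasoning discussed above: the Running On/With case returns only the firmware CPE because the hardware entry is "vulnerable": false, drops to an empty set when the hardware node has nothing to match, and the Advanced case matches only the configuration whose hm-print version agrees with the host. Because the two Tesla nodes are independent OR lists, Model 3 firmware paired with Model S hardware also matches, which is exactly the redundancy noted earlier.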