Cisco Vulnerability Repository and Vulnerability Exploitability eXchange

CVR VEX FAQs

The Cisco Vulnerability Repository (CVR) is a tool designed to help customers determine which vulnerabilities impact their Cisco products. Customers can enter a Common Vulnerabilities and Exposures (CVE) ID to get vulnerability disposition data (affected, not affected, and under investigation) for a product. If the queried data is unavailable, customers can request that Cisco engineering teams conduct an investigation.

The Vulnerability Exploitability eXchange (VEX) is a type of document that provides vulnerability disposition data in a machine-readable format. VEX documents from Cisco comply with the Common Security Advisory Framework (CSAF) and provide the status (not affected, affected, fixed, and under investigation) of specific vulnerabilities in a particular product. Customers can request and download VEX documents through CVR.

CVR Instructions

To use the Cisco Vulnerability Repository (CVR), go to https://sec.cloudapps.cisco.com/security/center/cvr. There are two ways to find vulnerability disposition data and VEX information for a specific vulnerability and a specific product.

Option 1: Use the Narrow search by product fields

If you know the software release that you want to search, this is the quickest method for getting the vulnerability disposition information.

  • Enter a single CVE ID in the search field.
  • Click the arrow to the left of Narrow search by product. Choose the appropriate product, platform, and release from the lists. Note that this product filter requires a full product-platform-release combination. Product-level and platform-level filtering are not currently offered.
  • Click Search.

If there is no disposition data available for the vulnerability and software release that you chose, you will see a Request Assessment button. If you click that button, CVR will create an internal case to obtain the information.

If there is disposition data available, the tool will return the following information:

  • Basic scoring and descriptive details about the vulnerability based on the National Vulnerability Database (NVD)
  • An assessment and scoring from the Cisco Product Security Incident Response Team (PSIRT)
  • The vulnerability disposition of the release—affected, not affected, or under investigation
  • A link to download a VEX document for the specific vulnerability and software release

To download the VEX document, click the download icon to the right of Download in VEX format.

Option 2: Search for a CVE, then filter the results

If you do not know what software release you are searching for and/or you want to see the results for multiple products at the same time, use this option.

  • Enter a single CVE ID in the search field.
  • Click Search.

The tool returns the following:

  • Basic scoring and descriptive details about the vulnerability based on the National Vulnerability Database (NVD)
  • An assessment and scoring from the Cisco Product Security Incident Response Team (PSIRT)
  • A new section called Cisco Product Dispositions for CVE-XXXX-XXXXX, which lists any known product disposition information

To get vulnerability disposition data and VEX information for a specific product, do the following in the Cisco Product Dispositions for CVE-XXXX-XXXXX section:

  • The Disposition filter for the search results is automatically set to Affected. Check the other check boxes to see products that are confirmed not affected or that are under investigation. Use the fields to filter the results by product, disposition, or Cisco Bug ID.
  • For the products listed, see the platforms by clicking the + to the left of the product name. To see the releases, click the + to the left of the platform name.
  • On the right side of the row for each release, there is VEX and a download icon. Click the icon to download the VEX document that pertains to this product and the vulnerability you searched for.

If there is no vulnerability disposition data for the specific product you have searched for, you can request a disposition investigation. Follow the instructions in Option 1 to choose the product, platform, and release, and click Search. Then click the Request Assessment button.

Frequently Asked Questions for VEX and CVR

Access to VEX Information

Your Products and VEX

Information Provided by VEX

Working with a VEX Document

Using CVR

Access to VEX Information

Q: What is VEX?

A: The Vulnerability Exploitability eXchange (VEX) allows software suppliers (including vendors like Cisco) or other parties to assert the status of specific vulnerabilities in a particular product.

Q: Who can request or view VEX information?

A: Any customer with a Cisco.com account can request or view VEX information.

Q: How do I obtain VEX information?

A: Customers may request VEX information and the status of a given vulnerability through the Cisco Vulnerability Repository (CVR) tool.

Q: What information do I need to request VEX information?

A: You will need to provide the Common Vulnerabilities and Exposures (CVE) ID of the vulnerability and specify the product name, platform, and software release.

Q: Is there a programmatic method for obtaining VEX information?

A: Currently, there is no API available for obtaining VEX information.

Q: What type of VEX requests can I make?

A: CVR provides VEX status information for one CVE for a single software release.

Q: For which software releases can I request a comprehensive VEX document?

A: Comprehensive VEX documents will be available only for software releases that meet ALL of the following conditions:

  • The release is a General Availability (GA) major or minor software release for the product. This explicitly excludes any non-major or minor releases (rebuilds, maintenance, etc.) and engineering special (ES), Early Field Trial (EFT), Alpha, Beta, pre-production, specially instrumented debugging and troubleshooting images, or any other software release not generally available to the majority of the Cisco customer base for installation on their devices.
  • The release was published after September 14, 2022.
  • The release is not a cloud service or product.

Q: Do I need an SBOM to request VEX information?

A: No. CVR uses the product, platform, and release information that you provide to determine the VEX information.

Q: How long will it take to receive VEX information?

A: If VEX information is available, you will see a Download VEX button, which lets you download the VEX information immediately. If the VEX information is not readily available, you will see a Request Assessment button. When you click that button, CVR will create an internal case to obtain the information. It may take a week or longer to obtain the necessary information, but once obtained, future requests will return VEX information immediately.

Your Products and VEX

Q: Can I get the VEX information for a vulnerability associated with a specific product?

A: Yes. In CVR, provide the CVE ID and the product, platform, and release that you are interested in.

Q: Can I get the VEX information for a vulnerability associated with multiple products?

A: No. For each search, CVR provides CVE status information for a single product, platform, and release. If you want to see the status of the vulnerability in multiple products, you must perform multiple searches.

Q: Can I get the VEX information for any Cisco software release?

A: VEX documents are available for General Availability (GA) major and minor software releases. This explicitly excludes software releases of any of the following types: engineering special (ES), Early Field Trial (EFT), Alpha, Beta, pre-production, specially instrumented debugging and troubleshooting images, or any other software release not generally available to the majority of the Cisco customer base for installation on their devices.

Q: Can I get the status of multiple vulnerabilities that affect a specific product?

A: No. For each search, CVR provides CVE status information for a single product, platform, and release. If you want to see the status of multiple vulnerabilities in a product, you must perform multiple searches.

Q: Is VEX supported for cloud-based services like Webex?

A: No. VEX is only supported and available for on-premises products.

Information Provided by VEX

Q: What are the possible vulnerability status values in the VEX information, and what do they mean?

A: The VEX standard includes the following status values:

  • fixed – A fix has been applied to the vulnerability that mitigates its impact.
  • known_affected – The product is affected by the vulnerability.
  • known_not_affected – The product is not affected by the vulnerability and no remediation is necessary.
  • under_investigation – It is unknown whether the product is affected by the vulnerability.

Q: The vulnerability status is known_not_affected. Why?

A: The VEX standard defines justifications that a vendor may supply when they determine a vulnerability does not affect a product. These include:

  • Component_not_present - The vulnerable component is not in the product.
  • Vulnerable_code_not_present - The code underlying the vulnerability is not present in the product.
  • Vulnerable_code_not_in_execute_path - The affected code is not reachable through the execution of the code, including non-anticipated states of the product.
  • Vulnerable_code_cannot_be_controlled_by_adversary - The vulnerable code is used in such a way that an attacker cannot mount any anticipated attack.
  • Inline_mitigations_already_exist - Built-in inline controls or mitigations prevent an adversary from leveraging the vulnerability.

Q: I got the VEX information for a CVE in a specific software release more than once, and the vulnerability status information changed. Why?

A: VEX information is point-in-time and becomes obsolete as more vulnerabilities are disclosed, fixed, and investigated.
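The status values, the justification flags and the point-in-time nature of a VEX document described in the three answers above can all be read from the CSAF structure of the file. The following added example (not Cisco's code) parses a constructed CSAF 2.0 VEX document: product IDs, names, dates and the tracking ID are placeholders, and the product tree is assumed to use full_product_names (real documents may nest products under branches).

```python
import json
from typing import Dict, List, Tuple

# Constructed sample shaped like a CSAF 2.0 VEX document, not a real Cisco file.
SAMPLE_VEX = json.dumps({
    "document": {
        "category": "csaf_vex", "csaf_version": "2.0",
        "tracking": {"id": "EXAMPLE-VEX-0001", "version": "2", "status": "final",
                     "current_release_date": "2024-03-11T15:30:35Z"},
    },
    "product_tree": {"full_product_names": [
        {"product_id": "PID-1", "name": "Example Product 1.0.0 (constructed)"},
        {"product_id": "PID-2", "name": "Example Product 1.1.0 (constructed)"},
    ]},
    "vulnerabilities": [{
        "cve": "CVE-2023-48795",
        "product_status": {"known_not_affected": ["PID-1"],
                           "under_investigation": ["PID-2"]},
        # Justification for a known_not_affected product lives in 'flags'.
        "flags": [{"label": "vulnerable_code_not_present", "product_ids": ["PID-1"]}],
    }],
})

# The four VEX status groups, in the order they are reported below.
STATUS_KEYS = ("fixed", "known_affected", "known_not_affected", "under_investigation")


def product_names(doc: dict) -> Dict[str, str]:
    """Map product_id -> readable name from product_tree.full_product_names."""
    return {p["product_id"]: p["name"]
            for p in doc.get("product_tree", {}).get("full_product_names", [])}


def dispositions(vex_json: str, cve: str) -> List[Tuple[str, str, str]]:
    """Return (product name, status, justification) for each product listed
    under the given CVE. A product in two status groups is a malformed VEX."""
    doc = json.loads(vex_json)
    if doc.get("document", {}).get("category") != "csaf_vex":
        raise ValueError("not a CSAF VEX document")
    names, out, seen = product_names(doc), [], set()
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        just = {pid: flag.get("label", "")
                for flag in vuln.get("flags", []) for pid in flag.get("product_ids", [])}
        for status in STATUS_KEYS:
            for pid in vuln.get("product_status", {}).get(status, []):
                if pid in seen:
                    raise ValueError(f"{pid} appears under more than one status")
                seen.add(pid)
                out.append((names.get(pid, pid), status, just.get(pid, "")))
    return out


def release_date(vex_json: str) -> str:
    """When this assessment was issued (document.tracking); compare across downloads."""
    return json.loads(vex_json)["document"]["tracking"]["current_release_date"]
```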

Q: If I have a question about a vulnerability status included in a VEX file, who do I contact?

A: Send your question to vex-support@cisco.com.

Q: Why do I see the status for a CVE on CVR but not in the VEX file?

A: Share this feedback with vex-support@cisco.com so we can investigate.

Q: How do I get the status of a vulnerability that is not currently listed in the VEX file?

A: Enter the vulnerability’s CVE ID in the search box and identify the product, platform, and software release. Click Search. If no results are returned, click the Request Assessment button. Requests are currently limited to CVEs published in or after 2018.

Working with a VEX Document

Q: How do I view a VEX file?

A: The VEX file is a JSON-formatted file. Open it in any editor or viewer that supports the JSON format.

Q: How do I access a JSON file?

A: One method would be to download and install Visual Studio Code. Open the JSON file in VS Code, right-click, and choose Format Document. All the information in the document remains local—that is, the data never leaves the user's computer, thus satisfying the usage terms.

Q: How do I convert a JSON file to other file types, such as HTML?

A: There are many tools that can help you navigate a JSON file and convert JSON data to an HTML table.

  • JSON Editor Online (https://jsoneditoronline.org/): A user-friendly online JSON editor that allows you to view, edit, and format JSON data in a tree view or code view.
  • JSON Viewer (https://codebeautify.org/jsonviewer): A simple and easy-to-use online tool that allows you to visualize JSON data in a tree view and provides options for beautifying and validating JSON data.
  • Convert JSON to HTML Table (https://www.convertjson.com/json-to-html-table.htm): Another tool that allows you to convert JSON data to an HTML table. You can paste or upload a JSON file, and it will create an HTML table that you can copy or download.
  • JSON Utils (https://jsonutils.com/): A collection of online JSON utilities, including a JSON viewer that presents JSON data in a collapsible tree view. The site also offers tools for JSON formatting, validation, and conversion.

Q: What if my tool does not interpret the VEX file correctly?

A: The issue may be with the VEX file or with the tool. Try viewing the file with a different tool.

We are interested in knowing if there is a problem with our VEX files and any tool issues. Please send an email to vex-support@cisco.com and include the name and version of the tool(s) as well as the VEX file you are trying to view.

Q: Who do I contact if I have general questions or want to provide feedback?

A: Questions and feedback can be submitted to vex-support@cisco.com.

Using CVR

Q: What is CVR?

A: The Cisco Product Security Incident Response Team (PSIRT) launched the Cisco Vulnerability Repository (CVR) tool in 2022 to help customers determine which vulnerabilities impact their Cisco products. Driven by customers’ need for concise vulnerability information to apply to their unique environments, CVR allows customers to search against CVEs to get vulnerability disposition data for their products. If the queried data is unavailable, customers can request an investigation.

Q: Who can request or view CVR information?

A: Any customer with a Cisco.com account can view or request CVR information.

Q: What vulnerability data does CVR contain?

A: At this time, CVR returns disposition data for third-party software (TPS) vulnerabilities, which are vulnerabilities that exist in other vendors’ code that may be reused in Cisco products. Results of queries that apply to Cisco-sourced CVEs will point users to the associated Cisco Security Advisories. CVR only applies to vulnerabilities from 2018 to the present and does not currently cover Cisco cloud products.

Q: What type of CVR requests can I make?

A: Currently, CVR is limited to returning dispositions for third-party software (TPS) vulnerabilities—that is, vulnerabilities that exist in other vendors’ components but could potentially impact on-premises Cisco products. Results of queries that apply to Cisco-sourced CVEs will point users to the associated Cisco Security Advisories. CVR only applies to vulnerabilities from 2018 to the present. CVR does not support cloud-based products. Submission of CVR Disposition Requests and creation of VEX documents are allowed up to the Last Day of Support milestone.

Q: What are the benefits of CVR?

A: Customers get answers to their questions about CVEs in our products more quickly.

Engineering needs to provide the disposition of a vulnerability for a version of a product only once. When CVR receives the disposition, it will be available for all customers.

Q: What do I do if the product, platform, or release that I’m interested in is not listed?

A: Email vex-support@cisco.com and request that the product, platform, and release that you are interested in be added to the tool. If the product is still supported, we will add it to CVR.

Q: How do you use CVR?

A: See the instructions at the top of this page.

Q: What type of information is visible on CVR?

A: The CVR tool allows customers to search the Cisco PSIRT’s vulnerability data by entering a CVE ID. The tool returns the following information:

  • Information that the Cisco PSIRT has on the vulnerability from outside sources, such as the U.S. government’s National Vulnerability Database (NVD), as well as the Cisco PSIRT’s own assessments and scoring
  • When applicable, disposition data on which Cisco products have been confirmed to be affected by the vulnerability or not affected by the vulnerability

Q: Where do I go for more information if a product I have questions about is not listed in the Security Advisory?

A: At this time, there is no way to submit a request against any product if an advisory has been published for that CVE ID. This feature is planned for a future release. If you have additional questions about a product that is not listed in a Security Advisory that CVR has routed you to, open a case with Cisco Technical Assistance Center (TAC).

Q: How do I verify the signature on a VEX document that I downloaded from CVR?

Verifying the VEX document will confirm that it came from Cisco, that it was signed by the Cisco PSIRT PGP key, and that it has not been modified or tampered with since it was signed.

To verify the VEX document, you must install a PGP client and use the following instructions. PGP clients for multiple operating systems can be found at https://www.openpgp.org/.

Instructions

  1. Download the Cisco Product Security Incident Response Team (PSIRT) current PGP public key from https://cscrdr.cloudapps.cisco.com/cscrdr/security/center/files/Cisco_PSIRT_PGP_Public_Key.asc.
  2. Import the Cisco PSIRT’s PGP public key into your local PGP keyring by using the gpg --import command. This action should be performed once and only repeated when the imported key expires and needs to be replaced with a new one.

    In the following output example, the line imported: 1 indicates that the key has been successfully imported into the local keyring.
    user@hostname % gpg --import Cisco_PSIRT_PGP_Public_Key.asc
    gpg: key 208486A79FC08B34: public key "Cisco Product Security Incident Response Team (Cisco PSIRT key 2024-2025) <psirt@cisco.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    user@hostname %
  3. After unzipping the file downloaded from CVR, use the command gpg --verify <filename>.asc <filename>.json to verify that the Cisco PSIRT has signed the VEX document and that the document has not been modified or tampered with since it was signed.

Examples

Example: The VEX document has been signed with the Cisco PSIRT PGP key and has not been tampered with:

user@hostname % gpg --verify cisco-vex-43.211.6.0.4c_CVE-2023-48795.asc cisco-vex-43.211.6.0.4c_CVE-2023-48795.json
gpg: Signature made Mon Mar 11 11:30:35 2024 EDT
gpg:                using RSA key 4281DCA9124A8B07CECFEF79208486A79FC08B34
gpg: Good signature from "Cisco Product Security Incident Response Team (Cisco PSIRT key 2024-2025) <psirt@cisco.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4281 DCA9 124A 8B07 CECF EF79 2084 86A7 9FC0 8B34
user@hostname %

The line that begins Good signature from "Cisco Product Security Incident Response Team ..." indicates that the file was signed with a valid Cisco PSIRT PGP key and has not been modified or tampered with since it was generated. The WARNING that follows only means that the imported key has not been certified (marked as trusted) in your local keyring; confirm that the Primary key fingerprint line matches the fingerprint of the PSIRT key you downloaded in step 1 (gpg --fingerprint psirt@cisco.com displays it).

Example: The VEX document has been signed with the Cisco PSIRT PGP key, but it has been tampered with:

user@hostname % gpg --verify cisco-vex-43.211.6.0.4c_CVE-2023-48795.asc cisco-vex-43.211.6.0.4c_CVE-2023-48795.json
gpg: Signature made Mon Mar 11 11:30:35 2024 EDT
gpg:                using RSA key 4281DCA9124A8B07CECFEF79208486A79FC08B34
gpg: BAD signature from "Cisco Product Security Incident Response Team (Cisco PSIRT key 2024-2025) <psirt@cisco.com>" [unknown]
user@hostname %

The line that begins BAD signature from "Cisco Product Security Incident Response Team ..." indicates that the file was signed with a valid Cisco PSIRT PGP key but was tampered with after it was signed.
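Scripting the check in step 3 is safer with gpg's machine-readable status lines than with the human-readable output above, and pinning the key fingerprint closes the gap flagged by the WARNING in the first example. The following added example (not Cisco's code) wraps gpg --verify and accepts a file only when gpg reports GOODSIG and the VALIDSIG fingerprint equals the PSIRT fingerprint printed on this page; it assumes gpg 2.x status-line format, and the two status transcripts at the bottom are constructed to mirror the good and bad examples above.

```python
import subprocess
from typing import Tuple

# Fingerprint from the page's "Good signature" example; replace it when the
# PSIRT key rotates. Pinning prevents accepting a signature from any other key.
EXPECTED_FPR = "4281 DCA9 124A 8B07 CECF EF79 2084 86A7 9FC0 8B34"


def parse_gpg_status(status_output: str, expected_fpr: str = EXPECTED_FPR) -> Tuple[bool, str]:
    """Interpret gpg --status-fd lines. Returns (ok, reason). ok is True only
    for GOODSIG plus a VALIDSIG whose primary-key fingerprint is the pinned one:
    "Good signature" by itself says nothing about *whose* key signed."""
    goodsig, fpr = False, None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "BADSIG":
            return False, "BAD signature: file modified after signing"
        if tag in ("ERRSIG", "NO_PUBKEY"):
            return False, "cannot verify: signing key not in keyring (run gpg --import first)"
        if tag == "GOODSIG":
            goodsig = True
        if tag == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint; gpg 2.x appends the
            # primary-key fingerprint as the last field when it is known.
            fpr = (fields[-1] if len(fields) >= 12 else fields[2]).upper()
    if not goodsig or fpr is None:
        return False, "no valid signature found"
    if fpr != expected_fpr.replace(" ", "").upper():
        return False, f"signed by unexpected key {fpr}"
    return True, "good signature from pinned Cisco PSIRT key"


def verify_vex(sig_path: str, json_path: str) -> Tuple[bool, str]:
    """Equivalent of 'gpg --verify <file>.asc <file>.json' with status parsing."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, json_path],
                          capture_output=True, text=True)
    return parse_gpg_status(proc.stdout)


# Constructed status transcripts (the VALIDSIG timestamp is the page's
# "Mon Mar 11 11:30:35 2024 EDT" expressed in UTC seconds).
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 208486A79FC08B34 Cisco Product Security Incident Response Team <psirt@cisco.com>\n"
    "[GNUPG:] VALIDSIG 4281DCA9124A8B07CECFEF79208486A79FC08B34 2024-03-11 1710171035 0 4 0 1 8 00 "
    "4281DCA9124A8B07CECFEF79208486A79FC08B34\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
BAD_STATUS = ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] BADSIG 208486A79FC08B34 Cisco Product Security Incident Response Team <psirt@cisco.com>\n")
```

The TRUST_UNDEFINED line is the status-fd form of the WARNING in the example above; the fingerprint comparison is what makes the check trustworthy despite it.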

Q: Who do I contact if I have questions about the vulnerability status in CVR?

A: Email cvr-support@cisco.com.

Q: I can’t access CVR. Why not?

A: CVR access is available to customers with a Cisco.com account.

Q: What if CVR tells me that "disposition data is unavailable"?

A: This message indicates that the vulnerability has not yet been assessed for the selected software and thus no VEX information is available. Click the Request Assessment button to initiate an investigation.

Q: What if CVR tells me that the vulnerability is "under investigation"?

A: The status of the vulnerability is still under investigation for the selected product. When the investigation is complete, CVR will report the vulnerability disposition of the product, and the VEX information will indicate that the product is known to be affected or not affected.

Q: Who do I contact if I have general questions and/or want to provide feedback?

A: Questions and feedback can be submitted to cvr-support@cisco.com.