Very recently the Node.js project filed a few CVE IDs for end of life products. For vulnerability nerds this is exciting because historically EOL things didn’t get CVE IDs just for being EOL. And as one would expect, there are plenty of folks who think this is the best idea ever, and a bunch who are worried this will be the event that destroys modern civilized society.

Today there’s not really a good place to track what is or isn’t end of life software. There are some datasets being worked on, but they’re very new, and they’re “yet another dataset” we will all have to figure out how to consume. CVE could be a place to track details like this, but it’s not a simple conversation.

We should start out by saying this is against the CVE rules: being end of life is not, on its own, a vulnerability as the rules define one. This is important because it frames some of the discussion we see. It’s also interesting because a lot of dangerous things like malware, viruses, and backdoors don’t qualify for CVE IDs under those same rules.

The biggest fear seems to be the potential volume of IDs that could be unleashed on the world. How many things go EOL every year? It’s a lot of software, especially a lot of open source. We don’t really know how big this list could be. Probably hundreds, maybe thousands, per year. That’s not counting all the software that is already end of life today.

This is a pretty hard discussion to untangle. The thing I keep noticing is that what industry someone is part of seems to determine how they view this. So let’s look at it as if we’re walking around a vulnerability conference.

The CVE project

On the main stage is the CVE project. These are the folks behind it all. They control the CVE ecosystem with an iron fist. They get to make the rules, and they don’t have to (and don’t) listen to anyone else. They assume they know more about CVEs than everyone else because they are on the big stage. They know that at a conference the people on the big stage are the smartest, not because they have the most money, but because they are the smartest, obviously. They also don’t have any pants on. This is because pants hadn’t been invented when the project was formed, so they don’t see a need for pants. This seemingly odd detail will become important later.

They mostly run around in circles on stage giving each other high fives. Sometimes they stop and sneer out into the crowd, but it’s pretty far away, so those people are less important, no need to pay attention.

They all wonder if Node.js is from Microsoft or Oracle. Maybe Sun, are they still around? They’re not sure which of the giant companies invented Node.js, after all, those companies build all of the software everyone uses. What was the thing about end of life? Who knows, it’s time for more high fives!!!

You head towards the stage and try to ask them where their pants are and where the Node.js EOL IDs fit in, but there is a razor wire fence around their stage, and every time you try to shout a question they throw a rock at your head. It’s clear this isn’t a good use of your time.

You move on.

Vulnerability data

Next to the stage are the vulnerability data groups. They “enrich” the CVE data. By enrich they mean make it more accurate, and more accurate means “still mostly wrong”. They have pants, but they wear them on their heads. They assure you everything is very fine and normal: normal people wear pants, they are also wearing pants, everything is normal because everyone has pants.

This group doesn’t like EOL CVE IDs because they already can’t handle the volume of existing data. Adding something new will crush their already overworked teams. Some of them secretly know this is a good idea, but they won’t say it out loud.

Operating systems

Next are the operating system folks. Half of them are sleeping at their booths because they’ve been at this show for decades and they know none of this will change anything. Their booth is overflowing with old food containers, you think you see a wrapper from the early 90’s on the floor. They have pants on, but it’s JNCO jeans.

The other half are the cool new distroless container kids. They are shouting that you are legally required to talk to them. While you glance at the old food wrappers they run in your direction. They start explaining that they can solve all your problems by removing everything from a container. They have pants, but they are very very small, too small, disturbingly small, and you’ve already seen everything. They run up to you and start yelling at you about their tiny pants.

They shout: “Our pants are the smallest here, I dare you to find smaller pants”

You: “Yeah, I can’t unsee your small pants, thanks”

Them: “While we were discussing pants just now we put our phone number in your phone, so we can be friends!”

You: “How did you get my phone out of my pocket? … Where did my pants go???”

These operating systems folks aren’t exactly sure what an EOL CVE will mean for them. Probably more work. They secretly hope it means people will finally upgrade those containers that are old enough to drink now. But they know nothing will really change, it never does, not for them.

Vulnerability scanners

The vulnerability scanner folks are near the door. Instead of old fast food wrappers, these folks have a disturbing number of empty whiskey bottles and energy drink cans strewn about. When you ask them about EOL CVEs they just look at you and mumble something about Log4Shell and how nothing is real.

Some of them seem to think this is a great idea, some think it’s a terrible idea. Either way they have to deal with all this data, whether it lands in CVE or not. They’re all sitting at tables and it’s not obvious if they have pants on. You’re too afraid to ask.

Compliance analysts

A very vocal group is all the folks who have to keep their organization in compliance. There are loads of compliance standards that say you need to fix, remediate, or justify every single vulnerability finding in your environment. This is a huge task, and adding more IDs is the nightmare they’ve been warning us all about: every new ID that matches something in their environment is another finding they have to track to closure.

Now, it’s easy to argue that running end of life software is a bad idea, and they would agree with that. But their job is to justify vulnerability findings, and more findings, right or wrong, means more work. End of life is somebody else’s problem.

Most of them know this entire process is broken and wrong, but those people on stage keep assuring everyone it’s fine and we should just keep doing it the way we’ve always done it.

This group is at the mercy of everyone else: the vulnerability scanners create their work, and the compliance standards tell them what to do about it. They just want to go home, put on some comfy pants, and drink a reasonable amount of whiskey, but nobody will let them until all the vulnerabilities are dealt with.

Open source

The open source folks are at the back, as they always are. Some of them have started giving away pants because they got sick of nobody having any decent pants on. Even though the pants are free, none of the vulnerability people want them. They’re obviously the nicest pants at the show. Microsoft and OpenAI both have a cart they are filling with the free pants and hope nobody will notice.

Every time the open source crew suggests maybe we could all work on making some new pants together, all the other groups laugh at them and explain that there’s no way a group of random people can work on something as complicated as vulnerabilities. It’s just not realistic, how could we trust that data?

The conversation goes something like this:

CVE: “How could we trust the data a bunch of random people put together?”

Open Source: “We created Linux, that’s way more complicated than your data”

CVE: “But can we trust this Linux thing?”

OS: “You’re running Linux right now”

CVE: “I’m hearing that we can’t trust community data”

OS: “Your data is terrible, nobody can trust it now”

CVE: “This open source thing sounds like a fad that will die out in a few years”

Will anything change?

The real question in all of this is whether anything will actually change because of a few EOL CVE IDs. We won’t know for a while. Maybe it’s a terrible idea and nobody will use them. Maybe it’s a great idea and in a year we’ll have forgotten all about this conversation. Most likely we’ll all just go back to pretending everything is fine and ignore these 3 Node.js EOL CVE IDs. Only time will tell.

The thing I would suggest in all of this is to look for why someone is complaining about a change. A lot of the complaining and friction isn’t about an idea being good or bad; it’s because these people are incredibly overworked and stressed out. Something that could make more work for them won’t be met with open arms, even if that idea could make the world a better place.

If talking about vulnerabilities is something you’re interested in, there’s a Discord server called Extended Vulnerability Community (EVC) you are welcome to join. It’s very informal and a place to discuss topics like this.