Revised Final Interpretation for RI # 31 - Obvious vulnerabilities

Date: 10/25/2002
Subject: Obvious vulnerabilities
Revision: 1
Reason for revision: Interpretation should be captured in the document so information is not lost
CC Part #1 Reference: 
CC Part #2 Reference: 
CC Part #3 Reference: CC Part 3, Section 14.4 (AVA_VLA)
CEM Reference: CEM, Section 6.9.2 (AVA_VLA.1)
CEM, Section 7.10.3 (AVA_VLA.1)
CEM, Section 8.10.3 (AVA_VLA.2)


AVA_VLA.1 requires the developer to identify and test for obvious vulnerabilities, and for evaluators to verify the adequacy of the set of identified vulnerabilities and perform penetration testing to ensure that all obvious vulnerabilities have been addressed. The CC defines 'obvious vulnerabilities'. However, information in the public domain is highly dynamic. Thus, it is conceivable (even likely) for new vulnerabilities to appear between the time that the TOE is frozen and the time that evaluators complete the Evaluation Technical Report. This leads to two obvious questions:

1) At what point in the evaluation should monitoring of the public domain for new 'obvious vulnerabilities' cease?

2) What obligation does the vendor have to address vulnerabilities not addressed by the ST or the TOE?



Concerning question 1, the point at which monitoring should cease is a national scheme issue and therefore outside the scope of a Common Criteria Interpretation. It may be the case that this issue will be dealt with more directly in the context of mutual recognition.

Concerning question 2, all vulnerabilities found in the time frame defined by the scheme (see answer to question 1) that affect the TOE's ability to meet the stated requirements or counter the stated threats must be addressed either directly by the TOE or through appropriate statements in the intended environment. Any other vulnerabilities are outside the scope of the evaluation and need not be addressed.

Specific Changes

In the CEM, the following paragraph is inserted after paragraphs 899, 1255, and 1722.

Information in the public domain is highly dynamic. Therefore, it is possible that new vulnerabilities are reported in the public domain between the time the developer performs the vulnerability analysis and the time that the evaluation is completed. The point at which monitoring of the public domain information ceases is an evaluation authority issue; therefore guidance and agreement should be sought from the evaluation authority.