
Publishing CBL-Mariner CVEs on the Security Update Guide CVRF API

Microsoft is pleased to announce that beginning January 11, 2023, we will publish CBL-Mariner CVEs in the Security Update Guide (SUG) Common Vulnerability Reporting Framework (CVRF) API. CBL-Mariner is a Linux distribution built by Microsoft to power Azure's cloud and edge products and services, and it is currently in preview as an AKS Container Host. Publishing CVEs for vulnerabilities that have been addressed in CBL-Mariner's upstream open-source projects will help security teams find the most up-to-date information to discover, assess, and patch systems quickly and consistently across cloud and edge scenarios.

The addition of CBL-Mariner CVEs to the CVRF API represents a sizable increase in the monthly volume of published CVEs. Customers who ingest CVEs through the API and do not wish to receive CBL-Mariner-related CVEs should build automation that filters them out. A Mariner CVE can be identified by checking whether the CVE record contains a tag whose value is "Managed by Mariner".

Example PowerShell scripts for navigating the data returned by the CVRF API are published on GitHub. The snippet below, which is not part of the linked GitHub repository, shows how to use a PowerShell script to find the tag of the first CVE in a monthly release:

[Image: code snippet showing a PowerShell script that retrieves the tag of the first CVE in a monthly release]

CBL-Mariner is built from a number of upstream open-source projects, so the majority of CBL-Mariner CVEs are authored and published by other organizations acting as the CVE Numbering Authority (CNA). The CVRF API includes the owning CNA as part of the CVE record, in the note referenced by Type=8. Security researchers are encouraged to work directly with the respective upstream open-source projects to report issues or findings.
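The following PowerShell is an added example, not the snippet from the original post and not one of the MSRC GitHub scripts. It ties together the two points above: it splits a monthly CVRF release into CBL-Mariner CVEs (identified by a note whose value is "Managed by Mariner") and all other CVEs, and reports the owning CNA from the Type=8 note. It assumes the JSON shape the API returns when called with `Accept: application/json` (a top-level `Vulnerability` array whose items carry `CVE`, `Title.Value`, and a `Notes` array of `{Title, Type, Value}` objects); the live endpoint URL, the `Type` value used for the tag note in the sample, and the CVE identifiers and CNA names in the constructed sample are assumptions or placeholders, not data from the page.

```powershell
# Added example, not code from the original post or the MSRC repository.
# Splits a CVRF monthly release into CBL-Mariner and non-Mariner CVEs and
# reports the owning CNA. Field names (Vulnerability, CVE, Title.Value, Notes,
# Type, Value) are assumed to match the API's JSON output.

function Split-MarinerCves {
    param(
        # A CVRF document object, e.g. the output of Invoke-RestMethod or
        # ConvertFrom-Json on the API response.
        [Parameter(Mandatory)] $CvrfDocument
    )

    $mariner = @()
    $other   = @()

    foreach ($vuln in $CvrfDocument.Vulnerability) {
        $notes = @($vuln.Notes)

        # The post says Mariner CVEs carry a tag with the value "Managed by Mariner".
        # Match on Value only; the post does not give the Type number for tag notes.
        $isMariner = @($notes | Where-Object { $_.Value -eq 'Managed by Mariner' }).Count -gt 0

        # The post says the owning CNA is the note referenced by Type=8.
        $cna = ($notes | Where-Object { $_.Type -eq 8 } | Select-Object -First 1).Value

        $record = [pscustomobject]@{
            CVE   = $vuln.CVE
            Title = $vuln.Title.Value
            CNA   = $cna
        }

        if ($isMariner) { $mariner += $record } else { $other += $record }
    }

    [pscustomobject]@{
        Mariner = $mariner   # candidates to drop if you do not want Mariner CVEs
        Other   = $other     # everything else in the release
    }
}

# Constructed sample in the assumed API shape. CVE IDs and CNA names are placeholders.
# The Type value on the "Tag" note (7) is an assumption; Split-MarinerCves never relies on it.
$sampleJson = @'
{
  "Vulnerability": [
    {
      "CVE": "CVE-0000-0001",
      "Title": { "Value": "Placeholder upstream package vulnerability" },
      "Notes": [
        { "Title": "Tag", "Type": 7, "Value": "Managed by Mariner" },
        { "Title": "CNA", "Type": 8, "Value": "Placeholder upstream CNA" }
      ]
    },
    {
      "CVE": "CVE-0000-0002",
      "Title": { "Value": "Placeholder Windows component vulnerability" },
      "Notes": [
        { "Title": "Tag", "Type": 7, "Value": "Placeholder Windows component" },
        { "Title": "CNA", "Type": 8, "Value": "Microsoft" }
      ]
    }
  ]
}
'@

$result = Split-MarinerCves -CvrfDocument ($sampleJson | ConvertFrom-Json)

'CBL-Mariner CVEs (filter these out if you do not want them):'
$result.Mariner | Format-Table -AutoSize
'Remaining CVEs:'
$result.Other | Format-Table -AutoSize

# To run against a real monthly release instead of the sample, fetch the document
# from the API (URL and version below are an assumption; adjust to the current API):
#   $doc = Invoke-RestMethod -Uri 'https://api.msrc.microsoft.com/cvrf/v2.0/cvrf/2023-Jan' `
#                            -Headers @{ Accept = 'application/json' }
#   Split-MarinerCves -CvrfDocument $doc
```

The filter deliberately matches the tag's full value with `-eq` rather than a substring, so a note that merely mentions Mariner in descriptive text is not treated as a Mariner CVE. If you do drop Mariner CVEs from your feed, keep the `Other` set as your ingestion input and log the `Mariner` set so the exclusion remains auditable.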

As we continue to improve the features and data available in the SUG, we remain focused on providing our customers with the best experience possible. If you have any questions or suggestions for additional improvements, please contact us through the MSRC Support Form.

Lisa Olson and Japhet Debrah
Microsoft Security Response Center
