cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

Firmware Vulnerability data files URLs don't function, new ones I think require product update

Jump to solution

Was noticing that no new recent vulnerabilities are showing up in NCM, so I went to check things out.

In my Firmware Vulnerability Settings page, I'm getting the following errors -

URL "http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-recent.xml" is currently inaccessible.

URL "http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml" is currently inaccessible.

If you go to those URL's it says that "Effective October 16, 2015 the XML data feeds will no longer be available for download in an uncompressed format.

You have reached this page because you have a process that links directly to a file that no longer exists.  Please modify your process to use the compressed format as described on the main NVD Datafeeds landing page."

If you go to the NVD Datafeeds landing page (NVD - Data Feeds), there are links to the compressed version of the two files above in either GZIP or ZIP format

http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz

http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.zip

http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Recent.xml.gz

http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Recent.xml.zip

Its fairly easy to unzip them and drop them in to the correct directory, which is shown in the Settings page, but I thought maybe a product update to fix this is in order?

1 Solution
Level 18

Yep, we know. Fix is on the way.

In the meantime, you have the workaround you described. We even have an official document for this.

Jiri

View solution in original post

35 Replies
Level 7

Problem still not corrected in NCM 2019.4 HF1.

Have your developers looked to NVD - Data Feeds ?

0 Kudos

trekkie007 I already opened a case with support and I was informed that the developers are working on it as a priority case . I was informed that this will be fixed most likely by next year mid .

Level 9

I have the exact same issue. Just updated to v7.5 and realized that NCM haven't updated the vulnerabilities since october 2015.

I did look up the URL's and it actually seems it's now the following ones:

https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Recent.xml.zip

https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.zip

If I direct my brower to these two URL's it downloads the ZIP-files without any problem. But NCM cannot.

I can see in my firewall that HTTPS is open and that my NCM server is actually trying to connect on port TCP 443 (to NIST on an IP in the range 129.6.0.0/16)... but still no new files in the folder. And, yes the folder path passes validation.

What could be the cause? Why cannot NCM fetch the files? Or is it something about it's not being able to unzip them and therefore it just drops the files?

0 Kudos

Please upgrade to NCM 7.5.1 where this issue should be resolved.

Thanks,

Jeff

That did it, now it works! Thanks!

0 Kudos
Level 8

Having the same issue on 7.5

0 Kudos
Level 11

Just upgraded to 7.5 and having this issue.

0 Kudos
Level 8

Same issue here, can we get some eyes on this?

0 Kudos
Level 9

I updated NCM to 7.4.1 and this still doesn't work.  My settings match the screen above but still get the error.

error.jpg

0 Kudos

I have the same issue. I can access the urls from the host. I could manually do the process as suggested though this seems like it defeats the purpose of an automated task.

0 Kudos

I also have this problem.  Seems to me that Solar Winds should put an update out that fixes this properly, rather than expecting us all to manually import.

0 Kudos

This fell off my radar, though I have to say that I would still really like this feature to actually work. I have plenty of other compliance tools (most of which are long lists from other people) but I would like to have the functionality as advertised. Okay this will probably die as a thread as well as a blip on my radar.

0 Kudos
Level 15

Awesome, great to hear

0 Kudos
Level 18

Yep, we know. Fix is on the way.

In the meantime, you have the workaround you described. We even have an official document for this.

Jiri

View solution in original post

I got this confermation from the NIST, on my question for how long this vulnerability XML download will be available for automated download (like in NCM)

Per the timeline provided in the XML feed retirement announcement we will be implementing Phase 3 of the XML retirement plan on Wednesday October 16th.

  •     This is 1 week later than originally planned.
  •     The feeds will no longer be accessible to any users or automated processes.
  •     Users will need to begin ingesting the JSON 1.1 Feeds for vulnerability information.

  We originally announced the retirement of the XML Vulnerability feeds at the beginning of this year so organizations would have time to adjust....

I hope we have a working solution for NCM to download these vulnerability XML files after 16 October 2019       Is there a plan-B ?

0 Kudos

we dont even see the compressed versions of the xml from Oct 16.

Whats the version of NCM for which there is plan to include JSON feeds ?

And does converting the JSON feeds to xml and uploading them work? Has anyone tried it

0 Kudos

No it seems the XML version is no longer supported by NIST and the new version is not supported by NCM. Not good!

(NVD - XML Vulnerability Feed Retirement Phase 3 )

Solarwinds, time to work!!

This feature request has been announcing this since April:

0 Kudos

Yes . You are totally right.  But I think solarwinds developers are already working on the fix in next NCM release. I just hope they backport to older supported releases also .

cvachovecj​ You stated a fix was on the way, I am running the most recent version of NCM and this issue persists.

0 Kudos

serramg​ What version of NCM are you currently running?

0 Kudos