GB/T 30279-2020 English PDF (GBT30279-2020)


GB/T 30279-2020: Information security technology - Guidelines for categorization and classification of cybersecurity vulnerability
GB/T 30279-2020
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 30279-2013; GB/T 33561-2017
Information security technology - Guidelines for
categorization and classification of cybersecurity
vulnerability
ISSUED ON: NOVEMBER 19, 2020
IMPLEMENTED ON: JUNE 01, 2021
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Abbreviations ... 6
5 Categorization of network security vulnerabilities ... 6
5.1 Overview ... 6
5.2 Code problem ... 7
5.3 Configuration errors ... 10
5.4 Environmental problems ... 10
5.5 Others ... 11
6 Classification of network security vulnerabilities ... 11
6.1 Overview ... 11
6.2 Classification indicators of network security vulnerabilities ... 12
6.3 Classification method for network security vulnerabilities ... 17
Appendix A (Normative) Exploitability classification ... 21
Appendix B (Normative) Classification of influence degree ... 23
Appendix C (Normative) Classification of environmental factors ... 24
Appendix D (Normative) Technology classification of vulnerabilities ... 25
Appendix E (Normative) Comprehensive classification of vulnerabilities ... 26
Appendix F (Informative) Example of vulnerability classification ... 27
References ... 30
Information security technology - Guidelines for
categorization and classification of cybersecurity
vulnerability
1 Scope
This standard provides categorization methods and classification indicators for
cybersecurity vulnerabilities (hereinafter "vulnerabilities") and gives suggested
classification methods.
This standard applies to the categorization of vulnerabilities and the assessment of their
hazard level as carried out by network product and service providers, network operators,
vulnerability collection organizations and vulnerability emergency-response organizations
in the course of vulnerability management, product production, technology research and
development, network operation and similar activities.
2 Normative references
The following documents are essential to the application of this document. For dated
references, only the edition cited applies; for undated references, the latest edition
(including all amendments) applies.
GB/T 20984 Information security technology - Risk assessment specification for
information security
GB/T 25069 Information security technology - Glossary
GB/T 28458 Information security technology - Cybersecurity vulnerability
identification and description specification
GB/T 30276 Information security technology - Specification for cybersecurity
vulnerability management
3 Terms and definitions
The terms and definitions, as defined in GB/T 25069, GB/T 20984, GB/T 28458, GB/T
30276, as well as the following terms and definitions, apply to this document.
3.1
implementation, during the code development process of network products and services.
5.2.2 Resource management errors
This type of vulnerability results from mismanagement of system resources such as
memory, disk space, files and CPU time.
5.2.3 Input validation errors
5.2.3.1 Overview
This type of vulnerability refers to a vulnerability, which is caused by the lack of proper
validation of the input data.
5.2.3.2 Buffer area errors
This type of vulnerability results from missing or incorrect bounds checking on memory
operations, so that reads or writes reach other, adjacent memory locations; examples are
buffer overflow and heap overflow.
5.2.3.3 Injection
5.2.3.3.1 Overview
This type of vulnerability arises when commands, data structures or records are
constructed from user input without correct validation, so that special elements in the
input are not filtered, or are filtered incorrectly, and the result is parsed or
interpreted wrongly.
5.2.3.3.2 Format string errors
This type of vulnerability is caused by insufficient checking of the type and number of
parameters when an externally supplied format string is accepted as a parameter.
5.2.3.3.3 Cross-site scripting
This type of vulnerability occurs in web applications: because client-supplied data is
not correctly validated, unintended code is delivered to, and executed by, other clients.
5.2.3.3.4 Command Injection
This type of vulnerability arises when executable commands are constructed from input
whose special elements are improperly filtered, so that unintended executable commands
are generated.
5.2.3.3.5 Code injection
This type of vulnerability arises when code segments are constructed from external input
whose special elements are not correctly filtered, so that unintended code segments are
generated and the expected execution control flow of the network product or service is
altered.
5.2.3.3.6 SQL injection
This type of vulnerability arises in database-backed applications when the external input
that forms an SQL statement is not validated, so that unintended SQL statements are
generated and executed.
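The injection sub-categories above map directly onto ordinary application code. The following is an added example, not part of the standard: every input, the in-memory SQLite database, the Config class and the use of the echo command are constructed for illustration, and a POSIX shell is assumed. It places a vulnerable function beside its hardened form for 5.2.3.3.2, 5.2.3.3.4, 5.2.3.3.5 and 5.2.3.3.6. For the format string case it uses the Python analogue of the defect, an attacker-controlled str.format template that walks into object attributes, rather than the C printf form the definition has in mind.

```python
import ast
import sqlite3
import subprocess


# --- 5.2.3.3.2 format string (Python analogue): the user controls the template ---------
class Config:
    """Constructed application object; db_password stands in for any sensitive attribute."""
    def __init__(self):
        self.db_password = "hunter2"


def render_greeting_vulnerable(template, cfg):
    # The caller lets the user supply the format string itself, so a template such as
    # "{cfg.db_password}" reaches attributes that were never meant to be rendered.
    return template.format(cfg=cfg)


def render_greeting_hardened(name):
    # Fixed template: user data only ever fills a value slot and is never interpreted.
    return "Hello, {name}".format(name=name)


# --- 5.2.3.3.4 command injection (assumes a POSIX shell and an echo binary) -------------
def describe_vulnerable(label):
    # shell=True: ';', '|' and '$(...)' inside label become shell syntax.
    return subprocess.run("echo tag: " + label, shell=True,
                          capture_output=True, text=True).stdout


def describe_hardened(label):
    # argv list and no shell: label is passed as one literal argument.
    return subprocess.run(["echo", "tag:", label],
                          capture_output=True, text=True).stdout


# --- 5.2.3.3.5 code injection -------------------------------------------------------------
def parse_config_vulnerable(text):
    # eval() interprets the whole string as Python, so any expression in it runs.
    return eval(text)


def parse_config_hardened(text):
    # ast.literal_eval accepts only literal structures (dicts, lists, numbers, strings)
    # and raises ValueError for anything that would execute.
    return ast.literal_eval(text)


# --- 5.2.3.3.6 SQL injection (constructed in-memory SQLite database) --------------------
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "pa55")])
    return con


def login_vulnerable(con, name, pw):
    # String interpolation: a quote character in pw changes the statement's structure.
    q = "SELECT count(*) FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return con.execute(q).fetchone()[0] > 0


def login_hardened(con, name, pw):
    # Parameter binding: the driver sends values separately from the statement text.
    q = "SELECT count(*) FROM users WHERE name = ? AND pw = ?"
    return con.execute(q, (name, pw)).fetchone()[0] > 0


if __name__ == "__main__":
    print(render_greeting_vulnerable("{cfg.db_password}", Config()))  # leaks the secret
    print(describe_vulnerable("x; echo INJECTED"))                     # second command runs
    print(parse_config_vulnerable("__import__('os').getpid()"))        # arbitrary code runs
    print(login_vulnerable(make_db(), "alice", "' OR '1'='1"))         # True, no password
```

In each pair the hardened form does not try to filter special elements out of the input; it keeps the input in a data channel (a value slot, an argv element, a literal parser, a bound parameter) so that no special element is ever interpreted.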
5.2.3.4 Path traversal
This type of vulnerability arises when resource references or special elements in file
paths are not properly filtered, allowing access to locations outside the restricted
directory.
5.2.3.5 Link following
This type of vulnerability arises when a file is accessed by name and that name is a link
or shortcut to an unexpected resource which is not properly filtered, so that the wrong
file path is accessed.
5.2.3.6 Cross-site request forgery
This type of vulnerability arises in web applications when the server does not
sufficiently verify that a request originates from a trusted user, so that a deceived
client sends an unintended request to the server.
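For 5.2.3.3.3 and 5.2.3.6, the following added example (not part of the standard) contrasts a handler that echoes client data into HTML with one that output-encodes it, and a state-changing handler that trusts the session cookie alone with one that also requires an HMAC-bound CSRF token and checks the Origin header. Requests are represented as plain dicts with the keys cookie_session, form_csrf and origin; SERVER_SECRET and SITE_ORIGIN are constructed values.

```python
import hashlib
import hmac
import html
import secrets


# --- 5.2.3.3.3 cross-site scripting --------------------------------------------------------
def comment_html_vulnerable(comment):
    # Client data is placed into the page as-is, so markup in it runs in other users' browsers.
    return "<p>" + comment + "</p>"


def comment_html_hardened(comment):
    # Output encoding for the HTML text context: < > & " ' become entities and stay inert.
    return "<p>" + html.escape(comment, quote=True) + "</p>"


# --- 5.2.3.6 cross-site request forgery ------------------------------------------------------
SERVER_SECRET = secrets.token_bytes(32)   # constructed; load from configuration in practice
SITE_ORIGIN = "https://bank.example"      # assumed origin of the application


def csrf_token(session_id, secret=SERVER_SECRET):
    # Token bound to the session with a keyed hash: a foreign page can neither read nor
    # compute it, because the same-origin policy hides our responses from that page.
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request):
    # Only checks that a session cookie arrived. Browsers attach cookies to cross-site form
    # posts automatically, so a request forged by another site passes this check.
    return request.get("cookie_session") is not None


def transfer_hardened(request, secret=SERVER_SECRET):
    session = request.get("cookie_session")
    if session is None:
        return False
    # The token travels in the form body, which a cross-site page cannot populate.
    expected = csrf_token(session, secret)
    if not hmac.compare_digest(expected, str(request.get("form_csrf", ""))):
        return False
    # Defence in depth: if the browser sent an Origin header, it must be our own.
    origin = request.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return True


if __name__ == "__main__":
    print(comment_html_vulnerable("<script>alert(1)</script>"))
    print(comment_html_hardened("<script>alert(1)</script>"))
    forged = {"cookie_session": "sess123", "form_csrf": "", "origin": "https://evil.example"}
    print(transfer_vulnerable(forged), transfer_hardened(forged))
```

The token check uses hmac.compare_digest so that a byte-by-byte comparison does not leak how many leading characters of a guess were right; the Origin check is secondary because some clients omit the header, which is why it rejects only a present, foreign origin.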
5.2.4 Numeric errors
This type of vulnerability covers integer overflow, sign errors and similar defects caused
by incorrect calculation or conversion of numeric values.
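Python integers do not overflow, so the following added example (not part of the standard) emulates 32-bit C arithmetic with to_u32 and to_i32 to show the two defects named in 5.2.4: a size computation that wraps and slips past a bounds check, and a length field whose sign is misread. BUFFER_SIZE and ELEM_SIZE are constructed values.

```python
MASK32 = 0xFFFFFFFF
BUFFER_SIZE = 1024   # constructed capacity of the destination buffer, in bytes
ELEM_SIZE = 4        # constructed size of one element, in bytes


def to_u32(n):
    """Wrap a Python int to an unsigned 32-bit value, as C uint32_t arithmetic would."""
    return n & MASK32


def to_i32(n):
    """Reinterpret the low 32 bits of n as a two's-complement signed value."""
    n &= MASK32
    return n - (1 << 32) if n & 0x80000000 else n


def copy_size_vulnerable(count):
    # Integer overflow: count * ELEM_SIZE is computed in 32 bits and wraps, so a huge
    # count yields a tiny 'needed' that passes the check while the copy loop would still
    # iterate 'count' times and overrun the buffer.
    needed = to_u32(count * ELEM_SIZE)
    if needed > BUFFER_SIZE:
        raise ValueError("request exceeds buffer")
    return needed


def copy_size_hardened(count):
    # Check in a domain that cannot wrap: compare count against capacity / ELEM_SIZE.
    if count < 0 or count > BUFFER_SIZE // ELEM_SIZE:
        raise ValueError("request exceeds buffer")
    return count * ELEM_SIZE


def length_vulnerable(length_field):
    # Sign error: a 32-bit wire length is read as signed, so 0xFFFFFFFF becomes -1, passes
    # the upper-bound check, and is then converted back to a huge unsigned size.
    length = to_i32(length_field)
    if length > BUFFER_SIZE:
        raise ValueError("length exceeds buffer")
    return to_u32(length)


def length_hardened(length_field):
    # Treat the wire value as unsigned throughout and bound it before any conversion.
    length = to_u32(length_field)
    if length > BUFFER_SIZE:
        raise ValueError("length exceeds buffer")
    return length


if __name__ == "__main__":
    print(hex(copy_size_vulnerable(0x40000001)))   # passes the check with 4 bytes 'needed'
    print(hex(length_vulnerable(0xFFFFFFFF)))      # -1 passes the check, then becomes 4 GiB
```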
5.2.5 Race condition problems
This type of vulnerability arises in a concurrent running environment when a piece of code
needs mutually exclusive access to a shared resource, but another piece of code can modify
that resource concurrently within the same time window.
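The following added example (not part of the standard) covers 5.2.3.4, 5.2.3.5 and 5.2.5 together, because one opening discipline addresses all three: resolving and containing the path catches both '..' traversal and symlinks that point outside the served directory, and opening with O_NOFOLLOW and then inspecting the opened descriptor removes the check-then-use window that a naive islink-then-open sequence leaves. The directory layout, file names and the swap_for_symlink attacker action are constructed; a POSIX filesystem with os.O_NOFOLLOW is assumed.

```python
import os
import stat
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)   # POSIX flag; 0 where the platform lacks it


def make_fixture():
    """Constructed layout: <root>/secret.txt outside the served directory <root>/base,
    plus a public file and a symlink inside base that points at the secret."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "base")
    os.mkdir(base)
    secret = os.path.join(root, "secret.txt")
    with open(secret, "wb") as f:
        f.write(b"SECRET")
    with open(os.path.join(base, "public.txt"), "wb") as f:
        f.write(b"public")
    os.symlink(secret, os.path.join(base, "link.txt"))
    return root, base, secret


# --- 5.2.3.4 path traversal and 5.2.3.5 link following ----------------------------------
def serve_vulnerable(base, user_path):
    # Joins without normalisation and follows any symlink: '../secret.txt' and 'link.txt'
    # both escape base.
    with open(os.path.join(base, user_path), "rb") as f:
        return f.read()


def serve_hardened(base, user_path):
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    # realpath resolves '..' and symlinks alike, so one containment check covers both.
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError("path escapes base directory: " + user_path)
    # O_NOFOLLOW refuses a symlink at the final component even if it was planted after the
    # check above; intermediate components need openat2/RESOLVE_BENEATH on Linux.
    fd = os.open(target, os.O_RDONLY | O_NOFOLLOW)
    try:
        return os.read(fd, 1 << 20)
    finally:
        os.close(fd)


# --- 5.2.5 race condition (time of check to time of use) ---------------------------------
def read_regular_vulnerable(path, attacker=lambda: None):
    # Check on the name, then use the name. 'attacker' stands for the concurrent code that
    # swaps the file for a symlink inside that window.
    if os.path.islink(path):
        raise PermissionError("symlink rejected")
    attacker()
    with open(path, "rb") as f:
        return f.read()


def read_regular_hardened(path, attacker=lambda: None):
    attacker()
    # Open without following a symlink, then check the object actually opened, not the name.
    fd = os.open(path, os.O_RDONLY | O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, 1 << 20)
    finally:
        os.close(fd)


def swap_for_symlink(path, target):
    """Constructed attacker action: replace a regular file with a symlink to target."""
    os.remove(path)
    os.symlink(target, path)


def toctou_demo(base, secret):
    """Run the swap scenario against both readers; return (what the vulnerable reader
    returned, whether the hardened reader refused)."""
    path = os.path.join(base, "swap.txt")

    def fresh():
        if os.path.lexists(path):
            os.remove(path)
        with open(path, "wb") as f:
            f.write(b"benign")

    fresh()
    leaked = read_regular_vulnerable(path, lambda: swap_for_symlink(path, secret))
    fresh()
    try:
        read_regular_hardened(path, lambda: swap_for_symlink(path, secret))
        blocked = False
    except OSError:          # ELOOP from O_NOFOLLOW, or the PermissionError above
        blocked = True
    return leaked, blocked
```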
5.2.6 Processing logic errors
This type of vulnerability is caused by defects in the implementation of processing logic,
or by incomplete branch coverage, during design and implementation.
5.4.2.1 Overview
This type of vulnerability allows information about the affected component to be obtained
without authorization, because of configuration errors during operation.
5.4.2.2 Log information disclosure
This type of vulnerability is information disclosure caused by abnormal output in log
files.
5.4.2.3 Debug information disclosure
This type of vulnerability is information disclosure caused by debugging information
emitted during operation.
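For 5.4.2.2 and 5.4.2.3, the following added example (not part of the standard; the log lines and the secret patterns are constructed) installs a logging.Filter that strips credential values before any handler writes them, and keeps DEBUG records out of production output so that debugging detail cannot reach the log in the first place.

```python
import io
import logging
import re

# Constructed patterns for values that routinely leak through log lines; extend per stack.
_SECRET_PATTERNS = [
    re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9\-._~+/]+=*"),
    re.compile(r"(?i)((?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*)[^\s&,;\"']+"),
]


def redact(text):
    """Keep the key so the line stays diagnosable; replace the value."""
    for pat in _SECRET_PATTERNS:
        text = pat.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return text


class RedactSecrets(logging.Filter):
    """Rewrites every record before any handler formats it, so file, syslog and console
    outputs all see the redacted message and the original never hits disk."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def capture_logs(lines, debug=False):
    """Log each (level, message) pair through a redacting logger and return the emitted
    text. debug=False is the production setting: DEBUG records are dropped entirely."""
    buf = io.StringIO()
    logger = logging.getLogger("app.redact.demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG if debug else logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactSecrets())
    for level, msg in lines:
        logger.log(level, msg)
    return buf.getvalue()


# Constructed sample records, as an application might emit them.
SAMPLE = [
    (logging.INFO, "GET /api/v1/me token=abc123 from 203.0.113.5"),
    (logging.INFO, "upstream headers: Authorization: Bearer eyJhbGciOi.payload.sig"),
    (logging.DEBUG, "config dump: db_password=hunter2 pool=10"),
]


if __name__ == "__main__":
    print(capture_logs(SAMPLE))              # two INFO lines, values redacted
    print(capture_logs(SAMPLE, debug=True))  # DEBUG line present but still redacted
```

The filter sits on the logger rather than on one handler so that adding a second output later (a file handler, a shipper) cannot silently reintroduce the leak.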
5.4.2.4 Side channel information disclosure
This type of vulnerability refers to...