Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new versions, upcoming events, new Web
site features, etc. right to your email box. Common Vulnerabilities and Exposures (CVE)
is the standard for information security vulnerability names. CVE content results from
the collaborative efforts of the CVE Editorial Board, which is comprised of leading
representatives from the information security community. Details on subscribing (and
unsubscribing) to the email newsletter are at the end. Please feel free to pass this
newsletter on to interested colleagues.
Comments:
cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/October 7, 2014
-------------------------------------------------------
Contents:
1. CVE Celebrates 15 Years!
2. Several Organizations Announce Compliance with New CVE-ID Format in Advance of
Upcoming Deadline
3. Numerous News Media Articles Posted about Upcoming CVE-ID Syntax Compliance Deadline
4. MITRE Issues Press Release about Upcoming CVE-ID Syntax Compliance Deadline
5. Also in this Issue
6. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Celebrates 15 Years!
CVE began 15 years ago this month with 321 entries on the CVE List. Since then, CVE has
truly become the international standard for public software vulnerability identifiers,
with more than 64,000 unique entries listed on the CVE Web site. Information security
professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as
a standard method for identifying vulnerabilities; facilitating their work processes;
and cross-linking among products, services, and other repositories that use the
identifiers.
CVE was initially intended as a source of mature information, but the immediate success
of CVE-IDs in the community required that the initiative quickly expand to address new
security issues that were appearing almost daily. As a result, the CVE List grew quickly
to 7,191 CVE-IDs after five years, 38,727 CVE-IDs at 10 years, and at 15 years now
includes 64,492 CVE-IDs. CVE-IDs are now assigned not only by MITRE but also by CVE Numbering
Authorities (CNAs), which are major OS vendors, security researchers, and research
organizations that assign CVEs to newly discovered issues and include the CVE-IDs in the
first public disclosure of the vulnerabilities.
LATEST MILESTONES
And CVE continues to evolve. In December 2013, the CVE List began publishing CVE content
using the Common Vulnerability Reporting Framework (CVRF), an XML-based standard that
enables software vulnerability information to be shared in a machine-parsable format
between vulnerability information providers and consumers. CVE took this important step
because having vulnerability information in a single, standardized format speeds up
information exchange and digestion, while also enabling automation.
In January 2014, the syntax of CVE-IDs was changed from the original format, which
always had four digits at the end (e.g., CVE-2014-0160), to one that accommodates five,
six, or more digits at the end, so that CVE can track 10,000 or more vulnerabilities for
a given calendar year. The previous four-digit restriction only allowed up to 9,999
vulnerabilities per year; the change allows CVE to keep pace with the growing number of
vulnerabilities being reported annually. The new CVE-ID syntax was determined in a vote
by the CVE Editorial Board.
And the milestone is rapidly approaching for when the first CVE-ID with 5 digits will be
issued. A CVE-ID number using the new syntax will be issued before the end of 2014 if
the number of identifiers assigned in 2014 requires it, and in any case no later than
Tuesday, January 13, 2015. Organizations that use CVE-IDs and have not already done so
need to take action now to ensure their products, tools, websites, and processes
continue to work properly once CVE-ID numbers with 5 digits are issued. Read our press
release.
IMPACT OF CVE ON THE INFORMATION SECURITY LANDSCAPE
The widespread impact of CVE in enterprise security is illustrated by the numerous
CVE-Compatible Products and Services in use throughout industry, government, and
academia for vulnerability management, vulnerability alerting, intrusion detection, and
patch management. The information security community endorsed the importance of
"CVE-Compatible" products from the moment CVE was launched in 1999. As quickly as
December 2000 there were 29 organizations participating with declarations of
compatibility for 43 products. Today, there are 153 organizations and 300 products and
services listed on the CVE site. Of these, 143 products and services from 77
organizations have completed the formal CVE Compatibility Process and are considered as
"Officially CVE-Compatible."
CVE-IDs have been included in security advisories from 81 organizations including major
OS vendors and others, ensuring the community benefits by having identifiers as soon as
a software issue is announced. CVE-IDs are also used to uniquely identify
vulnerabilities in public watch lists such as the OWASP Top 10 Web Application Security
Issues, in the report text and infographics of Symantec Corporation's "2014 Internet
Security Threat Report, Volume 19," and are rated by severity in the Common
Vulnerability Scoring System (CVSS). CVE-IDs are also frequently cited in trade
publications and general news media reports regarding software bugs. CVE-2014-6271 for
"Bash Shellshock," CVE-2014-6041 for the "Android browser privacy vulnerability," and
CVE-2014-0160 for "Heartbleed" are the most recent examples.
CVE has also inspired entirely new efforts. The U.S. National Vulnerability Database
(NVD), operated by the National Institute of Standards and Technology (NIST) to provide
fix information for CVE entries, is based upon, and synchronized with, the CVE List. In addition, the
Open Vulnerability and Assessment Language (OVAL) effort uses CVE-IDs for its
standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs,
and the Common Weakness Enumeration (CWE) dictionary of software weakness types is based
in part on the CVE List. Examples of other efforts inspired by the success of CVE
include CVRF, CVSS, Common Configuration Enumeration (CCE), Common Platform Enumeration
(CPE), National Checklist Program Repository, and Common Attack Pattern Enumeration and
Classification (CAPEC).
The success of CVE and the other standards it inspired also eventually enabled the
creation of NIST's Security Content Automation Protocol (SCAP). SCAP employs existing
community standards, including CVE, to enable "automated vulnerability management,
measurement, and policy compliance evaluation (e.g., FISMA compliance)." In addition,
the U.S. Federal Desktop Core Configuration (FDCC) requires verification of compliance
with FDCC requirements using SCAP-validated scanning tools. CVE has also been a
requirement in U.S. Department of Defense contracts.
And the adoption of CVE is truly international. In 2009, the International
Telecommunication Union's (ITU-T) Cybersecurity Rapporteur Group, which is the
telecom/information system standards body within the treaty-based 150-year-old
intergovernmental organization, adopted CVE as a part of its "Global Cybersecurity
Information Exchange Framework (X.CYBIEF)." ITU-T created a "Recommendation ITU-T X.1520
Common Vulnerabilities and Exposures (CVE)" standard that is based on the current CVE
Compatibility Requirements document, and any future changes to the document will be
reflected in subsequent updates to X.CVE.
COMMUNITY PARTICIPATION
CVE is an international information security community effort. It is your past and
ongoing participation, endorsement, and support that have made CVE the community
standard for vulnerability identifiers. We thank all of you who have in any way used
CVE-IDs in your products or research, promoted the use of CVE, assigned CVE-IDs as a
CNA, and/or adopted CVE-compatible products or services for your enterprise.
We also thank past and present members of the CVE Editorial Board for their
contributions, and we especially thank our sponsors throughout these 14 years,
particularly our current sponsor US-CERT in the office of Cybersecurity and
Communications at the U.S. Department of Homeland Security, for their past and current
funding and support.
OUR ANNIVERSARY CELEBRATION
Please join us as our 15-year anniversary celebration continues throughout the coming
year on the CVE Web site and in our CVE-Announce e-newsletter.
As always, we welcome any comments or feedback about CVE at
cve@mitre.org.
LINKS:
CVE List -
https://cve.mitre.org/cve/
CVE-ID numbering format change -
https://cve.mitre.org/cve/identifiers/syntaxchange.html
News page article for all links -
https://cve.mitre.org/news/index.html#october012014_CVE_Celebrates_15_Years!
---------------------------------------------------------------
Several Organizations Announce Compliance with New CVE-ID Format in Advance of Upcoming
Deadline
Several leading software vendors and cybersecurity organizations have declared that they
are now consuming or producing CVE Identifier numbers - also called "CVE-IDs" - in the
new numbering format. By taking this important step, these organizations ensure that
their products, tools, and processes that use CVE will continue to work properly once
CVE-ID numbers are issued using the new syntax, which could happen before the end of
2014, and no later than Tuesday, January 13, 2015. Read the press release.
The syntax of CVE-ID numbers (e.g., "CVE-2014-0160", which has four digits at the end)
was changed in January 2014 so that CVE can track 10,000 or more vulnerabilities for a
given calendar year. The previous four-digit restriction only allowed up to 9,999
vulnerabilities per year, and a change was needed to keep pace with the growing number
of vulnerabilities being reported each year. It is possible that 10,000 CVE-IDs will be
necessary before the end of 2014. Identifiers can now carry five, six, or more digits at
the end; existing four-digit identifiers remain valid and unchanged. Because the
sequence number is no longer fixed-width, code that matches CVE-IDs with a four-digit
pattern, stores them in a field sized for the old 13-character form, or orders them as
plain strings will mishandle the longer identifiers.
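The following is an added example, written for this newsletter page; it is not MITRE's
code and not the CVE test data the guidance page distributes. It shows, for the syntax
change described in this paragraph and in the feature story above, the three places where
four-digit assumptions break: validation, extraction from free text, and ordering. The
two four-digit identifiers are the real ones cited in this issue; the five-, six- and
seven-digit values are constructed strings that only exercise the syntax and do not
refer to real vulnerabilities. The 13-character column width is an assumption about a
schema built for the old format, and the sample advisory text is made up.

```python
"""Validate, extract and order CVE-IDs under the 2014 syntax change.

Added example, not MITRE's code or test data. Identifiers with five or
more sequence digits below are constructed syntax test values only.
"""
import re
from typing import List, NamedTuple

# Pre-2014 assumption: exactly four sequence digits. Kept only to show how
# code written to the old format misbehaves on longer identifiers.
LEGACY_CVE_RE = re.compile(r"CVE-\d{4}-\d{4}")

# 2014 syntax: CVE-<four-digit year>-<sequence of four OR MORE digits>.
# Existing four-digit IDs (CVE-2014-0160) stay valid and zero-padded.
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")


class CveId(NamedTuple):
    year: int
    sequence: int

    def __str__(self) -> str:
        # Pad the sequence to at least four digits; longer values print as-is.
        return f"CVE-{self.year:04d}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse one canonical (upper-case) CVE-ID or raise ValueError."""
    m = CVE_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not a CVE-ID under the 2014 syntax: {text!r}")
    return CveId(int(m.group(1)), int(m.group(2)))


def is_valid_cve_id(text: str) -> bool:
    """Accepts four-digit and longer sequence numbers alike."""
    return CVE_RE.fullmatch(text) is not None


def legacy_is_valid(text: str) -> bool:
    """The four-digit-only check: rejects every five-or-more-digit ID."""
    return LEGACY_CVE_RE.fullmatch(text) is not None


def extract_cve_ids(text: str) -> List[str]:
    """Find CVE-IDs in free text (advisories, tickets, commit messages).

    The trailing word boundary matters: a fixed-width pattern silently
    reports CVE-2014-1000 when the text actually says CVE-2014-10000.
    """
    return re.findall(r"\bCVE-\d{4}-\d{4,}\b", text)


def legacy_extract(text: str) -> List[str]:
    """Pre-2014 extraction: cuts longer IDs down to a wrong, shorter ID."""
    return LEGACY_CVE_RE.findall(text)


def sort_cve_ids(ids: List[str]) -> List[str]:
    """Order numerically by (year, sequence). A plain string sort puts
    CVE-2014-10000 before CVE-2014-9999 because '1' < '9'."""
    return sorted(ids, key=parse_cve_id)


def fits_fixed_column(text: str, width: int = 13) -> bool:
    """Assumed pre-2014 schema: a 13-character field held every old ID;
    a longer ID either fails to insert or is truncated to a wrong ID."""
    return len(text) <= width


# Constructed sample advisory text (not a real advisory). The two real IDs
# are the ones this newsletter cites; the longer ones are test values.
SAMPLE_ADVISORY = (
    "Fixed CVE-2014-0160 and CVE-2014-6271; also tracks CVE-2014-10000 "
    "and CVE-2014-1234567 (test values). Not an ID: CVE-2014-123."
)

if __name__ == "__main__":
    for cve in ("CVE-2014-0160", "CVE-2014-10000", "CVE-2014-123"):
        print(f"{cve:16} valid={is_valid_cve_id(cve)} "
              f"legacy_valid={legacy_is_valid(cve)} "
              f"fits_13_chars={fits_fixed_column(cve)}")
    print("legacy extract :", legacy_extract(SAMPLE_ADVISORY))
    print("correct extract:", extract_cve_ids(SAMPLE_ADVISORY))
    print("string sort    :", sorted(["CVE-2014-10000", "CVE-2014-9999"]))
    print("numeric sort   :", sort_cve_ids(["CVE-2014-10000", "CVE-2014-9999"]))
```

Running the module shows the legacy extractor returning CVE-2014-1000 and
CVE-2014-1234 for text that never mentions those identifiers, which is exactly the
"inaccurate vulnerability identifiers" failure the technical guidance warns about. The
same checks can be pointed at MITRE's published test data instead of the constructed
sample above.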
COMPLIANT ORGANIZATIONS RECOGNIZED
If the format change is not implemented in a timely manner, it could significantly
impact users' vulnerability management practices. To encourage industry and other CVE
users to accommodate the new format, CVE is recognizing those organizations that have
declared that they are, or will be, compliant with the new CVE-ID numbering format on an
"Organizations Compliant with the New CVE-ID Syntax" page on the CVE Web site.
The early adopters of the new CVE-ID format listed on this new page include: Adobe; CERIAS
at Purdue University; CERT Coordination Center (CERT/CC); CERT-IST; EMC Corporation;
High-Tech Bridge SA; IBM; ICS-CERT; Information-technology Promotion Agency, Japan
(IPA); Japan Computer Emergency Response Team Coordination Center (JPCERT/CC); LP3;
Microsoft Corporation; National Institute of Standards and Technology, National
Vulnerability Database (NVD); NSFOCUS; Oracle; Red Hat, Inc.; SecurityTracker; SUSE LLC;
and Symantec Corporation.
TECHNICAL GUIDANCE AND TEST DATA AVAILABLE
Organizations that do not update to the new CVE-ID format risk that their products and
services will break or report inaccurate vulnerability identifiers. To make it easy to
update, the CVE Web site provides free technical guidance and CVE test data that
developers and consumers can use to verify that their products and services will work
correctly. In addition, for those who use National Vulnerability Database (NVD) data,
NIST provides test data in NVD format at
http://nvd.nist.gov/cve-id-syntax-change.
DEADLINE RAPIDLY APPROACHING
The clock is ticking. If the number of identifiers assigned in 2014 does not force a
move to the new syntax before the end of 2014, we will ensure that we issue at least one
5-digit CVE-ID by Tuesday, January 13, 2015. All organizations that use CVE-IDs need to
take action now and make the upgrade before this rapidly-approaching deadline.
Please address any comments or concerns to
cve-id-change@mitre.org.
LINKS:
Organizations Compliant with the New CVE-ID Syntax page -
https://cve.mitre.org/cve/identifiers/compliant_organizations.html
CVE-ID numbering format change -
https://cve.mitre.org/cve/identifiers/syntaxchange.html
Technical guidance -
https://cve.mitre.org/cve/identifiers/tech-guidance.html
Test data -
https://cve.mitre.org/cve/identifiers/tech-guidance.html#test_data
News page article -
https://cve.mitre.org/news/index.html#september172014_Several_Organizations_Announce_Compliance_with_New_CVE_ID_Format_in_Advance_of_Upcoming_Deadline
---------------------------------------------------------------
Numerous News Media Articles Posted about Upcoming CVE-ID Syntax Compliance Deadline
CVE was the main topic of several news media articles resulting from our news release
entitled "Leading Software Vendors and Cybersecurity Organizations Among Early Adopters
of MITRE's New Vulnerability Naming Format" that was issued on September 16, 2014,
including the following:
* "Internet's security bug tracker faces its 'Y2K' moment" -
http://www.cnet.com/news/internets-security-bug-tracker-faces-its-y2k-moment/
* "New CVE Naming Convention Could Break Vulnerability Management" -
http://www.darkreading.com/vulnerabilities---threats/new-cve-naming-convention-could-break-vulnerability-management-/d/d-id/1315788
* "CVE Identifiers Make Room For a Few More Digits" -
http://threatpost.com/cve-identifiers-make-room-for-a-few-more-digits/108390
* "Mitre Warns of Issues With Software Flaw ID System if Count Top 10K" -
http://www.eweek.com/security/mitre-warns-of-issues-with-software-flaw-id-system-if-count-top-10k.html
* "CVE-ID Vulnerability Numbering Format Change Could Challenge Vendors Who Don't Adopt" -
http://www.securityweek.com/cve-id-vulnerability-numbering-format-change-could-challenge-vendors-who-dont-adopt
* "CVE-nummer aangepast wegens toenemend aantal lekken" ("CVE number changed because of
the growing number of vulnerabilities") -
https://www.security.nl/posting/402745/CVE-nummer+aangepast+wegens+toenemend+aantal+lekken?channel=rss
* "CVE-systeem per 2015 aangepast aan enorme groei patches" ("CVE system adapted as of
2015 to the enormous growth in patches") -
http://www.automatiseringgids.nl/nieuws/2014/39/cve-systeem-per-2015-aangepast-aan-enorme-groei-patches
* "Leading Software Vendors and Cybersecurity Organizations Among Early Adopters of
MITRE's New Vulnerability Naming Format" -
http://it.tmcnet.com/news/2014/09/22/8028722.htm
* "Attention to the increase in the number of digits in CVE identifiers as the number of
vulnerabilities grows" (title translated from Japanese) -
http://www.security-next.com/052257
* NSFOCUS, a participant in the CVE Compatibility Program, issued its own news release
stating that they are compliant with the new CVE-ID syntax:
http://www.c114.net/security/4355/a859199.html
* JP-CERT, a CVE Numbering Authority (CNA) and a participant in the CVE Compatibility
Program, issued its own news release stating that they are compliant with the new CVE-ID
syntax:
http://www.jpcert.or.jp/pr/2014/pr140006.html
LINKS:
MITRE press release -
http://www.mitre.org/news/press-releases/leading-software-vendors-and-cybersecurity-organizations-among-early-adopters-of
News page article -
https://cve.mitre.org/news/index.html#september252014_Numerous_News_Media_Articles_Posted_about_Upcoming_CVE_ID_Syntax_Compliance_Deadline
-------------------------------------------------------------
MITRE Issues Press Release about Upcoming CVE-ID Syntax Compliance Deadline
The MITRE Corporation issued a press release on September 17, 2014 entitled "Leading
Software Vendors and Cybersecurity Organizations Among Early Adopters of MITRE's New
Vulnerability Naming Format" listing several organizations that are already compliant
with the new CVE-ID syntax, and announcing that a CVE-ID number in the new syntax could
be issued before the end of 2014, and will be issued no later than Tuesday, January 13,
2015.
Products and services that use CVE-IDs and have not yet been updated to the new ID
Syntax could stop working properly.
Read the press release at
http://www.mitre.org/news/press-releases/leading-software-vendors-and-cybersecurity-organizations-among-early-adopters-of.
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* New Net Technologies Makes Declaration of CVE Compatibility
* CVE Identifier "CVE-2014-6271" Cited in Numerous Security Advisories and News Media
References about "Bash Shellshock"
* CVE Identifier "CVE-2014-6041" Cited in Numerous Security Advisories and News Media
References about the Android Browser Privacy Vulnerability
* CVE Mentioned in Article about Vulnerability Exploited Against Oil and Gas Startup
through Watering Hole Attack
* CVE Mentioned in Article about Vehicle Traffic Sensor Vulnerabilities
* CVE Mentioned in Article about Vulnerabilities in Network-Attached Storage Devices on
PCWorld.com
Read these stories and more news at
http://cve.mitre.org/news
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Information Security Technical Center. Writer: Bob
Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial
technical guidance to the CVE Editorial Board on all matters related to ongoing
development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-list", then send the
message to listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".
Copyright 2014, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation.
For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send
an email to cve@mitre.org.
Learn more about Making Security Measurable at http://measurablesecurity.mitre.org and
Strengthening Cyber Defense at http://www.mitre.org/work/cybersecurity/cyber_standards.html.