Wednesday, May 21, 2014

CVE Announce - May 21, 2014 (opt-in newsletter from the CVE Web site)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new versions, upcoming conferences,
new Web site features, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for information security vulnerability names. CVE
content results from the collaborative efforts of the CVE Editorial Board, which is
comprised of leading representatives from the information security community. Details
on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel
free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/May 21, 2014
-------------------------------------------------------

Contents:

1. CVE, CWE, and CAPEC Are Main Topics of Article about the "Heartbleed" Bug on
MITRE's Cybersecurity Blog
2. CVE Identifier "CVE-2014-0160" Cited in Numerous Security Advisories and News Media
References about the Heartbleed Vulnerability
3. CVE and CWE Cited in White Paper about the Heartbleed Vulnerability
4. CVE and CWE Mentioned in Article about Mitigating Risks of Counterfeit and Tainted
Components in March/April 2014 Issue of "Crosstalk"
5. CVE Compatibility Program Updates
6. Also in this Issue
7. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

CVE, CWE, and CAPEC Are Main Topics of Article about the "Heartbleed" Bug on MITRE's
Cybersecurity Blog

CVE, CWE, and CAPEC are the main topics of an article "Security Standards Help Stop
Heartbleed" by CAPEC Technical Lead Drew Buttner on MITRE's Cybersecurity blog on May
7, 2014. "Heartbleed," or CVE-2014-0160, is a serious vulnerability in "certain
versions of OpenSSL where it enables remote attackers to obtain sensitive information,
such as passwords and encryption keys. Many popular websites have been affected or are
at risk, which in turn, puts countless users and consumers at risk."

The article defines the Common Vulnerabilities and Exposures (CVE), Common Weakness
Enumeration (CWE), and Common Attack Pattern Enumeration and Classification (CAPEC)
efforts and explains the problem each solves.

In sections entitled "CVE and Heartbleed," "CWE and Heartbleed," and "CAPEC and
Heartbleed," the article describes how CVE helped when the issue became public by
assigning CVE-2014-0160 to what also was referred to as the Heartbleed bug, and how
CWE and CAPEC can help prevent future Heartbleeds.

The author then concludes the article as follows: "Security automation efforts such as
CVE, CWE, and CAPEC can help reduce the possibility of similar severe vulnerabilities
such as Heartbleed in the future. But it is incumbent upon developers and other
security professionals to actively leverage resources such as these to be better
prepared for the next Heartbleed."

Read the complete article at
http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/security-standards-help-stop-heartbleed.

LINKS:

Blog article -
http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/security-standards-help-stop-heartbleed


CVE-2014-0160 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

CWE - https://cwe.mitre.org/

CAPEC - https://capec.mitre.org/

News page article -
https://cve.mitre.org/news/index.html#may152014_CVE_CWE_and_CAPEC_Are_Main_Topics_of_Article_about_the_Heartbleed_Bug_on_MITREs_Cybersecurity_Blog

---------------------------------------------------------------
CVE Identifier "CVE-2014-0160" Cited in Numerous Security Advisories and News Media
References about the Heartbleed Vulnerability

The CVE Identifier assigned to the "Heartbleed" vulnerability, CVE-2014-0160, was
released on April 7, 2014, the same day that the vulnerability was made public. The
existence of this identifier has enabled the worldwide community to converse and share
information about this vulnerability in a rapid and efficient manner.

CVE-2014-0160 was cited in nearly every major advisory, post, article, and response
related to Heartbleed, including the following examples:

https://www.openssl.org/news/secadv_20140407.txt
http://filippo.io/Heartbleed/
http://www.kb.cert.org/vuls/id/720951
http://blogs.cisco.com/security/openssl-heartbleed-vulnerability-cve-2014-0160-cisco-products-and-mitigations/
https://access.redhat.com/security/cve/CVE-2014-0160
http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html
http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/
http://www.dell.com/learn/us/en/04/campaigns/heartbleed-remediation
https://continuousassurance.org/blog/2014/04/09/openssl-heartbleed-cve-2014-0160/
http://continuousassurance.org/swamp/SWAMP-Heartbleed-White-Paper-29Apr2014.pdf
http://www2.fidelissecurity.com/e/11392/4-heartbleed-cliff-notes--html/vtg8l/474370179
http://lxer.com/module/newswire/view/200736/
http://dfw.cbslocal.com/2014/04/08/internet-heartbleed-bug-exposing-passwords-to-hackers/
http://www.livemint.com/Opinion/ZFtgPhvFMwvxJmFWaL1WDJ/How-to-stop-the-Webs-heart-from-bleeding.html
http://www.theregister.co.uk/2014/04/09/heartbleed_vuln_analysis/
http://blogs.computerworld.com/encryption/23767/heartbleed-openssl-open-source-fail
http://www.pcworld.com/article/2142140/twitter-at-least-dodged-the-horrors-of-heartbleed.html
http://www.sys-con.com/node/3053829
http://online.wsj.com/article/PR-CO-20140415-912417.html
http://www.digitaltrends.com/mobile/50-million-android-smartphones-vulnerable-heartbleed-bug/
https://bdaily.co.uk/advice/28-04-2014/what-heartbleed-can-teach-businesses-about-information-security/
http://www.thanhniennews.com/youth-science/the-branding-of-a-bug-how-heartbleed-became-a-household-name-25800.html
http://www.itjungle.com/tfh/tfh041414-story02.html
http://venturebeat.com/2014/04/16/serious-question-who-should-pay-for-heartbleed/
http://www.eweek.com/security/heartbeat-ssl-flaw-puts-linux-distros-at-risk.html/

Numerous other news articles may be found by searching on "Heartbleed" and/or
"CVE-2014-0160" using your preferred search engine. Also, please see the CVE
Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 for a
list of advisories used as references.

LINKS:

CVE-2014-0160 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

News page article -
https://cve.mitre.org/news/index.html#may012014_CVE_Identifier_CVE-2014-0160_Cited_in%20Numerous_Security_Advisories_and_News_Media_References_about_the_Heartbleed_Vulnerability

---------------------------------------------------------------
CVE and CWE Cited in White Paper about the Heartbleed Vulnerability

CVE and Common Weakness Enumeration (CWE) are included as references in an April 29,
2014 white paper entitled "Why Do Software Assurance Tools Have Problems Finding Bugs
Like Heartbleed?" by James A. Kupsch and Barton P. Miller of the Software Assurance
Marketplace (SWAMP) at the University of Wisconsin. The following were cited as
references in the white paper, which also included their URLs: CVE-2014-0160, CWE-130:
Improper Handling of Length Parameter Inconsistency, and CWE-125: Out-of-Bounds Read.

LINKS:

White paper -
https://continuousassurance.org/swamp/SWAMP-Heartbleed-White-Paper-22Apr2014-current.pdf


CVE-2014-0160 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

CWE-130 - https://cwe.mitre.org/data/definitions/130.html

CWE-125 - https://cwe.mitre.org/data/definitions/125.html

News page article -
https://cve.mitre.org/news/index.html#may012014_CVE_and_CWE_Cited_in_White_Paper_about_the_Heartbleed_Vulnerability

---------------------------------------------------------------
CVE and CWE Mentioned in Article about Mitigating Risks of Counterfeit and Tainted
Components in March/April 2014 Issue of Crosstalk

CVE and Common Weakness Enumeration (CWE) are included in an article written by MITRE
Senior Principal Engineer Robert A. Martin entitled "Non-Malicious Taint: Bad Hygiene
is as Dangerous to the Mission as Malicious Intent" in the March/April 2014 issue of
"Crosstalk: The Journal of Defense Software Engineering," the main topic of which is
"Mitigating Risks of Counterfeit and Tainted Components."

CVE and CWE are mentioned in a section entitled "Making Change through Business
Value," as follows: "For an example of a behavior change in an industry motivated by a
new perceived business value, consider that many of the vendors currently doing public
disclosures are doing so because they wanted to include CVE [14] Identifiers in their
advisories to their customers. However, they could not have CVE Identifiers assigned
to a vulnerability issue until there was publicly available information on the issue
for CVE to correlate. The vendors were motivated to include CVE Identifiers due to
requests from their large enterprise customers who wanted that information so they
could track their vulnerability patch/remediation efforts using commercially available
tools. CVE Identifiers were the way they planned to integrate those tools. Basically
the community created an ecosystem of value propositions that influenced the software
product vendors (as well as the vulnerability management vendors) to do things that
helped the community, as a whole, work more efficiently and effectively. Similarly,
large enterprises are leveraging CWE Identifiers to coordinate and correlate their
internal software quality/security reviews and other assurance efforts. From that
starting point, they have been asking the Pen Testing Services and Tools community to
include CWE identifiers in their findings. While CWE Identifiers in findings was
something that others had cited as good practice, it was not until the business value
to Pen Testing industry players made sense that they started adopting them and pushing
the state-of-the-art to better utilize them."

CWE is also mentioned in a section entitled "Assurance for the Most Dangerous
Non-Malicious Issues" that explains what CWE is and how the information "can assist
project staff in planning their assurance activities; it will better enable them to
combine the groupings of weaknesses that lead to specific technical impacts with the
listing of specific detection methods. This provides information about the presence of
specific weaknesses, enabling them to make sure the dangerous ones are addressed."

The entire issue is available for free in a variety of formats at
http://www.crosstalkonline.org/.

LINKS:

Crosstalk article -
http://www.crosstalkonline.org/storage/issue-archives/2014/201403/201403-0-Issue.pdf

CWE - https://cwe.mitre.org/

News page article -
https://cve.mitre.org/news/index.html#may012014_CVE_and_CWE_Mentioned_in_Article_about_Mitigating_Risks_of_Counterfeit_and_Tainted_Components_in_March/April_2014_Issue_of_Crosstalk

---------------------------------------------------------------
CVE Compatibility Program Updates

Two additional information security products have achieved the final stage of MITRE's
formal CVE Compatibility Process and are now officially "CVE-Compatible." Each product
is now eligible to use the CVE-Compatible Product/Service logo, and a completed and
reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the
product as part of the organization's listing on the CVE-Compatible Products and
Services page on the CVE Web site. A total of 161 products to date have been
recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

* Altex-Soft - Altex-Soft Ovaldb
* NSFOCUS Information Technology Co., Ltd. - Next-Generation Firewall (NF)

In addition, Proximis declared that its Apache CouchDB JSON Database is
CVE-Compatible, and Codenomicon, Ltd. declared that its binary vulnerability scanner,
Codenomicon Appcheck, is CVE-Compatible.

For additional information and to review all products and services listed, visit the
CVE Compatibility Section on the CVE Web site.

LINKS:

Altex-Soft Ovaldb - https://cve.mitre.org/compatible/questionnaires/161.html

NSFOCUS Next-Generation Firewall (NF) -
https://cve.mitre.org/compatible/questionnaires/160.html

Proximis - http://www.proximis.com/

Codenomicon - http://www.codenomicon.com/

CVE Compatibility Process - https://cve.mitre.org/compatible/process.html

CVE Compatibility Requirements - https://cve.mitre.org/compatible/requirements.html

Participating Organizations - https://cve.mitre.org/compatible/organizations.html

Make a Declaration - https://cve.mitre.org/compatible/make_a_declaration.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE Mentioned in Preface of March/April 2014 Issue of "Crosstalk: The Journal of
Defense Software Engineering"

* CVE-IDs Included in Annual "Secunia Vulnerability Review 2014"

* CVE Mentioned in Article about Vulnerability Statistics on "NetworkWorld.com"

* CVE Mentioned in Article about Vulnerability Statistics on "GCN.com"

Read these stories and more news at https://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Boyle, Information Security Technical Center. Writer: Bob
Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial
technical guidance to the CVE Editorial Board on all matters related to ongoing
development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message, copy
the following text into the BODY of the message: "SIGNOFF CVE-Announce-list", then send
the message to listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message:
"SUBSCRIBE CVE-Announce-List".

Copyright 2014, The MITRE Corporation. CVE and the CVE logo are registered trademarks
of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at https://cve.mitre.org or
send an email to cve@mitre.org.

Learn more about Making Security Measurable at http://measurablesecurity.mitre.org and
Strengthening Cyber Defense at
http://www.mitre.org/work/cybersecurity/cyber_standards.html.