Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new versions, upcoming conferences, new
Web site features, etc. right to your email box. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability names. CVE content results
from the collaborative efforts of the CVE Editorial Board, which is comprised of leading
representatives from the information security community. Details on subscribing (and
unsubscribing) to the email newsletter are at the end. Please feel free to pass this
newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/July 31, 2014
-------------------------------------------------------
Contents:
1. 1 Product from VirtuStream Now Registered as Officially "CVE-Compatible"
2. Reminder to Update Products, Services, and Processes to the New CVE-ID Numbering
Format
3. Register Now for "Security Automation Workshop 2014," August 26-28
4. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
1 Product from VirtuStream Now Registered as Officially "CVE-Compatible"
One additional information security product has achieved the final stage of MITRE's
formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is
now eligible to use the CVE-Compatible Product/Service logo, and a completed and
reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the
product as part of the organization's listing on the CVE-Compatible Products and
Services page on the CVE Web site. A total of 143 products to date have been recognized
as officially compatible.
The following product is now registered as officially "CVE-Compatible":
Virtustream, Inc. - Analytics and Continuous Monitoring Engine (ACE)
Use of the official CVE-Compatible logo will allow system administrators and other
security professionals to look for the logo when adopting vulnerability management
products and services for their enterprises, and the compatibility process questionnaire
will help end-users compare how different products and services satisfy the CVE
compatibility requirements, and therefore which specific implementations are best for
their networks and systems.
For additional information about CVE compatibility and to review all products and
services listed, visit the CVE Compatibility Process and CVE-Compatible Products and
Services.
LINKS:
Analytics and Continuous Monitoring Engine (ACE) -
https://cve.mitre.org/compatible/questionnaires/162.html
Virtustream, Inc. - http://www.virtustreamsecurity.com/
CVE-Compatible Products and Services - https://cve.mitre.org/compatible/
Process - https://cve.mitre.org/compatible/process.html
Make a Declaration - https://cve.mitre.org/compatible/make_a_declaration.html
News page article -
https://cve.mitre.org/news/index.html#july292014_1_Product_from_VirtuStream_Now_Registered_as_Officially_CVE_Compatible
---------------------------------------------------------------
Reminder to Update Products, Services, and Processes to the New CVE-ID Numbering Format
The format for CVE Identifiers (CVE-IDs) has changed. Because of this change, all
products, services, and/or processes that use CVE-IDs need to be updated.
Previously, CVE-IDs could only have 4 digits at the end such as "CVE-2014-0160", but
that syntax limited the number of IDs that could be issued in a calendar year to 9,999.
Now, unlimited CVE-IDs can be issued in a given year because with the new format they
can have 4 digits at the end or more such as "CVE-2014-99999" with 5 digits at the end,
"CVE-2014-456123" with 6 digits at the end, and so on as needed. The number of
vulnerabilities being reported each year is growing rapidly, so the change was very much
needed.
Technical guidance and test data are available on the CVE Web site for developers and
consumers to help you update your tools, web sites, and other capabilities to accept the
new CVE-ID numbering format. Questions or concerns may be sent to
cve-id-change@mitre.org.
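The failure mode this reminder is about, as an added example (not MITRE's code or test data): a pattern that still assumes exactly four trailing digits does not reject a longer ID, it silently reports a different, shorter one. The sample text, the function names, and the ID "CVE-2014-10000" are constructed for illustration; the other IDs are the ones quoted above.

```python
import re

# Legacy assumption: exactly four digits after the year, no boundary check.
LEGACY = re.compile(r"CVE-\d{4}-\d{4}")

# Updated syntax as described above: four or more digits at the end.
# The lookarounds stop a match from starting mid-token or ending mid-number.
CVE_ID = re.compile(r"(?<![A-Za-z0-9])CVE-(\d{4})-(\d{4,})(?![0-9])", re.IGNORECASE)

# Constructed sample input using the IDs quoted in the newsletter.
SAMPLE = ("Scanner output: CVE-2014-0160 and CVE-2014-0224 patched; "
          "CVE-2014-99999 and CVE-2014-456123 still open.")


def extract_legacy(text):
    """What a tool that was never updated pulls out of the text."""
    return LEGACY.findall(text)


def extract(text):
    """Extract IDs under the new syntax, normalised to an upper-case prefix."""
    return [f"CVE-{year}-{seq}" for year, seq in CVE_ID.findall(text)]


def is_valid(cve_id):
    """True if the whole string is one well-formed CVE-ID (4+ trailing digits)."""
    return CVE_ID.fullmatch(cve_id) is not None


def misattributed(text):
    """IDs the legacy pattern reports that do not actually appear in the text."""
    real = set(extract(text))
    return [cve for cve in extract_legacy(text) if cve not in real]


def sort_key(cve_id):
    """Numeric ordering; plain string sorting breaks once lengths differ."""
    match = CVE_ID.fullmatch(cve_id)
    if match is None:
        raise ValueError(f"not a CVE-ID: {cve_id!r}")
    return int(match.group(1)), int(match.group(2))


def fits_column(cve_id, width=13):
    """Check against a fixed-width field sized for the old 13-character IDs."""
    return len(cve_id) <= width


if __name__ == "__main__":
    print("legacy :", extract_legacy(SAMPLE))
    print("updated:", extract(SAMPLE))
    print("wrong  :", misattributed(SAMPLE))
    ids = ["CVE-2014-10000", "CVE-2014-9999"]  # constructed IDs
    print("string sort :", sorted(ids))
    print("numeric sort:", sorted(ids, key=sort_key))
```

The same truncation happens in fixed-width database columns and report fields sized for 13 characters, so storage and display need the same check as the parser.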
LINKS:
New CVE-ID Format page - https://cve.mitre.org/cve/identifiers/syntaxchange.html
Technical guidance and test data -
https://cve.mitre.org/cve/identifiers/tech-guidance.html
News page article -
https://cve.mitre.org/news/index.html#july292014_Reminder_to_Update_Products,_Services,_and_Processes_to_the_New_CVE-ID_Numbering_Format
---------------------------------------------------------------
Register Now for "Security Automation Workshop 2014," August 26-28
"Security Automation Workshop 2014," hosted at MITRE Corporation in McLean, Virginia,
USA on August 26-28, 2014, will bring government and industry together in order to
develop a consensus way forward for the endpoint posture assessment standards being
developed in the Internet Engineering Task Force (IETF) Security Automation Continuous
Monitoring (SACM) Working Group.
This three-day event is geared towards security automation tool vendors, end users, and
other related stakeholders. The agenda includes sessions that illustrate operational
gaps and issues, as well as challenges with the current security automation efforts.
Documents associated with the IETF SACM group will be discussed as well as other related
standards work. In addition to U.S. Government-led sessions, other select industry and
end users will be asked to share their experiences and challenges with the group. The
intent is to have open and productive discussions about how to collect, evaluate, and
report standardized data that is needed to identify software vulnerabilities and to
detect software tampering and defects in software configurations, in support of a number
of operational and security processes.
As this event is designed to foster collaborative conversation between government and
industry, the targeted audience is those key stakeholders within vendors, end user
groups, and select government agencies that bring deep existing domain knowledge to the
discussions. This is not intended to serve as an introduction for those that wish to
learn about this landscape, and as such those that require introductory information are
asked to pursue that in a different venue. Attendees for the event should be prepared to
share their experiences and ideas for the future state of security automation and should
be directly involved with the related topics.
Visit the "Security Automation Workshop 2014" page for an agenda, other event details,
and registration information.
LINKS:
Event registration - https://register.mitre.org/saworkshop/
Agenda - https://register.mitre.org/saworkshop/agenda.pdf
IETF SACM - https://datatracker.ietf.org/wg/sacm/documents/
News page article -
https://cve.mitre.org/news/index.html#july292014_Security_Automation_Workshop_2014_August_26-28
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Information Security Technical Center. Writer: Bob
Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial
technical guidance to the CVE Editorial Board on all matters related to ongoing
development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-list", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".
Copyright 2014, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation.
For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send
an email to cve@mitre.org.
Learn more about Making Security Measurable at http://measurablesecurity.mitre.org and
Strengthening Cyber Defense at
http://www.mitre.org/work/cybersecurity/cyber_standards.html.
Thursday, July 31, 2014
Thursday, July 3, 2014
CVE Announce - July 3, 2014 (opt-in newsletter from the CVE Web site)
Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new versions, upcoming conferences, new
Web site features, etc. right to your email box. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability names. CVE content results
from the collaborative efforts of the CVE Editorial Board, which is comprised of leading
representatives from the information security community. Details on subscribing (and
unsubscribing) to the email newsletter are at the end. Please feel free to pass this
newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/July 3, 2014
-------------------------------------------------------
Contents:
1. CVE Identifiers Used throughout Symantec's "2014 Internet Security Threat Report"
2. CVE Identifier "CVE-2014-0224" Cited in Numerous Security Advisories and News Media
References about the Most Critical OpenSSL Vulnerability since Heartbleed
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Identifiers Used throughout Symantec's "2014 Internet Security Threat Report"
CVE Identifiers are used throughout Symantec Corporation's "2014 Internet Security
Threat Report, Volume 19," which was released in April 2014, to uniquely identify many
of the vulnerabilities referenced in the report text and infographics.
Symantec is a member of the CVE Editorial Board, and its DeepSight Alert Services and
SecurityFocus Vulnerability Database are recognized as "Officially CVE-Compatible" in
the CVE-Compatible Products and Services section.
The free report is available for download at
http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf.
LINKS:
Symantec - http://www.symantec.com/
CVE Editorial Board - https://cve.mitre.org/community/board/index.html#current_members
CVE-Compatible Products and Services - https://cve.mitre.org/compatible/
News page article -
https://cve.mitre.org/news/index.html#june112014_CVE_Identifiers_Used_throughout_Symantecs_2014_Internet_Security_Threat_Report
---------------------------------------------------------------
CVE Identifier "CVE-2014-0224" Cited in Numerous Security Advisories and News Media
References about the Most Critical OpenSSL Vulnerability since Heartbleed
CVE-2014-0224 was cited in numerous major advisories, posts, and articles related to the
most recent critical OpenSSL vulnerability since Heartbleed, an SSL man-in-the-middle
(MITM) vulnerability, including the following examples:
http://www.zdnet.com/openssl-fixes-another-severe-vulnerability-7000030253/
http://www.scmagazine.com/seven-vulnerabilities-addressed-in-openssl-update-one-enables-mitm-attack/article/351323/
http://www.darkreading.com/vulnerabilities---threats/new-openssl-flaw-exposes-ssl-to-man-in-the-middle-attack/d/d-id/1269452
http://www.networkworld.com/article/2360229/microsoft-subnet/critical-flaw-in-encryption-has-been-in-openssl-code-for-over-15-years.html
http://www.eweek.com/security/openssl-finds-and-fixes-7-new-security-flaws.html
http://www.theregister.co.uk/2014/06/05/openssl_bug_batch/
http://www.cio-today.com/article/index.php?story_id=021000Q2VJNI
http://www.net-security.org/secworld.php?id=16966
http://www.pcworld.com/article/2360560/new-openssl-vulnerability-puts-encrypted-communications-at-risk-of-spying.html
http://arstechnica.com/security/2014/06/still-reeling-from-heartbleed-openssl-suffers-from-crypto-bypass-flaw/
http://www.pcpro.co.uk/news/389161/new-vulnerability-discovered-in-openssl
http://www.techweekeurope.co.uk/news/openssl-patch-heartbleed-146886
http://www.eweek.com/security/new-openssl-flaws-arent-a-heartbleed-repeat.html
http://www.itworldcanada.com/post/the-bleed-goes-on-new-openssl-flaws-found
http://threatpost.com/new-openssl-mitm-flaw-affects-all-clients-some-server-versions/106470
http://nakedsecurity.sophos.com/2014/06/06/latest-openssl-flaws-can-lead-to-information-leakage-code-execution-and-dos/
http://thevarguy.com/network-security-and-data-protection-software-solutions/060614/openssl-bitten-another-security-bug
http://www.itproportal.com/2014/06/06/new-openssl-bugs-uncovered-in-the-wake-of-heartbleed/
http://www.computerweekly.com/news/2240222088/Heartbleed-leads-to-discover-of-more-OpenSSL-flaws
http://www.v3.co.uk/v3-uk/news/2348696/openssl-man-in-the-middle-flaw-found-after-16-years
http://www.internetnews.com/security/openssl-patches-mitm-flaws.html
Other news articles may be found by searching on "CVE-2014-0224" using your preferred
search engine. Also, please see the CVE Identifier page
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 for a list of advisories
used as references.
LINKS:
CVE-2014-0224 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
News page article -
https://cve.mitre.org/news/index.html#june112014_CVE_Identifier_CVE-2014-0224_Cited_in_Numerous_Security_Advisories_and_News_Media_References_about_the_Most_Critical_OpenSSL_Vulnerability_since_Heartbleed
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE, CWE, and CAPEC Are Main Topics of Article about the "Heartbleed" Bug on MITRE's
Cybersecurity Blog
Read these stories and more news at https://cve.mitre.org/news
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Information Security Technical Center. Writer: Bob
Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial
technical guidance to the CVE Editorial Board on all matters related to ongoing
development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-list", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".
Copyright 2014, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation.
For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send
an email to cve@mitre.org.
Learn more about Making Security Measurable at http://measurablesecurity.mitre.org and
Strengthening Cyber Defense at
http://www.mitre.org/work/cybersecurity/cyber_standards.html.
