Thursday, December 10, 2015

CVE Announce - December 11, 2015 (opt-in newsletter from the CVE Web site)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new compatible products, new website features, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is approved by the CVE Editorial Board, which is comprised of leading representatives from the information security community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE Identifiers in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

 

Comments: cve@mitre.org

 

-------------------------------------------------------

CVE-Announce e-newsletter/December 11, 2015

-------------------------------------------------------

 

Contents:

 

1. CVE Included in ITU's "Security in Telecommunications and Information Technology 2015"

2. CVE Mentioned in Article about Apple's December Security Fixes for OS X and iOS on eWeek

3. CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for December on Threatpost

4. Also in this Issue

5. Details/Credits + Subscribing and Unsubscribing

 

 

FEATURE STORY:

 

CVE Included in ITU's "Security in Telecommunications and Information Technology 2015"

 

CVE is included in a September 2015 technical report entitled "Security in Telecommunications and Information Technology 2015" on the International Telecommunication Union (ITU) website. The main topic of the report is an "overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications."

 

CVE is mentioned in "Chapter 11 - Cybersecurity and incident response," as the main topic of section "11.1.2 Exchange of vulnerability information," as follows: "Recommendation ITU-T X.1520 on the common vulnerabilities and exposures (CVE) provides a structured means to exchange information on security vulnerabilities and exposures and provides a common identifier for publicly-known problems. This Recommendation defines the use of CVE to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this common identifier. This Recommendation is designed to allow vulnerability databases and other capabilities to be used together, and to facilitate the comparison of security tools and services. CVE contains only the standard identifier number with status indicator, a brief description, and references to related vulnerability reports and advisories. (It does not contain information such as risk, impact, fix information, or detailed technical information). The primary focus of CVE is to identify known vulnerabilities and exposures that are detected by security tools along with any new problems that are detected."

In addition, the Common Vulnerability Scoring System (CVSS) is the main topic of section "11.1.3 Vulnerability scoring," DHS's Common Weakness Enumeration (CWE) is the main topic of section "11.1.4 Exchange of weakness information," the Common Weakness Scoring System (CWSS) is the main topic of section "11.1.5 Weakness scoring," Common Attack Pattern Enumeration and Classification (CAPEC) is the main topic of section "11.1.5 Exchange of attack pattern information," and Malware Attribute Enumeration and Characterization (MAEC) is the main topic of section "11.1.7 Exchange of malware characteristics information."

 

LINKS:

Report -

http://www.itu.int/dms_pub/itu-t/opb/tut/T-TUT-SEC-2015-PDF-E.pdf

"Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE)" -

http://www.itu.int/rec/T-REC-X.1520/en

CVE -

https://cve.mitre.org/

CVSS -

https://www.first.org/cvss

CWE -

https://cwe.mitre.org/

CWSS -

https://cwe.mitre.org/cwss/

CAPEC -

https://capec.mitre.org/

News page article -

https://cve.mitre.org/news/index.html#december102015_CVE_Included_in_ITU's_Security_in_Telecommunications_and_Information_Technology_2015

 

---------------------------------------------------------------

CVE Mentioned in Article about Apple's December Security Fixes for OS X and iOS on eWeek

 

CVE is mentioned in a December 9, 2015 article entitled "Apple Updates OS X, iOS With Numerous Security Fixes" on eWeek. The main topic of the article is "security updates for [Apple's] desktop Mac OS X 10.11 and mobile iOS 9 operating systems … including networking, graphics and wireless operations."

 

The CVE-IDs cited in this article include the following: CVE-2015-7110, CVE-2015-7078, CVE-2015-7106, CVE-2015-7077, CVE-2015-7112, CVE-2015-7068, CVE-2015-7083, CVE-2015-7084, CVE-2015-7047, CVE-2015-7112, CVE-2015-7068, CVE-2015-7094, CVE-2015-7073, CVE-2015-7015, CVE-2015-7037, and CVE-2015-7080.

 

In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE-IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

 

LINKS:

Article -

http://www.eweek.com/security/apple-updates-os-x-ios-with-numerous-security-fixes.html

CVE-IDs -

https://cve.mitre.org/cve/cna.html

CVE Numbering Authorities -

https://cve.mitre.org/cve/cna.html

News page article -

https://cve.mitre.org/news/index.html#december102015_CVE_Mentioned_in_Article_about_Apple's_December_Security_Fixes_for_OS_X_and_iOS_on_eWeek

 

---------------------------------------------------------------

CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for December on Threatpost

 

CVE is mentioned in a December 8, 2015 article entitled "Microsoft Patches 71 Flaws, Two Under Attack; Warns of Leaked XBox Live Cert" on Threatpost. The main topic of the article is the set of fixes included in Microsoft's Patch Tuesday release for December.

 

CVE is first mentioned in the article with regard to the two vulnerabilities currently under attack, as follows: "… Microsoft released a dozen bulletins today, eight of which it rates as Critical—in particular, the two vulnerabilities currently under attack. The Office vulnerability, CVE-2015-6124, is one of six patched in MS15-131, and is described only as a memory-corruption vulnerability, one of five such flaws patched in the bulletin." "The other vulnerability under attack, CVE-2015-6175, is a kernel memory elevation of privilege in Windows; it's one of four such flaws patched in MS15-135. An attacker would need local access and privileges to a vulnerable Windows client or server, and a successful exploit would allow an attacker to install malware or manipulate data on the compromised computer."

 

In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

 

Visit CVE-2015-6124 (https://cve.mitre.org/cvename.cgi?name=CVE-2015-6124) and CVE-2015-6175 (https://cve.mitre.org/cvename.cgi?name=CVE-2015-6175) to learn more about these issues.

 

LINKS:

Article -

https://threatpost.com/microsoft-patches-71-flaws-two-under-attack-warns-of-leaked-xbox-live-cert/115601/

CVE-IDs -

https://cve.mitre.org/cve/cna.html

CVE Numbering Authorities -

https://cve.mitre.org/cve/cna.html

News page article -

https://cve.mitre.org/news/index.html#december102015_CVE_Mentioned_in_Article_about_Microsoft's_Patch_Tuesday_Fixes_for_December_on_Threatpost

 

---------------------------------------------------------------

ALSO IN THIS ISSUE:

* CVE Mentioned in Article about Two Critical JavaScript Vulnerabilities on InfoWorld

* CVE Mentioned in Article about Effect of Android's Stagefright Vulnerability in Q3-2015 on DataQuest

* CVE Mentioned in Press Release about Container Security for Enterprise Computing

Read these stories and more news at https://cve.mitre.org/news.

 

---------------------------------------------------------------

Details/Credits + Subscribing and Unsubscribing

 

Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

 

Copyright 2015, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).

 

For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send an email to cve@mitre.org.

 

Monday, November 16, 2015

CVE Announce SPECIAL ISSUE - November 16, 2015 (opt-in newsletter from the CVE Web site)

Welcome to a special issue of the CVE-Announce e-newsletter. Common Vulnerabilities and Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is approved by the CVE Editorial Board, which is comprised of leading representatives from the information security community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE Identifiers in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

 

Comments: cve@mitre.org

 

-------------------------------------------------------

CVE-Announce e-newsletter /November 16, 2015

-------------------------------------------------------

 

Contents:

 

1. After 16+ Years, CVE Co-Founder Steve Christey Coley Departs the CVE Project

2. Details/Credits + Subscribing and Unsubscribing

 

 

FEATURE STORY:

 

After 16+ Years, CVE Co-Founder Steve Christey Coley Departs the CVE Project

 

Steve Christey Coley, the co-founder of CVE who served as the project's technical lead, CVE Editorial Board moderator, and Editor of the CVE List since the project was launched publicly in 1999, resigned from the CVE project on October 26th.

 

Steve, who will be staying at MITRE, will now focus primarily on being the technical lead for the Common Weakness Enumeration (CWE) project and addressing the vulnerability management needs of the healthcare industry, while also keeping the CVE concept in mind. As Steve mentions in his departure message to the CVE Editorial Board: "My current work in CWE and healthcare … is likely to expand into other industry verticals with emerging cybersecurity challenges. I also plan to investigate what "CVE" would mean in other industry verticals and emerging technical domains, and/or in other global regions. I'll even be drawing from my experience in my old AI days of the early 90's."

 

Steve also intends to stay very involved in the vulnerability world by continuing to "advocate for and support the development of the next generation of vulnerability researchers; to build that ever-elusive theoretical framework for precisely understanding vulnerabilities, weaknesses, and their root causes; and to help "InfoSec" mature as an industry, including embracing people with non-traditional or non-technical roles that are critical to the industry's maturation. I will also seek to encourage diversity (in all its forms) within this industry; I believe that InfoSec has great potential for positive change, because we've all been outsiders in one way or another."

 

ORIGIN STORY

 

It all started back in 1998 when a MITRE Lead Information Security Engineer named Steve Christey Coley was trying to choose a commercial vulnerability assessment tool to help protect MITRE's own networks, and was dealing first-hand with the problem of multiple vulnerabilities that were the same issue but had different names, were described in different ways, and that tested at different levels of abstraction. In an attempt to decipher this confusion, Steve did a labor-intensive mapping across the commercial tools that he was considering at that time and learned that there were many discrepancies in coverage claims; some tools provided less coverage than claimed, while others provided more.

 

At the same time, MITRE's David Mann was trying to develop a database of system characteristics for the corporation that could be used to answer questions about how vulnerable MITRE was to problems described by security advisories.

 

Steve and Dave combined their efforts and developed a proposal for a simple common naming scheme that could be used by the community to correlate vulnerability information. They presented their approach, "Towards a Common Enumeration of Vulnerabilities," at a Purdue University vulnerability database workshop in January of 1999. That approach eventually grew into the CVE we know today 16+ years later.

 

A SPECIAL THANK YOU TO THE TEAM AND COMMUNITY FROM STEVE

 

In his departure message, Steve emphasized that CVE has always very much been a collaborative effort, and gave special thanks to fellow CVE co-founder David Mann for his "passion, principles, and far-forward, out-of-the-box thinking" and to Margie Zuk, "the third member of the original CVE triad, whose contributions to CVE have gone woefully unrecognized; whose unique combination of unmitigated optimism, realistic pessimism, and patience kept the project moving forward through some tough times … and whose original admonition to "keep the faith" back in spring 1999 has served me countless ways over the years."

 

Steve also thanked the entire CVE community: "On a broader scale, my humblest thanks and appreciation go to the hundreds of people in the entire CVE community, with whom I've had the pleasure of working: the ever-changing members of the CVE content team, each of whom has brought their own perspective and skills, and left their own mark; numerous MITRE employees, from senior management who supported the idea and took a risk in CVE's founding years, to the specialists from other disciplines who contributed their expertise to improve our processes, to the admin support who helped everything run smoothly; the members of the CVE Editorial Board, who taught me to think more comprehensively about the many different perspectives surrounding vulnerability management, and whose endorsement of CVE gave it the legitimacy to effect positive change in the industry; independent and hobbyist researchers, whose contributions to the industry's body of knowledge and my own intellectual growth have been consistently underestimated; and countless other people I've talked to by email, at conferences, or on social media."

 

WISHING STEVE WELL

 

Current CVE Project Lead Steve Boyle posted a "Very Special Thank You to Steve Christey Coley" message to the CVE Editorial Board email discussion list on October 28th, saying: "Steve has been a mentor and teacher to many people, both inside and outside of MITRE. He is, and has been for many years, a highly engaged, respected and respectful member of the community. We extend our deepest thanks to Steve and wish him all the best in his new endeavors. Congratulations, people who are about to begin working with Steve, you do not yet know how lucky you are."

 

We echo that sentiment here: Thank you Steve for all you have done and best of luck in your new endeavors!

 

LINKS:

Steve Christey Coley's Goodbye Message -

https://cve.mitre.org/data/board/archives/2015-10/msg00022.html

CWE -

https://cwe.mitre.org/

CVE -

https://cve.mitre.org/

CVE Editorial Board -

https://cve.mitre.org/community/board/index.html

"Towards a Common Enumeration of Vulnerabilities" white paper -

https://cve.mitre.org/docs/docs-2000/cerias.html

Steve Boyle's Thank You Message about Steve -

http://common-vulnerabilities-and-exposures-cve-editorial-board.1128451.n5.nabble.com/A-special-quot-Thank-You-quot-to-Steve-Christey-Coley-td11.html

News page article with photos -

https://cve.mitre.org/news/index.html#november122015_After_16+_Years_CVE_Co_Founder_Steve_Christey_Coley_Departs_the_CVE_Project

 

---------------------------------------------------------------

Details/Credits + Subscribing and Unsubscribing

 

Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

 

Copyright 2015, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).

 

For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send an email to cve@mitre.org.

 

Sunday, November 8, 2015

CVE Announce - November 9, 2015 (opt-in newsletter from the CVE Web site)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new compatible products, new website features, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is approved by the CVE Editorial Board, which is comprised of leading representatives from the information security community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE Identifiers in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

 

Comments: cve@mitre.org

 

-------------------------------------------------------

CVE-Announce e-newsletter/November 9, 2015

-------------------------------------------------------

 

Contents:

 

1. CVE Included in Cisco's Recently Updated Vulnerability Disclosure Process

2. New CVE Editorial Board Member for Red Hat

3. Also in this Issue

4. Details/Credits + Subscribing and Unsubscribing

 

 

FEATURE STORY:

 

CVE Included in Cisco's Recently Updated Vulnerability Disclosure Process

 

CVE is included in Cisco Systems, Inc.'s refined security disclosure process, as described in an October 5, 2015 blog post entitled "Streamlining the Response to Security Vulnerabilities" on its security blog. CVE is listed as the fourth of five benefits that are new in the process, as follows: "Every vulnerability assigned a Common Vulnerability and Exposures (CVE). Aids in identification and search."

 

Release of the updated policy also resulted in CVE being cited in numerous major news media references and posts, including the following examples:

 

* http://www.eweek.com/security/cisco-redefines-how-it-manages-communicates-security-issues.html

* http://www.theregister.co.uk/2015/10/06/cisco_reforms_its_security_disclosure_process/

* http://www.scmagazineuk.com/cisco-develops-new-and-improved-security-disclosure-process/article/443429/

* http://www.programmableweb.com/news/%E2%80%8Bcisco-to-use-api-to-distribute-detailed-security-vulnerability-advisories/2015/10/08

* http://blogs.cisco.com/security/psirt-u

* http://dutchitchannel.nl/537988/cisco-vernieuwt-beleid-rond-vulnerabilities-in-producten.html

 

Cisco is a CVE Numbering Authority (CNA), assigning CVE-IDs for Cisco issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

 

LINKS:

Cisco announcement -

http://blogs.cisco.com/security/streamlining-the-response-to-security-vulnerabilities

CVE Numbering Authorities -

https://cve.mitre.org/cve/cna.html

News page article -

https://cve.mitre.org/news/index.html#october132015_CVE_Included_in_Ciscos_Recently_Updated_Vulnerability_Disclosure_Process

 

---------------------------------------------------------------

New CVE Editorial Board Member for Red Hat

 

Kurt Seifried of Red Hat, Inc. has joined the CVE Editorial Board. Mark Cox of Red Hat also remains as a Board member.

 

Read the full announcement and welcome message in the CVE Editorial Board email discussion list archive at

http://common-vulnerabilities-and-exposures-cve-editorial-board.1128451.n5.nabble.com/Please-welcome-Kurt-Seifried-to-the-CVE-Editorial-Board-td18.html

 

LINKS:

CVE Editorial Board -

https://cve.mitre.org/community/board/index.html

Red Hat -

http://www.redhat.com/

News page article -

https://cve.mitre.org/news/index.html#november32015_New_CVE_Editorial_Board_Member_for_Red_Hat

 

---------------------------------------------------------------

ALSO IN THIS ISSUE:

* CVE Mentioned in Article about Joomla Vulnerabilities Affecting Millions of Websites on Ars Technica

* CVE Identifier "CVE-2015-7645" Cited in Numerous Security Advisories and News Media References about a Zero-Day Adobe Flash Vulnerability

* Two CVE Identifiers Cited in Numerous Security Advisories and News Media References about the Android "Stagefright 2.0" Vulnerability

Read these stories and more news at https://cve.mitre.org/news.

 

---------------------------------------------------------------

Details/Credits + Subscribing and Unsubscribing

 

Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

 

Copyright 2015, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).

 

For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send an email to cve@mitre.org.

 

Tuesday, October 6, 2015

CVE Announce - October 7, 2015 (opt-in newsletter from the CVE Web site)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new compatible products, new website features, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is approved by the CVE Editorial Board, which is comprised of leading representatives from the information security community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE Identifiers in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

 

Comments: cve@mitre.org

 

-------------------------------------------------------

CVE-Announce e-newsletter/October 7, 2015

-------------------------------------------------------

 

Contents:

 

1. Upcoming Changes to CVE

2. 1 Product from Hillstone Networks Now Registered as Officially "CVE-Compatible"

3. Also in this Issue

4. Details/Credits + Subscribing and Unsubscribing

 

 

FEATURE STORY:

 

Upcoming Changes to CVE

 

We would like to take this opportunity to notify the CVE Editorial Board and the community of changes that are coming for CVE.

 

We recognize that there is deep frustration with some aspects of CVE, and that there are areas in need of updating after 16 years of continuous operation. We have been working on a number of things to improve our internal processes and workflow and will start to make visible changes to CVE in the coming weeks and months.

 

The operation and use of CVE has significantly evolved in the last 16 years. While CVE has served the community very well, its current operating model is proving to be unable to keep up with the breadth and volume of CVE requests and subsequent production of final CVE entries.

 

Our intent is to be heavily engaged with the CVE community and users, now and even more so in the future, and to be completely transparent about what we are doing and why. If you believe at any time that we are not meeting those goals, we respectfully request your engagement and feedback telling us where we are falling short so that we can better understand the needs and requirements of the community.

 

CVE EDITORIAL BOARD

 

The CVE Editorial Board was created to define and shape CVE, even before CVE first went public. The Board's operating model and framework have evolved significantly in the years since as the community and requirements have evolved. Today, the community is more dynamic than it was even just a few years ago, and the Board model is in need of a refresh. To that end, Julie Connolly, a new member of the MITRE CVE Team, is taking on the role of liaison from MITRE to the Board.

 

Julie will be putting out an email that will outline what we believe are the objectives for a Board refresh, including responsibilities, membership, and a number of other aspects that have been discussed. Julie will provide more details in her email, and we hope the Board will be very engaged as we seek your suggestions, feedback, and comments to help us refresh, shape, and formalize a number of aspects of the CVE Editorial Board and its operation.

 

CVE NUMBERING AUTHORITIES (CNAs)

 

The CVE CNAs are another aspect of CVE that was instantiated years ago, and they have proven valuable to the operation of CVE. As with the Board, the operation of and requirements on CNAs have evolved significantly and need to be updated. In particular, as the volume of requests for CVE-IDs continues to increase, the need for, definition of the role, and the successful operation of CNAs becomes even more critical to CVE and the community.

 

Tiffany Bergeron of the MITRE CVE Team is taking the lead for CNAs, and will be emailing this list to describe requirements and objectives for CNAs and to solicit suggestions, feedback and comments from the Board.

 

Tiffany will be engaging with the Board, and will email to describe the objectives and plans for updating multiple aspects of the CNA relationship and functioning. Our aim is to improve both sides of the operation and reliability of CNAs, to have CNAs evolve to take on a larger role in the creation of CVEs, and to ultimately expand the number of CNAs.

 

CVE ASSIGNMENT (CVE-ID REQUESTS)

 

No single aspect of CVE has been more problematic or engendered more frustration for both the community and for CVE than the process of requesting and assigning CVE-IDs for newly discovered vulnerabilities. We will begin to implement changes in the next few days that will result in reasonable response times and process improvements, and to put in place new feedback mechanisms for requesters. We will be providing documented guidelines for requesting CVE-IDs, including required elements and criteria. Because of the increasing volume of requests, we are planning to push more responsibility for well-constructed and informational requests back onto the requesters, rather than provide individual, educational responses as we sometimes have in the past. We will, of course, always be available to help researchers and disclosers understand what goes into a "good" CVE request, and we will be providing documentation to help both first-time and experienced requesters.

 

Steve Boyle is taking responsibility for this area and will be following up with changes and plans. We are actively seeking additional comments, suggestions, and feedback from the community to help us shape the process, feedback, and utility of CVE-ID requests.

 

MOVING FORWARD

 

MITRE has never, and will never, presume that "we know best" for CVE and its use within the community. The original operating principle of being guided by the Board remains as important as it ever has been in the history of CVE. For our part, we will be working to actively demonstrate more engagement and transparency with the Board and with the community.

 

If you are a Board member, please provide any responses to the CVE Editorial Board Email Discussion List. For others, please send your feedback to cve@mitre.org.

 

Thank you for your advice and engagement to date. We look forward to your comments and input as we move forward with the evolution of CVE.

 

Steve Boyle, MITRE

CVE Project Leader

 

NOTE: The information above was previously posted to the CVE Editorial Board Email Discussion List on September 24, 2015.

 

LINKS:

CVE Editorial Board -

https://cve.mitre.org/community/board/index.html

CVE Numbering Authorities -

https://cve.mitre.org/cve/cna.html

CVE Assignment -

https://cve.mitre.org/cve/request_id.html

News page article -

https://cve.mitre.org/news/index.html#october12015_Upcoming_Changes_to_CVE

 

---------------------------------------------------------------

1 Product from Hillstone Networks Now Registered as Officially "CVE-Compatible"

 

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 148 products to date have been recognized as officially compatible.

 

The following product is now registered as officially "CVE-Compatible":

 

* Hillstone Networks - Next Generation Firewall

 

The official CVE-Compatible logo lets system administrators and other security professionals recognize compatible vulnerability management products and services when adopting them for their enterprises. The completed compatibility questionnaire lets end users compare how different products and services satisfy the CVE compatibility requirements, and therefore judge which specific implementations are best for their networks and systems.

 

For additional information about CVE compatibility and to review all products and services listed, visit CVE Compatibility Process and CVE-Compatible Products and Services on the CVE Web site.

 

LINKS:

 

Next Generation Firewall -

https://cve.mitre.org/compatible/questionnaires/167.html

 

CVE Compatibility Process -

https://cve.mitre.org/compatible/process.html

 

CVE-Compatible Products and Services -

https://cve.mitre.org/compatible/compatible.html

 

CVE Compatibility Requirements -

https://cve.mitre.org/compatible/requirements.html

 

Make a Declaration -

https://cve.mitre.org/compatible/make_a_declaration.html

 

News page article -

https://cve.mitre.org/news/index.html#october12015_1_Product_from_Hillstone_Networks_Now_Registered_as_Officially_CVE_Compatible

 

---------------------------------------------------------------

ALSO IN THIS ISSUE:

 

* CVE Mentioned in Article about Vulnerabilities Fixed by Apple's iOS 9 on eWeek

 

* CVE-IDs Used throughout Qualys' July 2015 "Top 10 Vulnerabilities" List

 

* CVE Mentioned in Article about Vulnerabilities in Baby Monitors on SC Magazine

 

Read these stories and more news at https://cve.mitre.org/news.

 

---------------------------------------------------------------

Details/Credits + Subscribing and Unsubscribing

 

Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

 

Copyright 2015, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).

 

For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send an email to cve@mitre.org.

 

Monday, June 29, 2015

CVE Announce - June 29, 2015 (opt-in newsletter from the CVE Web site)


 

-------------------------------------------------------

CVE-Announce e-newsletter/June 29, 2015

-------------------------------------------------------

 

Contents:

 

1. CVE List Surpasses 70,000 CVE-IDs

2. CVE Identifiers Used throughout Trustwave's "2015 Trustwave Global Security Report"

3. Also in this Issue

4. Details/Credits + Subscribing and Unsubscribing

 

 

FEATURE STORY:

 

CVE List Surpasses 70,000 CVE-IDs

 

On June 24, 2015, the CVE website surpassed the 70,000 CVE Identifiers (CVE-IDs) milestone, with 70,036 unique cyber security issues with publicly known names posted on the CVE List.

 

CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Cyber security professionals and product vendors from around the world use CVE-IDs as a standard method for identifying vulnerabilities; facilitating their work processes; and cross-linking among products, services, and other repositories that use the identifiers.

 

Each of the 70,000+ identifiers on the CVE List includes the following: CVE Identifier number, brief description of the security vulnerability, and pertinent references such as vulnerability reports and advisories.

 

Visit the CVE List page at https://cve.mitre.org/cve to download the complete list in various formats or to look up an individual identifier. Fix information, enhanced searching, and a Common Vulnerability Scoring System (CVSS) calculator for scoring the severity of CVE-IDs are available from the U.S. National Vulnerability Database (NVD) at https://nvd.nist.gov/home.cfm.

 

LINKS:

 

CVE List -

https://cve.mitre.org/cve

 

NVD -

https://nvd.nist.gov/home.cfm

 

News page Article -

https://cve.mitre.org/news/index.html#june262015_CVE_List_Surpasses_70,000_CVE_IDs

 

---------------------------------------------------------------

CVE Identifiers Used throughout Trustwave's "2015 Trustwave Global Security Report"

 

CVE-IDs are cited throughout Trustwave's "2015 Trustwave Global Security Report" to uniquely identify the vulnerabilities referenced in the report text and several of the charts.

 

CVE was also specifically mentioned in a section of the report that discussed "Celebrity Vulnerabilities" such as "Heartbleed," "Shellshock," "Poodle," and others. The report states: "For the purpose of this discussion, we define "celebrity" vulnerabilities as those such as Heartbleed that receive memorable names, and sometimes logos, from their discoverers. For years, researchers have assigned quirky names to the malware they discover - for example, the Melissa virus. Catchy names and logos can help spread the word more quickly, and in 2014 this trend extended beyond malware to vulnerabilities. Prior, the security community generally referenced flaws with the Common Vulnerabilities and Exposures (CVE) numbering standard (e.g., CVE-2014-0160). In 2014, a number of celebrity vulnerabilities made headlines. Higher-profile promotion of security weaknesses no doubt led to quicker patching among businesses."

 

The free report is available for download at https://www2.trustwave.com/GSR2015.html?utm_source=webbanner&utm_medium=web&utm_campaign=GSR. You must fill out a form to download the report.

 

LINKS:

 

Report -

https://www2.trustwave.com/GSR2015.html?utm_source=webbanner&utm_medium=web&utm_campaign=GSR

 

CVE-IDs -

https://cve.mitre.org/cve

 

News page Article -

https://cve.mitre.org/news/index.html#june182015_CVE_Identifiers_Used_throughout_Trustwavess_2015_Trustwave_Global_Security_Report

 

---------------------------------------------------------------

ALSO IN THIS ISSUE:

 

* "CVE-2015-2865" Cited in Numerous Security Advisories and News Media References about the Samsung Galaxy Keyboard Vulnerability

 

Read these stories and more news at https://cve.mitre.org/news.

 

---------------------------------------------------------------


 

Monday, June 8, 2015

CVE Announce - June 8, 2015 (opt-in newsletter from the CVE Web site)


 

-------------------------------------------------------

CVE-Announce e-newsletter/June 8, 2015

-------------------------------------------------------

 

Contents:

 

1. CVE-IDs Used throughout Qualys' Top 10 External and Top 10 Internal Vulnerabilities Lists

2. CVE Mentioned in Article about Approaches to Vulnerability Naming on Christian Science Monitor

3. CVE Mentioned in Article about a Vulnerability Affecting "Millions" of Routers and Internet of Things (IoT) Devices on ZDNet

4. CVE Mentioned in Article about "Logjam" Vulnerability on SecurityWeek

5. CVE-IDs Used throughout Websense's "Threat Report 2015"

6. CVE Mentioned in "How to Get the CVSS Right" Article on Dell's Tech Page One Blog

7. Also in this Issue

8. Details/Credits + Subscribing and Unsubscribing

 

 

FEATURE STORY:

 

CVE-IDs Used throughout Qualys' Top 10 External and Top 10 Internal Vulnerabilities Lists

 

CVE-IDs are used throughout Qualys, Inc.'s February 2015 "Top 10 Vulnerabilities" lists to uniquely identify the vulnerabilities referenced on its top 10 external and top 10 internal vulnerabilities lists. The two lists are "dynamic lists of the most prevalent and critical security vulnerabilities in the real world."

 

According to the Qualys website, the two lists are "Based on the Laws of Vulnerabilities, this information is computed anonymously from over 1 billion IP audits per year. The Top 10 External Vulnerabilities are the most prevalent and critical vulnerabilities which have been identified on Internet facing systems. The Top 10 Internal Vulnerabilities show this information for systems and networks inside the firewall."

 

Review Qualys's Top 10 External Vulnerabilities and Top 10 Internal Vulnerabilities lists at: https://www.qualys.com/research/top10/.

 

LINKS:

 

Top 10 lists -

https://www.qualys.com/research/top10/

 

CVE-IDs –

https://cve.mitre.org/cve

 

News page article -

https://cve.mitre.org/news/index.html#june032015_CVE_IDs_Used_throughout_Qualys_Top_10_External_and_Top_10_Internal_Vulnerabilities_Lists

 

---------------------------------------------------------------

CVE Mentioned in Article about Approaches to Vulnerability Naming on Christian Science Monitor

 

CVE is mentioned in a May 22, 2015 article entitled "What the security industry can learn from the World Health Organization" on Christian Science Monitor. The main topic of the article is how the "discovery of computer bugs can be marketing boons for cybersecurity firms. But one critic says the industry should take a page from the health profession and select names for flaws that aren't designed to stoke fear or generate buzz."

 

The author then discusses how some of the recently named bugs have been more about marketing and less about how serious they are, such as "VENOM" (i.e., CVE-2015-3456), which the National Vulnerability Database ranks "…between medium and high risk – a 7.5 out of 10. But this year alone, it has listed nearly 800 bugs as high risk, and there is no shortage of 10s. Many of those involve extraordinarily popular software programs such as major operating systems and Web browsers."

 

The article also includes a quote from Chris Eng, vice president of research at Veracode, who says: "What ends up happening is named vulnerabilities get more attention regardless of how much they deserve it. The intuition is, if it's branded, it's more dangerous."

 

The author continues: "Mr. Eng suggests that, in an ideal world, the industry could go back to the old days, and refer to vulnerabilities by their Common Vulnerabilities and Exposures numbers. "They're only eight numbers," he says. "They aren't that hard to remember. And the first four are the year.""

 

Visit CVE-2015-3456 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456 to learn more about "VENOM."

 

LINKS:

 

Article -

http://www.csmonitor.com/World/Passcode/2015/0522/What-the-security-industry-can-learn-from-the-World-Health-Organization

 

CVE-IDs –

https://cve.mitre.org/cve

 

CVE-ID Syntax Change -

https://cve.mitre.org/cve/identifiers/syntaxchange.html

 

News page Article -

https://cve.mitre.org/news/index.html#may282015_CVE_Mentioned_in_Article_about_Approaches_to_Vulnerability_Naming_on_Christian_Science_Monitor

 

---------------------------------------------------------------

CVE Mentioned in Article about a Vulnerability Affecting "Millions" of Routers and Internet of Things (IoT) Devices on ZDNet

 

CVE is mentioned in a May 20, 2015 article entitled "NetUSB flaw leaves 'millions' of routers, IoT devices vulnerable to hacking" on ZDNet. The main topic of the article is that "Potentially millions of routers and Internet-of-Things devices have been placed at risk of hijacking due to a stack buffer overflow security flaw."

 

CVE is mentioned when the author states: "…the vulnerability, CVE-2015-3036, allows for an unauthenticated attacker on a local network to trigger a kernel stack buffer overflow which causes denial-of-service or permits remote code execution. In addition, some router configurations may allow remote attacks."

 

The author also explains how millions of routers and Internet of Things (IoT) devices could be affected: "KCode-developed NetUSB, used in a plethora of popular routers available commercially, is used to provide USB over IP functionality. USB devices including printers and flash drivers, plugged into a Linux-based system, can be granted network access over TCP port 20005 through the technology. Routers, access points and dedicated USB over IP boxes often use this proprietary software."

 

Visit CVE-2015-3036 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3036 to learn more about the issue cited above.

 

LINKS:

 

ZDNet article -

http://www.zdnet.com/article/netusb-flaw-leaves-millions-of-routers-iot-devices-vulnerable-to-hacking/

 

CVE-IDs –

https://cve.mitre.org/cve

 

News page article -

https://cve.mitre.org/news/index.html#may282015_CVE_Mentioned_in_Article_about_a_Vulnerability_Affecting_Millions_of_Routers_and_IoT_Devices_on_ZDNet

 

---------------------------------------------------------------

CVE Mentioned in Article about "Logjam" Vulnerability on SecurityWeek

 

CVE was mentioned in a May 21, 2015 article entitled "Hundreds of Cloud Services Potentially Vulnerable to Logjam Attacks: Skyhigh" on SecurityWeek. The main topic of the article is the "Logjam vulnerability, which is similar to the FREAK bug, is caused due to the way the Diffie-Hellman (DHE) key exchange has been deployed. The flaw can be exploited by a man-in-the-middle (MitM) attacker to downgrade TLS connections to weak, export-grade crypto, and gain access to the data passing through the connection."

 

CVE is mentioned when the author states: "Logjam (CVE-2015-4000) affects all servers that support 512-bit export-grade cryptography and all modern web browsers, for which patches are being released. The vulnerability initially affected over 8 percent of the top 1 million HTTPS websites, and more than 3 percent of the browser trusted sites."

 

Visit CVE-2015-4000 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000 to learn more about "Logjam."

 

LINKS:

 

SecurityWeek article -

http://www.securityweek.com/hundreds-cloud-services-potentially-vulnerable-logjam-attacks-skyhigh

 

CVE-IDs –

https://cve.mitre.org/cve

 

News page article -

https://cve.mitre.org/news/index.html#may282015_CVE_Mentioned_in_Article_about_Logjam_Vulnerability_on_SecurityWeek

 

---------------------------------------------------------------

CVE-IDs Used throughout Websense's "Threat Report 2015"

 

CVE-IDs are mentioned throughout Websense, Inc.'s "Threat Report 2015" to uniquely identify many of the vulnerabilities referenced in the report text.

 

According to Websense's "Websense 2015 Threat Report: Cybercrime Gets Easier, Attribution Gets Harder, Quality over Quantity and Old becomes the New" press release on April 8, 2015, the report "looks at how threat actors are gaining capabilities through the adoption of cutting-edge tools instead of technical expertise. Redirect chains, code recycling and a host of other techniques are allowing these actors to remain anonymous, making attribution time consuming, difficult and ultimately unreliable. Widespread use of older standards in lieu of newer and more secure options continues to leave systems vulnerable and exposed. A brittle infrastructure allows threats to expand into the network framework itself, including the code base of Bash, OpenSSL, and SSLv3."

 

According to the press release, "In 2014, 99.3 percent of malicious files used a Command & Control URL that has been previously used by one or more other malware samples. In addition, 98.2 percent of malware authors used C&C's found in five other types of malware."

 

The report also states that "Threat actors are blending old tactics, such as macros, in unwanted emails with new evasion techniques. Old threats are being "recycled" into new threats launched through email and web channels, challenging the most robust defensive postures. Email, the leading attack vector a decade ago, remains a very potent vehicle for threat delivery, despite the now dominant role of the web in cyberattacks. For example: In 2014, 81 percent of all email scanned by Websense was identified as malicious. This number is up 25 percent against the previous year. Websense also detected 28 percent of malicious email messages before an anti-virus signature became available."

 

The free report is available for download at http://www.websense.com/content/websense-2015-threat-report.aspx?intcmp=hp-promo-en-2015-threat-report.

 

LINKS:

 

Report -

http://www.websense.com/content/websense-2015-threat-report.aspx?intcmp=hp-promo-en-2015-threat-report

 

CVE-IDs –

https://cve.mitre.org/cve

 

News page article -

https://cve.mitre.org/news/index.html#may72015_CVE_Identifiers_Used_throughout_Websenses_Threat_Report_2015

 

---------------------------------------------------------------

CVE Mentioned in "How to Get the CVSS Right" Article on Dell's Tech Page One Blog

 

CVE and CVSS are the main topics of an April 17, 2015 article entitled "How to Get the CVSS Right" on Dell's Tech Page One Blog. The main topic of the article is how to use the "Common Vulnerability Scoring System (CVSS) … a free and open industry standard for assessing the severity of computer system security vulnerabilities. Currently in version 2, with an update in version 3 in development, CVSS attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so efforts can be prioritized. The scores are based on a series of measurements, called metrics. The scores range from 0 to 10. High vulnerabilities are those with a base score in the range 7.0-10.0, medium in 4.0-6.9 and 0-3.9 are low."

 

CVE is mentioned at the beginning of the article, when the author states: "For anyone dealing with software vulnerabilities, the CVE and CVSS are often their first stops in finding out the scope and details, and just about everything else they need to know about the specific vulnerability."

 

A CVSS calculator for scoring CVE-IDs is available on the U.S. National Vulnerability Database at https://nvd.nist.gov.
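Two things in this issue lend themselves to a small worked example: the Christian Science Monitor piece above, in which Chris Eng notes that a CVE-ID is just digits with the year in front, and the CVSS v2 severity bands quoted in the Tech Page One article (7.0-10.0 high, 4.0-6.9 medium, 0-3.9 low). The following Python is an added example written for this page, not code from MITRE, NVD, Dell or any of the cited publications. It extracts CVE-IDs from free text using the post-2014 syntax (a four-digit year followed by a sequence number of four or more digits; the fixed "eight numbers" form Eng refers to is the pre-2014 case of the same pattern), orders them numerically rather than as strings, and maps CVSS v2 base scores to the bands the article quotes. The sample text and the scores attached to CVE-2015-3036 and CVE-2015-4000 are constructed for illustration and are not NVD data; the 7.5 for CVE-2015-3456 is the figure the article quotes.

```python
import re
from typing import Dict, List, Tuple

# CVE-ID syntax after the 2014 syntax change: "CVE-" + 4-digit year + "-" + a
# sequence number of at least 4 digits (no upper bound). Pre-2014 IDs, with a
# fixed 4-digit sequence, match the same pattern.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# CVSS v2 base-score bands as quoted in the article.
CVSS2_BANDS = (("High", 7.0), ("Medium", 4.0), ("Low", 0.0))


def cve_sort_key(cve_id: str) -> Tuple[int, int]:
    """(year, sequence) as integers, so CVE-2014-10000 sorts after CVE-2014-9999.

    A plain string sort puts "CVE-2014-10000" before "CVE-2014-9999", which is
    the ordering pitfall the variable-length sequence number introduced.
    """
    m = CVE_ID_RE.fullmatch(cve_id)
    if not m:
        raise ValueError(f"not a well-formed CVE-ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def extract_cve_ids(text: str) -> List[str]:
    """Unique, well-formed CVE-IDs found in text, in numeric (year, sequence) order."""
    found = {m.group(0) for m in CVE_ID_RE.finditer(text)}
    return sorted(found, key=cve_sort_key)


def cvss2_severity(score: float) -> str:
    """Map a CVSS v2 base score (0.0-10.0) to Low / Medium / High."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    for band, floor in CVSS2_BANDS:
        if score >= floor:
            return band
    return "Low"  # unreachable; kept for clarity


def triage(text: str, scores: Dict[str, float]) -> List[Tuple[str, str]]:
    """Pair every CVE-ID in text with its severity band ("unscored" when no
    score is known), highest band first, numeric CVE order within a band."""
    rank = {"High": 0, "Medium": 1, "Low": 2, "unscored": 3}
    rows = []
    for cve in extract_cve_ids(text):
        band = cvss2_severity(scores[cve]) if cve in scores else "unscored"
        rows.append((cve, band))
    rows.sort(key=lambda r: (rank[r[1]], cve_sort_key(r[0])))
    return rows


# Constructed sample text: loosely modelled on the article quotes in this
# issue, including a missing space before one ID, a duplicate, two IDs that
# expose the string-vs-numeric ordering problem, and two malformed IDs that
# must be ignored.
SAMPLE_TEXT = """
The vulnerability,CVE-2015-3036, allows an unauthenticated attacker on a local
network to trigger a kernel stack buffer overflow. Logjam (CVE-2015-4000) affects
servers that still offer export-grade DHE. VENOM (CVE-2015-3456) was rated 7.5 out
of 10; CVE-2015-3456 is mentioned again here. Sequence numbers grew past four digits
in 2014, so CVE-2014-10000 and CVE-2014-9999 must be compared numerically.
Malformed references such as CVE-15-123 and CVE-2015-12 are not CVE-IDs.
"""

# Illustrative scores for the demo, not NVD data, except the 7.5 quoted in the article.
SAMPLE_SCORES = {"CVE-2015-3456": 7.5, "CVE-2015-3036": 9.3, "CVE-2015-4000": 4.3}

if __name__ == "__main__":
    for cve, band in triage(SAMPLE_TEXT, SAMPLE_SCORES):
        print(f"{cve:<16} {band}")
```

The point of `cve_sort_key` is the one practical consequence of the 2014 syntax change for anyone cross-linking reports, scanners and advisories by CVE-ID: once sequence numbers exceed four digits, any tool that sorts or compares the IDs as strings silently misorders them, so parse the two numeric fields before comparing.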

 

LINKS:

 

Article -

https://techpageone.dell.com/technology/how-to-get-the-cvss-right/

 

CVE-IDs –

https://cve.mitre.org/cve

 

CVSS calculator -

https://nvd.nist.gov

 

News page article -

https://cve.mitre.org/news/index.html#april232015_CVE_Mentioned_in_How_to_Get_the_CVSS_Right_Article_on_Dells_Tech_Page_One_Blog

 

---------------------------------------------------------------

ALSO IN THIS ISSUE:

 

* CVE Mentioned in Article about Vulnerabilities in Hospira Drug Pumps on SC Magazine

 

* CVE Mentioned in Article about WebKit Vulnerabilities in Safari Browser on ThreatPost

 

* CVE and CVSS Mentioned in SANS' "Cyber Threat Intelligence: Who's Using it and How?" Report

 

* "CVE-2015-1835" Cited in Numerous Security Advisories and News Media References about the Apache Cordova Android Vulnerability

 

* "CVE-2015-3456" Cited in Numerous Security Advisories and News Media References about the VENOM Vulnerability

 

* CVE Mentioned in Article about Attackers Exploiting Known but Unpatched Vulnerabilities on TechWeekEurope

 

* CVE Mentioned throughout Article about Verizon's "2015 Data Breach Investigations Report" on Computerworld

 

Read these stories and more news at https://cve.mitre.org/news.

 

---------------------------------------------------------------


 

Tuesday, April 21, 2015

CVE Announce - April 21, 2015 (opt-in newsletter from the CVE Web site)


 

-------------------------------------------------------

CVE-Announce e-newsletter/April 21, 2015

-------------------------------------------------------

 

Contents:

 

1. Products from 2 Organizations Now Registered as Officially "CVE-Compatible"

2. CVE Identifiers Used throughout Google's "Android Security 2014 Year in Review" Report

3. CVE Identifiers Used throughout HP's "HP Cyber Risk Report 2015"

4. Also in this Issue

5. Details/Credits + Subscribing and Unsubscribing

 

 

FEATURE STORY:

 

Products from 2 Organizations Now Registered as Officially "CVE-Compatible"

 

Two additional information security products have achieved the final stage of MITRE's formal CVE Compatibility Process and are now officially "CVE-Compatible." The products are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 147 products to-date have been recognized as officially compatible.

 

The following products are now registered as officially "CVE-Compatible":

 

* ToolsWatch - vFeed API and Vulnerability Database Community

* Beijing Netpower Technologies Inc. - Netpower Network Intrusion Detection System

 

In addition, iScan Online, Inc. declared that its vulnerability detection and financial risk analytics product, Data Breach Risk Intelligence Platform, is CVE-Compatible, and Interition Ltd. declared that its software code knowledge base, Sparqlycode, is CVE-Compatible.

 

For additional information and to review all products and services listed, visit the CVE Compatibility Section on the CVE Web site.

 

LINKS:

 

vFeed API and Vulnerability Database Community –

https://cve.mitre.org/compatible/questionnaires/166.html

 

Netpower Network Intrusion Detection System –

https://cve.mitre.org/compatible/questionnaires/165.html

 

ToolsWatch –

https://www.toolswatch.org/

 

Beijing Netpower Technologies –

http://www.netpower.com.cn/

 

iScan Online, Inc. –

https://www.iscanonline.com/

 

Interition Ltd. –

http://www.interition.net/

 

CVE Compatibility Process –

https://cve.mitre.org/compatible/process.html

 

CVE Compatibility Requirements –

https://cve.mitre.org/compatible/requirements.html

 

Participating Organizations –

https://cve.mitre.org/compatible/organizations.html

 

Make a Declaration –

https://cve.mitre.org/compatible/make_a_declaration.html

 

---------------------------------------------------------------

CVE Identifiers Used throughout Google's "Android Security 2014 Year in Review" Report

 

CVE-IDs are mentioned throughout Google, Inc.'s "Google Report Android Security 2014 Year in Review" to uniquely identify many of the vulnerabilities referenced in the report text. According to Google's "Android Security State of the Union 2014" blog post on April 2, 2015, the report "analyzes billions (!) of data points gathered every day during 2014 and provides comprehensive and in-depth insight into security of the Android ecosystem. We hope this will help us share our approaches and data-driven decisions with the security community in order to keep users safer and avoid risk."

 

Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

 

The free report is available for download at http://googleonlinesecurity.blogspot.com/2015/04/android-security-state-of-union-2014.html.

 

LINKS:

 

Google blog post –

http://googleonlinesecurity.blogspot.com/2015/04/android-security-state-of-union-2014.html

 

Google report –

http://googleonlinesecurity.blogspot.com/2015/04/android-security-state-of-union-2014.html

 

CNAs –

https://cve.mitre.org/cve/cna.html

 

CVE-IDs –

https://cve.mitre.org/cve

 

---------------------------------------------------------------

CVE Identifiers Used throughout HP's "HP Cyber Risk Report 2015"

 

CVE-IDs are cited throughout Hewlett-Packard Development Company, L.P.'s "HP Cyber Risk Report 2015" to uniquely identify many of the vulnerabilities referenced in the report text and charts. In addition, CVE-IDs are a main topic in the "Vulnerabilities and exploits" section of the report, regarding the following discussions: "Top CVE-2014 numbers collected in 2014," "Top CVE-2014 for malware attacks," and "Top CVE numbers seen in 2014."

 

According to HP's "Security Threat Landscape Still Plagued by Known Issues, says HP" press release issued on February 23, 2015, the report provides "in-depth threat research and analysis around the most pressing security issues plaguing the enterprise during the previous year and indicating likely trends for 2015. Authored by HP Security Research, the report examines the data indicating the most prevalent vulnerabilities that leave organizations open to security risks. This year's report reveals that well-known issues and misconfigurations contributed to the most formidable threats in 2014."

 

HP is a CVE Numbering Authority (CNA), assigning CVE-IDs for HP issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

 

The free report is available for download at http://www8.hp.com/us/en/software-solutions/cyber-risk-report-security-vulnerability/index.html?jumpid=reg_r1002_usen_c-001_title_r0001. You must fill out a form to download the report.

 

LINKS:

 

HP press release –

http://www8.hp.com/us/en/hp-news/press-release.html?id=1915228&pageTitle=Security-Threat-Landscape-Still-Plagued-by-Known-Issues,-says-HP#.VTXE8ZO9EnJ

 

HP report –

http://www8.hp.com/us/en/software-solutions/cyber-risk-report-security-vulnerability/index.html?jumpid=reg_r1002_usen_c-001_title_r0001

 

CNAs –

https://cve.mitre.org/cve/cna.html

 

CVE-IDs –

https://cve.mitre.org/cve

 

---------------------------------------------------------------

ALSO IN THIS ISSUE:

 

* CVE Mentioned in Article about a "Critical Backdoor Flaw in OS X 10.10.3" on eWeek

 

* CVE Mentioned in Article about Stuxnet on eWeek

 

* CVE Identifier "CVE-2015-0932" Cited in Numerous Security Advisories and News Media References about a Zero-Day Hotel Wi-Fi Network Vulnerability

 

* CVE Mentioned in Article about a Vulnerability in a Wind Turbine on The Register

 

* CVE Identifier "CVE-2011-2461" Cited in Numerous Security Advisories and News Media References about a Still Exploitable 4-Year-Old Adobe Flex Vulnerability

 

* CVE Identifiers "CVE-2015-0204" and "CVE-2015-0291" Cited in Numerous Security Advisories and News Media References about the FREAK Vulnerability

 

* CVE Included in Google's Recently Updated Vulnerability Disclosure Policy

 

Read these stories and more news at https://cve.mitre.org/news.

 

---------------------------------------------------------------
