Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new versions, upcoming conferences, new Web site features, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for information security vulnerability names. CVE content results from the collaborative efforts of the CVE Editorial Board, which is comprised of leading representatives from the information security community. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/January 21, 2015
-------------------------------------------------------
Contents:
1. First CVE-IDs Issued in New Numbering Format Now Available
2. Technical Guidance & Test Data Available for Updating to the New CVE-ID Format
3. CVE Mentioned in Article about Branding Vulnerabilities with "Catchy Names and Logos" on ZDNet
4. CVE Mentioned in Article about Adopting Open Source on GCN.com
5. Also in this Issue
6. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
First CVE-IDs Issued in New Numbering Format Now Available
The first ever CVE-ID numbers issued in the new CVE-ID numbering format were posted to the CVE List on January 13, 2015 for vulnerabilities disclosed in 2014: CVE-2014-10001 with 5 digits and CVE-2014-100001 with 6 digits.
The format of CVE-ID numbers was changed a year ago this month, in January 2014, so that the CVE project can track 10,000 or more vulnerabilities in a given calendar year. Previously, CVE-IDs were restricted to four digits in the sequence number portion at the end of the ID, for example "CVE-2014-0160", and this four-digit restriction allowed at most 9,999 vulnerabilities per year. With the new format, CVE-ID numbers may have 4, 5, 6, 7, or more digits in the sequence number as needed in a calendar year. For example, the just-released "CVE-2014-10001" has 5 digits in its sequence number and "CVE-2014-100001" has 6, an ID of the form CVE-2014-XXXXXXX would have 7, and so on.
Additional CVE-IDs in the new format with 5 and 6 digits in the sequence number were also issued — CVE-2014-10001 through CVE-2014-10039 with 5 digits, and CVE-2014-100001 through CVE-2014-100038 with 6 digits — also to identify vulnerabilities disclosed in 2014. Enter these CVE-ID numbers in the search field on the CVE List page to learn more about each issue.
Additional details are available in a post on the CVE Editor's Commentary blog on the CVE Website at https://cve.mitre.org/cve/edcommentary.html#january132015_CVE_IDs_Posted_Today_for_the_First_Time_Using_the_New_ID_Syntax.
Please report any problems, or anticipated problems, that you encounter with CVE-IDs issued in the new format to cve-id-change@mitre.org.
LINKS:
CVE-ID Format Change -
https://cve.mitre.org/cve/identifiers/syntaxchange.html
CVE-2014-10001 -
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10001
CVE-2014-100001 -
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-100001
CVE List -
CVE Editor's Commentary blog -
https://cve.mitre.org/cve/edcommentary.html#january132015_CVE_IDs_Posted_Today_for_the_First_Time_Using_the_New_ID_Syntax
CVE News page article -
---------------------------------------------------------------
Technical Guidance & Test Data Available for Updating to the New CVE-ID Format
The format for CVE-IDs changed at the beginning of 2014 and CVE-IDs which previously could only have four fixed digits at the end in the sequence number portion of the ID, e.g., "CVE-2014-0160", can now accommodate five, six, or more digits in the sequence number. Please note, CVE-ID numbers using the new syntax are now being issued, e.g., "CVE-2014-10001" with 5 digits and "CVE-2014-100001" with 6 digits. Organizations that have not updated to the new CVE-ID format risk the possibility that their products and services could break or report inaccurate vulnerability identifiers, which could significantly impact users' vulnerability management practices.
To make it easy to update, the CVE Web site provides free technical guidance and CVE test data for developers and consumers to use to verify that their products and services will work correctly. In addition, for those who use National Vulnerability Database (NVD) data, NIST provides test data in NVD format at http://nvd.nist.gov/cve-id-syntax-change.
Comments or concerns about this guidance and/or the test data are welcome at cve-id-change@mitre.org.
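The two stories above describe the same failure mode from two sides: a product that still assumes a four-digit sequence number will either reject "CVE-2014-10001" or, worse, silently truncate it to "CVE-2014-1000" and report the wrong identifier. The following Python is an added example written for this newsletter (not code from the CVE project or from MITRE's technical-guidance page) showing a legacy extractor with that defect beside a corrected one, plus a numeric sort key, since plain string ordering also puts CVE-2014-10001 before CVE-2014-9999. The advisory text it scans is constructed, and the rule that sequence numbers of five or more digits carry no leading zeros is applied here as this example's reading of the syntax-change guidance.

```python
import re

# Legacy pattern: exactly four sequence digits and no trailing boundary.
# On a 5- or 6-digit ID it matches a 4-digit prefix and reports a wrong ID.
LEGACY_CVE_RE = re.compile(r"CVE-\d{4}-\d{4}")

# New syntax (in effect since January 2014): four OR MORE sequence digits.
# The word boundaries stop a longer ID from being cut down to four digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")


def is_valid_cve_id(candidate: str) -> bool:
    """Validate one ID under the new syntax.

    Rules applied (assumed here from the syntax-change guidance):
      * "CVE-", a four-digit year, then a sequence number of 4+ digits;
      * sequence numbers longer than four digits have no leading zeros,
        so "CVE-2014-0160" is valid but "CVE-2014-010001" is not.
    """
    m = CVE_RE.fullmatch(candidate)
    if not m:
        return False
    seq = m.group(2)
    return len(seq) == 4 or not seq.startswith("0")


def extract_cve_ids_legacy(text: str) -> list:
    """The pre-2014 behaviour: every 5+ digit ID comes back truncated."""
    return LEGACY_CVE_RE.findall(text)


def extract_cve_ids(text: str) -> list:
    """Corrected extractor: full-length IDs only, malformed ones dropped."""
    return [m.group(0) for m in CVE_RE.finditer(text)
            if is_valid_cve_id(m.group(0))]


def cve_sort_key(cve_id: str) -> tuple:
    """Sort numerically by (year, sequence) instead of lexicographically."""
    m = CVE_RE.fullmatch(cve_id)
    if m is None:
        raise ValueError("not a CVE-ID: %r" % cve_id)
    return (int(m.group(1)), int(m.group(2)))


# Constructed sample text; the malformed ID at the end is deliberate.
SAMPLE_TEXT = (
    "Constructed advisory: fixes CVE-2014-0160 (Heartbleed), CVE-2014-6271, "
    "CVE-2014-10001 and CVE-2014-100001; ignore the malformed CVE-2014-010001."
)


def analyze(text: str = SAMPLE_TEXT) -> dict:
    """Compare what the legacy and corrected extractors report for a text."""
    found = extract_cve_ids(text)
    return {
        "legacy": extract_cve_ids_legacy(text),
        "corrected": found,
        "sorted": sorted(found, key=cve_sort_key),
    }


if __name__ == "__main__":
    for label, ids in analyze().items():
        print("%-9s %s" % (label + ":", ids))
```

Running the block on the constructed text shows the legacy extractor reporting "CVE-2014-1000" twice and "CVE-2014-0100" once, none of which is an ID that appears in the text; feeding MITRE's published test data through both functions is the check the technical guidance asks vendors to perform.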
LINKS:
CVE-ID numbering format change -
https://cve.mitre.org/cve/identifiers/syntaxchange.html
Technical guidance -
https://cve.mitre.org/cve/identifiers/tech-guidance.html
Test data -
https://cve.mitre.org/cve/identifiers/tech-guidance.html#test_data
Help -
---------------------------------------------------------------
CVE Mentioned in Article about Branding Vulnerabilities with "Catchy Names and Logos" on ZDNet
CVE is mentioned in a November 25, 2014 article entitled "The branded bug: Meet the people who name vulnerabilities" on ZDNet.com. The main topic of the article is that "As 2014 comes to a close, bugs are increasingly disclosed with catchy names and logos. Heartbleed's branding changed the way we talk about security, but is making a bug 'cool' frivolous or essential?"
CVE is first mentioned in a section of the article entitled "Can attackers be thwarted with marketing?", as follows: "Heartbleed — birth name CVE-2014-0160 — became a household term overnight, even though average households still don't actually understand what it is. The media mostly didn't understand what Heartbleed was either, but its logo was featured on every major news site in the world, and the news spread quickly. Which was good, because for the organizations who needed to remediate Heartbleed, it was critical to move fast."
CVE is mentioned again when the author states: "The next 'big bug' after Heartbleed was Shellshock — real name CVE-2014-6271 [and CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278]. Shellshock didn't have a company's pocketbook or marketing team behind it. So, despite the fact that many said Shellshock was worse than Heartbleed (rated high on severity but low on complexity, making it easy for attackers), creating a celebrity out of Shellshock faced an uphill climb."
Visit CVE-2014-0160 to learn about "Heartbleed" and CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278 to learn more about "Shellshock".
LINKS:
ZDNet article -
http://www.zdnet.com/the-branded-bug-meet-the-people-who-name-vulnerabilities-7000036140/
Heartbleed -
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Shellshock -
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
CVE News page article -
---------------------------------------------------------------
CVE Mentioned in Article about Adopting Open Source on GCN.com
CVE is mentioned in a November 13, 2014 article entitled "6 tips for adopting open source," on GCN.com.
CVE is mentioned in section 4 of the article, "Master navigation of vendor vulnerability databases and tools to minimize vulnerability windows," in which the author states: "When a data center is vulnerable to security flaws, the window of attack needs to be patched immediately. The best way to do so is to choose software that is officially compatible with CVE, the set of standard identifiers for publicly known security vulnerabilities and exposures. When a vulnerability is recognized, it's assigned a CVE number. This gives multiple vendors a single identifier to determine their vulnerability in a consistent and measurable way. Many open source projects and communities don't consistently track against CVEs, but several companies who commercialize these projects do, so choose wisely. In addition to tracking the CVEs, admins can use OpenSCAP to do vulnerability scans. OpenSCAP can use Open Vulnerability and Assessment Language (OVAL) content to scan systems for known vulnerabilities where remediation is available. The trick is to ensure your chosen vendors provide OVAL content consistently, so again, choose wisely."
The article was also posted on November 24, 2014 with the same title, "6 tips for adopting open source," on OpenSource.com.
LINKS:
GCN/OpenSource article -
http://gcn.com/articles/2014/11/13/open-source-adoption-tips.aspx
http://opensource.com/government/14/11/6-tips-adopting-open-source
CVE List -
OpenSCAP -
OVAL -
CVE News page article -
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about Vulnerabilities in Software Libraries on TechWorld.com
* CVE Identifier "CVE-2014-9295" Cited in Numerous Security Advisories and News Media References about the Apple/Linux Network Time Protocol Vulnerability
* CVE Identifier "CVE-2014-9222" Cited in Numerous Security Advisories and News Media References about "Misfortune Cookie" Vulnerability
* CVE Identifier "CVE-2014-9390" Cited in an Article about a Git Source Code Management System Vulnerability on eWeek
Read these stories and more news at http://cve.mitre.org/news
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Editorial Board on all matters related to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".
Copyright 2015, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send an email to cve@mitre.org.
Learn more about Making Security Measurable at http://measurablesecurity.mitre.org and Strengthening Cyber Defense at http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-resources/standards.
