Tuesday, April 21, 2015

CVE Announce - April 21, 2015 (opt-in newsletter from the CVE Web site)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new compatible products, new website features, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is approved by the CVE Editorial Board, which is comprised of leading representatives from the information security community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE Identifiers in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

 

Comments: cve@mitre.org

 

-------------------------------------------------------

CVE-Announce e-newsletter/April 21, 2015

-------------------------------------------------------

 

Contents:

 

1. Products from 2 Organizations Now Registered as Officially "CVE-Compatible"

2. CVE Identifiers Used throughout Google's "Android Security 2014 Year in Review" Report

3. CVE Identifiers Used throughout HP's "HP Cyber Risk Report 2015"

4. Also in this Issue

5. Details/Credits + Subscribing and Unsubscribing

 

 

FEATURE STORY:

 

Products from 2 Organizations Now Registered as Officially "CVE-Compatible"

 

Two additional information security products have achieved the final stage of MITRE's formal CVE Compatibility Process and are now officially "CVE-Compatible." The products are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 147 products to date have been recognized as officially compatible.

 

The following products are now registered as officially "CVE-Compatible":

 

* ToolsWatch - vFeed API and Vulnerability Database Community

* Beijing Netpower Technologies Inc. - Netpower Network Intrusion Detection System

 

In addition, iScan Online, Inc. declared that its vulnerability detection and financial risk analytics product, Data Breach Risk Intelligence Platform, is CVE-Compatible, and Interition Ltd. declared that its software code knowledge base, Sparqlycode, is CVE-Compatible.

 

For additional information and to review all products and services listed, visit the CVE Compatibility Section on the CVE Web site.

 

LINKS:

 

vFeed API and Vulnerability Database Community –

https://cve.mitre.org/compatible/questionnaires/166.html

 

Netpower Network Intrusion Detection System –

https://cve.mitre.org/compatible/questionnaires/165.html

 

ToolsWatch –

https://www.toolswatch.org/

 

Beijing Netpower Technologies –

http://www.netpower.com.cn/

 

iScan Online, Inc. –

https://www.iscanonline.com/

 

Interition Ltd. –

http://www.interition.net/

 

CVE Compatibility Process –

https://cve.mitre.org/compatible/process.html

 

CVE Compatibility Requirements –

https://cve.mitre.org/compatible/requirements.html

 

Participating Organizations –

https://cve.mitre.org/compatible/organizations.html

 

Make a Declaration –

https://cve.mitre.org/compatible/make_a_declaration.html

 

---------------------------------------------------------------

CVE Identifiers Used throughout Google's "Android Security 2014 Year in Review" Report

 

CVE-IDs are mentioned throughout Google, Inc.'s "Google Report Android Security 2014 Year in Review" to uniquely identify many of the vulnerabilities referenced in the report text. According to Google's "Android Security State of the Union 2014" blog post on April 2, 2015, the report "analyzes billions (!) of data points gathered every day during 2014 and provides comprehensive and in-depth insight into security of the Android ecosystem. We hope this will help us share our approaches and data-driven decisions with the security community in order to keep users safer and avoid risk."

 

Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

 

The free report is available for download at http://googleonlinesecurity.blogspot.com/2015/04/android-security-state-of-union-2014.html.

 

LINKS:

 

Google blog post –

http://googleonlinesecurity.blogspot.com/2015/04/android-security-state-of-union-2014.html

 

Google report –

http://googleonlinesecurity.blogspot.com/2015/04/android-security-state-of-union-2014.html

 

CNAs –

https://cve.mitre.org/cve/cna.html

 

CVE-IDs –

https://cve.mitre.org/cve

 

---------------------------------------------------------------

CVE Identifiers Used throughout HP's "HP Cyber Risk Report 2015"

CVE-IDs are cited throughout Hewlett-Packard Development Company, L.P.'s "HP Cyber Risk Report 2015" to uniquely identify many of the vulnerabilities referenced in the report text and charts. In addition, CVE-IDs are a main topic in the "Vulnerabilities and exploits" section of the report, regarding the following discussions: "Top CVE-2014 numbers collected in 2014," "Top CVE-2014 for malware attacks," and "Top CVE numbers seen in 2014."

 

According to HP's "Security Threat Landscape Still Plagued by Known Issues, says HP" press release issued on February 23, 2015, the report provides "in-depth threat research and analysis around the most pressing security issues plaguing the enterprise during the previous year and indicating likely trends for 2015. Authored by HP Security Research, the report examines the data indicating the most prevalent vulnerabilities that leave organizations open to security risks. This year's report reveals that well-known issues and misconfigurations contributed to the most formidable threats in 2014."

 

HP is a CVE Numbering Authority (CNA), assigning CVE-IDs for HP issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

 

The free report is available for download at http://www8.hp.com/us/en/software-solutions/cyber-risk-report-security-vulnerability/index.html?jumpid=reg_r1002_usen_c-001_title_r0001. You must fill out a form to download the report.

 

LINKS:

 

HP press release –

http://www8.hp.com/us/en/hp-news/press-release.html?id=1915228&pageTitle=Security-Threat-Landscape-Still-Plagued-by-Known-Issues,-says-HP#.VTXE8ZO9EnJ

 

HP report –

http://www8.hp.com/us/en/software-solutions/cyber-risk-report-security-vulnerability/index.html?jumpid=reg_r1002_usen_c-001_title_r0001

 

CNAs –

https://cve.mitre.org/cve/cna.html

 

CVE-IDs –

https://cve.mitre.org/cve

 

---------------------------------------------------------------

ALSO IN THIS ISSUE:

 

* CVE Mentioned in Article about a "Critical Backdoor Flaw in OS X 10.10.3" on eWeek

 

* CVE Mentioned in Article about Stuxnet on eWeek

 

* CVE Identifier "CVE-2015-0932" Cited in Numerous Security Advisories and News Media References about a Zero-Day Hotel Wi-Fi Network Vulnerability

 

* CVE Mentioned in Article about a Vulnerability in a Wind Turbine on The Register

 

* CVE Identifier "CVE-2011-2461" Cited in Numerous Security Advisories and News Media References about a Still Exploitable 4-Year-Old Adobe Flex Vulnerability

 

* CVE Identifiers "CVE-2015-0204" and "CVE-2015-0291" Cited in Numerous Security Advisories and News Media References about the FREAK Vulnerability

 

* CVE Included in Google's Recently Updated Vulnerability Disclosure Policy

 

Read these stories and more news at https://cve.mitre.org/news.

 

---------------------------------------------------------------

Details/Credits + Subscribing and Unsubscribing

 

Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

 

Copyright 2015, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).

 

For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send an email to cve@mitre.org.