Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new compatible products, new website
features, CVE in the news, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is
approved by the CVE Editorial Board, which is comprised of leading representatives from
the information security community. CVE Numbering Authorities (CNAs) are major OS
vendors, security researchers, and research organizations that assign CVE Identifiers to
newly discovered issues without directly involving MITRE in the details of the specific
vulnerabilities, and include the CVE Identifiers in the first public disclosure of the
vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are
at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/March 23, 2016
-------------------------------------------------------
Contents:
1. Status Update from the CVE Project
2. FOCUS ON: CVE Numbering Authorities (CNAs)
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
Status Update from the CVE Project
The recent explosion of Internet-enabled devices - known as the Internet of Things - as
well as the propagation of software-based functionality in systems has led to a huge
increase in the number of CVE requests we have been receiving on a daily basis. We did
not anticipate this rate of growth, and, as a result, were not as prepared for the
latest surge in requests over the past 12 months as we had hoped. The result has been
some of the delay in CVE assignments that the software security community has recently
witnessed.
We recognize the inconvenience that has resulted, and are working hard to come up with a
solution.
Last week, we proposed a possible option to our CVE Editorial Board, but some members
raised concerns about the approach, and we have withdrawn it from consideration. We are
working diligently to come up with a solution that will meet the needs of all the
various use cases of CVE.
Updates as they become available will be posted to https://cve.mitre.org/.
LINKS:
CVE List -
https://cve.mitre.org/cve/
CVE Editorial Board -
https://cve.mitre.org/community/board/
Questions -
cve@mitre.org
---------------------------------------------------------------
FOCUS ON: CVE Numbering Authorities (CNAs)
CVE Numbering Authorities, or CNAs, are the main method for requesting a CVE-ID number.
CNAs are major OS vendors, security researchers, and research organizations that assign
CVE-IDs to newly discovered issues without directly involving MITRE in the details of
the specific vulnerabilities, and include the CVE-ID numbers in the first public
disclosure of the vulnerabilities.
The following organizations currently participate as CNAs:
* Adobe (Adobe issues only)
* Apple (Apple issues only)
* Attachmate (Attachmate/Novell/SUSE/NetIQ issues only)
* BlackBerry (BlackBerry issues only)
* CERT/CC
* Cisco Systems, Inc. (Cisco issues only)
* Debian GNU/Linux (Linux issues only)
* EMC (EMC issues only)
* FreeBSD (primarily FreeBSD issues only)
* Google (Chrome, Chrome OS, and Android Open Source Project issues only)
* HP (HP issues only)
* IBM Corporation (IBM issues only)
* ICS-CERT
* JPCERT/CC
* Microsoft (Microsoft issues only)
* MITRE (primary CNA)
* Mozilla (Mozilla issues only)
* Oracle (Oracle issues only)
* Red Hat (Linux issues only)
* Silicon Graphics (SGI issues only)
* Symantec (Symantec issues only)
* Ubuntu Linux (Linux issues only)
A message about turnaround times for requesting CVE-ID numbers from MITRE is included
above as the Feature Story of this newsletter. For more information about requesting
CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page on the CVE website at
https://cve.mitre.org/cve/cna.html.
LINKS:
CNAs -
https://cve.mitre.org/cve/cna.html
CVE-ID numbers -
https://cve.mitre.org/cve/identifiers/index.html#defined
CVE List -
https://cve.mitre.org/cve/
Questions -
cve@mitre.org
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about Three Critical Vulnerabilities in Symantec Endpoint
Protection on InfoWorld
* CVE Mentioned in Article about a Linux Kernel Vulnerability in Android on eWeek
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related
to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".
Copyright 2016, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of
Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications)
at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE website at https://cve.mitre.org or send
an email to cve@mitre.org.
Wednesday, March 23, 2016
Tuesday, March 15, 2016
CVE Announce - March 15, 2016 (opt-in newsletter from the CVE Web site)
Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new compatible products, new website
features, CVE in the news, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is
approved by the CVE Editorial Board, which is comprised of leading representatives from
the information security community. CVE Numbering Authorities (CNAs) are major OS
vendors, security researchers, and research organizations that assign CVE Identifiers to
newly discovered issues without directly involving MITRE in the details of the specific
vulnerabilities, and include the CVE Identifiers in the first public disclosure of the
vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are
at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/March 15, 2016
-------------------------------------------------------
Contents:
1. Important Message from the CVE Project
2. CVE Mentioned in Article about Tripwire's "2016 Patch Management Study" on Dark
Reading
3. CVE Mentioned in Article about the DROWN Vulnerability on Softpedia
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
Important Message from the CVE Project
CVE has been experiencing an unprecedented demand for vulnerability IDs. We look forward
to working with the CVE Editorial Board and the broader vulnerability management
community to significantly improve stakeholder communication, and improve and scale CVE
operations to reduce ID assignment response times and increase product coverage. Details
as they become available will be posted to http://cve.mitre.org/.
LINKS:
CVE List - https://cve.mitre.org/cve/
CVE Editorial Board - https://cve.mitre.org/community/board/
Questions - cve@mitre.org
---------------------------------------------------------------
CVE Mentioned in Article about Tripwire's "2016 Patch Management Study" on Dark Reading
CVE is mentioned in a March 8, 2016 article entitled "Patch Management Still Plagues
Enterprise" on Dark Reading. The main topic of the article is that "In spite of years of
data showing effective patch management to be some of the lowest-hanging fruit in
improving IT risk management, half of enterprises today still aren't getting it right.
So says a new survey out today [by Tripwire, Inc.], which queried over 480 IT
professionals on their patch management practices."
CVE is mentioned in a quote by Tim Erlin, Director, Product Management, Security and IT
Risk Strategist at Tripwire, who states: "The fact is that we, as an industry,
consistently conflate vulnerabilities with patches. They are not the same thing! The
fact is, we identify known vulnerabilities with CVE IDs, and vendors release increments
of code that address some of those CVE IDs. It's not a one-to-one relationship, except
when it is, and bundles are common, except from vendors who don't roll up patches.
Sometimes patches don't fix all the vulnerabilities, and sometimes they fix multiple
vulnerabilities on some platforms but not others. Sometimes a patch is an upgrade,
sometimes it's not, and sometimes you can apply an individual patch or an upgrade to fix
disparate but overlapping sets of vulnerabilities."
The "Tripwire 2016 Patch Management Study" findings are free to read at
http://www.tripwire.com/company/research/tripwire-2016-patch-management-study/.
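The many-to-many relationship Erlin describes (one patch bundling several CVE IDs, the same CVE reachable through a patch or an upgrade, coverage differing by platform) is easy to get wrong when a tracker counts patches instead of CVE IDs. The following is an added example, not code from the newsletter, Tripwire or MITRE; the patch names, platform names and CVE-0000-000N identifiers are constructed placeholders.

```python
"""Reconcile applied patches against tracked CVE IDs, per platform.

Constructed data, not from any vendor advisory: the patch names and the
CVE-0000-000N identifiers are placeholders used only to illustrate the
many-to-many relationship between patches and CVE IDs.
"""
from collections import defaultdict

# patch -> {platform -> set of CVE IDs that patch addresses on that platform}
PATCHES = {
    # A bundle: fixes three CVEs on 'current' but only two on 'legacy'.
    "PATCH-A": {
        "current": {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"},
        "legacy": {"CVE-0000-0001", "CVE-0000-0002"},
    },
    # A single-issue patch that exists for the current platform only.
    "PATCH-B": {
        "current": {"CVE-0000-0004"},
    },
    # An upgrade whose coverage overlaps PATCH-A and PATCH-B.
    "UPGRADE-2": {
        "current": {"CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"},
        "legacy": {"CVE-0000-0002", "CVE-0000-0003"},
    },
}


def cves_fixed(patches, platform, applied):
    """CVE IDs actually addressed on `platform` by the applied patches."""
    fixed = set()
    for name in applied:
        # Unknown patch or patch with no build for this platform fixes nothing.
        fixed |= patches.get(name, {}).get(platform, set())
    return fixed


def residual_cves(patches, platform, applied, tracked):
    """Tracked CVE IDs still open on a host of `platform` after `applied`."""
    return sorted(set(tracked) - cves_fixed(patches, platform, applied))


def cve_to_patches(patches, platform):
    """Inverse index: for each CVE ID, every patch that fixes it on `platform`."""
    index = defaultdict(set)
    for name, per_platform in patches.items():
        for cve in per_platform.get(platform, ()):
            index[cve].add(name)
    return dict(index)


if __name__ == "__main__":
    tracked = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"}
    # Same patch, different platforms: the legacy host keeps two open CVEs.
    print(residual_cves(PATCHES, "current", ["PATCH-A"], tracked))
    print(residual_cves(PATCHES, "legacy", ["PATCH-A"], tracked))
    # Two routes to the same CVE: an individual patch or an upgrade.
    print(sorted(cve_to_patches(PATCHES, "current")["CVE-0000-0004"]))
```

Counting by CVE ID rather than by patch is what makes the legacy host's remaining exposure visible; a per-patch count would report both hosts as equally patched.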
LINKS:
Dark Reading article -
http://www.darkreading.com/endpoint/patch-management-still-plagues-enterprise/d/d-id/1324615
CVE-IDs -
https://cve.mitre.org/cve
News page article -
https://cve.mitre.org/news/index.html#march102016_CVE_Mentioned_in_Article_about_Tripwire%27s_2016_Patch_Management_Study_on_Dark_Reading
---------------------------------------------------------------
CVE Mentioned in Article about the DROWN Vulnerability on Softpedia
CVE is mentioned in a March 1, 2016 article entitled "A Third of All HTTPS Websites Are
Vulnerable to the DROWN Attack" on Softpedia.
CVE is mentioned when the author states: "The OpenSSL project has released versions
1.0.2g and 1.0.1s to address a high severity security issue known as the DROWN attack
(CVE-2016-0800) which allows attackers to break HTTPS and steal encrypted information.
DROWN stands for 'Decrypting RSA using Obsolete and Weakened eNcryption'. At its
core, the principle behind the DROWN attack relies on the presence of both the SSLv2 and
TLS protocols on target machines. DROWN is a cross-protocol attack, meaning it will use
weaknesses in the SSLv2 implementation against TLS."
Visit the CVE Identifier page for CVE-2016-0800 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800 to learn more about this
issue.
LINKS:
Softpedia article -
http://news.softpedia.com/news/a-third-of-all-https-websites-are-vulnerable-to-the-drown-attack-501202.shtml
CVE-IDs -
https://cve.mitre.org/cve
News page article -
https://cve.mitre.org/news/index.html#march22016_CVE_Mentioned_in_Article_about_the_DROWN_Vulnerability_on_Softpedia
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about Three Critical Chrome Vulnerabilities on ThreatPost
* CVE Mentioned in Article about Multiple Android Vulnerabilities on InfoWorld
* CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for March on ThreatPost
* CVE Mentioned in Article about Vulnerabilities in Adobe Acrobat and Reader on
ThreatPost
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related
to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".
Copyright 2016, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of
Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications)
at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send
an email to cve@mitre.org.
