Thursday, June 30, 2016

CVE Announce - June 30, 2016 (opt-in newsletter from the CVE Web site)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new compatible products, new website
features, CVE in the news, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is
approved by the CVE Editorial Board, which is comprised of leading representatives from
the information security community. CVE Numbering Authorities (CNAs) are major OS
vendors, security researchers, and research organizations that assign CVE Identifiers to
newly discovered issues without directly involving MITRE in the details of the specific
vulnerabilities, and include the CVE Identifiers in the first public disclosure of the
vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are
at the end. Please feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/June 30, 2016
-------------------------------------------------------

Contents:

1. Two New Organizations Added as CVE Numbering Authorities (CNAs): Hewlett Packard
Enterprise and HP Inc.
2. Minutes from CVE Editorial Board Teleconference Meeting on June 1 Now Available
3. CVE Mentioned in Article about the Android "Godless" Malware on Top Tech News
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

Two New Organizations Added as CVE Numbering Authorities (CNAs): Hewlett Packard
Enterprise and HP Inc.

Hewlett Packard Enterprise (HPE) and HP Inc. are now CNAs. HPE is a CNA for HPE issues
only, and HP Inc. is a CNA for HP Inc. issues only. In 2015, Hewlett-Packard Company,
which was formerly a single CNA, split into two separate organizations - Hewlett Packard
Enterprise and HP Inc. - both of which are now participating as CNAs for their own
issues.

CNAs are major OS vendors, security researchers, and research organizations that assign
CVE-IDs to newly discovered issues without directly involving MITRE in the details of
the specific vulnerabilities, and include the CVE-ID numbers in the first public
disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE-ID number. The following 25 organizations
currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco;
Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; HPE;
IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red
Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering
Authorities page on the CVE website at https://cve.mitre.org/cve/cna.html.

LINKS:

HPE -
https://www.hpe.com/

HP Inc. -
http://www.hp.com/

CNAs -
https://cve.mitre.org/cve/cna.html

CVE-ID numbers -
https://cve.mitre.org/cve/identifiers/index.html#defined

CVE List -
https://cve.mitre.org/cve/

CVE News page articles -
https://cve.mitre.org/news/index.html#june292016_Hewlett_Packard_Enterprise_Added_as_CVE_Numbering_Authority_CNA

https://cve.mitre.org/news/index.html#june292016_HP_Inc._Added_as_CVE_Numbering_Authority_CNA

---------------------------------------------------------------
Minutes from CVE Editorial Board Teleconference Meeting on June 2 Now Available

The CVE Editorial Board held a teleconference meeting on June 2, 2016. Read the meeting
minutes at https://cve.mitre.org/data/board/archives/2016-06/msg00024.html.

OTHER LINKS:

CVE Editorial Board -
https://cve.mitre.org/community/board/

CVE News page article -
https://cve.mitre.org/news/index.html#june292016_Minutes_from_CVE_Editorial_Board_Teleconference_Meeting_on_June_2_Now_Available


---------------------------------------------------------------
CVE Mentioned in Article about the Android "Godless" Malware on Top Tech News

CVE is mentioned in a June 22, 2016 article entitled "New 'Godless' Malware Targets
Android Mobile Devices" on Top Tech News. The main topic of the article is the discovery
of the "Godless" family of malware targeting Android mobile devices, which uses multiple
exploits to root users' devices and can root 90% of Android phones.

CVE is mentioned in a section of the article entitled "Bypassing Security Checks," when
the author states: "Godless is similar to an exploit kit ... [with a framework that] has
various exploits in its arsenal that it can use to root a number of different
Android-based devices. The two most prominent vulnerabilities targeted by the rooting
kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the
Towelroot exploit). By gaining root privilege, Godless can connect to a
command-and-control (C&C) server capable of delivering remote instructions that force
the device to download and install additional apps without the user's knowledge. At
best, a user receives unwanted apps on the phones. At worst, the same technique can be
used to install a backdoor or spy on the user."

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome,
Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security
researchers, and research organizations that assign CVE-IDs to newly discovered issues
without directly involving MITRE in the details of the specific vulnerabilities, and
include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit the CVE Identifier page for CVE-2015-3636 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3636, and the CVE Identifier
page for CVE-2014-3153 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153,
to learn more about these issues.

LINKS:

Top Tech News article -
http://www.toptechnews.com/article/index.php?story_id=1210046ADYM0

CVE-IDs -
https://cve.mitre.org/cve

CNAs -
https://cve.mitre.org/cve/cna.html

CVE News page article -
https://cve.mitre.org/news/index.html#june292016_CVE_Mentioned_in_Article_about_the_Android_Godless_Malware_on_Top_Tech_News

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for June on SC Magazine

* CVE Mentioned in Article about a Zero-Day Adobe Flash Vulnerability on SC Magazine

* CVE Mentioned in Article about a Vulnerability in Patient Medical Data Tracking
Software on The Register

Read these stories and more news at https://cve.mitre.org/news.

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Joe Sain, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related
to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".

Copyright 2016, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of
Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications)
at the U.S. Department of Homeland Security (www.dhs.gov).

For more information about CVE, visit the CVE website at https://cve.mitre.org or send
an email to cve@mitre.org.