Thursday, May 11, 2017

CVE Announce - May 11, 2017 (opt-in newsletter from the CVE website)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new website features, new CNAs, CVE in
the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is
the standard for cybersecurity vulnerability names. The CVE Board provides oversight and
input into CVE's strategic direction, ensuring CVE meets the vulnerability
identification needs of the technology community. CVE Numbering Authorities (CNAs) are
major OS vendors, security researchers, and research organizations that assign CVE
Identifiers (CVE IDs) to newly discovered issues without directly involving MITRE in the
details of the specific vulnerabilities, and include the CVE IDs in the first public
disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the
email newsletter are at the end. Please feel free to pass this newsletter on to
interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/May 11, 2017
-------------------------------------------------------

Contents:

1. IMPORTANT: CVE Will Reject a Group of Unused CVE IDs on May 11
2. CVE Blog: "Why is a CVE entry marked as "RESERVED" when a CVE ID is being publicly
used?"
3. New CVE Board Member from Lenovo
4. Follow us on LinkedIn and Twitter
5. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

IMPORTANT: CVE Will Reject a Group of Unused CVE IDs on May 11

To help reduce the number of reserved but unused CVE Identifiers (CVE IDs) in the CVE
List, the CVE Team will reject CVE IDs that CVE Numbering Authorities (CNAs) have indicated
as being unused from their prior CVE ID allocations.

The CVE IDs affected include those from years 1999 through 2016. CVE List consumers will
see 3,306 reserved CVE IDs become rejected in an update on May 11, 2017.

WHAT TO EXPECT

Once these CVE IDs are rejected, the Description portion of each CVE ID will be updated
with the text below, with [Year] replacing the four-digit year:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or
individual who requested this candidate did not associate it with any vulnerability
during [Year]. Notes: none.

For additional information about CVE IDs marked as RESERVED and REJECT, please see "Why
is a CVE entry marked as "RESERVED" when a CVE ID is being publicly used?" and "What
does it mean when a CVE Identifier is marked "REJECT"?".
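
For a CVE List consumer, the practical effect is a batch of descriptions changing from RESERVED to the REJECT text quoted above. The following Python is an added example, not part of the newsletter or of any MITRE tooling: it classifies description strings and reports the IDs that moved from RESERVED to the unused-ID REJECT text between two snapshots. The snapshot dictionaries, placeholder IDs and function names are constructed for illustration, and the `** RESERVED **` prefix is assumed to mark reserved entries.

```python
import re

# REJECT text quoted in the newsletter; [Year] becomes a four-digit year.
UNUSED_REJECT = re.compile(
    r"^\*\* REJECT \*\* DO NOT USE THIS CANDIDATE NUMBER\. ConsultIDs: none\. "
    r"Reason: The CNA or individual who requested this candidate did not "
    r"associate it with any vulnerability during (\d{4})\. Notes: none\.$"
)

def classify(description):
    """Return (status, year) for one CVE List description string."""
    text = " ".join(description.split())  # feeds re-wrap lines; normalize
    m = UNUSED_REJECT.match(text)
    if m:
        return ("REJECT_UNUSED", int(m.group(1)))
    if text.startswith("** REJECT **"):
        return ("REJECT_OTHER", None)  # rejected for some other reason
    if text.startswith("** RESERVED **"):  # assumed marker for reserved entries
        return ("RESERVED", None)
    return ("PUBLISHED", None)

def reserved_to_unused_reject(before, after):
    """Map of IDs that were RESERVED in `before` and REJECT_UNUSED in `after`."""
    moved = {}
    for cve_id, desc in after.items():
        status, year = classify(desc)
        was = classify(before[cve_id])[0] if cve_id in before else None
        if status == "REJECT_UNUSED" and was == "RESERVED":
            moved[cve_id] = year
    return moved

# Constructed snapshots (placeholder IDs, not real CVE entries).
BEFORE = {
    "CVE-EXAMPLE-0001": "** RESERVED ** constructed placeholder text",
    "CVE-EXAMPLE-0002": "** RESERVED ** constructed placeholder text",
    "CVE-EXAMPLE-0003": "Constructed description of a published issue.",
}
AFTER = {
    "CVE-EXAMPLE-0001": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. "
        "ConsultIDs: none. Reason: The CNA or\nindividual who requested this "
        "candidate did not associate it with any vulnerability\nduring 2016. "
        "Notes: none.",
    "CVE-EXAMPLE-0002": "** RESERVED ** constructed placeholder text",
    "CVE-EXAMPLE-0003": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. "
        "ConsultIDs: none. Reason: constructed other reason. Notes: none.",
}

if __name__ == "__main__":
    print(reserved_to_unused_reject(BEFORE, AFTER))
```

Entries reported by `reserved_to_unused_reject` can be dropped from any watch list of reserved IDs, while `REJECT_OTHER` entries carry a different reason and are kept separate.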

MOVING FORWARD

Each year, CNAs are given blocks of CVE IDs that are marked as RESERVED in the CVE List
until they are assigned to a vulnerability and published. CNAs often do not use all the
CVE IDs they are allocated, which leaves many reserved CVE IDs that will never be
assigned to a vulnerability. As a result, the unused CVE IDs need to be moved from
RESERVED to REJECT status to avoid confusion and make it clear to CVE List consumers
that the unused CVE IDs do not represent unannounced vulnerabilities.

Moving forward, the CVE Team will now ask CNAs for their lists of unused CVE IDs from
their allocations at the start of each new calendar year, and those unused CVE IDs will
be updated to REJECT status at that time.

If you have any comments or concerns about this process, please contact us using the CVE
Request web form at https://cveform.mitre.org/.

LINKS:

CVE Identifier -
https://cve.mitre.org/about/faqs.html#what_is_cve_identifier

CVE List -
https://cve.mitre.org/cve/cve.html

CNAs -
https://cve.mitre.org/cve/cna.html

Description in a CVE ID -
https://cve.mitre.org/about/faqs.html#cve_id_descriptions_created

CVE ID marked RESERVED -
https://cve.mitre.org/about/faqs.html#why_CVE_ID_marked_RESERVED_when_being_publicly_used

CVE ID marked REJECT -
https://cve.mitre.org/about/faqs.html#reject_signify_in_cve_id

CVE News page article -
https://cve.mitre.org/news/archives/2017/news.html#May102017_IMPORTANT_CVE_Will_Reject_a_Group_of_Unused_CVE_IDs_on_May_11


---------------------------------------------------------------
New CVE Blog Post: "Why is a CVE entry marked as "RESERVED" when a CVE ID is being
publicly used?"

A CVE Identifier (CVE ID) is marked as "RESERVED" when it has been reserved for use by a
CVE Numbering Authority (CNA) or security researcher, but the details of it are not yet
included in the CVE entry. Often, this is because the original requester of the CVE ID
assignment has not sent an update to MITRE with the information needed to populate the
CVE entry.

If you are aware of a CVE ID that is being used publicly but is not yet included in the
CVE List, you can request that the CVE ID be updated through the CVE Request web form.
MITRE will coordinate with the original requester to have the missing public information
added to the entry.

CVE IDs are made public on countless forums, mailing lists, and other publications. CVE
ID entries cannot be published without public references and other descriptive
information. Searching the Internet for any public reference to a reserved CVE ID is a
non-trivial problem to solve, and MITRE must rely on the community to assist with
updating CVE information as it becomes public. MITRE is looking for new ways to automate
and expand discovery processes, but the scale and breadth of the searchable space are
growing exponentially. We hope that stakeholders will assist with this process by
notifying MITRE when they see a discrepancy, and MITRE will work to quickly and
accurately update outdated entries that are reported to them.

Do you have a suggestion for how MITRE could more effectively find public references
scattered around the (ever-growing) Internet? You can share your ideas through the CVE
Request web form or by emailing us at cve@mitre.org.

We look forward to hearing from you!

LINKS:

CVE Blog post -
https://cve.mitre.org/blog/index.html#may102017_Why_is_a_CVE_entry_marked_as_RESERVED_when_a_CVE_ID_is_being_publicly_used

CVE Identifier -
https://cve.mitre.org/about/faqs.html#what_is_cve_identifier

CNAs -
https://cve.mitre.org/cve/cna.html

CVE ID marked RESERVED -
https://cve.mitre.org/about/faqs.html#why_CVE_ID_marked_RESERVED_when_being_publicly_used

CVE Request web form -
https://cveform.mitre.org/

---------------------------------------------------------------
New CVE Board Member from Lenovo

Beverly Finch of Lenovo Group Ltd. has joined the CVE Board.

Read the full announcement and welcome message in the CVE Board email discussion list
archive at https://cve.mitre.org/data/board/archives/2017-05/msg00036.html.

LINKS:

Lenovo -
http://www.lenovo.com/

CVE Board -
https://cve.mitre.org/community/board/index.html

CVE News page article -
https://cve.mitre.org/news/archives/2017/news.html#may112017_New_CVE_Board_Member_from_Lenovo

---------------------------------------------------------------
Follow us on LinkedIn and Twitter

Please follow us on Twitter for the latest from CVE:

* Feed of the latest CVE IDs -
https://twitter.com/CVEnew/

* Feed of news and announcements about CVE -
https://twitter.com/CVEannounce/

Please also visit us on LinkedIn to more easily comment on our news articles and CVE
Blog posts:

* CVE-CWE-CAPEC on LinkedIn -
https://www.linkedin.com/company/11033649

* CVE Blog -
https://cve.mitre.org/blog/

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Board and CVE Numbering Authorities on all matters related to
ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".

Copyright 2017, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the Office of
Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications)
at the U.S. Department of Homeland Security (www.dhs.gov).

For more information about CVE, visit the CVE website at https://cve.mitre.org or send
an email to cve@mitre.org.
