Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new website features, new CNAs, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cybersecurity vulnerability names. The CVE Board provides oversight and input into CVE's strategic direction, ensuring CVE meets the vulnerability identification needs of the technology community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers (CVE IDs) to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/June 29, 2017
-------------------------------------------------------
Contents:
1. CVE Adds 3 New CVE Numbering Authorities (CNAs): Netflix, Trend Micro, and Zero Day Initiative
2. FOCUS ON: Marking a CVE ID "REJECT" Is Not Permanent; It Can Be Updated and Added to the CVE List
3. Follow us on LinkedIn and Twitter
4. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Adds 3 New CVE Numbering Authorities (CNAs): Netflix, Trend Micro, and Zero Day Initiative
The following two software vendors and one third-party coordinator are now CVE Numbering Authorities (CNAs): Netflix, Inc. for Netflix Mobile Streaming Application and Netflix Open Source projects only; Trend Micro, Inc. for Trend Micro issues only; and Zero Day Initiative, as a third-party coordinator, for products and projects covered by its bug bounty programs not already covered by another CNA.
CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 65 organizations currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Eclipse Foundation; Elastic; F5; Flexera Software; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Netflix; Netgear; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Qihoo 360; Qualcomm; Rapid 7; Red Hat; Schneider Electric; Siemens; Silicon Graphics; Symantec; Synology; Talos; TIBCO; Trend Micro; VMware; Yandex; and Zero Day Initiative.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID on the CVE website at https://cve.mitre.org/cve/request_id.html.
LINKS:
Netflix -
http://www.netflix.com/
Trend Micro -
https://www.trendmicro.com/
Zero Day Initiative -
http://www.zerodayinitiative.com/
CNAs -
https://cve.mitre.org/cve/cna.html
Request a CVE ID from a CNA -
https://cve.mitre.org/cve/request_id.html
Become a CNA -
https://cve.mitre.org/cve/cna.html#become_a_cna
CVE News page article -
https://cve.mitre.org/news/archives/2017/news.html#June292017_CVE_Adds_3_New_CVE_Numbering_Authorities_CNAs_Netflix_Trend_Micro_and_Zero_Day_Initiative
---------------------------------------------------------------
FOCUS ON: Marking a CVE ID "REJECT" Is Not Permanent; It Can Be Updated and Added to the CVE List
The CVE Team and CVE Board have recently revisited the use of CVE Identifier (CVE ID) states — REJECT, RESERVED, DISPUTED — and are planning to make some necessary changes to them in the coming months.
One of the changes recently discussed was in how the "REJECT" state is applied, and specifically whether a REJECT CVE ID can change states again at a later date.
* What REJECT Means for a CVE ID
As a recap, a CVE ID marked as REJECT is a CVE ID that is not accepted as a CVE ID. The reason a CVE ID is marked REJECT will most often be stated in the Description of the CVE ID. Possible examples include it being a duplicate CVE ID, it being withdrawn by the original requester, it being assigned incorrectly, or some other administrative reason.
As a rule, REJECT CVE IDs should be ignored. However, there may be cases where a CVE ID previously marked as REJECT might need to move back to RESERVED or a populated state (i.e., the details and References are published and included).
* A REJECT State Is Not Permanent
The CVE Team and CVE Board agree that the REJECT state should NOT be considered permanent, and that changes to this CVE ID state should be allowed in the future.
An example case could include a simple accidental REJECT, where a CVE ID was marked as REJECT by a CVE Numbering Authority (CNA) but the CVE ID was used publicly. In this case, it would create more confusion and additional work to REJECT the already used CVE ID, assign a new CVE ID, and also make sure that all public references are updated. The change discussed here would be to simply change the REJECT CVE ID and populate it with the details that were intended.
Both the CVE Team and CVE Board agree that some downstream consumers of CVE may currently be interpreting the REJECT state as permanent, assuming that the CVE ID will never change in the future. It was also agreed that the community should be given proper notice of this change in the use of the REJECT state.
* Moving Forward
This announcement serves as notice that beginning July 27, 2017, CVE IDs in the REJECT state can be changed to another state at any time as appropriate.
If you have any comments or concerns about this change, please send them to our CVE Request web form at https://cveform.mitre.org/ and select the Other request type.
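For downstream consumers affected by this change, the following is an added example (not MITRE code) of how a feed consumer can detect CVE IDs that leave the REJECT state between two snapshots and re-ingest them instead of treating the earlier REJECT as a permanent "ignore" decision. It assumes a simple record format (id plus description) and that a record's state is signalled by a "** REJECT **" or "** RESERVED **" marker at the start of the description; the sample snapshots and CVE IDs are constructed placeholders.

```python
"""Detect CVE IDs that leave the REJECT state between two feed snapshots.

Added example, not MITRE code. Assumes a minimal record format (id,
description) and that the state is signalled by a leading '** REJECT **'
or '** RESERVED **' marker in the description; anything else is treated
as a populated entry.
"""
import re

STATE_MARKER = re.compile(r"^\*\*\s*(REJECT|RESERVED)\s*\*\*", re.IGNORECASE)


def state_of(record):
    """Return 'REJECT', 'RESERVED' or 'POPULATED' for one feed record."""
    m = STATE_MARKER.match(record.get("description", "").strip())
    return m.group(1).upper() if m else "POPULATED"


def reject_transitions(old_feed, new_feed):
    """Map id -> new state for IDs that were REJECT before and are not now.

    A consumer that dropped REJECT IDs permanently would miss these; the
    returned IDs should be re-ingested and their advisories re-checked.
    """
    old_states = {r["id"]: state_of(r) for r in old_feed}
    changes = {}
    for r in new_feed:
        new_state = state_of(r)
        if old_states.get(r["id"]) == "REJECT" and new_state != "REJECT":
            changes[r["id"]] = new_state
    return changes


# Constructed sample snapshots; the IDs are placeholders, not real entries.
OLD_FEED = [
    {"id": "CVE-2017-90001", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Duplicate of CVE-2017-90000."},
    {"id": "CVE-2017-90002", "description": "** REJECT ** Withdrawn by the original requester."},
    {"id": "CVE-2017-90003", "description": "** REJECT ** Assigned in error."},
    {"id": "CVE-2017-90004", "description": "Constructed example issue in an example product."},
]
NEW_FEED = [
    {"id": "CVE-2017-90001", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Duplicate of CVE-2017-90000."},
    {"id": "CVE-2017-90002", "description": "Constructed example issue, populated after an accidental REJECT."},
    {"id": "CVE-2017-90003", "description": "** RESERVED ** This candidate has been reserved by a CNA."},
    {"id": "CVE-2017-90004", "description": "Constructed example issue in an example product."},
]

if __name__ == "__main__":
    for cve_id, new_state in sorted(reject_transitions(OLD_FEED, NEW_FEED).items()):
        print(f"{cve_id}: REJECT -> {new_state}; re-ingest this entry")
```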
LINKS:
CVE List -
https://cve.mitre.org/cve/cve.html
CVE Board -
https://cve.mitre.org/community/board/index.html
CVE Identifier (CVE ID) -
https://cve.mitre.org/about/faqs.html#what_is_cve_identifier
REJECT -
https://cve.mitre.org/about/faqs.html#reject_signify_in_cve_id
RESERVED -
https://cve.mitre.org/about/faqs.html#reserved_signify_in_cve_id
DISPUTED -
https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_id
CNAs -
https://cve.mitre.org/cve/cna.html
CVE Request web form -
https://cveform.mitre.org/
CVE News page article -
https://cve.mitre.org/news/archives/2017/news.html#June272017_FOCUS_ON:_Marking_a_CVE_ID_as_REJECT_Is_Not_Permanent_It_Can_Be_Updated_and_Added_to_the_CVE_List
---------------------------------------------------------------
Follow us on LinkedIn and Twitter
Please follow us on Twitter for the latest from CVE:
* Feed of the latest CVE IDs -
https://twitter.com/CVEnew/
* Feed of news and announcements about CVE -
https://twitter.com/CVEannounce/
Please also visit us on LinkedIn to more easily comment on our news articles and CVE Blog posts:
* CVE-CWE-CAPEC on LinkedIn -
https://www.linkedin.com/company/11033649
* CVE Blog -
https://cve.mitre.org/blog/
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".
Copyright 2017, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE website at https://cve.mitre.org or send an email to cve@mitre.org.