Friday, August 11, 2017

CVE Announce - August 11, 2017 (opt-in newsletter from the CVE website)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new website features, new CNAs, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cybersecurity vulnerability names. The CVE Board provides oversight and input into CVE's strategic direction, ensuring CVE meets the vulnerability identification needs of the technology community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers (CVE IDs) to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

 

Comments: cve@mitre.org

 

-------------------------------------------------------

CVE-Announce e-newsletter/August 11, 2017

-------------------------------------------------------

 

Contents:

 

1. Airbus and Kaspersky Labs Added as CVE Numbering Authorities (CNAs)

2. Autodesk Added as CVE Numbering Authority (CNA)

3. Follow us on LinkedIn and Twitter

4. Details/Credits + Subscribing and Unsubscribing

 

 

FEATURE STORY:

 

Airbus and Kaspersky Labs Added as CVE Numbering Authorities (CNAs)

 

Airbus and Kaspersky Labs are now CVE Numbering Authorities (CNAs). The scope for Airbus is all Airbus products as well as vulnerabilities in third-party software discovered by Airbus that are not covered by another CNA and for Kaspersky Labs it is their B2C products (Kaspersky Free, Kaspersky Privacy Cleaner, Kaspersky Secure Connection, Kaspersky Password Manager, Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Password Manager, Kaspersky Safe Kids, Kaspersky Virus Scanner, Kaspersky Virus Scanner Pro, Kaspersky Security Scan, Kaspersky Software Updater, Kaspersky System Checker, Kaspersky AdCleaner, Kaspersky QR Scanner, Kaspersky Safe Browser, Kaspersky Threat Scan, Kaspersky Virus Removal Tool, and Kaspersky Rescue Disk) and B2B products (Kaspersky Small Office Security, Kaspersky Endpoint Security Cloud, Kaspersky Endpoint Security for Business Select, Kaspersky Endpoint Security for Business Advanced, Kaspersky Endpoint Security for Business Total, Kaspersky Security for Mail Server, Kaspersky Security for File Server, Kaspersky Security for Mobile, Kaspersky Security for Internet Gateway, Kaspersky Security for Virtualization, Kaspersky Security for Collaboration, Kaspersky Systems Management, Kaspersky Security for Storage, Kaspersky DDoS Protection, Kaspersky Embedded Systems Security, Kaspersky Anti-Targeted Attack Platform, Kaspersky Security Intelligence Services, Kaspersky Fraud Prevention, and Kaspersky Industrial CyberSecurity) as well as vulnerabilities discovered in third-party software not covered by another CNA.

 

CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities.

 

CNAs are the main method for requesting a CVE ID. The following 72 organizations currently participate as CNAs: Adobe; Airbus, Alibaba; Apache; Apple; Atlassian; Autodesk; BlackBerry; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Flexera Software; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; Kaspersky Labs; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Netflix; Netgear; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Qihoo 360; Qualcomm; Rapid 7; Red Hat; Schneider Electric; Siemens; Silicon Graphics; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zero Day Initiative, and ZTE.

 

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID on the CVE website at https://cve.mitre.org/cve/request_id.html.

 

LINKS:

 

Airbus -

http://www.airbus.com/

 

Kaspersky Labs -

http://www.kaspersky.com/

 

CNAs -

https://cve.mitre.org/cve/cna.html

 

Request a CVE ID from a CNA -

https://cve.mitre.org/cve/request_id.html

 

Become a CNA -

https://cve.mitre.org/cve/cna.html#become_a_cna

 

CVE News page article -

http://cve.mitre.org/news/archives/2017/news.html#August102017_Airbus_and_Kaspersky_Added_as_CVE_Numbering_Authority_CNA

 

--------------------------------------------------------------

Autodesk Added as CVE Numbering Authority (CNA)

 

Autodesk is now a CVE Numbering Authority (CNA) for all currently supported Autodesk Applications and Cloud Services.

 

CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities.

 

CNAs are the main method for requesting a CVE ID. The following 70 organizations currently participate as CNAs: Adobe; Alibaba; Apache; Apple; Atlassian; Autodesk; BlackBerry; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Flexera Software; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Netflix; Netgear; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Qihoo 360; Qualcomm; Rapid 7; Red Hat; Schneider Electric; Siemens; Silicon Graphics; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zero Day Initiative, and ZTE.

 

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID on the CVE website at https://cve.mitre.org/cve/request_id.html.

 

LINKS:

 

Autodesk -

https://www.autodesk.com/

 

CNAs -

https://cve.mitre.org/cve/cna.html

 

Request a CVE ID from a CNA -

https://cve.mitre.org/cve/request_id.html

 

Become a CNA -

https://cve.mitre.org/cve/cna.html#become_a_cna

 

CVE News page article -

http://cve.mitre.org/news/archives/2017/news.html#August092017_Autodesk_Added_as_CVE_Numbering_Authority_CNA

 

---------------------------------------------------------------

Follow us on LinkedIn and Twitter

 

Please follow us on Twitter for the latest from CVE:

 

* Feed of the latest CVE IDs -

https://twitter.com/CVEnew/

 

* Feed of news and announcements about CVE -

https://twitter.com/CVEannounce/

 

Please also visit us on LinkedIn to more easily comment on our news articles and CVE Blog posts:

 

* CVE-CWE-CAPEC on LinkedIn -

https://www.linkedin.com/company/11033649

 

* CVE Blog -

https://cve.mitre.org/blog/

 

---------------------------------------------------------------

Details/Credits + Subscribing and Unsubscribing

 

Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

 

Copyright 2017, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).

 

For more information about CVE, visit the CVE website at https://cve.mitre.org or send an email to cve@mitre.org.

 

Posted by at No comments:

Friday, August 4, 2017

CVE Announce - August 4, 2017 (opt-in newsletter from the CVE website)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new website features, new CNAs, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cybersecurity vulnerability names. The CVE Board provides oversight and input into CVE's strategic direction, ensuring CVE meets the vulnerability identification needs of the technology community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers (CVE IDs) to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

 

Comments: cve@mitre.org

 

-------------------------------------------------------

CVE-Announce e-newsletter/August 4, 2017

-------------------------------------------------------

 

Contents:

 

1. Alibaba Added as CVE Numbering Authority (CNA)

2. CVE BLOG: "Become a CNA"

3. Slides from "CVE IDs and How to Get Them" Talk at DEF CON 25 Now Available

4. Minutes from CVE Board Teleconference Meetings on May 24 and July 26 Now Available

5. Follow us on LinkedIn and Twitter

6. Details/Credits + Subscribing and Unsubscribing

 

 

FEATURE STORY:

 

Alibaba Added as CVE Numbering Authority (CNA)

 

Alibaba, Inc. is now a CVE Numbering Authority (CNA) for projects listed on its Alibaba GitHub website (https://github.com/alibaba) only.

 

CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities.

 

CNAs are the main method for requesting a CVE ID. The following 69 organizations currently participate as CNAs: Adobe; Alibaba; Apache; Apple; BlackBerry; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Flexera Software; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Netflix; Netgear; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Qihoo 360; Qualcomm; Rapid 7; Red Hat; Schneider Electric; Siemens; Silicon Graphics; Symantec; Synology; Talos; Tenable: TIBCO; Trend Micro; VMware; Yandex; Zero Day Initiative, and ZTE.

 

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID on the CVE website at https://cve.mitre.org/cve/request_id.html.

 

LINKS:

 

Alibaba -

http://www.alibaba.com/

 

CNAs -

https://cve.mitre.org/cve/cna.html

 

Request a CVE ID from a CNA -

https://cve.mitre.org/cve/request_id.html

 

Become a CNA -

https://cve.mitre.org/cve/cna.html#become_a_cna

 

CVE News page article -

https://cve.mitre.org/news/archives/2017/news.html#August022017_Alibaba_Added_as_CVE_Numbering_Authority_CNA

 

--------------------------------------------------------------

CVE BLOG: "Become a CNA"

 

CVE Numbering Authorities, or "CNAs," are how the CVE List is built. Every CVE ID added to the list is assigned by a CNA.

 

The majority of CNAs are currently software vendors that assign CVE IDs to issues in their own products, but many vulnerability researchers and third-party coordinators also participate by assigning CVE IDs to issues in third-party products per their specified scopes of coverage. In all cases, by issuing CVE IDs themselves without directly involving MITRE in the details of the specific vulnerabilities, CNAs are able to ensure CVE IDs are available for inclusion in the first-time public announcement of a new vulnerability, which greatly benefits the overall cyber security community as organizations share information about the vulnerabilities and remediate them.

Actively Expanding the Number of CNAs

 

As of today, there are 69 total CNAs participating in the CVE program: 57 software vendors, 7 third-party coordinators, 4 vulnerability researchers, and MITRE as the Primary CNA.

 

And the CVE program has been actively growing the list of participating CNAs, which now includes organizations from around the world with 14 countries represented as of August 2, 2017: Australia - 1; Austria - 1; Canada - 3; China - 6; France - 1; Germany - 1; Israel - 1; Japan - 3; Netherlands - 1; Russia - 1; South Korea - 1; Taiwan - 1; UK - 1; and USA - 47.

 

You too can become a CNA

 

Please consider joining us as a CNA. Participation is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA's scope by researchers who request a CVE ID from them.

 

If your organization would like to become a CNA, please follow these three steps:

 

1. Review the "CVE Numbering Authorities (CNA) Rules" document in its entirety at: https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf

2. Closely review the Become a CNA section of this website, which is excerpted from the "CNA Rules" document above at https://cve.mitre.org/cve/cna.html#become_a_cna

3. Contact us via our CVE Request web form by selecting "Other" from the dropdown menu at: https://cveform.mitre.org/

 

We look forward to hearing from you!

 

- The CVE Team

 

LINKS:

 

CVE Numbering Authorities -

https://cve.mitre.org/cve/cna.html

 

CNA Coverage -

https://cve.mitre.org/cve/request_id.html

 

Become a CNA -

https://cve.mitre.org/cve/cna.html#become_a_cna

 

CVE Blog post -

https://cve.mitre.org/blog/index.html#August022017_Become_a_CNA

 

---------------------------------------------------------------

Slides from "CVE IDs and How to Get Them" Talk at DEF CON 25 Now Available

 

Briefing slides are now available from the CVE talk entitled "CVE IDs and How to Get Them" by CVE Numbering Authority Program Lead Dan Adinolfi and CVE Team Member Anthony Singleton on July 28, 2017 at the "Wall of Sheep" at DEF CON 25 in Las Vegas, Nevada, USA.

 

Talk synopsis from the conference website: "The Common Vulnerabilities and Exposures (CVE) program uniquely identifies and names publicly-disclosed vulnerabilities in software and other codebases. Whether you are a vulnerability researcher, a vendor, or a project maintainer, it has never been easier to have CVE IDs assigned to vulnerabilities you are disclosing or coordinating around. This presentation will be an opportunity to find out how to participate as well as a chance to offer your thoughts, questions, or feedback about CVE. Attendees will learn what is considered a vulnerability for CVE, how to assign CVE IDs to vulnerabilities, how to describe those vulnerabilities within CVE ID entries, how to submit those assignments, and where to get more information about CVE assignment."

 

Visit the CVE Calendar at https://cve.mitre.org/news/archives/2017/calendar.html for information on this and other events.

 

LINKS:

 

Slides-

https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf

 

DEF CON 25 -

https://www.defcon.org/html/defcon-25/dc-25-index.html

 

CVE Calendar -

https://cve.mitre.org/news/archives/2017/calendar.html

 

CVE News page article -

https://cve.mitre.org/news/archives/2017/news.html#August022017_Slides_from_CVE_IDs_and_How_to_Get_Them_Talk_at_DEF_CON_25_Now_Available

 

---------------------------------------------------------------

Minutes from CVE Board Teleconference Meetings on May 24 and July 26 Now Available

 

The CVE Board held teleconference meetings on May 24, 2017 and July 26, 2017. Read the May 24 meeting minutes at https://cve.mitre.org/data/board/archives/2017-08/msg00002.html, or the July 26 meeting minutes at https://cve.mitre.org/data/board/archives/2017-08/msg00000.html.

 

The CVE Board includes numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE program. All Board Meetings and Board Email List Discussions are archived for the community.

 

LINKS:

 

CVE Board -

https://cve.mitre.org/community/board/index.html

 

Board Archives -

https://cve.mitre.org/community/board/archive.html#meeting_summaries

https://cve.mitre.org/community/board/archive.html#board_mail_list_archive

 

CVE News page articles -

https://cve.mitre.org/news/archives/2017/news.html#August022017_Minutes_from_CVE_Board_Teleconference_Meeting_on_May_24_Now_Available

https://cve.mitre.org/news/archives/2017/news.html#August022017_Minutes_from_CVE_Board_Teleconference_Meeting_on_July_26_Now_Available

 

---------------------------------------------------------------

Follow us on LinkedIn and Twitter

 

Please follow us on Twitter for the latest from CVE:

 

* Feed of the latest CVE IDs -

https://twitter.com/CVEnew/

 

* Feed of news and announcements about CVE -

https://twitter.com/CVEannounce/

 

Please also visit us on LinkedIn to more easily comment on our news articles and CVE Blog posts:

 

* CVE-CWE-CAPEC on LinkedIn -

https://www.linkedin.com/company/11033649

 

* CVE Blog -

https://cve.mitre.org/blog/

 

---------------------------------------------------------------

Details/Credits + Subscribing and Unsubscribing

 

Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

 

Copyright 2017, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).

 

For more information about CVE, visit the CVE website at https://cve.mitre.org or send an email to cve@mitre.org.

 

Posted by at No comments:
Subscribe to: Comments (Atom)