Wednesday, December 19, 2018

CVE Announce - December 19, 2018 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — December 19, 2018

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. TWCERT/CC and MongoDB Added as CVE Numbering Authorities (CNAs)
2. New CVE Board Member from DHS
3. CVE in the News
4. Keeping Up with CVE


TWCERT/CC and MongoDB Added as CVE Numbering Authorities (CNAs)

Two additional organizations are now CVE Numbering Authorities (CNAs): TWCERT/CC for vulnerability assignment related to its vulnerability coordination role, and MongoDB for its own products.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 93 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; ASUSTOR; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#September262018_TWCERT_CC_Added_as_CVE_Numbering_Authority_CNA

https://cve.mitre.org/news/archives/2018/news.html#December102018_MongoDB_Added_as_CVE_Numbering_Authority_CNA


New CVE Board Member from DHS

Kathleen Trimble of U.S. Department of Homeland Security (DHS) has joined the CVE Board. Read the full announcement and welcome message in the CVE Board email discussion list archive.

The CVE Board includes numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE program. All Board Meetings and Board Email List Discussions are archived for the community.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#December102018_New_CVE_Board_Member_from_DHS


CVE in the News

An Avoidable Breach That Could Happen to Any Organization
https://securityboulevard.com/2018/12/an-avoidable-breach-that-could-happen-to-any-organization/

House Releases Cybersecurity Strategy Report
https://www.infosecurity-magazine.com/news/house-releases-cybersecurity/

Critical Kubernetes vulnerability could have widespread effects
https://searchcloudsecurity.techtarget.com/news/252454109/Critical-Kubernetes-vulnerability-could-have-widespread-effects

Google Patches 11 Critical RCE Android Vulnerabilities
https://threatpost.com/google-patches-11-critical-rce-android-vulnerabilities/139612/

Update now! Microsoft and Adobe’s December 2018 Patch Tuesday is here
https://nakedsecurity.sophos.com/2018/12/13/update-now-microsoft-and-adobes-december-2018-patch-tuesday-is-here/

It's December of 2018 and, to hell with it, just patch your stuff
https://www.theregister.co.uk/2018/12/12/december_patch_tuesday/


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by NSD, NCCIC in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.


Thursday, September 20, 2018

CVE Announce - September 20, 2018 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — September 20, 2018

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. CyberSecurity Philippines - CERT and Appthority Added as CVE Numbering Authorities (CNAs)
2. CVE Blog: “A Look at the CVE and CVSS Relationship”
3. CVE in the News
4. Keeping Up with CVE


CyberSecurity Philippines - CERT and Appthority Added as CVE Numbering Authorities (CNAs)

Two additional organizations are now CVE Numbering Authorities (CNAs): CyberSecurity Philippines - CERT for vulnerabilities related to its vulnerability coordination role that are not covered by another CNA, and Appthority for its own products as well as vulnerabilities in third-party software discovered by Appthority that are not covered by another CNA.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 91 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; ASUSTOR; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#September192018_CyberSecurity_Philippines_CERT_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2018/news.html#September072018_Appthority_Added_as_CVE_Numbering_Authority_CNA


CVE Blog: “A Look at the CVE and CVSS Relationship”

We’ve received a few questions recently about CVSS and vulnerability severity scoring, so as a reminder, CVSS is a separate program from CVE.

CVE’s sole purpose is to provide common vulnerability identifiers called “CVE Entries.” CVE does not provide severity scoring or prioritization ratings for software vulnerabilities.

CVSS Defined

While separate from CVE, the Common Vulnerability Scoring System (CVSS) standard operated by the Forum of Incident Response and Security Teams (FIRST) can be used to score the severity of software vulnerabilities identified by CVE Entries.

CVSS Version 3.0 provides “a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, as well as a textual representation of that score. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.”

CVE Entries are cited in the CVSS specification and documentation to identify individual vulnerabilities used as examples, but they are not required for using CVSS.

NVD Hosts a CVSS Calculator for CVE Entries

Severity rating scoring and prioritization for CVE Entries is available through a CVSS calculator provided by the U.S. National Vulnerability Database (NVD).

According to the NVD website, which is operated by the National Institute of Standards and Technology (NIST), NVD’s CVSS calculator for CVE Entries supports both the CVSS 2.0 and CVSS 3.0 standards, and provides qualitative severity rankings for CVE Entries using each version. In addition, NVD’s CVSS calculator also allows users to add two additional types of score data into their severity scoring: (1) temporal, for “metrics that change over time due to events external to the vulnerability,” and (2) environmental, for “scores customized to reflect the impact of the vulnerability on your organization.”

For details and help, visit NVD’s CVSS Calculator for CVE Entries on the NVD website.

CVE, CVSS, and NVD

To recap, CVE does not provide severity scoring or prioritization and does not have a direct relationship with CVSS. The sole purpose of the CVE List is to provide common identifiers—CVE Entries—for publicly known cybersecurity vulnerabilities.

CVE Entries can be scored for severity and prioritization using FIRST’s CVSS standard.

NIST’s NVD provides a free CVSS calculator for CVE Entries. NVD also provides a download on the NVD website of “CVSS scores for all published CVE vulnerabilities.” Visit the NVD website to learn more.
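As an added example (not code from the CVE program, FIRST, or NVD), the following Python implements the CVSS v3.0 base-score equations and maps the result to the qualitative rating the post refers to; it covers only the base metric group, not the temporal and environmental groups, and the CVE ID and vectors it uses are constructed placeholders, not scores of real entries.

```python
import math
import re

# Metric weights from the CVSS v3.0 specification, base metric group.
_WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},  # Attack Vector
    "AC": {"L": 0.77, "H": 0.44},                        # Attack Complexity
    "UI": {"N": 0.85, "R": 0.62},                        # User Interaction
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},               # Confidentiality
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},               # Integrity
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},               # Availability
}
# Privileges Required weighs differently when Scope is Changed.
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},
       "C": {"N": 0.85, "L": 0.68, "H": 0.50}}
_REQUIRED = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

_VECTOR_RE = re.compile(r"^CVSS:3\.0/(.+)$")
_CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # CVE ID syntax: CVE-YYYY-NNNN (4+ digits)


def parse_vector(vector):
    """Split a 'CVSS:3.0/AV:N/AC:L/...' string into a metric -> value dict."""
    m = _VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError("not a CVSS:3.0 vector string")
    metrics = {}
    for part in m.group(1).split("/"):
        key, _, val = part.partition(":")
        if not key or not val:
            raise ValueError("malformed metric %r" % part)
        metrics[key] = val
    missing = [k for k in _REQUIRED if k not in metrics]
    if missing:
        raise ValueError("missing base metrics: %s" % ", ".join(missing))
    if metrics["S"] not in _PR:
        raise ValueError("Scope must be U or C")
    return metrics


def is_valid_vector(vector):
    """True when the string parses as a complete CVSS v3.0 base vector."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def round_up(x):
    """CVSS v3.0 Roundup: smallest value with one decimal place that is >= x."""
    return math.ceil(x * 10) / 10


def base_score(vector):
    """Compute the CVSS v3.0 base score (0.0 - 10.0) for a vector string."""
    m = parse_vector(vector)
    scope = m["S"]
    try:
        av, ac, ui = (_WEIGHTS[k][m[k]] for k in ("AV", "AC", "UI"))
        pr = _PR[scope][m["PR"]]
        c, i, a = (_WEIGHTS[k][m[k]] for k in ("C", "I", "A"))
    except KeyError as e:
        raise ValueError("invalid metric value %s" % e)
    # Impact Sub Score and the scope-dependent Impact equation.
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    if scope == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * av * ac * pr * ui
    if impact <= 0:
        return 0.0
    if scope == "U":
        return round_up(min(impact + exploitability, 10))
    return round_up(min(1.08 * (impact + exploitability), 10))


def severity(score):
    """Qualitative severity rating scale from the CVSS v3.0 specification."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score_entry(cve_id, vector):
    """Pair a CVE identifier (checked for syntax only) with a base score and rating."""
    if not _CVE_RE.match(cve_id):
        raise ValueError("not a CVE ID: %r" % cve_id)
    s = base_score(vector)
    return {"cve": cve_id, "score": s, "severity": severity(s)}


if __name__ == "__main__":
    # Constructed placeholder ID and vector, not a real entry's score.
    print(score_entry("CVE-2018-99999",
                      "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"))
```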

Did We Point You in the Right Direction?

To discuss this post with us, please use our LinkedIn page, or send an email to cve@mitre.org.

Read on CVE website or share:
https://cve.mitre.org/blog/index.html#September112018_A_Look_at_the_CVE_and_CVSS_Relationship


CVE in the News

Two billion devices still vulnerable to Blueborne flaws a year after discovery
https://www.zdnet.com/article/two-billion-devices-still-exposed-after-blueborne-vulnerabilities-reveal/

Bug in Bitcoin code also opens smaller cryptocurrencies to attacks
https://www.zdnet.com/article/bug-in-bitcoin-code-also-opens-smaller-cryptocurrencies-to-attacks/

CVE-2018-12794: Using Type Confusion to Get Code Execution in Adobe Reader
https://www.zerodayinitiative.com/blog/2018/9/18/cve-2018-12794-using-type-confusion-to-get-code-execution-in-adobe-reader

CVE-2018-14619: New Critical Linux Kernel Vulnerability
https://securityboulevard.com/2018/08/cve-2018-14619-new-critical-linux-kernel-vulnerability/

CVE-2018-11776—The latest Apache Struts vulnerability
https://securityboulevard.com/2018/08/cve-2018-11776-the-latest-apache-struts-vulnerability/

Microsoft's September Security Updates Include Zero-Day Fix
https://redmondmag.com/articles/2018/09/12/microsoft-september-security-updates.aspx


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

Wednesday, August 29, 2018

CVE Announce - August 29, 2018 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — August 29, 2018

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. Avaya and Odoo Added as CVE Numbering Authorities (CNAs)
2. New CVE Board Member from Microsoft
3. “CVE and Cloud Services” Is Main Topic of Article on Cloud Security Alliance Blog
4. CVE in the News
5. Keeping Up with CVE


Avaya and Odoo Added as CVE Numbering Authorities (CNAs)

Two additional organizations are now CVE Numbering Authorities (CNAs): Avaya, Inc. for Avaya products only, and Odoo for Odoo issues only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 89 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; ASUSTOR; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#August212018_Avaya_and_Odoo_Added_as_CVE_Numbering_Authority_CNA


New CVE Board Member from Microsoft

Lisa Olson of Microsoft has joined the CVE Board. Read the full announcement and welcome message in the CVE Board email discussion list archive.

The CVE Board includes numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE program. All Board Meetings and Board Email List Discussions are archived for the community.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#August202018_New_CVE_Board_Member_from_Microsoft


“CVE and Cloud Services” Is Main Topic of Article on Cloud Security Alliance Blog

CVE is the main topic of an August 13, 2018 article entitled “CVE and Cloud Services, Part 1: The Exclusion of Cloud Service Vulnerabilities” on the Cloud Security Alliance blog. The article was written by Kurt Seifried, a CVE Board member and Director of IT at Cloud Security Alliance, and Victor Chin, Research Analyst at Cloud Security Alliance.

In the article, the authors explain what CVE is and how the program works, describe the role of CVE Numbering Authorities (CNAs), and detail what CVE currently considers to be a vulnerability as specified by the CNA Rules, Version 2.0 consensus document authored by CNAs and the CVE Board. The authors of the article state: “The CVE system is the linchpin of the vulnerability management process, as its widespread use and adoption allows different services and business processes to interoperate. The system provides a way for specific vulnerabilities to be tracked via the assignment of IDs … These IDs also allow important information regarding a vulnerability to be associated with it such as workarounds, vulnerable software versions, and Common Vulnerability Scoring System (CVSS) scores. Without the CVE system, it becomes difficult to track vulnerabilities in a way that allows the different stakeholders and their tools to interoperate.”

In a section of the article entitled “CVE Inclusion Rules and Limitations,” the authors discuss how CVE’s currently defined inclusion rules do not provide for CVE Entries to be assigned to vulnerabilities in cloud services and explain how this restricts cloud service vulnerabilities from being properly managed: “In the past, [CVE’s] inclusion rule has worked well for the IT industry as most enterprise IT services have generally been provisioned with infrastructure owned by the enterprise. However, … cloud services, as we currently understand them, are not customer controlled. As a result, vulnerabilities in cloud services are generally not assigned CVE IDs. Information such as workarounds, affected software or hardware versions, proof of concepts, references and patches are not available as this information is normally associated to a CVE ID. Without the support of the CVE system, it becomes difficult, if not impossible, to track and manage vulnerabilities.”

The authors conclude the article by advocating for a change in CVE inclusion rules to allow for cloud service vulnerabilities to be included, and request industry feedback on this issue and the “resulting impact on the vulnerability management ecosystem.”

We encourage you to contribute to the discussion.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#August282018_CVE_and_Cloud_Services_Is_Main_Topic_of_Article_on_Cloud_Security_Alliance_Blog


CVE in the News

Why You Need Full Visibility to Manage Common Vulnerabilities and Exposures (CVE)
https://securityintelligence.com/why-you-need-full-visibility-to-manage-common-vulnerabilities-and-exposures-cve/

CVE-2018-11776: New Critical Struts Flaw Could Be Worse than Equifax
https://securityboulevard.com/2018/08/cve-2018-11776-new-critical-struts-flaw-could-be-worse-than-equifax/

Philips cardiovascular software found to contain privilege escalation, code execution bugs
https://www.scmagazine.com/philips-cardiovascular-software-found-to-contain-privilege-escalation-code-execution-bugs/article/789796/

Vulnerability in OpenSSH “for two decades” (no, the sky isn’t falling!)
https://securityboulevard.com/2018/08/cve-2018-5390-vulnerability-in-linux-kernel-allows-for-dos-attacks/

It Takes an Average 38 Days to Patch a Vulnerability
https://www.darkreading.com/cloud/it-takes-an-average-38-days-to-patch-a-vulnerability/d/d-id/1332638


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

Thursday, June 28, 2018

CVE Announce - June 28, 2018 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — June 28, 2018

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. Naver Added as CVE Numbering Authority (CNA)
2. CVE Is Main Source of Vulnerability Data Used in 2018 Vulnerability Remediation Strategies Report
3. CVE’s 100,000+ Entries Milestone Is Main Topic of Article on Rapid7 Blog
4. CVE in the News
5. Keeping Up with CVE

Naver Added as CVE Numbering Authority (CNA)

Naver Corporation is now a CVE Numbering Authority (CNA) for Naver products only, except Line products.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 88 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; ASUSTOR; Atlassian; Autodesk; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Naver; Netflix; Netgear; Node.js; Nvidia; Objective Development; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; Silicon Graphics; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#June142018_Naver_Added_as_CVE_Numbering_Authority_CNA


CVE Is Main Source of Vulnerability Data Used in 2018 Vulnerability Remediation Strategies Report

CVE is the main source of vulnerability data used in the 2018 “Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies” report by Kenna Security and Cyentia Institute.

The authors of the report found that “The number of CVEs published every year is steadily growing. Between its inception in 1999 through January 1st, 2018, over 120,000 vulnerabilities have been published to [the] Common Vulnerabilities and Exposures (CVE) [List]. 894 CVEs were published in 1999 and 6,447 CVEs published in 2016. 2017 saw a massive spike to 14,712 CVEs and 2018 is trending to meet the 2017 numbers.”

In the report, the authors discuss the effectiveness of the various vulnerability remediation strategies in use today, and conclude that current strategies are lacking but “predictive models are critical to proactively reduce risk efficiently and effectively” and “can and do enable businesses to adopt a proactive strategy for vulnerability remediation that delivers the most efficient use of their people, tools, time, and ultimately dollars to address the threats that pose the greatest risk.”

Read the complete report at: https://www.kennasecurity.com/prioritization-to-prediction-report/. The report is free to download, but sign-up may be required.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#June272018_CVE_Is_Main_Source_of_Vulnerability_Data_Used_in_2018_Vulnerability_Remediation_Strategies_Report


CVE’s 100,000+ Entries Milestone Is Main Topic of Article on Rapid7 Blog

CVE is the main topic of an April 30, 2018 blog article by Rapid7 entitled “CVE 100K: A Big, Round Number.” The article discusses the CVE List’s 100,000+ entries milestone, describes what CVE is and how it works, details the expansion of the CVE Numbering Authorities (CNAs) program, notes the creation of CVE Automation Working Group, and discusses the future of CVE. The article concludes by recommending that other organizations—as Rapid7 itself did in 2016—also become a CNA and help continue to grow the CVE List.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#June272018_CVEs_100,000+_Entries_Milestone_Is_Main_Topic_of_Article_on_Rapid7_Blog


CVE in the News

MacOS Bypass Flaw Lets Attackers Sign Malicious Code as Apple
https://www.darkreading.com/vulnerabilities---threats/macos-bypass-flaw-lets-attackers-sign-malicious-code-as-apple/d/d-id/1332031

CVE-2018-3665: Floating Point Lazy State Save/Restore vulnerability affects Intel chips
https://betanews.com/2018/06/14/floating-point-lazy-state-save-restore-vulnerability/

Decades-old PGP bug allowed hackers to spoof just about anyone’s signature
https://arstechnica.com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/

Experts Reveal Bugs in Hundreds of IP Cameras
https://www.infosecurity-magazine.com/news/axis-cameras-experts-urge-firmware/

Jump-Start Your Management of Known Vulnerabilities
https://securityintelligence.com/jump-start-your-management-of-known-vulnerabilities/


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.


Monday, June 4, 2018

CVE Announce - June 4, 2018 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — June 4, 2018

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. Preparing CVE for the Future Is Main Topic of Article on The Daily Swig
2. New CVE Board Charter Is Approved
3. CVE in the News
4. Keeping Up with CVE

Preparing CVE for the Future Is Main Topic of Article on The Daily Swig

CVE is the main topic of a May 16, 2017 article entitled “CVE board looks ahead to the next 20 years of vulnerability identification,” on The Daily Swig. In the article, CVE Board members Kent Landfield of McAfee and Chris Levendis of MITRE “take stock of the program’s journey [during its first 20 years] to becoming the world’s de facto vulnerability identification standard” and discuss how CVE is being effectively positioned for the next 20 years.

The author states: “If ever proof were needed that the security industry is evolving at a rapid pace, the CVE program recently announced that the CVE List had surpassed 100,000 entries – a dubious milestone that demonstrates the program’s diligence, while hammering home the sheer scale of the threat landscape in 2018.”

The author then discusses how the growth in the number of participants in the CVE Numbering Authority (CNA) program helped the CVE List surpass 100,000 entries, with more and more CNAs assigning CVE Entries to vulnerabilities, and how CVE will continue to benefit from this federated approach in the future. The author quotes Chris Levendis about this, who states: “[CVE now has] 87 CNAs in the program, who are all involved in the assignment process and help chart the path forward. The CNAs are going to be the primary means by which we scale the CVE program … As far as onboarding [new] CNAs is concerned, the program will strategically look to target certain organizations to fulfil different kinds of roles. We have open and transparent rules for the requirements to become a CNA.”

The author also quotes Kent Landfield regarding the future of CVE, the role of automation, and the CNA program, who states: “During the next year or so, we’re going to be putting in place lots of different pieces and parts to ensure that federated environment [fully] occurs, and that we have set ourselves up for the next 20 years. We have built working groups into the program that allow the board members, the CNAs, and the public to participate in trying to develop some of that automation.”

“CVE is really a fundamental piece of our security defense mechanisms … I would like to stress the sheer number of external participants who take part in this program. CVE is vital to the security industry, and vital to our ability to defend ourselves.”

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#May232018_Preparing_CVE_for_the_Future_Is_Main_Topic_of_Article_on_The_Daily_Swig


New CVE Board Charter Is Approved

We are pleased to announce that the CVE Board has approved the latest version of the “CVE Board Charter,” version 2.6, which includes several important updates to board structure; membership descriptions, including the addition of a CNA liaison board member; and voting policies and procedures.

This update was the result of many hours of hard work by the Board, and the resulting document better positions CVE for success as it continues to expand.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#May232018_New_CVE_Board_Charter_Is_Approved


CVE in the News

How to Deal with Open Source Vulnerabilities
https://www.infoq.com/articles/vulnerability-open-source

Git security vulnerability could lead to an attack of the (repo) clones
https://www.theregister.co.uk/2018/05/30/git_vulnerability_could_lead_to_an_attack_of_the_repo_clones/

Using a D-Link router? Watch out for hardcoded backdoors that give hackers admin access
https://www.techrepublic.com/article/using-a-d-link-router-watch-out-for-hardcoded-backdoors-that-give-hackers-admin-access/

Microsoft’s Patch Tuesday Fixes Two CVEs Under Active Attack
https://www.darkreading.com/endpoint/microsofts-patch-tuesday-fixes-two-cves-under-active-attack/d/d-id/1331748


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email


If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).


Tuesday, May 15, 2018

CVE Announce - May 15, 2018 (opt-in newsletter from the CVE website)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new website features, new CNAs, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE's strategic direction, ensuring CVE meets the vulnerability identification needs of the technology community. CVE Numbering Authorities (CNAs) are vendors and projects, vulnerability researchers, national and industry CERTs, and bug bounty programs that assign CVE Identifiers (CVE IDs) to newly discovered issues, and include the CVE IDs in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/May 15, 2018
-------------------------------------------------------

Contents:

1. Your CVE Announce Email Subscription Is Changing
2. Minutes from CVE Board Teleconference Meetings on April 25 and May 2 Now Available
3. Follow us on GitHub, LinkedIn, and Twitter
4. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

Your CVE Announce Email Subscription Is Changing

We have upgraded our email server, and your CVE Announce e-newsletter subscription will now be sent from a new email address: "cve-announce-list@mitre.org". Please add our new email address to your email program's Safe Senders list.

What will change:

* Old Email List Sender Address: cve-announce-list@lists.mitre.org
* New Email List Sender Address: cve-announce-list@mitre.org

Please contact us at https://cve.mitre.org/about/contactus.html with any comments or concerns.

LINKS:

CVE Announce Sign-up page -
https://cve.mitre.org/news/newsletter.html

CVE News page article -
https://cve.mitre.org/news/archives/2018/news.html#May152018_Your_CVE_Announce_Mail_Subscription_Is_Changing

---------------------------------------------------------------
Minutes from CVE Board Teleconference Meetings on April 25 and May 2 Now Available

The CVE Board held teleconference meetings on April 25, 2018 and May 2, 2018. Read the April 25 meeting minutes at https://cve.mitre.org/data/board/archives/2018-05/msg00008.html, and the May 2 meeting minutes at https://cve.mitre.org/data/board/archives/2018-05/msg00010.html.

The CVE Board includes numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE program. All Board Meetings and Board Email List Discussions are archived for the community.

LINKS:

CVE Board -
https://cve.mitre.org/community/board/index.html

Board Archives -
https://cve.mitre.org/community/board/archive.html#meeting_summaries
https://cve.mitre.org/community/board/archive.html#board_mail_list_archive

CVE News page articles -
https://cve.mitre.org/news/archives/2018/news.html#May042018_Minutes_from_CVE_Board_Teleconference_Meeting_on_April_25_Now_Available
https://cve.mitre.org/news/archives/2018/news.html#May112018_Minutes_from_CVE_Board_Teleconference_Meeting_on_May_2_Now_Available

---------------------------------------------------------------
Follow us on GitHub, LinkedIn, and Twitter

Please follow us on Twitter for the latest from CVE:

* Feed of the latest CVE Entries -
https://twitter.com/CVEnew/

* Feed of news and announcements about CVE -
https://twitter.com/CVEannounce/

Please also visit us on LinkedIn to more easily comment on our news articles and CVE Blog posts:

* CVE-CWE-CAPEC on LinkedIn -
https://www.linkedin.com/company/11033649

* CVE Blog -
https://cve.mitre.org/blog/

Please visit us on GitHub:

* CVEProject -
https://github.com/CVEProject

* CVE Documentation -
https://cveproject.github.io/

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

To unsubscribe from the CVE Announce e-newsletter, open a new email message and copy the following text to the SUBJECT of the message "signoff cve-announce-list" (do not include the quote marks), then send the message to: LMS@mitre.org. To subscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: "subscribe cve-announce-list" (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html.

CVE is sponsored by US-CERT (https://www.us-cert.gov/) in the office of Cybersecurity and Communications (https://www.dhs.gov/office-cybersecurity-and-communications/) at the U.S. Department of Homeland Security (https://www.dhs.gov/).

Copyright 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE (https://www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

For more information about CVE, visit the CVE website at https://cve.mitre.org or send an email to cve@mitre.org.

Tuesday, April 24, 2018

CVE Announce - April 24, 2018 (opt-in newsletter from the CVE website)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new website features, new CNAs, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE's strategic direction, ensuring CVE meets the vulnerability identification needs of the technology community. CVE Numbering Authorities (CNAs) are vendors and projects, vulnerability researchers, national and industry CERTs, and bug bounty programs that assign CVE Identifiers (CVE IDs) to newly discovered issues, and include the CVE IDs in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/April 24, 2018
-------------------------------------------------------

Contents:

1. CVE List Surpasses 100,000 CVE Entries
2. Hillstone Added as CVE Numbering Authority (CNA)
3. Follow us on LinkedIn and Twitter
4. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

CVE List Surpasses 100,000 CVE Entries

The CVE website now contains 100,051 CVE Entries, each of which is a unique identifier for a publicly known software or firmware vulnerability.

CVE, which began in 1999 with just 321 common entries on the CVE List, is considered the international standard for public vulnerability identifiers.

CVE Entries are assigned to vulnerabilities in any code-based entity or standards upon which code-based entities are designed. This can include software, shared codebases, libraries, protocols, standards, hardware (e.g., firmware or microcode), hardware platforms, file formats, or data encodings. This definition of what CVE considers to be a vulnerability is specified by the "CVE Numbering Authority (CNA) Rules, Version 2.0," a consensus document authored by CNAs and the CVE Board.

Every CVE Entry added to the list is assigned by a CNA. Numerous organizations from around the world already participate as CNAs, with more and more organizations deciding to join the CVE effort and become a CNA to help the community continue to build the CVE List.

LINKS:

CVE List -
https://cve.mitre.org/cve/

CNAs -
https://cve.mitre.org/cve/cna.html

CNA Rules -
https://cve.mitre.org/cve/cna/rules.html

CVE Board -
https://cve.mitre.org/community/board/index.html

CVE News page article -
https://cve.mitre.org/news/archives/2018/news.html#April242018_CVE_List_Surpasses_100000_CVE_Entries

---------------------------------------------------------------
Hillstone Added as CVE Numbering Authority (CNA)

Hillstone Networks, Inc. is now a CVE Numbering Authority (CNA) for Hillstone products only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 87 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Apache; Apple; Atlassian; Autodesk; BlackBerry; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Netflix; Netgear; Nvidia; Objective Development; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; Schneider Electric; Siemens; Silicon Graphics; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID on the CVE website at https://cve.mitre.org/cve/request_id.html.

LINKS:

Hillstone -
https://www.hillstonenet.com/

CNAs -
https://cve.mitre.org/cve/cna.html

Request a CVE ID from a CNA -
https://cve.mitre.org/cve/request_id.html

How to become a CNA -
https://cve.mitre.org/cve/cna.html#become_a_cna

CVE News page article -
https://cve.mitre.org/news/archives/2018/news.html#April242018_Hillstone_Added_as_CVE_Numbering_Authority_CNA

---------------------------------------------------------------
Follow us on LinkedIn and Twitter

Please follow us on Twitter for the latest from CVE:

* Feed of the latest CVE Entries -
https://twitter.com/CVEnew/

* Feed of news and announcements about CVE -
https://twitter.com/CVEannounce/

Please also visit us on LinkedIn to more easily comment on our news articles and CVE Blog posts:

* CVE-CWE-CAPEC on LinkedIn -
https://www.linkedin.com/company/11033649

* CVE Blog -
https://cve.mitre.org/blog/

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

CVE is sponsored by US-CERT (https://www.us-cert.gov/) in the office of Cybersecurity and Communications (https://www.dhs.gov/office-cybersecurity-and-communications/) at the U.S. Department of Homeland Security (https://www.dhs.gov/).

Copyright 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE (https://www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

For more information about CVE, visit the CVE website at https://cve.mitre.org or send an email to cve@mitre.org.