Monday, January 8, 2018

CVE Announce - newsletter/January 8, 2018 (opt-in newsletter from the CVE website)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new website features, new CNAs, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cybersecurity vulnerability names. The CVE Board provides oversight and input into CVE's strategic direction, ensuring CVE meets the vulnerability identification needs of the technology community. CVE Numbering Authorities (CNAs) are vendors and projects, vulnerability researchers, national and industry CERTs, and bug bounty programs that assign CVE Identifiers (CVE IDs) to newly discovered issues, and include the CVE IDs in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

 

Comments: cve@mitre.org

 

-------------------------------------------------------

CVE-Announce e-newsletter/January 8, 2018

-------------------------------------------------------

 

Contents:

 

1. "Meltdown" Is CVE-2017-5754, and "Spectre" Is CVE-2017-5753 and CVE-2017-5715

2. CVE BLOG: "CNA Rules, Version 2.0" Now in Effect

3. CVE Refreshes Website with New Look and Feel and Easier-to-Use Navigation Menus

4. Important Message About Our @CVEnew Twitter Account

5. Minutes from CVE Board Teleconference Meeting on December 13 Now Available

6. Follow us on LinkedIn and Twitter

7. Details/Credits + Subscribing and Unsubscribing

 

 

FEATURE STORY:

 

"Meltdown" Is CVE-2017-5754, and "Spectre" Is CVE-2017-5753 and CVE-2017-5715

 

Three CVE Entries are cited in numerous major advisories, posts, and news media references related to the recent critical "Meltdown" and "Spectre" vulnerabilities -- CVE-2017-5754 for Meltdown, and CVE-2017-5753 and CVE-2017-5715 for Spectre -- including in the following examples:

 

* https://www.scmagazine.com/spectre-and-meltdown-patches-flow-hit-flood-stage/article/735285/

* https://www.techrepublic.com/article/massive-intel-cpu-flaw-understanding-the-technical-details-of-meltdown-and-spectre/

* https://www.macobserver.com/news/product-news/apple-says-meltdown-patched-ios-11-2-macos-10-13-2-tvos-11-2-no-measurable-impact-speed/

* http://www.zdnet.com/article/how-linux-is-dealing-with-meltdown-and-spectre/

* https://www.theregister.co.uk/2018/01/04/microsoft_windows_patch_meltdown/

* https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

* https://support.apple.com/en-us/HT208394

* https://access.redhat.com/security/vulnerabilities/speculativeexecution

* https://securityintelligence.com/cpu-vulnerability-can-allow-attackers-to-read-privileged-kernel-memory-and-leak-data/

* https://www.theinquirer.net/inquirer/news/3023856/tech-industry-responds-to-chip-design-flaw

* http://www.itpro.co.uk/security/30223/meltdown-and-spectre-tech-industry-responds-to-the-cpu-vulnerability-affecting-most

* https://jaxenter.de/meltdown-spectre-kernel-bug-65931

* https://pc.watch.impress.co.jp/docs/news/1099687.html

* https://meltdownattack.com/

 

Other news articles may be found by searching on "CVE-2017-5754", "CVE-2017-5753", and "CVE-2017-5715" using your preferred search engine.

 

Also, the CVE Entry pages https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753, and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 each include a list of advisories used as references.

 

ADDITIONAL LINKS:

 

CVE List -

https://cve.mitre.org/cve/

 

CVE News page article -

https://cve.mitre.org/news/archives/2018/news.html#January082018_Meltdown_Is_CVE-2017-5754_and_Spectre_Is_CVE-2017-5753_and_CVE-2017-5715

 

---------------------------------------------------------------

CVE BLOG: "CNA Rules, Version 2.0" Now in Effect

 

Version 2.0 of the "CVE Numbering Authorities (CNA) Rules" took effect on January 1, 2018. The CNA Rules are the policies and processes for managing the CVE Numbering Authorities (CNAs) Program, and were revised with significant input from the CNA community.

 

"CNA Rules, Version 2.0," which was updated from Version 1.1, includes detailed information on the following:

 

* CNAs Overview – Federated CNA Structure, and Purpose and Goal of the CNA Rules

* Rules for All CNAs – Assignment, Communication, and Administration

* Responsibilities of Root and Primary CNAs – Specific Assignment, Communications, and Administration Rules for Root CNAs and for the Primary CNA

* CNA Candidate Process – Qualifications, and On-Boarding Process

* Appeals Process

* Definitions

* CVE Information Format

* Common Vulnerabilities and Exposures (CVE) Counting Rules – Purpose, Introduction, Definitions, Vulnerability Report, Inclusion Decisions, and Counting Decisions

* Terms of Use

* Process to Correct Counting Issues

* Acronyms

* Quarterly Metrics

* Disclosure and Embargo Policies

 

For details about the changes from v1.1 to v2.0, please see our "CNA Rules, Version 2.0 to Take Effect on January 1st" blog article, issue tracker, and change logs, links for which are included in our blog post at: https://cve.mitre.org/blog/index.html#January012018_CNA_Rules_Version_2.0_Now_in_Effect.

 

If you have any questions or comments about the new CNA Rules document, please contact us via our CVE Request web form by selecting "Other" from the dropdown menu at https://cveform.mitre.org/, or email us directly at cve@mitre.org.

 

We look forward to hearing from you!

 

- The CVE Team

  January 1, 2018

  cve@mitre.org

 

LINKS:

 

CNA Rules, Version 2.0 -

https://cve.mitre.org/cve/cna/CNA_Rules_v2.0.pdf

 

CVE Blog post:

https://cve.mitre.org/blog/index.html#January012018_CNA_Rules_Version_2.0_Now_in_Effect

 

---------------------------------------------------------------

CVE Refreshes Website with New Look and Feel and Easier-to-Use Navigation Menus

 

We have updated the CVE website to streamline site navigation and simplify content for an improved user experience. Improvements include the following:

 

CVE LIST MAIN MENU

 

Our new main menu provides you with direct access to the CVE List. Located in the black navigation bar at the top of every page, each item in the main menu links to a single page with a specific purpose:

 

* Search CVE List

* Download CVE

* Data Feeds

* Request CVE IDs

* Update a CVE Entry

 

NEW SITE ORGANIZATION AND SECONDARY DROPDOWN MENU

 

The website is now organized into five sections, each of which is accessible from the dropdown menus located across the very top of every page:

 

* CVE List Home – visit for CVE List rules and guidance and other supporting information, as well as for the CVE Request web form and CVE List documentation and training

* CNAs – visit for a list of current CVE Numbering Authorities (CNAs), growth of the program worldwide, types of CNAs, instructions on how to become a CNA, and documentation and training for CNAs

* CVE Board – visit for a list of current members, meeting and discussion archives, and Board documentation

* About – visit for background information about the CVE Program including the CVE and NVD relationship, terminology, history, sponsor, documents, and FAQs, as well as a new "Getting Started" section focused on CVE List, CVE ID Request, CNA, and CVE Board training

* News & Blog – visit for our latest news, events, blog, free newsletter, and social media feeds

 

Also, the CVE logo in the upper left corner of every page is the "Home" link to the website's homepage.

 

Please send any comments or concerns to cve@mitre.org.

 

LINKS:

 

CVE Website -

https://cve.mitre.org/

 

CVE News page article -

https://cve.mitre.org/news/archives/2018/news.html#January032018_CVE_Refreshes_Website_with_New_Look_and_Feel_and_Easier_to_Use_Navigation_Menus

 

---------------------------------------------------------------

Important Message About Our @CVEnew Twitter Account

 

We recently identified a Twitter handle impersonating our @CVEnew handle. Twitter was notified and suspended the impersonating handle. Follow https://twitter.com/CVEnew for regular CVE Entry updates.

 

---------------------------------------------------------------

Minutes from CVE Board Teleconference Meeting on December 13 Now Available

 

The CVE Board held a teleconference meeting on December 13, 2017. Read the meeting minutes at https://cve.mitre.org/data/board/archives/2017-12/msg00032.html.html.

 

The CVE Board includes numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE program. All Board Meetings and Board Email List Discussions are archived for the community.

 

LINKS:

 

CVE Board -

https://cve.mitre.org/community/board/index.html

 

Board Archives -

https://cve.mitre.org/community/board/archive.html#meeting_summaries

https://cve.mitre.org/community/board/archive.html#board_mail_list_archive

 

CVE News page article -

https://cve.mitre.org/news/archives/2017/news.html#December262017_Minutes_from_CVE_Board_Teleconference_Meeting_on_December_13_Now_Available

 

---------------------------------------------------------------

Follow us on LinkedIn and Twitter

 

Please follow us on Twitter for the latest from CVE:

 

* Feed of the latest CVE Entries -

https://twitter.com/CVEnew/

 

* Feed of news and announcements about CVE -

https://twitter.com/CVEannounce/

 

Please also visit us on LinkedIn to more easily comment on our news articles and CVE Blog posts:

 

* CVE-CWE-CAPEC on LinkedIn -

https://www.linkedin.com/company/11033649

 

* CVE Blog -

https://cve.mitre.org/blog/

 

---------------------------------------------------------------

Details/Credits + Subscribing and Unsubscribing

 

To unsubscribe from the CVE-Announce e-newsletter, open a new email message, copy the following text to the BODY of the message: "SIGNOFF CVE-Announce-List", then send the message to listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

 

CVE is sponsored by US-CERT (https://www.us-cert.gov/) in the office of Cybersecurity and Communications (https://www.dhs.gov/office-cybersecurity-and-communications/) at the U.S. Department of Homeland Security (https://www.dhs.gov/).

 

Copyright 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE (https://www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

For more information about CVE, visit the CVE website at https://cve.mitre.org or send an email to cve@mitre.org.

 
