Thursday, June 28, 2018

CVE Announce - June 28, 2018 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — June 28, 2018

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. Naver Added as CVE Numbering Authority (CNA)
2. CVE Is Main Source of Vulnerability Data Used in 2018 Vulnerability Remediation Strategies Report
3. CVE’s 100,000+ Entries Milestone Is Main Topic of Article on Rapid7 Blog
4. CVE in the News
5. Keeping Up with CVE

Naver Added as CVE Numbering Authority (CNA)

Naver Corporation is now a CVE Numbering Authority (CNA) for Naver products only, except Line products.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 88 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; ASUSTOR; Atlassian; Autodesk; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Naver; Netflix; Netgear; Node.js; Nvidia; Objective Development; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; Silicon Graphics; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#June142018_Naver_Added_as_CVE_Numbering_Authority_CNA


CVE Is Main Source of Vulnerability Data Used in 2018 Vulnerability Remediation Strategies Report

CVE is the main source of vulnerability data used in the 2018 “Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies” report by Kenna Security and Cyentia Institute.

The authors of the report found that “The number of CVEs published every year is steadily growing. Between its inception in 1999 through January 1st, 2018, over 120,000 vulnerabilities have been published to [the] Common Vulnerabilities and Exposures (CVE) [List]. 894 CVEs were published in 1999 and 6,447 CVEs published in 2016. 2017 saw a massive spike to 14,712 CVEs and 2018 is trending to meet the 2017 numbers.”

In the report, the authors discuss the effectiveness of the various vulnerability remediation strategies in use today, and conclude that current strategies are lacking but “predictive models are critical to proactively reduce risk efficiently and effectively” and “can and do enable businesses to adopt a proactive strategy for vulnerability remediation that delivers the most efficient use of their people, tools, time, and ultimately dollars to address the threats that pose the greatest risk.”

Read the complete report at:
https://www.kennasecurity.com/prioritization-to-prediction-report/. The report is free to download, but sign-up may be required.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#June272018_CVE_Is_Main_Source_of_Vulnerability_Data_Used_in_2018_Vulnerability_Remediation_Strategies_Report


CVE’s 100,000+ Entries Milestone Is Main Topic of Article on Rapid7 Blog

CVE is the main topic of an April 30, 2018 blog article by Rapid7 entitled “CVE 100K: A Big, Round Number.” The article discusses the CVE List’s 100,000+ entries milestone, describes what CVE is and how it works, details the expansion of the CVE Numbering Authorities (CNAs) program, notes the creation of CVE Automation Working Group, and discusses the future of CVE. The article concludes by recommending that other organizations—as Rapid7 itself did in 2016—also become a CNA and help continue to grow the CVE List.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#June272018_CVEs_100,000+_Entries_Milestone_Is_Main_Topic_of_Article_on_Rapid7_Blog


CVE in the News

MacOS Bypass Flaw Lets Attackers Sign Malicious Code as Apple
https://www.darkreading.com/vulnerabilities---threats/macos-bypass-flaw-lets-attackers-sign-malicious-code-as-apple/d/d-id/1332031

CVE-2018-3665: Floating Point Lazy State Save/Restore vulnerability affects Intel chips
https://betanews.com/2018/06/14/floating-point-lazy-state-save-restore-vulnerability/

Decades-old PGP bug allowed hackers to spoof just about anyone’s signature
https://arstechnica.com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/

Experts Reveal Bugs in Hundreds of IP Cameras
https://www.infosecurity-magazine.com/news/axis-cameras-experts-urge-firmware/

Jump-Start Your Management of Known Vulnerabilities
https://securityintelligence.com/jump-start-your-management-of-known-vulnerabilities/


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.


Monday, June 4, 2018

CVE Announce - June 4, 2018 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — June 4, 2018


Contents:
1. Preparing CVE for the Future Is Main Topic of Article on The Daily Swig
2. New CVE Board Charter Is Approved
3. CVE in the News
4. Keeping Up with CVE

Preparing CVE for the Future Is Main Topic of Article on The Daily Swig

CVE is the main topic of a May 16, 2017 article entitled “CVE board looks ahead to the next 20 years of vulnerability identification,” on The Daily Swig. In the article, CVE Board members Kent Landfield of McAfee and Chris Levendis of MITRE “take stock of the program’s journey [during its first 20 years] to becoming the world’s de facto vulnerability identification standard” and discuss how CVE is being effectively positioned for the next 20 years.

The author states: “If ever proof were needed that the security industry is evolving at a rapid pace, the CVE program recently announced that the CVE List had surpassed 100,000 entries – a dubious milestone that demonstrates the program’s diligence, while hammering home the sheer scale of the threat landscape in 2018.”

The author then discusses how CVE growing the number of participants in its CVE Numbering Authority (CNA) program helped the CVE List surpass the 100,000+ entries by having more and more CNAs assigning CVE Entries to vulnerabilities, and how CVE will continue to benefit from this federated approach in the future. The author quotes Chris Levendis about this, who states: “[CVE now has] 87 CNAs in the program, who are all involved in the assignment process and help chart the path forward. The CNAs are going to be the primary means by which we scale the CVE program … As far as onboarding [new] CNAs is concerned, the program will strategically look to target certain organizations to fulfil different kinds of roles. We have open and transparent rules for the requirements to become a CNA.”

The author also quotes Kent Landfield regarding the future of CVE, the role of automation, and the CNA program, who states: “During the next year or so, we’re going to be putting in place lots of different pieces and parts to ensure that federated environment [fully] occurs, and that we have set ourselves up for the next 20 years. We have built working groups into the program that allow the board members, the CNAs, and the public to participate in trying to develop some of that automation.”

“CVE is really a fundamental piece of our security defense mechanisms … I would like to stress the sheer number of external participants who take part in this program. CVE is vital to the security industry, and vital to our ability to defend ourselves.”

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#May232018_Preparing_CVE_for_the_Future_Is_Main_Topic_of_Article_on_The_Daily_Swig


New CVE Board Charter Is Approved

We are pleased to announce that the CVE Board has approved the latest version of the “CVE Board Charter,” version 2.6, which includes several important updates to board structure; membership descriptions, including the addition of a CNA liaison board member; and voting policies and procedures.

This update was the result of many hours of hard work by the Board, and the resulting document better positions CVE for success as it continues to expand.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#May232018_New_CVE_Board_Charter_Is_Approved


CVE in the News

How to Deal with Open Source Vulnerabilities
https://www.infoq.com/articles/vulnerability-open-source

Git security vulnerability could lead to an attack of the (repo) clones
https://www.theregister.co.uk/2018/05/30/git_vulnerability_could_lead_to_an_attack_of_the_repo_clones/

Using a D-Link router? Watch out for hardcoded backdoors that give hackers admin access
https://www.techrepublic.com/article/using-a-d-link-router-watch-out-for-hardcoded-backdoors-that-give-hackers-admin-access/

Microsoft’s Patch Tuesday Fixes Two CVEs Under Active Attack
https://www.darkreading.com/endpoint/microsofts-patch-tuesday-fixes-two-cves-under-active-attack/d/d-id/1331748


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email