Thursday, June 28, 2018

CVE Announce - June 28, 2018 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — June 28, 2018

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. Naver Added as CVE Numbering Authority (CNA)
2. CVE Is Main Source of Vulnerability Data Used in 2018 Vulnerability Remediation Strategies Report
3. CVE’s 100,000+ Entries Milestone Is Main Topic of Article on Rapid7 Blog
4. CVE in the News
5. Keeping Up with CVE

Naver Added as CVE Numbering Authority (CNA)

Naver Corporation is now a CVE Numbering Authority (CNA) for Naver products only, except Line products.

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 88 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; ASUSTOR; Atlassian; Autodesk; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Naver; Netflix; Netgear; Node.js; Nvidia; Objective Development; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; Silicon Graphics; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#June142018_Naver_Added_as_CVE_Numbering_Authority_CNA


CVE Is Main Source of Vulnerability Data Used in 2018 Vulnerability Remediation Strategies Report

CVE is the main source of vulnerability data used in the 2018 “Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies” report by Kenna Security and Cyentia Institute.

The authors of the report found that “The number of CVEs published every year is steadily growing. Between its inception in 1999 through January 1st, 2018, over 120,000 vulnerabilities have been published to [the] Common Vulnerabilities and Exposures (CVE) [List]. 894 CVEs were published in 1999 and 6,447 CVEs published in 2016. 2017 saw a massive spike to 14,712 CVEs and 2018 is trending to meet the 2017 numbers.”

In the report, the authors discuss the effectiveness of the various vulnerability remediation strategies in use today, and conclude that current strategies are lacking but “predictive models are critical to proactively reduce risk efficiently and effectively” and “can and do enable businesses to adopt a proactive strategy for vulnerability remediation that delivers the most efficient use of their people, tools, time, and ultimately dollars to address the threats that pose the greatest risk.”

Read the complete report at:
https://www.kennasecurity.com/prioritization-to-prediction-report/. The report is free to download, but sign-up may be required.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#June272018_CVE_Is_Main_Source_of_Vulnerability_Data_Used_in_2018_Vulnerability_Remediation_Strategies_Report


CVE’s 100,000+ Entries Milestone Is Main Topic of Article on Rapid7 Blog

CVE is the main topic of an April 30, 2018 blog article by Rapid7 entitled “CVE 100K: A Big, Round Number.” The article discusses the CVE List’s 100,000+ entries milestone, describes what CVE is and how it works, details the expansion of the CVE Numbering Authorities (CNAs) program, notes the creation of the CVE Automation Working Group, and discusses the future of CVE. The article concludes by recommending that other organizations—as Rapid7 itself did in 2016—also become a CNA and help continue to grow the CVE List.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#June272018_CVEs_100,000+_Entries_Milestone_Is_Main_Topic_of_Article_on_Rapid7_Blog


CVE in the News

MacOS Bypass Flaw Lets Attackers Sign Malicious Code as Apple
https://www.darkreading.com/vulnerabilities---threats/macos-bypass-flaw-lets-attackers-sign-malicious-code-as-apple/d/d-id/1332031

CVE-2018-3665: Floating Point Lazy State Save/Restore vulnerability affects Intel chips
https://betanews.com/2018/06/14/floating-point-lazy-state-save-restore-vulnerability/

Decades-old PGP bug allowed hackers to spoof just about anyone’s signature
https://arstechnica.com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/

Experts Reveal Bugs in Hundreds of IP Cameras
https://www.infosecurity-magazine.com/news/axis-cameras-experts-urge-firmware/

Jump-Start Your Management of Known Vulnerabilities
https://securityintelligence.com/jump-start-your-management-of-known-vulnerabilities/


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to
LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.
