Wednesday, August 29, 2018

CVE Announce - August 29, 2018 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — August 29, 2018

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. Avaya and Odoo Added as CVE Numbering Authorities (CNAs)
2. New CVE Board Member from Microsoft
3. “CVE and Cloud Services” Is Main Topic of Article on Cloud Security Alliance Blog
4. CVE in the News
5. Keeping Up with CVE


Avaya and Odoo Added as CVE Numbering Authorities (CNAs)

Two additional organizations are now CVE Numbering Authorities (CNAs): Avaya, Inc. for Avaya products only, and Odoo for Odoo issues only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 89 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; ASUSTOR; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#August212018_Avaya_and_Odoo_Added_as_CVE_Numbering_Authority_CNA


New CVE Board Member from Microsoft

Lisa Olson of Microsoft has joined the CVE Board. Read the full announcement and welcome message in the CVE Board email discussion list archive.

The CVE Board includes numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE program. All Board Meetings and Board Email List Discussions are archived for the community.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#August202018_New_CVE_Board_Member_from_Microsoft


“CVE and Cloud Services” Is Main Topic of Article on Cloud Security Alliance Blog

CVE is the main topic of an August 13, 2018 article entitled “CVE and Cloud Services, Part 1: The Exclusion of Cloud Service Vulnerabilities” on the Cloud Security Alliance blog. The article was written by Kurt Seifried, a CVE Board member and Director of IT at Cloud Security Alliance, and Victor Chin, Research Analyst at Cloud Security Alliance.

In the article, the authors explain what CVE is and how the program works, describe the role of CVE Numbering Authorities (CNAs), and detail what CVE currently considers to be a vulnerability as specified by the CNA Rules, Version 2.0 consensus document authored by CNAs and the CVE Board. The authors of the article state: “The CVE system is the linchpin of the vulnerability management process, as its widespread use and adoption allows different services and business processes to interoperate. The system provides a way for specific vulnerabilities to be tracked via the assignment of IDs … These IDs also allow important information regarding a vulnerability to be associated with it such as workarounds, vulnerable software versions, and Common Vulnerability Scoring System (CVSS) scores. Without the CVE system, it becomes difficult to track vulnerabilities in a way that allows the different stakeholders and their tools to interoperate.”

In a section of the article entitled “CVE Inclusion Rules and Limitations,” the authors discuss how CVE’s currently defined inclusion rules do not provide for CVE Entries to be assigned to vulnerabilities in cloud services and explain how this restricts cloud service vulnerabilities from being properly managed: “In the past, [CVE’s] inclusion rule has worked well for the IT industry as most enterprise IT services have generally been provisioned with infrastructure owned by the enterprise. However, … cloud services, as we currently understand them, are not customer controlled. As a result, vulnerabilities in cloud services are generally not assigned CVE IDs. Information such as workarounds, affected software or hardware versions, proof of concepts, references and patches are not available as this information is normally associated to a CVE ID. Without the support of the CVE system, it becomes difficult, if not impossible, to track and manage vulnerabilities.”

The authors conclude the article by advocating for a change in CVE inclusion rules to allow for cloud service vulnerabilities to be included, and request industry feedback on this issue and the “resulting impact on the vulnerability management ecosystem.”

We encourage you to contribute to the discussion.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#August282018_CVE_and_Cloud_Services_Is_Main_Topic_of_Article_on_Cloud_Security_Alliance_Blog


CVE in the News

Why You Need Full Visibility to Manage Common Vulnerabilities and Exposures (CVE)
https://securityintelligence.com/why-you-need-full-visibility-to-manage-common-vulnerabilities-and-exposures-cve/

CVE-2018-11776: New Critical Struts Flaw Could Be Worse than Equifax
https://securityboulevard.com/2018/08/cve-2018-11776-new-critical-struts-flaw-could-be-worse-than-equifax/

Philips cardiovascular software found to contain privilege escalation, code execution bugs
https://www.scmagazine.com/philips-cardiovascular-software-found-to-contain-privilege-escalation-code-execution-bugs/article/789796/

Vulnerability in OpenSSH “for two decades” (no, the sky isn’t falling!)
https://securityboulevard.com/2018/08/cve-2018-5390-vulnerability-in-linux-kernel-allows-for-dos-attacks/

It Takes an Average 38 Days to Patch a Vulnerability
https://www.darkreading.com/cloud/it-takes-an-average-38-days-to-patch-a-vulnerability/d/d-id/1332638


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.