CVE Announce e-newsletter — September 20, 2018
Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.
Contents:
1. CyberSecurity Philippines - CERT and Appthority Added as CVE Numbering Authorities (CNAs)
2. CVE Blog: “A Look at the CVE and CVSS Relationship”
3. CVE in the News
4. Keeping Up with CVE
CyberSecurity Philippines - CERT and Appthority Added as CVE Numbering Authorities (CNAs)
Two additional organizations are now CVE Numbering Authorities (CNAs): CyberSecurity Philippines - CERT, for vulnerability assignments related to its vulnerability coordination role that are not covered by another CNA; and Appthority, for vulnerabilities in its own products as well as vulnerabilities in third-party software discovered by Appthority that are not covered by another CNA.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 91 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; ASUSTOR; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#September192018_CyberSecurity_Philippines_CERT_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2018/news.html#September072018_Appthority_Added_as_CVE_Numbering_Authority_CNA
CVE Blog: “A Look at the CVE and CVSS Relationship”
We’ve received a few questions recently about CVSS and vulnerability severity scoring, so as a reminder, CVSS is a separate program from CVE.
CVE’s sole purpose is to provide common vulnerability identifiers called “CVE Entries.” CVE does not provide severity scoring or prioritization ratings for software vulnerabilities.
CVSS Defined
While separate from CVE, the Common Vulnerability Scoring System (CVSS) standard operated by the Forum of Incident Response and Security Teams (FIRST) can be used to score the severity of software vulnerabilities identified by CVE Entries.
CVSS Version 3.0 provides “a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, as well as a textual representation of that score. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.”
CVE Entries are cited in the CVSS specification and documentation to identify individual vulnerabilities used as examples, but they are not required for using CVSS.
NVD Hosts a CVSS Calculator for CVE Entries
Severity scoring and prioritization for CVE Entries is available through a CVSS calculator provided by the U.S. National Vulnerability Database (NVD).
According to the NVD website, which is operated by the National Institute of Standards and Technology (NIST), NVD’s CVSS calculator for CVE Entries supports both the CVSS 2.0 and CVSS 3.0 standards, and provides qualitative severity rankings for CVE Entries using each version. In addition, NVD’s CVSS calculator also allows users to add two additional types of score data into their severity scoring: (1) temporal, for “metrics that change over time due to events external to the vulnerability,” and (2) environmental, for “scores customized to reflect the impact of the vulnerability on your organization.”
For details and help, visit NVD’s CVSS Calculator for CVE Entries on the NVD website.
CVE, CVSS, and NVD
To recap, CVE does not provide severity scoring or prioritization and does not have a direct relationship with CVSS. The sole purpose of the CVE List is to provide common identifiers—CVE Entries—for publicly known cybersecurity vulnerabilities.
CVE Entries can be scored for severity and prioritization using FIRST’s CVSS standard.
NIST’s NVD provides a free CVSS calculator for CVE Entries. NVD also provides a download on the NVD website of “CVSS scores for all published CVE vulnerabilities.” Visit the NVD website to learn more.
Did We Point You in the Right Direction?
To discuss this post with us, please use our LinkedIn page, or send an email to cve@mitre.org.
Read on CVE website or share:
https://cve.mitre.org/blog/index.html#September112018_A_Look_at_the_CVE_and_CVSS_Relationship
CVE in the News
Two billion devices still vulnerable to Blueborne flaws a year after discovery
https://www.zdnet.com/article/two-billion-devices-still-exposed-after-blueborne-vulnerabilities-reveal/
Bug in Bitcoin code also opens smaller cryptocurrencies to attacks
https://www.zdnet.com/article/bug-in-bitcoin-code-also-opens-smaller-cryptocurrencies-to-attacks/
CVE-2018-12794: Using Type Confusion to Get Code Execution in Adobe Reader
https://www.zerodayinitiative.com/blog/2018/9/18/cve-2018-12794-using-type-confusion-to-get-code-execution-in-adobe-reader
CVE-2018-14619: New Critical Linux Kernel Vulnerability
https://securityboulevard.com/2018/08/cve-2018-14619-new-critical-linux-kernel-vulnerability/
CVE-2018-11776—The latest Apache Struts vulnerability
https://securityboulevard.com/2018/08/cve-2018-11776-the-latest-apache-struts-vulnerability/
Microsoft's September Security Updates Include Zero-Day Fix
https://redmondmag.com/articles/2018/09/12/microsoft-september-security-updates.aspx
Keeping Up with CVE
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
Common Vulnerabilities and Exposures (CVE®) is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.
Thursday, September 20, 2018
CVE Announce - September 20, 2018 (opt-in newsletter from the CVE website)