CVE Announce - December 19, 2018 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — December 19, 2018

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. TWCERT/CC and MongoDB Added as CVE Numbering Authorities (CNAs)
2. New CVE Board Member from DHS
3. CVE in the News
4. Keeping Up with CVE


TWCERT/CC and MongoDB Added as CVE Numbering Authorities (CNAs)

Two additional organizations are now CVE Numbering Authorities (CNAs):  TWCERT/CC for vulnerability assignment related to its vulnerability coordination role, and MongoDB for its own products.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 93 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; ASUSTOR; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#September262018_TWCERT_CC_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2018/news.html#December102018_MongoDB_Added_as_CVE_Numbering_Authority_CNA


New CVE Board Member from DHS

Kathleen Trimble of U.S. Department of Homeland Security (DHS) has joined the CVE Board. Read the full announcement and welcome message in the CVE Board email discussion list archive.

The CVE Board includes numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE program. All Board Meetings and Board Email List Discussions are archived for the community.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#December102018_New_CVE_Board_Member_from_DHS


CVE in the News

An Avoidable Breach That Could Happen to Any Organization
https://securityboulevard.com/2018/12/an-avoidable-breach-that-could-happen-to-any-organization/

House Releases Cybersecurity Strategy Report
https://www.infosecurity-magazine.com/news/house-releases-cybersecurity/

Critical Kubernetes vulnerability could have widespread effects
https://searchcloudsecurity.techtarget.com/news/252454109/Critical-Kubernetes-vulnerability-could-have-widespread-effects

Google Patches 11 Critical RCE Android Vulnerabilities
https://threatpost.com/google-patches-11-critical-rce-android-vulnerabilities/139612/

Update now! Microsoft and Adobe’s December 2018 Patch Tuesday is here
https://nakedsecurity.sophos.com/2018/12/13/update-now-microsoft-and-adobes-december-2018-patch-tuesday-is-here/

It's December of 2018 and, to hell with it, just patch your stuff
https://www.theregister.co.uk/2018/12/12/december_patch_tuesday/


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by NSD, NCCIC in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.