Friday, November 22, 2019

CVE Announce - November 22, 2019 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — November 22, 2019

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:

1. Splunk, ABB, Eaton, and OTRS Added as CVE Numbering Authorities (CNAs)
2. CVE Blog: “CVE Program Report for Calendar Year Q3-2019”
3. CVE in the News
4. Keeping Up with CVE



Splunk, ABB, Eaton, and OTRS Added as CVE Numbering Authorities (CNAs)

Four additional organizations are now CVE Numbering Authorities (CNAs): Splunk Inc. for Splunk products only; Asea Brown Boveri Ltd. (ABB) for ABB issues only; Eaton for Eaton issues only; and OTRS AG for OTRS and ((OTRS)) Community Edition and modules only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 108 organizations from 20 countries currently participate as CNAs: ABB; Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eaton; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; OTRS; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; Splunk; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#November212019_OTRS_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2019/news.html#November152019_Eaton_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2019/news.html#November132019_ABB_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2019/news.html#November122019_Splunk_Added_as_CVE_Numbering_Authority_CNA


CVE Blog: “CVE Program Report for Calendar Year Q3-2019”

The CVE Program will issue a summary of program milestones and metrics for each quarter of the calendar year (CY), beginning with the summary for CY Q3-2019, below.

CY Q3 Milestones

5 CVE Numbering Authorities (CNAs) Added
Five new CNAs were added: Bitdefender (Romania), GitHub (USA), HCL Software (India), OPPO (China), and Salesforce (USA). DUO merged with Cisco, which remains a CNA.

100+ CNAs Milestone Achieved
On August 14, the CVE Program achieved the milestone of 100 organizations participating as CNAs. By the end of CY Q3, there were 103 CNAs.

Added a New CVE Board Member from Trend Micro/ZDI
Shannon Sabens of Trend Micro Incorporated/Zero Day Initiative (ZDI) was elected to the CVE Board on July 2.

Added a New CVE Working Group Focused on Outreach and Communications
The Outreach and Communications Working Group (OCWG), formed in July, is focused on promoting the CVE Program to achieve program adoption and coverage goals through increased community awareness.

CVE Working Groups (WGs) Information Added to Main CVE Website
Information about contact methods, documents, and projects for the five CVE WGs—which are open to community participation—was added for the community on the CVE website. CVE WGs are actively focused on: automation, strategic planning, CNA coordination, CVE quality, and outreach and communications.

Began CVE 20-Year Anniversary Activities
The CVE Program began its 20-year anniversary by continuing ongoing engagement with the CVE and cybersecurity communities at Black Hat USA 2019 on August 3-8, and DEF CON 27 on August 8-11, in Las Vegas, Nevada, USA.

CY Q3 Metrics

Metrics for CY Q3-2019 (populated CVE Entries, reserved CVE Entries, and requests for CVE IDs from the CVE Program Root CNA, currently MITRE) are included below. Annual metrics are also included in the charts for year-to-year comparisons.

Terminology

  • Populated – A populated CVE Entry includes the CVE ID, a brief description, and at least one public reference.
  • Reserved – CNAs reserve a CVE ID for a given vulnerability prior to assigning and populating it as a CVE Entry on the CVE List.


Populated CVE Entries

As shown in the table below, CVE Program production was 30% above average in Q3 for this calendar year. This includes all CVE Entries populated by all CNAs. An average of 3,960 CVE Entries have been populated per quarter, year-to-date.

Comparison of Populated CVE Entries by Year for All Quarters (figure 1)


Reserved CVE Entries

The CVE Program tracks reserved CVE Entries. As shown in the table below, the number of CVE IDs in the reserved state for Q3 is 10.7% above the previous quarter. The chart below (figure 2) shows the number of CVE IDs added to the CVE List for each year. As we are still in 2019, only the number of CVE IDs before October are shown for 2019. Unlike the table, the CVE IDs in the chart can be either in the reserved or populated state.

Comparison of Reserved CVE Entries by Year for All Quarters - All CNAs Year-to-Date CYQ32019 (figure 2)


Requests for CVE IDs from the Program Root CNA

Finally, the CVE Program Root CNA receives requests for CVE IDs from the community for vulnerabilities (including open source software product vulnerabilities) that are not already covered by another CNA. The chart below shows the number of unique requesters that received one or more CVE IDs from the Program Root CNA as of CY Q3-2019, as well as by year.

Requesters that Received a CVE ID from Program Root CNA for CYQ32019 and All Years (figure 3)


All CVE Entries Are Assigned by CNAs

All of the CVE Entries cited in the metrics above are assigned by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, and research groups authorized by the CVE Program to assign CVE Entries to vulnerabilities within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.

Currently, 108 organizations from 20 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA.

Comments or Questions?
If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu.

We look forward to hearing from you!

Read on CVE website or share:
https://cve.mitre.org/blog/index.html#November182019_CVE_Program_Report_for_Calendar_Year_Q3-2019


CVE in the News

Combating the Continuous Development of Vulnerable Software
https://securityboulevard.com/2019/11/combating-the-continuous-development-of-vulnerable-software/

GitHub Initiative Seeks to Secure Open Source Code
https://www.darkreading.com/vulnerabilities---threats/github-initiative-seeks-to-secure-open-source-code/d/d-id/1336394

Gaping 'hole' in Qualcomm’s Secure World mobile vault leaked sensitive data
https://www.zdnet.com/article/qualcomms-secure-world-virtual-processor-leaks-mobile-payment-data/

Critical updates to Excel and publicly disclosed exploits make for an urgent November Patch Tuesday
https://www.computerworld.com/article/3453738/critical-updates-to-excel-and-publicly-disclosed-exploits-make-for-an-urgent-november-patch-tuesday.html

CVE program marks 20th anniversary as registered security vulnerabilities soar
https://portswigger.net/daily-swig/cve-program-marks-20th-anniversary-as-registered-security-vulnerabilities-soar


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2019, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.




 

Thursday, October 17, 2019

CVE Announce - October 17, 2019 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — October 17, 2019

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is a global, community-driven and continuously growing open data registry of vulnerabilities. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Working Groups, which are open to the community for participation, develop the program’s policies for consideration and approval by the CVE Board. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Special Edition


CVE Celebrates 20 Years!

The CVE Program was created 20 years ago this month, and since then, the CVE List has become a global, community-driven and continuously growing open data registry with more than 124,000 vulnerabilities listed. The list continues to grow, with new CVE Entries added daily.

20 Years of CVE Entries

  20 Years       124,374
  15 Years        64,492
  10 Years        38,727
  5 Years          7,191
  1999 Launch        321

20 Years of Community Participation

CVE is an international community effort, with representatives from across the security community participating on the initial CVE Editorial Board, which guided the program and voted on which CVE Entries would be included on the CVE List.

Today, community participation remains integral to the success of CVE. The CVE Program relies heavily on the community—researchers, vendors, end users, etc.—to discover and register new vulnerabilities. The CVE Board, which has expanded to include other types of organizations, such as academic and government agencies, as well as end-users of vulnerability information, continues to provide operational and strategic guidance to the CVE Program. CVE Working Groups, which are open to the community for participation, develop the program’s policies for consideration and approval by the CVE Board. Most importantly, organizations from around the world now actively participate as “CVE Numbering Authorities (CNAs)” to assign and populate CVE Entries for vulnerabilities within their own specific scopes of coverage.

CNA Participation Continues to Expand Worldwide

CNAs are integral to the ongoing success of the CVE Program; today, 104 organizations from 18 countries actively participate as CNAs. The CVE Program continues to actively recruit organizations from around the world to participate as CNAs.

CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, and research groups that assign CVE Entries to vulnerabilities within their own specific scopes of coverage. By assigning and populating their own CVE Entries, CNAs responsibly control the vulnerability disclosure process for those vulnerabilities, improve security for their own customers, and enhance vulnerability management practices for the entire community.

CNAs join the program from a variety of business sectors; there are minimal requirements, it is easy to join, and there is no fee or contract to sign. CNAs volunteer their own time for their own benefit.

Widespread Use of CVE by the Community

The cybersecurity community endorsed the importance of incorporating CVE into products and services from the moment the CVE Program was launched in 1999. Today, that adoption has increased significantly with numerous products and services from around the world incorporating CVE Entries.

Another compelling factor for adoption is the ongoing inclusion of CVE IDs in security advisories. Numerous major open source (OS) vendors and other organizations from around the world include CVE IDs in their alerts to ensure that the international community benefits by having the CVE IDs as soon as a problem is announced. In addition, CVE IDs are also frequently cited in trade publications and general news media reports regarding software bugs, including “named” vulnerabilities such as CVE-2014-0160 for “Heartbleed”; CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278 for “Shellshock”; and CVE-2019-0708 for “BlueKeep”, among others.

CVE has also been used as the basis for entirely new services. The National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) is synchronized with, and based upon, the CVE List. NVD also includes Security Content Automation Protocol (SCAP) mappings for CVE Entries. In addition, the U.S. Federal Desktop Core Configuration (FDCC) requires verification of compliance with FDCC requirements using SCAP-validated scanning tools. CVE Change Logs is a tool created by CERIAS/Purdue University that monitors additions and changes to the CVE List and allows users to obtain daily or monthly reports. Common Weakness Enumeration (CWE™) is a formal dictionary of common software weaknesses that is based, in part, on the 124,000+ CVE Entries on the CVE List, and the recently released “2019 CWE Top 25 Most Dangerous Software Errors” leveraged CVE Entries to help determine the Top 25.

Finally, the International Telecommunication Union’s (ITU-T) Cybersecurity Rapporteur Group, which is the telecom/information system standards body within the treaty-based 150-year-old intergovernmental organization, adopted CVE as a part of its new “Global Cybersecurity Information Exchange techniques (X.CYBEX)” by issuing Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE).

Our Anniversary Celebration

Please join us on December 4-5, 2019 at Black Hat Europe 2019 as we continue to celebrate our 20-year anniversary with a CVE booth, #615.

Additional events will be announced soon, but in the meantime, follow us on the CVE website, CVE-Announce, GitHub, LinkedIn, and Twitter, as we continue our celebration throughout our anniversary year.

Finally, thank you very much for your continuing use of CVE and your ongoing interest and participation over these last 20 years. It is greatly appreciated. We look forward to the next 20 years!

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#October162019_CVE_Celebrates_20_Years!


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2019, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.





 

Monday, October 7, 2019

CVE Announce - October 7, 2019 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — October 7, 2019

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:

1. GitHub, HCL, and Tigera Added as CVE Numbering Authorities (CNAs)
2. CVE in the News
3. Keeping Up with CVE



GitHub, HCL, and Tigera Added as CVE Numbering Authorities (CNAs)

Three additional organizations are now CVE Numbering Authorities (CNAs): GitHub, Inc. for all libraries and products hosted on github.com in a public repository, unless they are covered by another CNA; HCL America Products & Platforms for all HCL products only; and Tigera, Inc. for all vulnerabilities for Calico and all of Tigera’s products only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 104 organizations from 18 countries currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#October032019_Tigera_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2019/news.html#September242019_HCL_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2019/news.html#September182019_GitHub_Added_as_CVE_Numbering_Authority_CNA

CVE in the News

Unpatched VPN Servers Targeted by Nation-State Attackers
https://www.bankinfosecurity.com/unpatched-vpn-servers-targeted-by-nation-state-attackers-a-13202

Signal Rushes to Patch Serious Eavesdropping Vulnerability
https://www.securityweek.com/signal-rushes-patch-serious-eavesdropping-vulnerability

WhatsApp vulnerability exploited through malicious GIFs to hijack chat sessions
https://www.zdnet.com/article/whatsapp-vulnerability-exploited-through-malicious-gifs-to-hijack-chat-sessions/

Virus Bulletin 2019: Japanese Attacks Highlight Savvy APT Strategy
https://threatpost.com/virus-bulletin-japanese-attacks-apt-strategygy/148859/

How MITRE and the Department of Homeland Security Collaborate to Validate Vulns
https://www.rapid7.com/resources/how-mitre-and-the-department-of-homeland-security-collaborate-to-validate-vulns/


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2019, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.


Friday, September 6, 2019

CVE Announce - September 6, 2019 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — September 6, 2019

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. Salesforce and Bitdefender Added as CVE Numbering Authorities (CNAs)
2. CVE Blog: Become a CNA to Assign Your Own CVE IDs
3. CVE in the News
4. Keeping Up with CVE


Salesforce and Bitdefender Added as CVE Numbering Authorities (CNAs)

Two additional organizations are now CVE Numbering Authorities (CNAs): Salesforce, Inc. for Salesforce products only, and Bitdefender for all Bitdefender products as well as vulnerabilities in third-party software discovered by Bitdefender that are not in another CNA’s scope.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 101 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#September032019_Bitdefender_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2019/news.html#August292019_Salesforce_Added_as_CVE_Numbering_Authority_CNA


CVE Blog: Become a CNA to Assign Your Own CVE IDs

CVE Numbering Authorities, or “CNAs,” are organizations authorized to assign and populate CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope.

A CNA may be a software vendor, open source project, coordination center, bug bounty service provider, or research group. CNAs are essential to the CVE Program’s success and every CVE Entry added to the CVE List is added by a CNA.

Benefits of Being a CNA

Currently, 101 organizations from around the world are actively participating in the CVE Program as CNAs. There is no monetary fee and no contract to sign to become a CNA. CNAs volunteer their own time for their own benefit.

The only requirements are to have a public vulnerability disclosure policy and a public source for new vulnerability disclosures, to agree to the CVE Terms of Use, and agree to follow the program’s rules and guidelines.

Becoming a CNA allows you to:

  • Demonstrate mature vulnerability management practices and a commitment to cybersecurity to current and potential customers.
  • Communicate value-added vulnerability information to your customer base.
  • Control the CVE publication release process for vulnerabilities in your scope.
  • Assign CVE IDs without having to share embargoed information with another CNA.
  • Streamline your vulnerability disclosure processes.

CNAs are also able to participate in other aspects of the CVE Program. Examples include influencing the CNA rules and guidelines upon which the program operates, and joining one or more of the CVE Working Groups to help improve CVE workflows and processes.

How to Become a CNA

If your organization would like to become a CNA, please follow these four easy steps:

  1. Contact the CNA Coordination Team.
  2. Fill out the registration form.
  3. Attend an introductory session.
  4. Successfully create CVE ID entries from examples.

Comments or Questions?

If you have any questions, or would like to start the process, please use our CVE Request Web Form and select “Request information on the CVE Numbering Authority (CNA) Program” from the dropdown. We look forward to hearing from you!

Read on CVE website or share:
https://cve.mitre.org/blog/index.html#August292019_Become_a_CNA_to_Assign_Your_Own_CVE_IDs


CVE in the News

Android Zero-Day Bug Opens Door to Privilege Escalation Attack, Researchers Warn
https://threatpost.com/android-zero-day-bug-opens-door-to-privilege-escalation-attack-researchers-warn/148014/

Espressif IoT devices susceptible to WiFi vulnerabilities can allow hijackers to crash devices connected to enterprise networks
https://hub.packtpub.com/espressif-iot-devices-susceptible-to-wifi-vulnerabilities-can-allow-hijackers-to-crash-devices-connected-to-enterprise-networks/

Tripwire Patch Priority Index for August 2019
https://www.tripwire.com/state-of-security/vert/vert-news/tripwire-patch-priority-index-for-august-2019/

August, 2019 Patch Tuesday Targets Remote Desktop and Active Directory
https://news.sophos.com/en-us/2019/08/30/august-2019-patch-tuesday-targets-remote-desktop-and-active-directory/

Top 5 New Open Source Security Vulnerabilities in August 2019
https://resources.whitesourcesoftware.com/blog-whitesource/top-5-new-open-source-vulnerabilities-in-august-2019


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2019, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.



 

Friday, August 16, 2019

CVE Announce - August 16, 2019 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — August 16, 2019

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. 100 Organizations Now Participating as CVE Numbering Authorities (CNAs)
2. OPPO Added as CVE Numbering Authority (CNA)
3. NOTICE: CVE Main Website – Scheduled Maintenance from 8:00am-1:00pm EDT on August 17
4. CVE in the News
5. Keeping Up with CVE


100 Organizations Now Participating as CVE Numbering Authorities (CNAs)

The CVE Numbering Authority (CNA) Program now includes 100 organizations from around the world that are authorized to assign CVE IDs to software and firmware vulnerabilities.

CNAs are organizations authorized to assign CVE IDs to vulnerabilities that affect products or projects within their own distinct, agreed-upon scopes, so that the CVE IDs can be included in first-time public announcements of the new vulnerabilities. CNAs may be software vendors, open source projects, vulnerability researchers, national and industry CERTs, or bug bounty programs.

CNAs are how the CVE List is built. Every CVE Entry added to the list is assigned by a CNA.

CNA Program Continues to Grow

Since 2016, 78 CNAs have joined CVE’s CNA Program. The current 100 organizations participating as CNAs as of August 14, 2019 are:

1. Adobe
2. Airbus
3. Alibaba
4. Android
5. Apache
6. Apple
7. Appthority
8. Atlassian
9. Autodesk
10. Avaya
11. BlackBerry
12. Bosch
13. Brocade
14. CA
15. Canonical
16. CERT/CC
17. Check Point
18. Cisco
19. Cloudflare
20. CyberSecurity Philippines - CERT
21. Dahua
22. Debian GNU/Linux
23. Dell
24. Document Foundation
25. Drupal.org
26. Duo
27. Eclipse Foundation
28. Elastic
29. F5
30. Facebook
31. Fedora Project
32. Flexera Software
33. floragunn
34. Forcepoint
35. Fortinet
36. FreeBSD
37. Google
38. HackerOne
39. Hewlett Packard Enterprise
40. Hikvision
41. Hillstone
42. HP
43. Huawei
44. IBM
45. ICS-CERT
46. Intel
47. ISC
48. Jenkins Project
49. Johnson Controls
50. JPCERT/CC
51. Juniper
52. Kaspersky
53. KrCERT/CC
54. Kubernetes
55. Larry Cashdollar
56. Lenovo
57. MarkLogic
58. McAfee
59. Micro Focus
60. Microsoft
61. The MITRE Corporation (CVE Program Root CNA)
62. MongoDB
63. Mozilla
64. Naver
65. NetApp
66. Netflix
67. Node.js
68. Nvidia
69. Objective Development
70. Odoo
71. OpenSSL
72. OPPO
73. Oracle
74. Palo Alto Networks
75. PHP Group
76. Pivotal Software
77. Puppet
78. Qihoo 360
79. QNAP
80. Qualcomm
81. Rapid 7
82. Red Hat
83. SAP
84. Schneider Electric
85. Siemens
86. Sonicwall
87. SUSE
88. Symantec
89. Snyk
90. Synology
91. Talos
92. Tenable
93. TIBCO
94. Trend Micro
95. TWCERT/CC
96. VMware
97. Yandex
98. Zephyr Project
99. Zero Day Initiative
100. ZTE

Of these, 82 are Vendors and Projects that assign CVE IDs for vulnerabilities found in their own products and projects, 8 are Vulnerability Researchers that assign CVE IDs to products and projects upon which they perform vulnerability analysis, 5 are National and Industry CERTs that perform incident response and vulnerability disclosure services for nations or industries, 2 are Bug Bounty Programs that assign CVE IDs to products and projects that utilize the Bug Bounty service’s product offerings, 1 is a Root CNA that manages a group of sub-CNAs within a given domain or community, and 1 is the CVE Program Root CNA that coordinates the CNA Program.

Participation is also global, with CNAs from the following 16 countries participating: Australia: 1, Austria: 1, Belgium: 1, Canada: 2, China: 9, France: 1, Germany: 6, Israel: 1, Japan: 3, Netherlands: 2, Philippines: 1, Russia: 2, South Korea: 2, Taiwan: 3, UK: 2, and USA: 64.

CNAs World Map as of August 2019

Resources for CNAs Continuing to Expand

As the number of participating CNAs has grown, so have the guidance materials and other resources. In addition to the main CNA Rules Version 2.0 document, our CNA Processes Documentation & Slides collection hosted on the CVE Documentation website on GitHub includes information for both current and prospective CNAs.

Examples of these resources include CVE Overview for Prospective CNAs, CNA Onboarding Processes, CNA Resources, CVE Content Decisions, Creating a CVE Entry for Submission, Submitting CVE Entries to Program Root CNA, and more.

These materials provide guidance and assistance to CNAs so that they can correctly fulfill their responsibilities for properly writing and completing the information required for each CVE Entry they submit to the CVE List.

Should Your Organization Become a CNA?

Numerous organizations from around the world are already participating as CNAs, while more and more organizations are deciding to become a CNA and join the CNA community to help build the CVE List.

Participation is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA’s scope by researchers who request a CVE ID.

If your organization would like to become a CNA, please visit How to Become a CNA.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#August142019_100_Organizations_Now_Participating_as_CVE_Numbering_Authorities_CNAs


OPPO Added as CVE Numbering Authority (CNA)

OPPO Mobile Telecommunication Corp., Ltd. is now a CVE Numbering Authority (CNA) for OPPO devices only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 100 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#August142019_OPPO_Added_as_CVE_Numbering_Authority_CNA


NOTICE: CVE Main Website – Scheduled Maintenance from 8:00am-1:00pm EDT on August 17

Due to scheduled maintenance, the CVE List and all other pages on this main CVE Website may be temporarily unavailable at times from 8:00 a.m. until 1:00 p.m. Eastern time on Saturday, August 17, 2019.

We apologize for any inconvenience. Please contact us with any comments or concerns.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#August142019_CVE_Main_Website_-_Possible_Intermittent_Outages_from_8am-1pm_EDT_on_August_17


CVE in the News

When it Comes to Application Security, Banks Pay Little Interest
https://securityboulevard.com/2019/08/when-it-comes-to-application-security-banks-pay-little-interest/

Unpatched Flaws in IoT Smart Deadbolt Open Homes to Danger
https://threatpost.com/unpatched-flaws-in-iot-smart-deadbolt-open-homes-to-danger/146871/

Vulnerabilities in the Picture Transfer Protocol (PTP) allows researchers to inject ransomware in Canon’s DSLR camera
https://hub.packtpub.com/vulnerabilities-in-the-picture-transfer-protocol-ptp-allows-researchers-to-inject-ransomware-in-canons-dslr-camera/

Kaspersky Antivirus Software Exposed Millions to Web Tracking
https://www.tomsguide.com/news/kaspersky-antivirus-software-exposed-millions-to-web-tracking

Check Point: Attackers executing commands remotely with latest malware
https://itbrief.co.nz/story/check-point-attackers-executing-commands-remotely-with-latest-malware


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2019, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.