Tuesday, January 29, 2019

CVE Announce - January 29, 2019 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — January 29, 2019

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. CVE Is Main Source of Vulnerability Data Used in Article about Application Security Vulnerabilities
2. CVE Is Main Topic of Article on WhiteSource Blog
3. CVE Mentioned in Article about NVD
4. CVE in the News
5. Keeping Up with CVE


CVE Is Main Source of Vulnerability Data Used in Article about Application Security Vulnerabilities

CVE is the main source of vulnerability data used in a January 15, 2019 article entitled “Top 10 Application Security Vulnerabilities of 2018” on the WhiteHat Security blog. The article, which uses CVE Entries to identify the vulnerabilities discussed, describes the “most common web exploits used by malicious attackers during the past 12 months—as well as valuable prevention tips for enterprises to implement in the new year.”

The CVE Entries cited in the article are:
CVE-2018-9206, CVE-2018-6389, CVE-2018-7600, CVE-2018-7602, CVE-2018-1273, CVE-2018-1999024, CVE-2018-4878, and CVE-2018-1260. Visit these CVE Entry pages to learn more about these issues.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#January232019_CVE_Is_Main_Source_of_Vulnerability_Data_Used_in_Article_about_Application_Security_Vulnerabilities


CVE Is Main Topic of Article on WhiteSource Blog

CVE is the main topic of a January 7, 2019 article entitled “What Is a CVE Vulnerability And How To Understand Its Details” on the WhiteSource blog.

In the article, the author explains what CVE is and how the program works; defines CVE Entries and discusses the role of CVE Numbering Authorities (CNAs) in assigning them; discusses what the CVE Program currently considers to be a vulnerability [for a detailed explanation, refer to Appendix C of the CNA Rules v2.0, a community consensus document authored by CNAs and the CVE Board]; discusses CVSS and severity scoring of CVE Entries by NVD; and explains the difference between the U.S. National Vulnerability Database (NVD) and the CVE List.

The author concludes the article by stating that while “Security flaws are a wide and varied mix, reported in various databases, advisory boards and bug trackers and consisting of a diverse set of features and qualities … [CVE is] the foremost list for the documentation of security vulnerabilities in publicly released software.”

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#January232019_CVE_Is_Main_Topic_of_Article_on_WhiteSource_Blog


CVE Mentioned in Article about NVD

CVE is mentioned throughout a December 18, 2018 article entitled “The National Vulnerability Database Explained” on the WhiteSource blog. The main topic of the article is the National Institute of Standards and Technology’s U.S. National Vulnerability Database (NVD).

CVE is first mentioned when the author discusses the types of information in NVD, noting that the base information of “a description of the CVE [Entry] and the source of the information” is provided by the CVE List, which NVD then builds upon by providing CVSS scores and other enhanced content. CVE is mentioned again in a section entitled “How The National Vulnerability Database Differs From The CVE,” in which the author explains that CVE and NVD are separate programs, and that the CVE List was established five years before NVD; that the CVE List provides the basic information for CVE Entries—identification number, description, and at least one public reference—that NVD then builds upon; and that the two efforts “work hand-in-hand, making the information more accessible for the readers. To put it simply, the CVE is the organization that receives submissions and IDs them, while the NVD adds the analysis and makes it easier to search and manage them.”

CVE is mentioned a third time in a section entitled “The Vulnerability Publishing Roadmap,” when the author briefly describes the process of how a vulnerability becomes a CVE Entry on the CVE List and is then posted to NVD. The author states: “NVD relies solely on the CVE for its feed of submitted vulnerabilities and does not perform any of its own searches for vulnerabilities in the wild … This means that the NVD has turned into a pretty exhaustive and dependable database that will continue to grow over time.”

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#January232019_CVE_Mentioned_in_Article_about_NVD


CVE in the News

Intel Patches High-Severity Privilege-Escalation Bugs
https://threatpost.com/intel-patches-privilege-escalation-bugs/140665/

LabKey Vulnerabilities Threaten Medical Research Data
https://threatpost.com/labkey-vulnerabilities-medical-research/141200/

Multiple Zero-Days in PremiSys IDenticard Access Control System
https://www.tenable.com/blog/multiple-zero-days-in-premisys-identicard-access-control-system

Electric cars: Security flaws could let attackers control charging stations
https://www.zdnet.com/article/electric-cars-security-flaws-could-let-attackers-control-charging-stations/

Old bugs, new bugs, red bugs … yes, it's Oracle mega-update day again
https://www.theregister.co.uk/2019/01/18/new_oracle_bugs/

Apple FaceTime at Risk From Severe Flaw
https://www.eweek.com/security/apple-facetime-at-risk-from-severe-flaw


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email


If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by NSD, NCCIC in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2019, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

