Thursday, March 7, 2019

CVE Announce - March 7, 2019 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — March 7, 2019

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. Changes to How CVE Content Is Provided Begins on March 17
2. NOTICE: CVEProject GitHub Submissions Service Will Be Temporarily Unavailable March 17-18
3. CVE Program Root CNA to Assume DWF’s Open Source Product Coverage Responsibilities Beginning March 7
4. CVE in the News
5. Keeping Up with CVE


Changes to How CVE Content Is Provided Begins on March 17

The CVE Program is upgrading the infrastructure used to process and post CVE Entries to the CVE List. This upgrade process will begin at 12:00 a.m. EST on March 17, 2019, and last for one or two days. As a result of the upgrades, some of the ways in which CVE content is provided on the individual CVE Entry pages and in the various CVE List download files on the CVE website will change. These changes may affect products, services, and processes that incorporate vulnerability content from the CVE download files. We will make a follow-up announcement once the rollout is complete.

Specific changes include:

  • References in CVE Entries will now be listed in alphabetical order by source. This eliminates a legacy ordering that is inconsistent with current operations of the CVE Program. This change will be visible on the individual CVE Entry pages, but more importantly will affect all downloadable files on the Download CVE List page.
  • The CVE download files will have slight formatting changes relative to what was present before March 17, 2019. In particular, the format of an XML file will remain valid, and its content will be accessible in the same way by any compliant XML parser, but the file will not be identical on a line-by-line or character-by-character basis. This is normally only relevant to those who process XML download files with command-line tools or scripting languages that lack native XML support. This change is occurring because we have modernized the set of software libraries for constructing the download files.
  • In some instances, escaped characters may occur in a CVE Entry Description or Reference URL(s), which may affect how download files are processed. This affects fewer than 0.1% of CVE Entries, and resolves instances in which character representations were inconsistent with Internet standards. This change also results from the software library modernization.
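The three changes above only bite consumers that treat the download files as text. An added example (not code from the CVE Program) showing the difference: the element layout below imitates the legacy CVE List XML download (`item`, `desc`, `refs`/`ref`), but the namespace URI, the CVE ID, the description and the reference URLs are constructed for this illustration. The "old" and "new" renderings differ in whitespace, reference order and character escaping, so a line-by-line comparison reports a change while any compliant XML parser recovers identical content.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the same CVE Entry rendered two ways. The element
# names mimic the legacy CVE List XML download; the namespace, ID, text and
# URLs are assumptions made for this example, not real CVE data.
OLD_XML = """<?xml version="1.0"?>
<cve xmlns="http://cve.mitre.org/cve/downloads/1.0">
<item type="CVE" name="CVE-2019-0000" seq="2019-0000">
<status>Candidate</status>
<desc>Example entry with a &lt;tag&gt; and a "quoted" word.</desc>
<refs>
<ref source="URL" url="http://example.invalid/advisory?id=1&amp;x=2">http://example.invalid/advisory?id=1&amp;x=2</ref>
<ref source="MISC" url="http://example.invalid/note">http://example.invalid/note</ref>
<ref source="CONFIRM" url="http://example.invalid/fix">http://example.invalid/fix</ref>
</refs>
</item>
</cve>
"""

# Same entry after the March 17 changes: indented, references sorted by
# source, and characters written as numeric/named entities instead.
NEW_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cve xmlns="http://cve.mitre.org/cve/downloads/1.0">
  <item type="CVE" name="CVE-2019-0000" seq="2019-0000">
    <status>Candidate</status>
    <desc>Example entry with a &#60;tag&#62; and a &quot;quoted&quot; word.</desc>
    <refs>
      <ref source="CONFIRM" url="http://example.invalid/fix">http://example.invalid/fix</ref>
      <ref source="MISC" url="http://example.invalid/note">http://example.invalid/note</ref>
      <ref source="URL" url="http://example.invalid/advisory?id=1&#38;x=2">http://example.invalid/advisory?id=1&#38;x=2</ref>
    </refs>
  </item>
</cve>
"""

NS = {"c": "http://cve.mitre.org/cve/downloads/1.0"}  # assumed namespace


def parse_entries(xml_text):
    """Return {cve_id: {"desc": str, "refs": [(source, url), ...]}}.

    The parser unescapes entities for us, whitespace inside the description
    is normalised, and references are sorted by (source, url) so the order
    they appear in the file does not matter.
    """
    root = ET.fromstring(xml_text)
    entries = {}
    for item in root.findall("c:item", NS):
        desc = item.findtext("c:desc", default="", namespaces=NS)
        refs = sorted(
            (ref.get("source", ""), ref.get("url", ""))
            for ref in item.findall("c:refs/c:ref", NS)
        )
        entries[item.get("name")] = {"desc": " ".join(desc.split()), "refs": refs}
    return entries


def same_bytes(a_xml, b_xml):
    """Naive text comparison, as a shell `diff`/`cmp` would do it."""
    return a_xml.splitlines() == b_xml.splitlines()


def same_content(a_xml, b_xml):
    """Semantic comparison: equal once both files are parsed as XML."""
    return parse_entries(a_xml) == parse_entries(b_xml)


if __name__ == "__main__":
    print("line-by-line identical:", same_bytes(OLD_XML, NEW_XML))    # False
    print("parsed content identical:", same_content(OLD_XML, NEW_XML))  # True
    for cve_id, entry in parse_entries(NEW_XML).items():
        print(cve_id, entry["desc"])
        for source, url in entry["refs"]:
            print("  ", source, url)
```

If a pipeline keys change detection on a hash of the raw file, or greps descriptions out with `sed`/`awk`, it will see every entry as modified on March 17 and may mishandle the newly escaped characters; comparing the parsed `desc` and sorted `refs` as above is the stable check.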


Also, please note that during the rollout process searching and downloading of the CVE List may be temporarily unavailable or incomplete at times as the changes are rolled out. Other pages on the website such as supporting information, documents, news, blog, etc., will remain available.

Please use our CVE Request Web Form by selecting “Other” from the dropdown to contact us with any comments or concerns.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#March072019_Changes_to_How_CVE_Content_Is_Provided_Begins_on_March_17


NOTICE: CVEProject GitHub Submissions Service Will Be Temporarily Unavailable March 17-18

The CVE Program is upgrading the infrastructure used to process and post CVE Entries to the CVE List. This upgrade process will begin on March 17, 2019, and last one or two days. Because of the upgrade, we are requesting that CVE Numbering Authorities (CNAs) with access to the CVEProject GitHub.com website service NOT USE the service—and especially NOT MAKE ANY PULL REQUESTS—beginning at 12:00 a.m. EST on March 17, 2019. This outage will last one or two days. We will make a follow-up announcement here, and on the CNA email list, once service resumes.

We apologize for any inconvenience. Please contact the CNA Coordinator directly with any comments or concerns, or use our CVE Request Web Form to contact us by selecting “Other” from the dropdown.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#March072019_NOTICE_CVEProject_GitHub_Submissions_Service_Will_Be_Temporarily_Unavailable_March_17-18


CVE Program Root CNA to Assume DWF’s Open Source Product Coverage Responsibilities Beginning March 7

The Distributed Weakness Filing (DWF) project, which assigns vulnerability identifiers for Open Source products, was incorporated into CVE in 2016 as a pilot, becoming a Root CVE Numbering Authority (CNA) consistent with the CVE Program’s federated governance and operational strategy. As a result of the important work of Kurt Seifried of the Cloud Security Alliance (CSA) and other community volunteers, the CVE Program significantly increased Open Source product coverage and added several new CNAs. The program also gained important experience in onboarding and operating Root CNAs as part of the effort to federate the CVE Program.

The DWF pilot will end on March 7, 2019. The sub-CNAs that previously reported to DWF will coordinate with MITRE, the CVE Program Root CNA. Many thanks to Kurt Seifried for his dedication to security and for his enthusiasm and energy in establishing DWF and expanding CVE’s reach.

If you made a CVE ID request through a DWF web form (such as https://iwantacve.org) in the past but the CVE Entry was never populated, then DWF automatically made your request data public, and MITRE has a copy of that public data. Because of this, please do not send duplicate requests to MITRE. You should make a new CVE ID request to MITRE only if there was an embargo on the vulnerability information and your contact with DWF was only through email (i.e., you never used a DWF web form).

Follow these steps to request CVE IDs:

  1. Locate the correct CVE Numbering Authority (CNA) whose scope includes the product affected by the vulnerability in the Participating CNAs table on the Request a CVE ID page on the CVE website.
  2. Contact the appropriate CNA using the contact method provided.
  3. If the product affected by the vulnerability is not covered by an existing CNA, please contact the CVE Program Root CNA (MITRE) by completing our CVE Request Web Form.


Please use our CVE Request Web Form by selecting “Other” from the dropdown to contact us with any comments or concerns.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#March072019_CVE_Program_Root_CNA_to_Assume_DWFs_Open_Source_Product_Coverage_Responsibilities_Beginning_March_7


CVE in the News

Several Industrial Automation Products Affected by WibuKey DRM Flaws
https://techbizweb.com/several-industrial-automation-products-affected-by-wibukey-drm-flaws/

Dirty Sock vulnerability lets attackers gain root access on Linux systems
https://www.zdnet.com/article/dirty-sock-vulnerability-lets-attackers-gain-root-access-on-linux-systems/

Update now: Latest Nvidia driver fixes dangerous security vulnerabilities
https://www.techspot.com/news/78997-update-now-latest-nvidia-driver-fixes-dangerous-security.html

Docker Container Escape Vulnerability With PoC (CVE-2019-5736)
https://latesthackingnews.com/2019/02/18/docker-container-escape-vulnerability-with-poc-cve-2019-5736/

Rockwell Automation Vulnerability – Energy Companies Worldwide At Risk
https://www.informationsecuritybuzz.com/expert-comments/rockwell-automation-vulnerability/


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email


If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by NSD, NCCIC in CISA’s Cybersecurity Division at the U.S. Department of Homeland Security. Copyright © 2019, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.