CVE Announce e-newsletter — April 22, 2019
Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.
Contents:
1. Jenkins Project, Kubernetes, PHP Group, Pivotal Software, and Snyk Added as CVE Numbering Authorities (CNAs)
2. CVE Board Adds a “CNA Coordination Working Group Liaison” Board Member
3. CVE in the News
4. Keeping Up with CVE
Jenkins Project, Kubernetes, PHP Group, Pivotal Software, and Snyk Added as CVE Numbering Authorities (CNAs)
Five additional organizations are now CVE Numbering Authorities (CNAs): Jenkins Project for Jenkins and Jenkins plugins distributed by the Jenkins project (listed on plugins.jenkins.io) only; Kubernetes for Kubernetes issues only; PHP Group for vulnerabilities in PHP code (code in https://github.com/php/php-src) only; Pivotal Software, Inc. for Pivotal, Spring, and Cloud Foundry issues only; and Snyk for vulnerabilities in third-party products discovered by Snyk only.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 98 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; SonicWALL; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#April182019_Jenkins_Project_Kubernetes_PHP_Group_Pivotal_Software_and_Snyk_Added_as_CVE_Numbering_Authority_CNA
CVE Board Adds a “CNA Coordination Working Group Liaison” Board Member
Tod Beardsley of Rapid7 has been added as the “CNA Coordination Working Group Liaison” CVE Board member, and will represent the CVE Numbering Authorities (CNAs) in CVE Board meetings.
Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#April172019_CVE_Board_Adds_a_CNA_Coordination_Working_Group_Liaison_Board_Member
CVE in the News
Broadcom WiFi Driver Flaws Expose Computers, Phones, IoT to RCE Attacks
https://www.bleepingcomputer.com/news/security/broadcom-wifi-driver-flaws-expose-computers-phones-iot-to-rce-attacks/
Multiple Enterprise VPN Apps Allow Attackers to Bypass Authentication
https://www.bleepingcomputer.com/news/security/multiple-enterprise-vpn-apps-allow-attackers-to-bypass-authentication/
Cisco Patches Critical Flaw In ASR 9000 Routers
https://threatpost.com/cisco-patch-asr-9000-routers/143895/
Intel Patches Vulnerabilities In Four Different Products
https://latesthackingnews.com/2019/04/12/intel-patches-vulnerabilities-in-four-different-products/
CVE-2018-18500: Heap write-after-free in Firefox, Analysis and Exploitation
https://news.sophos.com/en-us/2019/04/18/protected-cve-2018-18500-heap-write-after-free-in-firefox-analysis-and-exploitation/
The wave of domain hijackings besetting the Internet is worse than we thought
https://arstechnica.com/information-technology/2019/04/state-sponsored-domain-hijacking-op-targets-40-organizations-in-13-countries/
Keeping Up with CVE
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).
Common Vulnerabilities and Exposures (CVE®) is sponsored by NSD, NCCIC in CISA’s Cybersecurity Division at the U.S. Department of Homeland Security. Copyright © 2019, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.
Monday, April 22, 2019
CVE Announce - April 22, 2019 (opt-in newsletter from the CVE website)