Friday, August 16, 2019

CVE Announce - August 16, 2019 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — August 16, 2019

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. 100 Organizations Now Participating as CVE Numbering Authorities (CNAs)
2. OPPO Added as CVE Numbering Authority (CNA)
3. NOTICE: CVE Main Website – Scheduled Maintenance from 8:00am-1:00pm EDT on August 17
4. CVE in the News
5. Keeping Up with CVE


100 Organizations Now Participating as CVE Numbering Authorities (CNAs)

The CVE Numbering Authority (CNA) Program now includes 100 organizations from around the world that are authorized to assign CVE IDs to software and firmware vulnerabilities.

CNAs are organizations authorized to assign CVE IDs to vulnerabilities that affect products or projects within their own distinct, agreed-upon scopes, so that the CVE IDs can be included in first-time public announcements of the new vulnerabilities. CNAs may be software vendors, open source projects, vulnerability researchers, national and industry CERTs, or bug bounty programs.

CNAs are how the CVE List is built. Every CVE Entry added to the list is assigned by a CNA.

CNA Program Continues to Grow

Since 2016, 78 CNAs have joined CVE’s CNA Program. The current 100 organizations participating as CNAs as of August 14, 2019 are:

1. Adobe
2. Airbus
3. Alibaba
4. Android
5. Apache
6. Apple
7. Appthority
8. Atlassian
9. Autodesk
10. Avaya
11. BlackBerry
12. Bosch
13. Brocade
14. CA
15. Canonical
16. CERT/CC
17. Check Point
18. Cisco
19. Cloudflare
20. CyberSecurity Philippines - CERT
21. Dahua
22. Debian GNU/Linux
23. Dell
24. Document Foundation
25. Drupal.org
26. Duo
27. Eclipse Foundation
28. Elastic
29. F5
30. Facebook
31. Fedora Project
32. Flexera Software
33. floragunn
34. Forcepoint
35. Fortinet
36. FreeBSD
37. Google
38. HackerOne
39. Hewlett Packard Enterprise
40. Hikvision
41. Hillstone
42. HP
43. Huawei
44. IBM
45. ICS-CERT
46. Intel
47. ISC
48. Jenkins Project
49. Johnson Controls
50. JPCERT/CC
51. Juniper
52. Kaspersky
53. KrCERT/CC
54. Kubernetes
55. Larry Cashdollar
56. Lenovo
57. MarkLogic
58. McAfee
59. Micro Focus
60. Microsoft
61. The MITRE Corporation (CVE Program Root CNA)
62. MongoDB
63. Mozilla
64. Naver
65. NetApp
66. Netflix
67. Node.js
68. Nvidia
69. Objective Development
70. Odoo
71. OpenSSL
72. OPPO
73. Oracle
74. Palo Alto Networks
75. PHP Group
76. Pivotal Software
77. Puppet
78. Qihoo 360
79. QNAP
80. Qualcomm
81. Rapid 7
82. Red Hat
83. SAP
84. Schneider Electric
85. Siemens
86. Sonicwall
87. SUSE
88. Symantec
89. Snyk
90. Synology
91. Talos
92. Tenable
93. TIBCO
94. Trend Micro
95. TWCERT/CC
96. VMware
97. Yandex
98. Zephyr Project
99. Zero Day Initiative
100. ZTE

Of these, 82 are Vendors and Projects that assign CVE IDs for vulnerabilities found in their own products and projects; 8 are Vulnerability Researchers that assign CVE IDs to products and projects upon which they perform vulnerability analysis; 5 are National and Industry CERTs that perform incident response and vulnerability disclosure services for nations or industries; 2 are Bug Bounty Programs that assign CVE IDs to products and projects that utilize the Bug Bounty service’s product offerings; 1 is a Root CNA that manages a group of sub-CNAs within a given domain or community; and 1 is the CVE Program Root CNA that coordinates the CNA Program.

Participation is also global, with CNAs from the following 16 countries participating: Australia: 1, Austria: 1, Belgium: 1, Canada: 2, China: 9, France: 1, Germany: 6, Israel: 1, Japan: 3, Netherlands: 2, Philippines: 1, Russia: 2, South Korea: 2, Taiwan: 3, UK: 2, and USA: 64.

CNAs World Map as of August 2019

Resources for CNAs Continuing to Expand

As the number of participating CNAs has grown, so have the guidance materials and other resources. In addition to the main CNA Rules Version 2.0 document, our CNA Processes Documentation & Slides collection hosted on the CVE Documentation website on GitHub includes information for both current and prospective CNAs.

Examples of these resources include CVE Overview for Prospective CNAs, CNA Onboarding Processes, CNA Resources, CVE Content Decisions, Creating a CVE Entry for Submission, Submitting CVE Entries to Program Root CNA, and more.

These materials provide guidance and assistance to CNAs so that they can correctly fulfill their responsibilities for properly writing and completing the information required for each CVE Entry they submit to the CVE List.

Should Your Organization Become a CNA?

Numerous organizations from around the world are already participating as CNAs, while more and more organizations are deciding to become a CNA and join the CNA community to help build the CVE List.

Participation is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA’s scope by researchers who request a CVE ID.

If your organization would like to become a CNA, please visit How to Become a CNA.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#August142019_100_Organizations_Now_Participating_as_CVE_Numbering_Authorities_CNAs


OPPO Added as CVE Numbering Authority (CNA)

OPPO Mobile Telecommunication Corp., Ltd. is now a CVE Numbering Authority (CNA) for OPPO devices only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 100 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#August142019_OPPO_Added_as_CVE_Numbering_Authority_CNA


NOTICE: CVE Main Website – Scheduled Maintenance from 8:00am-1:00pm EDT on August 17

Due to scheduled maintenance, the CVE List and all other pages on this main CVE Website may be temporarily unavailable at times from 8:00 a.m. until 1:00 p.m. Eastern time on Saturday, August 17, 2019.

We apologize for any inconvenience. Please contact us with any comments or concerns.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#August142019_CVE_Main_Website_-_Possible_Intermittent_Outages_from_8am-1pm_EDT_on_August_17


CVE in the News

When it Comes to Application Security, Banks Pay Little Interest
https://securityboulevard.com/2019/08/when-it-comes-to-application-security-banks-pay-little-interest/

Unpatched Flaws in IoT Smart Deadbolt Open Homes to Danger
https://threatpost.com/unpatched-flaws-in-iot-smart-deadbolt-open-homes-to-danger/146871/

Vulnerabilities in the Picture Transfer Protocol (PTP) allows researchers to inject ransomware in Canon’s DSLR camera
https://hub.packtpub.com/vulnerabilities-in-the-picture-transfer-protocol-ptp-allows-researchers-to-inject-ransomware-in-canons-dslr-camera/

Kaspersky Antivirus Software Exposed Millions to Web Tracking
https://www.tomsguide.com/news/kaspersky-antivirus-software-exposed-millions-to-web-tracking

Check Point: Attackers executing commands remotely with latest malware
https://itbrief.co.nz/story/check-point-attackers-executing-commands-remotely-with-latest-malware


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2019, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.