Monday, January 20, 2020

CVE Announce - January 20, 2020 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — January 20, 2020

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:

1. Cybellum, Opera, SICK, and Spanish National Cybersecurity Institute (INCIBE) Added as CVE Numbering Authorities (CNAs)
2. CVE BLOG: “CNA Rules, Version 3.0 Coming Soon”
3. CVE in the News
4. Keeping Up with CVE



Cybellum, Opera, SICK, and Spanish National Cybersecurity Institute (INCIBE) Added as CVE Numbering Authorities (CNAs)

Four additional organizations are now CVE Numbering Authorities (CNAs): Cybellum Technologies LTD for all Cybellum products, as well as vulnerabilities in third-party software discovered by Cybellum that are not in another CNA’s scope; Opera Software AS for Opera issues only; SICK AG for SICK AG issues only; and Spanish National Cybersecurity Institute, S.A. (INCIBE) for vulnerability assignment related to its vulnerability coordination role for Industrial Control Systems (ICS), Information Technologies (IT), and Internet of Things (IoT) systems issues at the national level.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 112 organizations from 22 countries currently participate as CNAs: BB; Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Cybellum; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eaton; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; INCIBE; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Opera; OPPO; Oracle; OTRS; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; SICK; Siemens; Sonicwall; Splunk; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#January162020_INCIBE_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#January142020_Cybellum_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2019/news.html#December132019_Opera_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2019/news.html#December022019_SICK_Added_as_CVE_Numbering_Authority_CNA


CVE Blog: “CNA Rules, Version 3.0 Coming Soon”

The policies and processes for the successful execution of the CVE Numbering Authorities (CNAs) Program, known as the “CNA Rules,” were revised with significant participation from the CNA community. Updates to the CVE Numbering Authorities (CNA) Rules, Version 3.0 document are currently being reviewed, and a specific publication date will be announced once they have been approved by the CVE Board.

The following clarifications and improvements have been made in the CNA Rules, Version 3.0, which was updated from Version 2.0:

  • Updated the CVE Program’s definition of vulnerability.
  • Moved the Assignment Rules from an appendix into the main document.
  • Updated the CVE Entry Management Rules regarding when a CVE Entry whose details are not yet populated is considered public by the CVE Program.
  • Specified the requirements for CVE ID management rules, CVE Entry management rules, CVE Record management rules, and CVE List Maintenance management rules for all CNAs.
  • Clarified the roles, requirements, and responsibilities of parent CNAs (i.e., Root CNAs) and child CNAs (i.e., other Root CNAs, Sub-CNAs, CNAs of Last Resort).
  • Added information regarding the role of CNAs of Last Resort (CNA-LR).
  • Defined when and how an issue with a child CNA should be escalated to the child’s parent CNA.
  • Added a requirement that all CNAs must provide public access to their vulnerability disclosure policy and security advisories.
  • Added a new rule for defining a CNA’s scope.
  • Clarified the roles of CVE Program Secretariat, CVE Program Root CNA, and CVE Program CNA of Last Resort.


Once published, if you have any questions or comments about the CVE Numbering Authorities (CNA) Rules, Version 3.0, please contact us via our CVE Request web form by selecting “Other” from the dropdown menu.

We look forward to hearing from you!


Read on CVE website or share:
https://cve.mitre.org/blog/index.html#January132020_CNA_Rules_Version_3.0_Coming_Soon


CVE in the News

FBI Warns of Maze Ransomware Focusing on U.S. Companies
https://www.bleepingcomputer.com/news/security/fbi-warns-of-maze-ransomware-focusing-on-us-companies/

U.S. Government Issues Powerful Security Alert: Upgrade VPN Or Expect Cyber-Attacks
https://www.forbes.com/sites/daveywinder/2020/01/13/us-government-critical-security-alert-upgrade-vpn-or-expect-continued-cyber-attacks/

CISA Releases Test Tool for Citrix ADC CVE-2019-19781 Vulnerability
https://www.bleepingcomputer.com/news/security/cisa-releases-test-tool-for-citrix-adc-cve-2019-19781-vulnerability/

Mobile Banking Malware Up 50% in First Half of 2019
https://www.darkreading.com/cloud/mobile-banking-malware-up-50--in-first-half-of-2019/d/d-id/1336834

Nexus Intelligence Insights: CVE-2018-5382 Bouncycastle Information Exposure
https://blog.sonatype.com/cve-2018-2018-5382-bouncycastle-information-exposure


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2020, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.