Thursday, February 13, 2020

CVE Announce - February 13, 2020 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — February 13, 2020

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:

1. Help Choose Our New CVE Logo!
2. Alias Robotics, Google LLC, and Tcpdump Added as CVE Numbering Authorities (CNAs)
3. CVE Blog: “CVE Program Report for Calendar Year Q4-2019”
4. CVE in the News
5. Keeping Up with CVE



Help Choose Our New CVE Logo!

The CVE Program would like the CVE Community to help us choose a new CVE logo!

The CVE Outreach and Communications Working Group (OCWG) officially launched the CVE logo contest on January 29, 2020. We received over 260 logo design concepts, and the OCWG down-selected to eight logo design finalists.

There are eight logo options to vote on via our CVE Logo Poll on 99 Designs. The winner of the contest is determined by the average rating and number of votes. Once tallies are complete, and if one winner is selected, the CVE Board will announce the winner on Friday, March 6, 2020. In the event of a tie, the CVE Board will break the tie and the winner will be announced no later than Friday, April 3, 2020. The winner will be announced on the CVE website, LinkedIn, and Twitter.

How to Vote

1. Visit https://99designs.com/contests/poll/aa730ecca6.
2. Vote for one or more logo designs by awarding each logo between 0 and 5 stars (0 is lowest and 5 highest).
3. Add a comment about each logo (optional).
4. Enter your name and email address and click Submit.

Voting opens at 12:00 p.m. EST on Thursday, February 13, 2020, and closes at 12:00 a.m. EST on Friday, February 21, 2020. Participation is free.

Thank you for participating! Please contact us with any comments or concerns.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#February132020_Help_Choose_Our_New_CVE_Logo!


Alias Robotics, Google LLC, and Tcpdump Added as CVE Numbering Authorities (CNAs)

Three additional organizations are now CVE Numbering Authorities (CNAs): Alias Robotics S.L. for all Alias Robotics products, as well as vulnerabilities in third-party robots and robot components (software and hardware) discovered by Alias Robotics that are not in another CNA’s scope; Google LLC for Google products not already covered by Android and Chrome (Android and Chrome are also CNAs); and Tcpdump Group for Tcpdump and Libpcap only.


CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 115 organizations from 22 countries currently participate as CNAs: ABB; Adobe; Airbus; Alias Robotics; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Chrome; Cisco; Cloudflare; Cybellum; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eaton; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; INCIBE; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Opera; OPPO; Oracle; OTRS; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; SICK; Siemens; Sonicwall; Splunk; SUSE; Symantec; Snyk; Synology; Talos; Tcpdump; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#February032020_Alias_Robotics_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#February042020_Google_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#January232020_Tcpdump_Added_as_CVE_Numbering_Authority_CNA


CVE Blog: “CVE Program Report for Calendar Year Q4-2019”

The CVE Program’s quarterly calendar year (CY) summary of program milestones and metrics for CY Q4-2019 is below.

CY Q4-2019 Milestones

7 CVE Numbering Authorities (CNAs) Added

Seven new CNAs were added: ABB (Switzerland), Eaton (Ireland), Opera Software (Norway), OTRS (Germany), SICK AG (Germany), Splunk (USA), and Tigera (USA).

CVE Board Charter Updated
In December, the CVE Board approved “CVE Board Charter,” version 3.0, which includes important updates to the CNA Liaison board member description and requirements, addition of a new section focused on organizational voting, and other updates to voting policies and procedures.

CVE Booth at Black Hat Europe 2019
The CVE Program continued ongoing engagement with the CVE and cybersecurity communities by hosting a CVE Booth at Black Hat Europe 2019 on December 4-5, in London, United Kingdom. Almost all visitors to the booth knew about the CVE Program and its value. However, very few understood that the program is scaling through a federated governance and operational model and how CNAs are critical to the model’s success.

CVE Team at Association for the Advancement of Artificial Intelligence 2019 Fall Symposium Series
The CVE Team continued to engage with the community on topics relevant to cybersecurity and CVE by participating in the “Artificial Intelligence in Government and Public Sector” discussion and other AI topics at the Association for the Advancement of Artificial Intelligence 2019 Fall Symposium Series on November 7-9, in Arlington, Virginia, USA.

CVE 20-Year Anniversary in October
The CVE Program celebrated its 20-year anniversary in October. The CVE Program began in 1999 with 321 entries listed, and since then, the CVE List has become a global, community-driven and continuously growing open data registry with more than 124,000 vulnerabilities listed as of October 2019. A true community effort, the CVE List continues to grow with new CVE Entries added daily by numerous CNAs from around the world populating their own CVE Entries. Learn how to become a CNA.

CY Q4-2019 Metrics
Metrics for CY Q4-2019 populated CVE Entries, reserved CVE Entries, and requests for CVE IDs from the CVE Program Root CNA (currently MITRE), are included below. Annual metrics are also included in the charts for year-to-year comparisons.

Terminology

  • Populated – A populated CVE Entry includes the CVE ID, a brief description, at least one public reference, and is available to the general public on the CVE List.
  • Reserved – CNAs reserve a CVE ID for a given vulnerability prior to assigning and populating it as a CVE Entry on the CVE List.


Populated CVE Entries
As shown in the table below, CVE Program production of 4,826 CVE Entries for CY Q4-2019 was the second most productive quarter ever with a 34% production increase compared to this same time last year (3,614 for CY Q4-2018). This includes all CVE Entries populated by all CNAs.



Comparison of Populated CVE Entries by Year for All Quarters (figure 1)


Reserved CVE Entries
The CVE Program tracks reserved CVE Entries. As shown in the table below, the number of CVE IDs in the reserved state was 8,444 for Q4-2019, which is a 24% increase compared to this same time last year (6,440 for CY Q4-2018). This increase in Q4 is partly due to CNAs reserving CVE IDs for the next calendar year. The chart below (figure 2) shows the number of CVE IDs added to the CVE List for each year. Unlike the table, the CVE IDs in the chart can be either in the reserved or populated state.


Comparison of Reserved CVE Entries by Year for All Quarters - All CNAs Year-to-Date CY Q4-2019 (figure 2)


Requests for CVE IDs from the Program Root CNA
Finally, the CVE Program Root CNA receives requests for CVE IDs from the community for vulnerabilities and open source software product vulnerabilities that are not already covered by another CNA. The chart below shows the number of unique requesters that received one or more CVE IDs from the Program Root CNA as of CY Q4-2019, as well as by year.

Requesters that Received a CVE ID from Program Root CNA for CY Q4-2019 and All Years (figure 3)


All CVE Entries Are Assigned by CNAs
All of the CVE Entries cited in the metrics above are assigned by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, and research groups authorized by the CVE Program to assign CVE Entries to vulnerabilities within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.

Currently, 115 organizations from 22 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA.

Comments or Questions?
If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu.
We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!

Read on CVE website or share:
https://cve.mitre.org/blog/index.html#February112020_CVE_Program_Report_for_Calendar_Year_Q4-2019


CVE in the News

These are the top ten software flaws used by crooks: Make sure you've applied the patches
https://www.zdnet.com/article/these-are-the-top-ten-software-flaws-used-by-crooks-make-sure-youve-applied-the-patches/

Critical Bluetooth bug leaves Android users open to attack
https://www.welivesecurity.com/2020/02/07/google-critical-android-bluetooth-flaw-attack/

MDhex vulnerabilities impact GE patient vital signs monitoring devices
https://www.zdnet.com/article/mdhex-vulnerabilities-impact-ge-patient-vital-signs-monitoring-devices/

Microsoft’s Patch Tuesday covers 99 CVEs, 12 critical with one zero day included
https://www.scmagazine.com/home/security-news/vulnerabilities/microsofts-patch-tuesday-covers-99-cve-12-critical-with-one-zero-day-included/

Adobe Addresses Critical Flash, Framemaker Flaws
https://threatpost.com/adobe-security-update-critical-flash-framemaker-flaws/152782/

The State of Vulnerabilities in 2019
https://securityboulevard.com/2020/01/the-state-of-vulnerabilities-in-2019/


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2020, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.
