CVE Announce e-newsletter — March 9, 2020
Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE's strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.
Contents:
1. CVE BLOG: "CNA Rules, Version 3.0 Document Now Available"
2. Announcing the Winner of the CVE Logo Contest
3. Ampere Computing Added as CVE Numbering Authority (CNA)
4. CVE in the News
5. Keeping Up with CVE
CVE Blog: "CNA Rules, Version 3.0 Document Now Available"
Version 3.0 of the CVE Numbering Authorities (CNA) Rules took effect on March 5, 2020. The CNA Rules are the policies and processes for managing the CNA Program, and were revised with significant input from the CNA community.
Version 3.0 is a major update of the CNA Rules. The revised document updates and refines the roles of Sub-CNAs, Root CNAs, and the Program Root CNA, and adds two new roles: the Secretariat and the CNA of Last Resort (CNA-LR). Assignment, communication, and administration rules are specified for each role. In addition, separate chapters specify the CVE ID Assignment Rules, which include the CVE Program's definition of a vulnerability; the CVE Entry Requirements; the Appeals Process; Defining a CNA's Scope; and a CNA Rules Update chapter with rules for updating the CNA Rules document itself. The appendixes cover CVE Program Definitions, including CVE ID and CVE Entry states; CVE's Terms of Use; the Process to Correct Assignment Issues or Update CVE Entries; and CVE's Disclosure and Embargo Policies.
CNA Rules, Version 3.0, which was updated from Version 2.0, includes detailed information on the following:
- Introduction – CVE Numbering Authorities (CNAs), CNA Program Structure, Purpose and Goal of the CNA Rules, and Document Structure
- Sub-CNAs – CVE ID Management Rules, CVE Entry Management Rules, CNA Record Management Rules, and Administration Rules
- Root CNAs – Child CNA Management Rules, CNA-LR Management Rules, Escalated Issues Rules, CNA Recruitment Rules, and Administration Rules
- CNA of Last Resort (CNA-LR) – CVE ID Management Rules, CVE Entry Management Rules, CNA Record Management Rules, and Administration Rules
- Secretariat – CVE List Maintenance Rules, Infrastructure Maintenance Rules, and Administration Rules
- Program Root CNA – Program Root CNA Rules
- Assignment Rules – What is a Vulnerability?; How many Vulnerabilities?; CNA Scope; and Requirements for Assigning a CVE ID
- CVE Entry Requirements – CVE Entry Information Requirements, Prose Description Requirements, Reference Requirements, and Formatting
- Appeals Process
- Defining a CNA's Scope
- CNA Rules Updates – Rules for Updating the CNA Rules
- Appendix A. Definitions – CVE States: CVE ID States and CVE Entry States
- Appendix B. Terms of Use
- Appendix C. Process to Correct Assignment Issues or Update CVE Entries – Dispute: CNA Rules Violations; Reject: A CVE ID Should Not Have Been Assigned; Merge: Multiple CVE IDs Assigned to One Vulnerability; Split: A Single CVE ID is Assigned when More than One is Required; and Dispute: Validity of the Vulnerability is Questioned
- Appendix D. Disclosure and Embargo Policies
- List of Acronyms
For details about the changes from v2.0 to v3.0, please see our "CNA Rules, Version 3.0 Coming Soon" blog article. To learn more about the CNA Program, and the business benefits of becoming a CNA, visit Why Become a CNA?
If you have any questions or comments about the new CNA Rules document, or how to become a CNA, please contact us via our CVE Request web form by selecting "Request information on the CVE Numbering Authority (CNA) Program" or "Other" from the dropdown menu. We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!
Read on CVE website or share:
https://cve.mitre.org/blog/index.html#March052020_CNA_Rules_Version_3.0_Now_in_Effect
Announcing the Winner of the CVE Logo Contest
The CVE Program is extremely happy to announce the winner of our CVE logo contest!
The contest began in January 2020, with 38 designers providing 260 initial design concepts, from which the CVE Outreach and Communications Working Group (OCWG) selected 8 finalists for the community to vote upon. The contest ran for two weeks, and one logo design by graphic designer Joe Abelgas received the most votes.
We are excited to announce our new CVE logo:
[Image: Our new CVE logo!]
The new logo will be rolled out on the website, social media accounts, and in our other communications materials over the next few months. Thank you again to everyone in the CVE Community who voted to help us choose our new CVE logo; we really appreciate it!
Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#March062020_Announcing_the_Winner_of_the_CVE_Logo_Contest
Ampere Computing Added as CVE Numbering Authority (CNA)
Ampere Computing is now a CVE Numbering Authority (CNA) for Ampere issues only.
CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 115 organizations from 21 countries currently participate as CNAs: ABB; Adobe; Airbus; Alias Robotics; Alibaba; Ampere; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Chrome; Cisco; Cloudflare; Cybellum; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eaton; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; INCIBE; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Opera; OPPO; Oracle; OTRS; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid7; Red Hat; Salesforce; SAP; Schneider Electric; SICK; Siemens; Snyk; SonicWall; Splunk; SUSE; Symantec; Synology; Talos; Tcpdump; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#February142020_Ampere_Added_as_CVE_Numbering_Authority_CNA
CVE in the News
Critical Microsoft Security Warning: Hackers Now Attacking Exchange Servers—Here's What You Do
https://www.forbes.com/sites/zakdoffman/2020/03/09/critical-microsoft-security-warning-hackers-now-attacking-targets-heres-what-you-do/#7b91f7761881
High-Severity Cisco Webex Flaws Fixed
https://threatpost.com/high-severity-cisco-webex-flaws-fixed/153462/
Active Scans for Apache Tomcat Ghostcat Vulnerability Detected, Patch Now
https://www.bleepingcomputer.com/news/security/active-scans-for-apache-tomcat-ghostcat-vulnerability-detected-patch-now/
KrØØk: Serious vulnerability affected encryption of billion+ Wi‑Fi devices
https://www.welivesecurity.com/2020/02/26/krook-serious-vulnerability-affected-encryption-billion-wifi-devices/
What's Old Is New, What's New Is Old: Aged Vulnerabilities Still in Use in Attacks Today
https://securityintelligence.com/posts/whats-old-is-new-whats-new-is-old-aged-vulnerabilities-still-in-use-in-attacks-today/
Keeping Up with CVE
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: "subscribe cve-announce-list" (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message "signoff cve-announce-list" (do not include the quote marks).
Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2020, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.