CVE Announce e-newsletter — April 27, 2020
Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE's strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.
Contents:
1. CERT@VDE, GitHub (Products Only), Silver Peak, Vivo, and Zscaler Added as CVE Numbering Authorities (CNAs)
2. CVE Launches YouTube Channel
3. CVE Board Charter Updated to Version 3.1
4. CVE in the News
5. Keeping Up with CVE
CERT@VDE, GitHub (Products Only), Silver Peak, Vivo, and Zscaler Added as CVE Numbering Authorities (CNAs)
Five additional organizations are now CVE Numbering Authorities (CNAs): CERT@VDE for Beckhoff, Bender, Endress+Hauser, HIMA, Festo, Koramis, ifm, Miele, Pepperl+Fuchs, Phoenix Contact, PILZ, Weidmueller, and WAGO products, as well as industrial and infrastructure control systems (and their components) of European Union (EU) based vendors as long as there is no CNA with a more specific scope for the vulnerability; GitHub, Inc. (Products Only) for GitHub Enterprise Server issues only (GitHub, Inc. is also a CNA for libraries and products hosted on github.com in a public repository); Silver Peak Systems, Inc. for Silver Peak product issues only; Vivo Mobile Communication Technology Co., Ltd. for Vivo issues only; and Zscaler, Inc. for Zscaler issues only.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 120 organizations from 21 countries currently participate as CNAs: ABB; Adobe; Airbus; Alias Robotics; Alibaba; Ampere; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; CERT@VDE; Check Point; Chrome; Cisco; Cloudflare; Cybellum; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eaton; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; GitHub (Products Only); Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; INCIBE; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Opera; OPPO; Oracle; OTRS; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid7; Red Hat; Salesforce; SAP; Schneider Electric; SICK; Siemens; Silver Peak; SonicWall; Splunk; SUSE; Symantec; Snyk; Synology; Talos; Tcpdump; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; Vivo; VMware; Yandex; Zephyr Project; Zero Day Initiative; Zscaler; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#April232020_Silver_Peak_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#April222020_CERT@VDE_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#April062020_Zscaler_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#April022020_Vivo_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#March122020_GitHub-Products_Only-_Added_as_CVE_Numbering_Authority_CNA
CVE Program Launches YouTube Channel
The CVE Program is now on YouTube!
Our new CVE Program Channel on YouTube currently includes two playlists: "CVE Basics" with introductory videos for all audiences, and "CNA Onboarding Guidance" with several videos of detailed processes and procedures guidance for organizations that have signed on to participate as official CVE Numbering Authorities (CNAs).
You can watch the videos and download the slides to follow along here on the CVE website, or you can watch directly on YouTube. Please check out the videos and let us know what you think by commenting on YouTube. We look forward to hearing from you!
Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#March312020_CVE_Program_Launches_YouTube_Channel
CVE Board Charter Updated to Version 3.1
The CVE Board has approved the latest version of the "CVE Board Charter," version 3.1, which adds two additional sections about CVE Working Groups: Section 2.13 Disbanding or Pausing Working Groups and Section 2.14 Guidelines.
Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#April232020_CVE_Board_Charter_Updated_to_Version_3-1
CVE in the News
VMware patches two vulnerabilities in vRealize Log Insight, one critical
https://www.scmagazine.com/home/security-news/vulnerabilities/vmware-patches-two-vulnerabilities-in-vrealize-log-insight-one-critical/
Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D
https://threatpost.com/microsoft-issues-out-of-band-security-update-for-office-paint-3d/155016/
Kernel vulnerabilities in Android devices using Qualcomm chips explored
https://www.zdnet.com/article/technical-details-of-kernel-vulnerabilities-in-android-devices-using-qualcomm-chips-revealed/
Contrast Labs: CVE-2020-11444: Privilege Escalation Vulnerability in Sonatype Nexus Repository Manager
https://securityboulevard.com/2020/04/contrast-labs-cve-2020-11444-privilege-escalation-vulnerability-in-sonatype-nexus-repository-manager/
Keeping Up with CVE
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: "subscribe cve-announce-list" (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: "signoff cve-announce-list" (do not include the quote marks).
Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2020, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.

