Friday, May 29, 2020

CVE Announce - May 29, 2020 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — May 29, 2020

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE's strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:

1. Eight Organizations Became CVE Numbering Authorities (CNAs) in May
2. New CVE Board Member from Cybersecurity and Infrastructure Security Agency (CISA)
3. CVE Entries Used in CISA and FBI's "Top 10 Most Routinely Exploited Vulnerabilities"
4. CVE Blog: CVE Program Report for Calendar Year Q1-2020
5. CVE in the News
6. Keeping Up with CVE


Eight Organizations Became CVE Numbering Authorities (CNAs) in May

Eight additional organizations are now CNAs: (1) Advanced Micro Devices, Inc. for AMD branded products and technologies only; (2) GitLab Inc. for the GitLab application, any project hosted on GitLab.com in a public repository, and any vulnerabilities discovered by GitLab that are not in another CNA's scope; (3) NortonLifeLock Inc. for NortonLifeLock products only; (4) OpenVPN Inc. for all products and projects in which OpenVPN is directly involved commercially and for OpenVPN community projects, including Private Tunnel; (5) Pegasystems, Inc. for Pegasystems products only; (6) Sierra Wireless Inc. for Sierra Wireless products only; (7) Teradici Corporation for Teradici issues only; and (8) Xiaomi Technology Co., Ltd. for Xiaomi issues only.


CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 128 organizations from 21 countries currently participate as CNAs: ABB; Adobe; Airbus; Alias Robotics; Alibaba; AMD; Ampere; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; CERT@VDE; Check Point; Chrome; Cisco; Cloudflare; Cybellum; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eaton; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; GitHub (Products Only); GitLab; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; INCIBE; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; NortonLifeLock; Nvidia; Objective Development; Odoo; OpenSSL; OpenVPN; Opera; OPPO; Oracle; OTRS; Palo Alto Networks; Pegasystems; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; SICK; Siemens; Sierra Wireless; Silver Peak; Sonicwall; Splunk; SUSE; Symantec; Snyk; Synology; Talos; Tcpdump; Tenable; Teradici; TIBCO; Tigera; Trend Micro; TWCERT/CC; Vivo; VMware; Xiaomi; Yandex; Zephyr Project; Zero Day Initiative; Zscaler; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#May052020_Pegasystems_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#May062020_Advanced_Micro_Devices_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#May122020_Teradici_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#March122020_GitHub-Products_Only-_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#May142020_Sierra_Wireless_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#May152020_NortonLifeLock_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#May192020_OpenVPN_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#May222020_GitLab_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#May282020_Xiaomi_Added_as_CVE_Numbering_Authority_CNA


New CVE Board Member from Cybersecurity and Infrastructure Security Agency (CISA)

Jay Gazlay of U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has joined the CVE Board. Read the full announcement and welcome message in the CVE Board email discussion list archive.

The CVE Board includes numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE Program. All Board Meetings and Board Email List Discussions are archived for the community.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#May202020_New_CVE_Board_Member_from_DHS_CISA


CVE Entries Used in CISA and FBI's "Top 10 Most Routinely Exploited Vulnerabilities"

CVE Entries are used to identify the vulnerabilities cited in the "Top 10 Routinely Exploited Vulnerabilities" list released on May 12, 2020 by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). CISA sponsors the CVE Program.

The list was created to "advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors. [The list] provides details on vulnerabilities routinely exploited by foreign cyber actors—primarily Common Vulnerabilities and Exposures (CVEs)[1]—to help organizations reduce the risk of these foreign threats."

The CVE Entries cited in the "Top 10 Routinely Exploited Vulnerabilities" are:

CVE-2017-11882
CVE-2017-0199
CVE-2017-5638
CVE-2012-0158
CVE-2019-0604
CVE-2017-0143
CVE-2018-4878
CVE-2017-8759
CVE-2015-1641
CVE-2018-7600

The report also includes "indicators of compromise (IOCs) and additional guidance associated with the CVEs" in a Mitigations section of the document.

Visit "CISA Alert (AA20-133A): Top 10 Routinely Exploited Vulnerabilities" for detailed information.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#May142020_CVE_Entries_Used_in_CISA_and_FBI_Top_10_Most_Routinely_Exploited_Vulnerabilities


CVE Blog: "CVE Program Report for Calendar Year Q1-2020"

The CVE Program's quarterly calendar year (CY) summary of program milestones and metrics for CY Q1-2020 is below.

CY Q1-2020 Milestones

7 CVE Numbering Authorities (CNAs) Added
Seven new CNAs were added: Alias Robotics (Spain), Ampere Computing (USA), Cybellum (Israel), GitHub (Products Only) (USA), Google LLC (USA), Spanish National Cybersecurity Institute (Spain), and Tcpdump Group (Canada).

CNA Rules Version 3.0 Released
Version 3.0 of the CNA Rules took effect on March 5 and was revised with significant input from the CNA community. Version 3.0 was a major update of the CNA Rules. Important updates include refining the roles of Sub-CNAs, Root CNAs, and the Program Root CNA, while adding two new roles: Secretariat and CNA of Last Resort (CNA-LR). Assignment, communication, and administration rules are specified for each role. In addition, separate chapters specify the CVE ID Assignment Rules, which include the CVE Program's definition of a vulnerability; CVE Entry Requirements; the Appeals Process; Defining a CNA's Scope; and a CNA Rules Update chapter with rules for updating the CNA Rules document.

CVE Program Channel on YouTube
The CVE Program Channel on YouTube was launched in March with two playlists: "CVE Basics," with introductory videos for all audiences, and "CNA Onboarding Guidance," with several videos of detailed process and procedure guidance for organizations that have signed on to participate as official CNAs.

CVE Team at RSA Conference 2020
The CVE Team continued to engage with the community on topics relevant to cybersecurity and CVE by attending RSA Conference 2020 on February 24-28, in San Francisco, California, USA. CVE Team members also actively engaged throughout the conference with interested organizations about the benefits of joining the CNA Program.

CVE Team at PSIRT Technical Colloquium 2020
The CVE Team continued to engage with the community on topics relevant to cybersecurity and CVE by participating in the PSIRT Technical Colloquium 2020 on March 4-5, in Durham, North Carolina, USA. CVE Team members also actively engaged throughout the conference with interested organizations about the benefits of joining the CNA Program.

New CVE Logo Chosen by the Community
The CVE Program held a logo contest for the community to select a new CVE logo for the CVE Program. The contest began in January with 38 designers providing 260 initial design concepts, from which the CVE Outreach and Communications Working Group (OCWG) selected 8 finalists for the community to vote upon. The community voting portion of the contest ran for two weeks, and the winning logo was announced to the community on March 6 (see logo here). It will be rolled out on the website, social media accounts, and in other communications materials in the coming months.

CY Q1-2020 Metrics

Metrics for CY Q1-2020 on populated CVE Entries, reserved CVE Entries, and requests for CVE IDs from the CVE Program Root CNA (currently MITRE) are included below. Annual metrics are also included in the charts for year-to-year comparisons.

Terminology

  • Populated – A populated CVE Entry includes the CVE ID, a brief description, at least one public reference, and is available to the general public on the CVE List.
  • Reserved – CNAs reserve a CVE ID for a given vulnerability prior to assigning and populating it as a CVE Entry on the CVE List.


Populated CVE Entries
As shown in the table below, CVE Program production was 4,808 CVE Entries for CY Q1-2020, a 15% production increase compared to this same time last year (3,245 CVE Entries for CY Q1-2019). This includes all CVE Entries populated by all CNAs.

[Figure 1: Comparison of Populated CVE Entries by Year for All Quarters]


Reserved CVE Entries
The CVE Program tracks reserved CVE Entries. As shown in the table below, the number of CVE IDs in the reserved state was 6,723 for Q1-2020. The chart below (figure 2) shows the number of CVE IDs added to the CVE List for each year. Unlike the table, the CVE IDs in the chart can be either in the reserved or populated state.

[Figure 2: Comparison of Reserved CVE Entries by Year for All Quarters - All CNAs Year-to-Date CY Q1-2020]


Requests for CVE IDs from the Program Root CNA
Finally, the CVE Program Root CNA receives requests for CVE IDs from the community for vulnerabilities and open source software product vulnerabilities that are not already covered by another CNA. The chart below shows the number of unique requesters that received one or more CVE IDs from the Program Root CNA as of CY Q1-2020, as well as by year.

[Figure 3: Requesters that Received a CVE ID from Program Root CNA for CY Q1-2020 and All Years]

All CVE Entries Are Assigned by CNAs
All of the CVE Entries cited in the metrics above are assigned by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, and research groups authorized by the CVE Program to assign CVE Entries to vulnerabilities within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.

Currently, 128 organizations from 21 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA.

Comments or Questions?
If you have any questions about this article, please use the CVE Request Web Form and select "Other" from the dropdown menu. We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!

Read on CVE website or share:
https://cve.mitre.org/blog/index.html#April302020_CVE_Program_Report_for_Calendar_Year_Q1-2020


CVE in the News

StrandHogg 2.0 Critical Bug Allows Android App Hijacking
https://threatpost.com/strandhogg-2-critical-bug-android-app-hijacking/156058/

Cisco fixes critical RCE flaw in call center solution
https://www.helpnetsecurity.com/2020/05/22/cve-2020-3280/

Uncovering Memory Defects in cereal (CVE-2020-11104 & CVE-2020-11105)
https://securityboulevard.com/2020/05/uncovering-memory-defects-in-cereal-cve-2020-11104-cve-2020-11105/

Nine in ten biz applications harbor out-of-date, unsupported, insecure open-source code, study shows
https://www.theregister.co.uk/2020/05/12/open_source_bugs/

What your DevOps team needs to know: 4 lessons from exploited vulnerabilities
https://techbeacon.com/security/what-your-devops-team-needs-know-4-lessons-exploited-vulnerabilities


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: "subscribe cve-announce-list" (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: "signoff cve-announce-list" (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2020, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.
