CVE Announce e-newsletter — November 24, 2020
Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.
Contents:
1. CSW, Joomla!, Logitech, NLnet Labs, Secomea, and WhiteSource Added as CVE Numbering Authorities (CNAs)
2. Our CVE Story: CVE IDs for Simplifying Vulnerability Communications
3. Our CVE Story: The Gift of CVE
4. CVE Blog Also Now on Medium for Easier Commenting and Sharing
5. New CVE Board Member from JPMorgan
6. CVE in the News
7. Keeping Up with CVE
CSW, Joomla!, Logitech, NLnet Labs, Secomea, and WhiteSource Added as CVE Numbering Authorities (CNAs)
Six additional organizations are now CNAs: (1) Cyber Security Works Pvt. Ltd. (CSW) for vulnerabilities in third-party software discovered by CSW that are not in another CNA’s scope; (2) The Joomla! Project for core Joomla! CMS, the Joomla Framework, and Joomla! Extensions issues only; (3) Logitech for all current products/software/apps made by Logitech, Ultimate Ears, Jaybird, Streamlabs, Logitech G, Logicool, Blue, and Astro Gaming; (4) NLnet Labs for all NLnet Labs projects; (5) Secomea for supported Secomea products only; and (6) WhiteSource for vulnerabilities in its own products and vulnerabilities in third-party software discovered by WhiteSource that are not in another CNA’s scope.
To date, 146 organizations from 25 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVEs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
To request a CVE ID number from a CNA, visit Request a CVE ID.
Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#November032020_Cyber_Security_Works_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#November182020_Joomla_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#October262020_Logitech_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#October282020_NLnet_Labs_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#November202020_Secomea_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#November052020_WhiteSource_Added_as_CVE_Numbering_Authority_CNA
Our CVE Story: CVE IDs for Simplifying Vulnerability Communications
Guest author Chandan Nandakumaraiah of Palo Alto Networks is Co-chair of the CVE Quality Working Group, and Palo Alto Networks is a CNA.
Most organizations that publish security alerts to warn their consumers need unique identifiers to use as a reference. The identifier may be used during meetings, included in emails, discussed over the telephone, cited in chat rooms, displayed in slide presentations, sent in text messages, or tweeted to help identify an individual security alert. They also help people distinguish between issues and ensure people are on the same page when discussing a security problem. Until recently, Palo Alto Networks always used an identifier scheme of PAN-SA-- to identify our advisories, which typically provide the information specific to a security vulnerability also identified by a CVE ID.
We upgraded our security advisory site at the beginning of 2020. In that process, I gave a hard look at our numbering scheme and asked if we really needed to create our own advisory identifiers when each entry likely has a CVE ID associated with it. When someone uses a CVE ID instead of an advisory ID, one needs to connect the dots and find the corresponding advisory ID. If there was a piece of information quoting the advisory ID somewhere on the Interwebs—such as discussion forums, wikis, chat rooms—someone seeking that information can miss it if they only search by the CVE ID.
The acronym “CVE” in the IT industry is synonymous with security holes and has instant name recognition. “Pay attention: There is a PAN-SA!” doesn’t convey the message as much as saying, “Pay attention: There is a CVE!” CVE IDs have become the de facto primary keys that our customers use to refer to security issues.
In the new site, we decided to stop using PAN-SA numbers in favor of using CVE IDs as the primary key. There are, however, some corner cases where we cannot use a CVE ID to identify a security advisory. When we need to publish an issue that does not meet the criteria for assigning a CVE ID, or we need to publish an advisory grouping together several CVE IDs, we still have the flexibility to crank out a custom PAN-SA identifier. For the majority of issues, however, it is a one-to-one relationship between an advisory and a CVE ID, and this change eliminates a redundant identifier from usage altogether.
The switchover of the primary key has largely been transparent to our consumers, and no one has complained that they miss the old PAN-SA identifiers. It wasn't hard to set up URL redirection for older existing advisory IDs to corresponding pages identified by CVE IDs.
As a CVE Numbering Authority (CNA), we have automated the syncing of our CVE information with the official CVE corpus hosted on the public CVE website. Whether someone is looking at the CVE website or our corporate site, they see a consistent description, which further eliminates the need to keep our own identifier namespace for vulnerabilities.
The use of CVE IDs during the flurry of activities around an advisory publication has greatly helped us streamline communication, avoid confusion, help people get to the right information right away, and stay secure.
Chandan Nandakumaraiah
Sr. Director, Product Security Assurance and Vulnerability Remediation
Palo Alto Networks
Comments or Questions?
If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu to contact the CVE Program. We look forward to hearing from you!
Read on CVE website or share on Medium:
https://cve.mitre.org/blog/October212020_Our_CVE_Story_CVE_IDs_for_Simplifying_Vulnerability_Communications.html
https://medium.com/@cve_program/our-cve-story-cve-ids-for-simplifying-vulnerability-communications-24f45992c66c
Our CVE Story: The Gift of CVE
Guest author GS McNamara is Principal Application Security Engineer and co-founder of the Global Product Security Incident Response Team (PSIRT) at Forcepoint, and Forcepoint is a CNA.
Forcepoint has partnered with the CVE Program since 2017 as a CVE Numbering Authority (CNA) and has received many benefits from that relationship that continue to have a direct impact on our products. If you are thinking about becoming a CNA, consider the following:
CVE benefits organizations by creating common ground to enable a conversation about managing vulnerabilities whether internally, with peers, or with vendors. Defensive security products can be explicit about the vulnerabilities they protect, which gives the consumer a clear idea of their organization’s residual exposure. People, databases, and tools can all be on the same page.
The value of assigning a vulnerability a convenient CVE ID extends beyond patching. These IDs can be used when tracking corresponding exploits as they’re crafted and used in attacks. As part of a threat intelligence program, CVE IDs help to keep track of threat actors and trends by the vulnerabilities they leverage in their attacks.
CVE benefits producers of hardware, software products, or services with or without bug bounty programs because a CVE ID is an asset that they can offer in lieu of payment to thank a researcher for their effort and participation in a coordinated vulnerability disclosure. This benefits organizations that either don’t want to establish a bug bounty program or can’t due to budget considerations or other reasons. Because of the CVE Program, organizations can do this all for free in an official capacity as a CNA for vulnerabilities affecting products within their distinct, agreed-upon scope.
Participation as a CNA can be a sign that an organization has a mature vulnerability management program. Being a CNA also gives the organization the earliest opportunity to direct the conversation about a vulnerability within their scope before it goes public. A CVE ID is something the issuer can attach additional useful information to, such as risk rating, affected versions, mitigations, patches, and whether certain circumstances are required to actually exploit the vulnerability.
CVE benefits researchers by helping them build up a vulnerability research portfolio, full of accomplishments, denoted with globally unique identifiers and the accompanying recognition by established organizations. This is great for researchers looking for an opportunity to establish themselves by getting the recognition they deserve, and especially for those minting their own credentials without needing a formal educational background.
CVE Benefits Us Here at Forcepoint
Participating in the CVE Program has many benefits, and because participation is voluntary, every benefit is a gift. As a CNA, Forcepoint has been able to issue CVE IDs crediting researchers, both external and internal, who have graciously worked with our Product Security Incident Response Team to improve the security of the products and services we make. Being a CNA has given us access to the pulse of the latest developments in the program that will affect us down the road, another gift of CVE, and wherever we can we look to pay it forward.
GS McNamara
Principal Application Security Engineer, Co-founder of the Global Product Security Incident Response Team (PSIRT)
Forcepoint
Comments or Questions?
If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu to contact the CVE Program. We look forward to hearing from you!
Read on CVE website or share on Medium:
https://cve.mitre.org/blog/November162020_Our_CVE_Story_The_Gift_of_CVE.html
https://medium.com/@cve_program/our-cve-story-the-gift-of-cve-7061b98014ae
CVE Blog Also Now on Medium for Easier Commenting and Sharing
CVE Blog articles posted on the CVE website will also now be posted on the CVE Blog on Medium for easier commenting and sharing of posts.
CVE Blog articles co-posted on Medium to date:
Our CVE Story: The Gift of CVE (guest author)
Our CVE Story: CVE IDs for Simplifying Vulnerability Communications (guest author)
CVE Program Report for Calendar Year Q3-2020
Our CVE Story: Ancient History of the CVE Program – Did the Microsoft Security Response Center have Precognition? (guest author)
CVE Program Partners with Cybersecurity & Infrastructure Security Agency to Protect Industrial Control Systems and Medical Devices
Our CVE Story: Rapid7 (guest author)
Process for Assigning CVE IDs to End-of-Life (EOL) Products
Our CVE Story: Bringing Our ZDI Community to the CVE Community (guest author)
We encourage you to engage with us on these and future posts. Please contact us with any suggestions for future blog topics.
Visit CVE Blog on Medium:
https://medium.com/@CVE_Program
New CVE Board Member from JPMorgan Chase
Jessica Colvin of JPMorgan Chase has joined the CVE Board. Read the full announcement and welcome message in the CVE Board email discussion list archive.
The CVE Board includes numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE Program. All Board Meetings and Board Email List Discussions are archived for the community.
Read on CVE website:
https://cve.mitre.org/news/archives/2020/news.html#October012020_New_CVE_Board_Member_from_JPMorgan_Chase
CVE in the News
VMware releases workarounds for another critical flaw (CVE-2020-4006)
https://www.helpnetsecurity.com/2020/11/24/vmware-releases-workarounds-for-another-critical-flaw-cve-2020-4006/
Cisco reveals this critical bug in Cisco Security Manager after exploits are posted – patch now
https://www.zdnet.com/article/cisco-reveals-this-critical-bug-in-cisco-security-manager-after-exploits-are-posted-patch-now/
Security Vulnerability In VIOS, AIX, And Maybe IBM i
https://www.itjungle.com/2020/11/23/security-vulnerability-in-vios-aix-and-maybe-ibm-i/
Citrix SD-WAN Bugs Allow Remote Code Execution
https://threatpost.com/citrix-sd-wan-bugs-remote-code-execution/161274/
PLATYPUS: Hackers Can Obtain Crypto Keys by Monitoring CPU Power Consumption
https://www.securityweek.com/platypus-hackers-can-obtain-crypto-keys-monitoring-cpu-power-consumption
Apache Unomi CVE-2020-13942: RCE Vulnerabilities Discovered
https://securityboulevard.com/2020/11/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/
Keeping Up with CVE
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVE Blog on Medium - Medium
CVEProject - GitHub
CVE Documentation - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2020, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.
