CVE Announce e-newsletter — December 30, 2020
Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, hosted service providers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.
Contents:
1. Coalfire Labs, LINE, and Mitsubishi Electric Added as CVE Numbering Authorities (CNAs)
2. Our CVE Story: Using the CVE Program to Provide Reliable Vulnerability Information
3. JPCERT/CC Blog Announces Two New CNAs from Japan and Encourages Other Vendors to Participate
4. CVE in the News
5. Keeping Up with CVE
Coalfire Labs, LINE, and Mitsubishi Electric Added as CVE Numbering Authorities (CNAs)
Three additional organizations are now CNAs: (1) Coalfire Labs for all CoalfireONE products, as well as vulnerabilities in third-party software discovered by Coalfire Labs that are not in another CNA’s scope; (2) LINE Corporation for current versions of LINE Messenger Application for iOS, Android, Mac, and Windows, plus LINE Open Source projects hosted on https://github.com/line; and (3) Mitsubishi Electric Corporation for Mitsubishi Electric issues only.
To date, 149 organizations from 25 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
To request a CVE ID number from a CNA, visit Request a CVE ID on the CVE website.
Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#December172020_Coalfire_Labs_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#December042020_LINE_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#December042020_Mitsubishi_Added_as_CVE_Numbering_Authority_CNA
Our CVE Story: Using the CVE Program to Provide Reliable Vulnerability Information
Guest author Milind Kulkarni is a member of the CVE Outreach and Communications Working Group; NVIDIA is a CNA.
Customers and developers often rely on vulnerability descriptions to determine the security risks to their systems. If the information associated with a vulnerability is incomplete or vague, consumers of this information may miscalculate their risk assessments. This can make it difficult to determine the urgency of applying remediations, which may result in systems remaining vulnerable to cyber threats. By becoming a CVE Numbering Authority (CNA) and assigning a CVE ID when disclosing a security vulnerability, you can publish structured and reliable vulnerability information. This provides your customers the benefit of the accurate information they need to prioritize remediation activities necessary to secure their systems.
NVIDIA became a CNA in 2016. After becoming a CNA, we started using the CVE Program to gain significant benefits. Our status as a CNA gives us the authority to assign CVE IDs to vulnerabilities reported in our products and to provide tailored descriptions that get published in the public CVE List, and allows us to own the messaging for our security vulnerabilities.
After a security update is released, we publish a comprehensive security bulletin that serves as an authoritative reference for the CVE Record. In the security bulletin, we provide a brief description about the CVE, severity and vector, security impact, affected versions, instructions on how to apply the remediation, and acknowledgement to the finders for responsible disclosure (if applicable). NVIDIA utilizes industry standards like Common Weakness Enumeration (CWE™) for creating the vulnerability description and Common Vulnerability Scoring System (CVSS) for scoring severity and vector for the CVE Record.
Incorporating the CVE Program may initially appear to be a burden on your security operations because you might think that this will need a complete change of process and consume a lot of time, but, in my experience, the CVE Program is flexible enough to easily accommodate your existing processes which, once integrated, become a routine set of activities. The steps for assigning CVE IDs and publishing CVE Records can be completed either manually, or by using automation if you have the resources. The CVE Program can be well adopted by organizations, irrespective of their size, that have a growing product portfolio and consumers. The CVE Program gives a sense that there is a security lifecycle for your products and that you give attention to security issues. Following the simple and straightforward CVE Record Requirements outlined in the CVE Program has helped NVIDIA to integrate the CVE steps in our processes for disclosing vulnerabilities and messaging for the CVE Record.
The CVE Program has greatly helped us streamline our communications and provide reliable vulnerability information to our customers, empowering them to make informed decisions about the security of their systems. If your organization is interested in gaining the benefits from the CVE Program, check out the CVE Program’s guide on How to Become a CNA. You will certainly be in a better position by adopting the CVE Program in your vulnerability disclosure practices, which will benefit not only your company, but also your customers and ecosystem, in making your products and systems more secure than before.
Milind R. Kulkarni
Sr. Program Manager, Product Security Incident Response Team (PSIRT)
NVIDIA
Comments or Questions?
If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu to contact the CVE Program. We look forward to hearing from you!
Read on CVE website or share on Medium:
https://cve.mitre.org/blog/December152020_Our_CVE_Story_Using_the_CVE_Program_to_Provide_Reliable_Vulnerability_Information.html
https://medium.com/@cve_program/our-cve-story-using-the-cve-program-to-provide-reliable-vulnerability-information-d92a6b7d45f3
JPCERT/CC Blog Announces Two New CNAs from Japan and Encourages Other Vendors to Participate
JPCERT/CC posted a blog article on December 4, 2020 that explained its role as a Root CVE Numbering Authority (CNA) and announced Mitsubishi Electric and LINE Corporation as CNAs with JPCERT/CC as their Root CNA.
In addition to announcing that two organizations have joined the CVE Program as CNAs, JPCERT/CC also encouraged other organizations in Japan to participate: “As a CNA, JPCERT/CC assigns CVE IDs to reported vulnerabilities when publishing the advisories on JVN. However, considering the nature of CVE IDs, it would be more natural for the product developers who can acknowledge and verify the vulnerabilities to assign CVE IDs on their own, than for the organizations who coordinate and publish vulnerability information. The involvement of the 2 new CNAs is welcomed by the CVE Program, as vendors’ participation in the program as CNAs is highly encouraged … If you are interested in becoming a CNA or have any opinions on this topic, please contact us at vuls@jpcert.or.jp.”
Read the complete blog article in English or Japanese.
Read on CVE website:
https://cve.mitre.org/news/archives/2020/news.html#December082020_JPCERT_CC_Blog_Announces_Two_New_CNAs_from_Japan_and_Encourages_Other_Vendors_to_Participate
CVE in the News
New Critical Flaws in Treck TCP/IP Stack Affect Millions of IoT Devices
https://thehackernews.com/2020/12/new-critical-flaws-in-treck-tcpip-stack.html
QNAP fixes high severity QTS, QES, and QuTS hero vulnerabilities
https://www.bleepingcomputer.com/news/security/qnap-fixes-high-severity-qts-qes-and-quts-hero-vulnerabilities/
HPE discloses critical zero-day in server management software
https://www.bleepingcomputer.com/news/security/hpe-discloses-critical-zero-day-in-server-management-software/
Google Project Zero has disclosed unpatched Windows 0-day vulnerability
https://news.thewindowsclub.com/google-project-zero-has-disclosed-unpatched-windows-0-day-vulnerability-104611/
The 5 Vulnerabilities Hackers Utilised Most in 2020
https://techround.co.uk/news/5-vulnerabilities-hackers-utilised-2020/
Keeping Up with CVE
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVE Blog on Medium - Medium
CVEProject - GitHub
CVE Documentation - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2020, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.