CVE Announce - November 10, 2022 (opt-in newsletter from the CVE website)

 

 

 

 

 

 

 

 

 

 

  1. 31 Additional Organizations Added as CVE Numbering Authorities (CNAs)

  2. CVE Community Members Publish Articles About the CVE Program

  3. Dispelling the Myth: CVE ID Assignment and Record Publication for Vulnerabilities Affecting Cloud Services

  4. CVE Program Expands Partnership with Red Hat

  5. New CVE Board Member from Red Hat

  6. Introducing the CNA Mentoring Program

  7. The Value of Assigning CVEs

  8. Keeping Up with CVE

 

 

31 Additional Organizations Added as CVE Numbering Authorities (CNAs)

 

Thirty-one additional organizations are now CNAs:

 

1)            Baicells Technologies Co., Ltd. is now a CVE Numbering Authority (CNA) for all Baicells products (China)

2)            Bugcrowd Inc. for vulnerabilities discovered by researchers in collaboration with Bugcrowd, with approval of Bugcrowd’s clients, and not in the scope of another CNA (USA)

3)            Crestron Electronics, Inc. for Crestron products (USA)

4)            CyberArk Labs for CyberArk products and vulnerabilities discovered by CyberArk Labs that are not within another CNA’s scope (Israel)

5)            Dragos, Inc. for Dragos products and third-party products it researches related to operational technology (OT)/industrial control systems (ICS) not covered by another CNA (USA)

6)            Dual Vipers LLC for Dual Vipers projects and products (both open and closed source), as well as vulnerabilities in third-party software discovered by Dual Vipers that are not in another CNA’s scope (USA)

7)            FULL INTERNET for all FULL products, as well as vulnerabilities in third-party software discovered by FULL that are not in another CNA’s scope (Brazil)

8)            GE Healthcare for GE Healthcare products (USA)

9)            Green Rocket Security Inc. for Green Rocket Security products including EOL unless covered by another CNA’s scope (USA

10)        Hallo Welt! GmbH for BlueSpice vulnerabilities only (Germany)

11)        Hitachi Vantara for all Hitachi Vantara products and technologies (USA)

12)        HashiCorp Inc. for all HashiCorp products and projects unless covered by another CNA’s scope (USA)

13)        Honeywell International Inc. for all Honeywell products (USA)

14)        Honor Device Co., Ltd. for vulnerabilities in Honor products and services unless covered by the scope of another CNA (China)

15)        KrakenD, S.L. for KrakenD EE, KrakenD CE, and Lura issues only (Spain)

16)        KNIME AG for all vulnerabilities on software products that our company provides, including KNIME Analytics Platform, KNIME Server, and KNIME Hub (Switzerland)

17)        The Missing Link Australia (TML) for the TML vulnerability disclosure policy that applies to any third-party vendor products to whom TML will assign the CVEs for vulnerabilities, if the product is not a part of another CNA scope (Australia)

18)        National Cyber Security Centre - Netherlands (NCSC-NL) for vulnerabilities in software discovered by NCSC-NL, and vulnerabilities reported to NCSC-NL for coordinated disclosure, which are not in another CNA’s scope (Netherlands)

19)        National Cyber Security Centre SK-CERT for vulnerabilities in software discovered by National Cyber Security Centre SK-CERT, and vulnerabilities reported to National Cyber Security Centre SK-CERT for coordinated disclosure, which are not in another CNA’s scope (Slovak Republic)

20)        NetRise for vulnerabilities in third-party Extended Internet of Things (XIoT) devices and firmware NetRise researches that are not covered by another CNA (USA)

21)        OpenCloudOS Community for OpenCloud OS issues only, not including EOL products, unless covered by another CNA’s scope (China)

22)        OpenHarmony for OpenHarmony issues only (China)

23)        openGauss Community for openGauss issues only (China)

24)        ONEKEY GmbH for all ONEKEY products and vulnerabilities in third-party software discovered by ONEKEY that are not in another CNA’s scope (Germany)

25)        The OpenNMS Group for OpenNMS issues only (USA)

26)        Rockwell Automation for all Rockwell Automation products (USA)

27)        SailPoint Technologies for SailPoint issues only (USA)

28)        Seagate Technology for any Seagate or LaCie software or hardware, open or closed source, supported and end of life, as well as any vulnerabilities in third-party software discovered by Seagate that are not in another CNA’s scope (USA)

29)        senhasegura for vulnerabilities in senhasegura products, and other vulnerabilities discovered by senhasegura that are not in another CNA’s scope (Brazil)

30)        Unisoc (Shanghai) Technologies Co., Ltd. for Unisoc issues only (China)

31)        Zowe for vulnerabilities in Zowe.org open-source projects (USA)

 

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 254 partners from 35 countries participating in the CVE Program. View the entire list of CNA partners on the CVE website.

 

CVE Community Members Publish Articles About CVE

 

Members of the CVE community have recently published articles about the CVE Program:

 

“Ancient CVEs Can Cause You Problems” by CVE Board Member Kent Landfield

In this article on the Trellix Blog, Kent discusses the problems that can result from relying on vulnerability severity scores to determine prioritization for patching CVEs.

 

“5 Myths about CVEs” by CVE Automation Working Group (AWG) Member Madison Oliver

In this article on The New Stack, Madison discusses a “series of myths have emerged around CVEs that give them a bad reputation, which spawns hesitation to report and increases the odds that vulnerabilities will go undetected.”

 

“An Inside Look at What Makes the CVE Program Tick” by CVE Board Member and CNA Coordination Working Group Chair (CNACWG) Tod Beardsley

In this article on SCMagazine, Tod “offers an overview of the CVE Program and its importance to security organizations” from his unique position as CVE Program insider.

 

“Removing the stigma of a CVE” by CVE Automation Working Group (AWG) Member Madison Oliver

In this article on the GitHub Security Blog, Madison answers the question: “Do you worry that a CVE will hurt the reputation of your project? In reality, CVEs are a tracking number, and nothing more. Here's how we think of them at GitHub.”

 

 

Dispelling the Myth: CVE ID Assignment and Record Publication for Vulnerabilities Affecting Cloud Services

 

here exists a myth that the CVE® Program does not assign CVE IDs and publish CVE Records for vulnerabilities affecting cloud services. This myth has propagated on social media, repeated over and over again by those who really believe it. In fact, the CVE Program has and does assign CVE IDs and publish CVE Records for vulnerabilities affecting cloud services.

 

The CVE Rules are publicly available. Rule 7.4.4 states:

 

7.4.4 CNAs MAY assign a CVE ID to a vulnerability if:

1. The product or service is owned by the CVE Numbering Authority (CNA)
2. The product or service is not customer controlled, and
3. The vulnerability requires customer or peer action to resolve

 

The CVE Board is responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. Both the CVE Board’s and the CVE Program’s goal is to ensure that users can take action to protect themselves against vulnerabilities. When a vulnerability does not require customer action, issuing a CVE generates a high volume of unactionable noise for users instead of a high-fidelity signal that they can act upon. At the request of participating cloud service providers (CSPs), the Board changed the CVE Program rules over two years ago, to enable CVE ID assignment and record publication for vulnerabilities affecting cloud services.

 

For example, consider a SQL injection discovered in a content management system hosted as a cloud service. The CSP can completely remediate the SQL injection and determine, based on analysis, that the issue was never exploited and hence no customer action is required. Assigning a CVE ID to such an issue offers little or no value.

 

On the other hand, the CSP may decide to recommend all consumers change the API keys that could have leaked as a result of the vulnerability and issue an advisory. Assigning a CVE ID helps the CSP and the consumers with a unique identifier that can be used in all communication and to track the remediative action of changing API keys.

 

While the rules allow CVE Numbering Authorities of Last Resort (CNA-LRs) to assign CVE IDs and publish CVE Records for other kinds of vulnerabilities, they require that any CVE ID and associated record for vulnerabilities affecting cloud services be initiated only by CSPs that participate in the CVE Program. CNA-LRs are organizations authorized within the CVE Program to assign CVE IDs and to create and publish CVE Records for vulnerabilities not covered by the scope of another CNA. A CNA-LR may assume responsibility for assigning a CVE ID and publishing the associated CVE Record based on policies defined by the CVE Program.

 

The Board chose to define the rules for vulnerabilities affecting cloud services because cloud solutions are intrinsically different from on-prem solutions.

 

CVE IDs assigned to vulnerabilities in traditional or on-prem software can be scrutinized by the community based on the information about affected versions and public references available. Public references to the vulnerability are a prerequisite for CVE Record publication. This prevents mistaken or incorrect assignments from adding noise to the vulnerability management and remediation ecosystem.

 

Vulnerabilities in cloud services do not easily lend themselves to such public scrutiny unless the CSP is transparent about them. If a cloud vulnerability has not yet been fixed, there may often be no way for a third party to test for its existence without risking disruption of production services or violating terms of use of the service. Similarly, if a cloud vulnerability has been fully fixed, then there also may be no way for a third party to verify it existed.

 

Due to these reasons, the CVE Board decided to strike a balance to leave the assignment of CVE IDs to cloud vulnerabilities to the judgment of the CSP. CNA-LRs cannot assign CVE IDs to cloud vulnerabilities because they lack visibility into many aspects that are required to identify the vulnerability.

 

In addition, a CVE ID assigned to a cloud service must be tagged as being assigned to an “exclusively-hosted-service” to help users easily recognize CVE IDs assigned to vulnerabilities affecting cloud services.

 

The CVE Board is continually evaluating how to best address the issue of vulnerabilities affecting cloud services. The current approach is imperfect. Creating many additional thousands of inactionable CVE Records is also imperfect. Stay tuned for additional blogs and potential rule changes related to cloud and other issues.

Share this article or comment on Medium:
CVE Blog - https://www.cve.org/Media/News/item/blog/2022/09/13/Dispelling-the-Myth-CVE-ID
CVE on Medium - https://medium.com/@cve_program/dispelling-the-myth-cve-id-assignment-and-record-publication-for-vulnerabilities-affecting-cloud-6d1937a34f1c

 

CVE Program Expands Partnership with Red Hat

 

The CVE® Program is expanding its partnership with Red Hat, Inc. for managing the assignment of CVE Identifiers (CVE IDs) for the CVE Program for open source.

 

Red Hat is now designated as a Root for any open-source organizations that choose Red Hat as their Root. However, organizations are free to choose another Root if it suits them better.

 

As a Root, Red Hat is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CVE Numbering Authorities (CNAs) under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope.

 

A CNA is an organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. Currently, Google, JPCERT/CC, Red Hat, and Spanish National Cybersecurity Institute (INCIBE) are Roots under the MITRE Top-Level Root. There are currently 254 organizations from 35 countries actively participating in the CVE Program.

 

Red Hat’s Root designation expands the CVE Program options for open-source organizations and projects when selecting a Root.

 

Read the Red Hat press release.

 

Share this article or comment on Medium:
CVE Blog - https://www.cve.org/Media/News/item/blog/2022/09/07/CVE-Program-Expands-Partnership-with
CVE on Medium - https://medium.com/@cve_program/cve-program-expands-partnership-with-red-hat-c1e14a67001f

 

New CVE Board Member from Red Hat

 

Peter Allor of Red Hat, Inc. has joined the CVE Board.

 

The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information.

 

 

Introducing the CNA Mentoring Program

 

The CNA Coordination Working Group (CNACWG) has introduced a mentoring program for new CVE Numbering Authorities (CNAs). Participants signup using a simple Google form (no login required) and the CNACWG makes the match, at which point all communications are then solely between the mentor and mentee. The mentoring program is as little or as much work as those participating would like it to be and can focus on whatever questions or guidance a new CNA wants or needs.

 

If you’re interested in learning more:

 

• Read “The CNA Mentoring Program” by CNACWG chair Tod Beardsley on the CVE Blog
• Listen to Tod on the We Speak CVE podcast in “CNA Mentoring Program: Members Helping Members” as he chats about how CVE is a community, the many ways in which mentoring can help new CNAs be successful, and much more

 

 

The Value of Assigning CVEs

 

In this episode of the “We Speak CVE” podcast, host Shannon Sabens of CrowdStrike chats with Madison Oliver of GitHub Security Lab about how and why CVEs are assigned, the value of CVEs in vulnerability management, responsible coordination of vulnerability disclosures, the importance of comprehensiveness in security advisories, and why there is no stigma in a CVE.

 

In addition, CVE Numbering Authority (CNA) scopes, disclosure policies, turnaround times, and more are discussed in general, as are GitHub’s specific CNA processes and how it helps open-source projects hosted on GitHub with their CVEs and advisories.

 

Madison also writes about many of these topics in her blog article, Removing the Stigma of a CVE, on the GitHub Blog.

The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.

 

Keeping Up with CVE

 

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE Program - LinkedIn page
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub

CVE Services 2.1/CVE JSON 5.0 Transition Website - GitHub.io
CVE Program Channel - YouTube
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

 

CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2022, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

 

 

 

CVE Announce - June 8, 2022 (opt-in newsletter from the CVE website)

 

 

 

 

 

 

 

 

 

 

  1. Eight Additional Organizations Added as CVE Numbering Authorities (CNAs)

  2. CVE Program Report for Quarter 1 Calendar Year (Q1 CY) 2022

  3.  Our CVE Story: VulDB

  4. We Speak CVE Podcast – "Researchers and PSIRTs Working Well Together"

  5. For CNAs – Submitting CVE Records after CVE Service 2.x/JSON 5.0 Roll-Out

  6. CVE in the News

  7. Keeping Up with CVE

 

 

Eight Additional Organizations Added as CVE Numbering Authorities (CNAs)

 

Eight additional organizations are now CNAs:

 

1. General Electric (Gas Power) for GE (Gas Power) issues only (USA)
2. Go Project for vulnerabilities in software published by the Go Project, including the Go standard library, Go toolchain, and the golang.org modules (USA)
3. Hitachi for Hitachi products excluding Hitachi Energy and Hitachi Vantara products (Japan)
4. HYPR Corp for all HYPR products only (USA)
5. Netskope for all Netskope products and services (USA)
6. OpenAnolis for OpenAnolis issues only (China)
7. Philips for Philips issues only (Netherlands)
8. ZUSO Advanced Research Team (ZUSO ART) for vulnerabilities in third-party products discovered by ZUSO ART (Taiwan)

 

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 222 partners from 34 countries participating in the CVE Program. View the entire list of CNA partners on the CVE website.

 

CVE Program Report for Quarter 1 Calendar Year (Q1 CY) 2022

 

Q1 CY 2022 Milestones

 

6 CVE Numbering Authorities (CNAs) Added

 

Six new CNAs were added by the two Top-Level Roots (TL-Roots), Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) and The MITRE Corporation Top-Level Root.

 

CISA ICS TL-Root:

• Baxter Healthcare for Baxter’s commercially available products only (USA)
• Medtronic for all products of Medtronic or a Medtronic company including supported products and end-of-life/end-of-service products, as well as vulnerabilities in third-party software discovered in Medtronic products that are not in another CNA’s scope (USA)

 

MITRE TL-Root:

• Citrix for Citrix issues only (USA)
• Dutch Institute for Vulnerability Disclosure (DIVD) for vulnerabilities in software discovered by DIVD, and vulnerabilities reported to DIVD for coordinated disclosure, which are not in another CNA’s scope (Netherlands)
• JetBrains for JetBrains products only (Czech Republic)
• The OpenBMC Project for vulnerabilities related to the repositories maintained by the OpenBMC project (USA)

 

CVE Program Expands Partnership with Google

 

The CVE Program announced on January 25 that it was expanding its partnership with Google for managing the assignment of CVE IDs for the CVE Program. Google is now designated as a Root for all of the Alphabet organizations that have already partnered with the CVE Program— Android, Chrome, and Google LLC—as well as any future Alphabet organizations. As a Root for Alphabet’s organizations, Google is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CNAs under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope. Go Project was added as CNA under the Google Root on April 26.

 

Community Updated About Upcoming Changes to CVE Record Format JSON and CVE List Content Downloads

 

In early January, the CVE Program announced two major changes that will take place in 2022: The main format for submission and publishing of CVE Records, CVE JSON 4.0, is being upgraded to a new, richer format: JSON 5.0. Legacy CVE List download file options are being replaced with a single supported download format: JSON. The changes were announced early to ensure CNAs, CVE consumers such as tool vendors, and other stakeholders, could begin preparing for this important transition. Updates and follow-on announcements are available here.

 

The Latest on Transitioning to CVE Services 2.1 and CVE JSON 5.0

 

A new “We Speak CVE” podcast episode was released in March to update CNAs and the community about the transition that is currently underway for CNAs to CVE Services 2.1 and CVE JSON 5.0. The discussion included how the new services and data format will enable effective and secure automation, improve workflows, and reduce the transaction costs of program participation for CNAs, as well as provide enhanced information in CVE Records for use by downstream consumers.

 

New CVE Program Automation Resource Now Available for CNAs

 

A new CVE Program Automation Website was launched on March 22 to provide CNAs with a one-stop resource to stay informed about CVE Program automation efforts, especially the upcoming transition to CVE Services 2.1 and CVE JSON 5.0. The initial launch version of the website includes a CVE Services Overview, JSON 5.0 Overview, and links to resources for both efforts. Also included are a Latest Announcements page and a CVE Automation Transition Details page for CNAs that includes transition details and deployment timelines, both of which will be regularly updated.

 

Q1 CY 2022 Metrics

 

Metrics for Q1 CY 2022 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons.

Terminology

• Published – When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.
• Reserved – The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.

 

Published CVE Records

 

As shown in the table below, CVE Program production was 6,015 CVE Records for CY Q1 2022. This is a 14% increase over the previous quarter of 5,200 records published in CY Q4 2021. This includes all CVE Records published by all CNAs and the two CNAs of Last Resort (CNA-LRs).

 

Year	2022
Quarter	Q1
CVE Records Published by All CNAs	6,015

 

Reserved CVE IDs

 

The CVE Program tracks reserved CVE IDs. As shown in the table below, 8,030 CVE IDs were in the “Reserved” state in Q1 CY 2022, a 15% increase over the previous quarter of 6,802 IDs reserved in CY Q4 2021. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs.

 

Year	2022
Quarter	Q1
CVE IDs Reserved by All CNAs	8,030

 

 

CVE IDs Reserved/CVE Records Published – Quarterly Trend by CY

 

Quarterly trend of reserved CVE IDs and published CVE Records by all CNAs and CNA-LRs. View as tables on the CVE Program website Metrics page.

 

CNA Partners Grow the CVE List

 

All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by CNAs and the two CNA-LRs, within their own specific scopes.

 

CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. Currently, 222 organizations from 34 countries have partnered with the CVE Program.

 

Learn how to become a CNA or contact one of the following to start the partnering process today:

 

• CISA ICS for Industrial control systems and medical devices (Top-Level Root)
• MITRE for all vulnerabilities, and Open-Source software product vulnerabilities, not already covered by a CNA listed on this website (Top-Level Root)
• Google for Alphabet organizations (Root)
• INCIBE for Spain organizations (Root)
• JPCERT/CC for Japan organizations (Root)

 

Share this article or comment on Medium:
CVE Blog - https://www.cve.org/Media/News/item/blog/2022/05/26/CVE-Program-Report-for-Quarter
CVE on Medium - https://medium.com/@cve_program/cve-program-report-for-quarter-1-calendar-year-q1-cy-2022-422c1174d223

 

Our CVE Story: VulDB

 

Guest author Marc Ruef is the founder of VulDB, which is a CVE Numbering Authority (CNA).

 

Our story as a CNA is a bit different than others. But let us start at the true beginning: VulDB launched in 1997. It was a different time back then. When people were talking about vulnerabilities or exploits, they were talking about products: “Did you hear about the new wu-ftpd exploit?” Identifying issues was somehow easier because there were not that many of them, especially not the ones that really drew interest by attackers. If there was potential confusion, people were referring to version numbers of affected products or mentioned technical details such as vulnerable files or exploited functions.

 

When CVE was introduced in 1999, I was personally very skeptical. It sounded like a good idea, but I was doubtful that the program would be able to reach the level of technical flexibility and professionalism that would be required to add a sustainable benefit to the industry. I must admit, I was wrong to a large degree.

 

Extended Coverage

 

Over the years, CVE made a lot of things easier for us. We are a vulnerability database with a scope that is different than vendor CNAs or vulnerability catalogs covering specific product types. We add everything that can be exploited in software or hardware. We are very close to hosting 200,000 entries in our database.

Even though we share a very similar philosophy to the CVE Program, our approach slightly differs. For example, we also accept submissions for vulnerabilities in malware. That is because we think that on top of the malicious code, additional attack surfaces are introduced, which increases the risk and people should know about this. You would be surprised how much malware comes with buffer overflows, directory traversal possibilities, and permission issues.

 

Duplicate Handling

 

Due to our extended coverage, our main challenge is handling and preventing duplicates. We are very proud to have had just a handful of such duplicates in the last 25 years. In these rare cases, we use merge and forward capabilities to redirect users to the right entries. All edits are documented in a commit history, rendering changes very transparent.

 

Dealing with potential duplicates requires a lot of effort to verify, synchronize, and align vulnerability details. Our data team monitors thousands of sources 24/7. As soon as a new vulnerability disclosure is suspected, it is analyzed for eligibility.

 

At the beginning, CVE used the now obsolete CNA tag (“candidate”) to deal with new entries. We do not use such a tagging, but we do add a confidence level to every commit to help users put data into quality context. Duplicate detection became harder, again, because there are a lot of new vulnerabilities published nowadays (approximately 76 per day in 2022, compared to 40 in 2016) and many more communication channels available. In earlier days, reading mailing lists and collecting vendor advisories was enough. Today, monitoring code repositories, social media, and darknet marketplaces are even more important, especially if you want to cover zero-day vulnerabilities.

 

Why We Joined the CVE Program

 

For many years, colleagues and customers were approaching us and asked why we are not supporting the CVE Program or even becoming a CNA ourselves. We are working with CVE data daily and are aware of the importance of the program for the cybersecurity industry, as well as the demanding requirements that come with such importance.

 

In 2021, we decided to contact the CVE Program to discuss possibilities of a collaboration. It was very important for us to remain independent while also being a CNA. As defined in the CNA Rules, every CNA requires a specific scope. For VulDB to become a CNA, our scope needed to be broader than the CNA Rules currently defines. We discussed this issue with the CVE Program and were able to agree upon a product-independent scope. Primarily, we will assign CVEs for products not covered by other CNAs, but we are also allowed to negotiate vulnerability processing with other CNAs. If a vendor does not want to handle a vulnerability, but it is a vulnerability as defined by the CNA Rules, we may cover it. Security researchers appreciate this possibility.

 

The Importance of Vulnerability Management

 

CNA Rule 7.2, “How Many Vulnerabilities?”, defines a clear requirement for splitting and merging entries. Our own philosophy differs slightly. Not much, but enough to add another level of complexity for our data team. If there is one CVE, we might have to split it into multiple entries in VulDB or there are several CVEs available for a single entry.

 

Occasionally, customers want to understand the reason why we split or merge entries. We enjoy these exchanges of the philosophical nature of vulnerabilities. There is a lot of room for ideas that can enrich and improve our industry. Some examples are product assignments, version handling, risk ratings, and vulnerability class definitions, to just name a few. Projects like CPE, CVSS, CWE, and ATT&CK took the role of CVE in their respective fields. They are often not perfect solutions, but do help to introduce a common language.

 

Unfortunately, it is often forgotten that vulnerability management is one of the main pillars of cyber security. Perhaps because for some, it might not spark the glamorous appeal of new topics like artificial intelligence and blockchain, but for us it does. Without vulnerability management, there will be no new secure technologies.

 

Conclusion

 

Our dedicated CNA team supports our data team in processing new submissions and coordinating CVE disclosures. This re-introduced the early challenges of duplicate detection before the CVE era. But we profit from a lot of experience and optimized processes compiled over decades. We are very confident and happy to be a part of something important like the CVE Program.

Share this article or comment on Medium:
CVE Blog - https://www.cve.org/Media/News/item/blog/2022/5/17/Our-CVE-Story-VulDB
CVE on Medium - https://medium.com/@cve_program/our-cve-story-vuldb-5100dbe00834

 

We Speak CVE Podcast – Researchers and PSIRTs Working Well Together

 

The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.

 

Listen on YouTube, Buzzsprout, and on major podcast directories such as Spotify, Stitcher, Apple Podcasts, Google Podcasts, among others.

Researchers and PSIRTs Working Well Together

 

Shannon Sabens of CrowdStrike and Milind Kulkarni of NVIDIA discuss what security researchers should expect when reporting vulnerabilities to a Product Security Incident Response Team (PSIRT); how to best to collaborate with them; how to interpret responses from the PSIRT; how to get the best outcome when making a report; supported versus end-of-life (EOL) products; CVE Numbering Authority (CNA) scopes; timing of a patch versus the publication of a CVE Record; and more

For CNAs – Submitting CVE Records after CVE Service 2.x/JSON 5.0 Roll-Out

 

The message below was originally communicated to CNAs by the CVE Program on May 20, 2022.

 

As we prepare for CVE Services 2.x/JSON 5.0 roll-out in the coming weeks, there have been a number of questions about the various methods CNAs currently use to make CVE ID reservations and publish CVE Records and which methods will continue to be supported post deployment.

 

This bulletin clarifies the CVE Program specific methods that will be available to CNAs for reserving CVE IDs and submitting CVE Records after CVE Services/JSON 5.0 deployment. For non-CNAs, the existing method for requesting CVE IDs will not be affected.

 

Non-CNA Submission Methods

 

Non-CNAs will continue to contact the appropriate CNA to request CVE IDs, as described on the Report/Request page on the CVE Program website. The CNA that assigns the ID will publish the CVE Record.

 

In addition, the CVE Program Secretariat will continue to maintain the CVE Program Request web form for non-CNAs to submit vulnerability reports.

 

CNA Submission Methods

 

For CNAs, there will be five methods to reserve CVE IDs and submit CVE Records. Some methods will be retired over time while others will have constraints, but all five methods described below will be available for use immediately after CVE Services 2.x/JSON 5.0 is deployed.

 

CNAs that don’t yet have a CVE Services account may contact their Root to receive account credentials ahead of deployment.

 

Method 1: The current CVE Program Secretariat Web Forms

 

This method allows CNAs to submit CVE Records in multiple formats: JSON 4.0, CSV, and flat file. For a limited time, CNAs will continue to be able to request CVE ID Reservations and publish CVE Records as they do today using the CVE Program Secretariat CVE Program Request web forms. All currently supported input formats will continue to be supported, but this method will not process JSON 5.0 formatted input.

 

 

 

 

Method 2: CVE List GitHub Submission Pilot

 

This method allows CNAs to submit CVE Records in JSON 4.0 using GitHub pull requests. For a limited time, CNAs will continue to be able to use the CVE List GitHub Submission Pilot to submit CVE Records in JSON 4.0, which will then be upconverted to JSON 5.0 records.

 

 

 

 

 

Method 3: Vulnogram

 

This method is an existing web-based tool for reserving CVE IDs and creating and submitting CVE Records that is currently in use by CNAs. JSON 4.0 will continue to be supported in this method for 90 days post deployment. After CVE Services/JSON 5.0 is deployed, this method will only accept direct user input (i.e., no attached files) and will submit JSON 5.0 CVE Records directly to CVE Services on the CNA’s behalf for publication on the CVE List.

 

To use this method, CNAs will need to present their CVE Services User ID and authentication token through Vulnogram to identify/authenticate to CVE Services. New users, please request CVE Services credentials from your Root.

 

 

Method 4: Adopt an available CVE Services Client

 

CVE Services is implemented as a Client/Server architecture. This method enables CNAs to adopt an already existing client and install and execute it in their own environment to assign CVE IDs and create and submit CVE Records.

 

Three clients are currently available for use as part of CVE Services/JSON 5.0 deployment:

 

·       Vulnogram web-based interface (described above as Method 3)

·       Red Hat command line interface – cvelib

·       CERT/CC simple HTML interface – cveClient

 

 

Method 5: CNAs can develop their own clients

 

CNAs may develop their own CVE Services clients. The CVE Program is currently preparing documentation to support that development, which will be announced in a future bulletin.

 

 

 

 

Please visit the Transition Details page on the CVE Program Automation website regularly for updates. You may also contact us with any comments or concerns.

 

 

CVE in the News

 

Zero-day bug exploited by attackers via macro-less Office documents (CVE-2022-30190), Help Net Security

 

Ubuntu Users Get a Massive Linux Kernel Update, 35 Security Vulnerabilities Patched, 9 to 5 Linux

 

GitLab Issues Security Patch for Critical Account Takeover Vulnerability, The Hacker News

 

Owl Labs Patches Severe Vulnerability in Video Conferencing Devices, Security Week

 

CISA Warns of Medical Device Security Vulnerabilities in BD Synapsys, Pyxis Devices, Health IT Security

 

 

Keeping Up with CVE

 

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

 

CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2022, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.