1. Changes Coming to CVE Record Format JSON and CVE List Content Downloads
2. Fifteen Additional Organizations Added as CVE Numbering Authorities (CNAs)
3. Our CVE Story: CERT@VDE
4. We Speak CVE Podcast – Two New Episodes!
5. “CVE Global Summit – Fall 2021”
Changes Coming to CVE Record Format JSON and CVE List Content Downloads
The CVE Program is announcing two major changes that will take place in 2022:
- The main format for submission and publishing of CVE Records, CVE JSON 4.0, is being upgraded to a new, richer format: JSON 5.0.
- Legacy CVE List download file options are being replaced with a single supported download format: JSON.
These changes are being announced now to ensure that CVE Numbering Authorities (CNAs), CVE consumers such as tool vendors, and other stakeholders can begin preparing for this important transition.
CVE Record JSON Upgrading to Version 5.0 in 2022
To begin the transition, the CVE Program will introduce CVE JSON 5.0 in late spring 2022. During the transition period, the CVE Program will support both JSON 5.0 and JSON 4.0 CVE Record submission and download. The transition is scheduled to be completed by summer 2022.
CVE JSON 5.0 is a major upgrade to JSON 4.0 that further normalizes and enriches how CVE information is presented. It adds several new data fields to CVE Records. In addition to the required data of CVE ID number, affected product(s), affected version(s), and public references, JSON 5.0 CVE Records will now include optional data such as severity scores, credit for researchers, additional languages, affected product lists, additional references, ability for community contributions, etc. This optional data will enhance CVE Records for both downstream users and the overall vulnerability management community.
Learn more about How the New CVE Record Format Is a Game Changer.
Required Changes for CNAs
With support for CVE JSON 4.0 submission being discontinued in early summer 2022, CNAs should now be getting familiar with the new JSON 5.0 schema.
Early in 2022, CNAs should be looking for future communications on the JSON 5.0 Adoption Process from the CVE Secretariat and CVE Working Groups (e.g., the Automation Working Group and the Quality Working Group).
CNAs will have the opportunity to review legacy records and test/examine the new automation services that will allow them to publish and update JSON 5.0 CVE IDs in a more timely/automated manner.
What This Change Means for CVE Consumers
CVE consumers should also be getting familiar with the CVE JSON 5.0 format. They will begin seeing JSON 5.0 CVE Records published on the CVE website in the JSON 5.0 format by late spring 2022.
CVE List Download Options Changing to JSON-ONLY in 2022!
As a result of the transition to JSON 5.0, beginning in summer 2022, the CVE List download options currently provided by the CVE Program (i.e., CSV, HTML, XML and CVRF) will no longer be supported.
After the JSON 4.0 retirement date (which will be announced/confirmed in spring 2022), the CVE List (as of that date) in all JSON 4.0 supported formats will be available in an archive and the CVE List will be downloadable only in JSON 5.0 format.
This change is to ensure data in all required and optional data fields of CVE Records in JSON 5.0 are included in the CVE List downloads. The CVE website will also display CVE Records in JSON 5.0 format.
What This Change Means for CNAs and CVE Consumers
- There will be no direct impact to CNAs regarding the download format changes unless they are also downstream CVE consumers.
- CVE consumers such as tool vendors, researchers, and others will need to ensure that their internal processes are prepared for ingesting JSON-only content beginning in spring 2022.
You can also start getting up to speed on the new JSON 5.0 format with the following resources:
- JSON 5.0 CVE Record Structure Mind Map
- CVE Record Format JSON 5.0 Schema
- CVE Record in JSON 5.0 Format – Basic Example
- CVE Record in JSON 5.0 Format – Advanced Example
- Schema Documentation
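As an added illustration of the consumer-side preparation described above (required data versus optional enrichment in a JSON 5.0 record, and ingesting JSON-only content), the following Python is example code written for this newsletter, not code from the CVE Program. The record is constructed with a placeholder ID, and the field names follow the published JSON 5.0 schema as I recall it, so treat them as an assumption to check against the linked schema.

```python
import json

# Constructed sample CVE Record in the JSON 5.0 shape (placeholder ID, not a real CVE).
# Field names follow the published JSON 5.0 schema as I recall it; treat them as an assumption.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-1900-0001", "state": "PUBLISHED"},
    "containers": {"cna": {
        "affected": [{"vendor": "ExampleVendor", "product": "ExampleProduct",
                      "versions": [{"version": "1.0", "status": "affected"},
                                   {"version": "1.1", "status": "unaffected"}]}],
        "descriptions": [{"lang": "en", "value": "Constructed description text."}],
        "references": [{"url": "https://example.invalid/advisory"}],
        # Optional enrichment: present here, but a consumer must not rely on it.
        "metrics": [{"cvssV3_1": {"baseScore": 7.5}}],
    }},
})


def ingest_record(text):
    """Parse one JSON 5.0 record, enforce the required data, tolerate the optional data."""
    rec = json.loads(text)
    if not str(rec.get("dataVersion", "")).startswith("5."):
        raise ValueError("not a JSON 5.0 record")
    cna = rec.get("containers", {}).get("cna", {})
    cve_id = rec.get("cveMetadata", {}).get("cveId")
    affected = cna.get("affected") or []
    references = [r["url"] for r in cna.get("references") or [] if "url" in r]
    # Required data: CVE ID, affected product(s) with version(s), and public references.
    if not cve_id or not affected or not references:
        raise ValueError(f"{cve_id or '<no id>'}: missing required data")
    products = []
    for item in affected:
        versions = [v["version"] for v in item.get("versions") or []
                    if v.get("status") == "affected"]
        if not versions:
            raise ValueError(f"{cve_id}: affected entry without affected versions")
        products.append((item.get("vendor"), item.get("product"), versions))
    # Optional data: take the first CVSS v3.1 base score if any metric carries one.
    score = None
    for metric in cna.get("metrics") or []:
        if "cvssV3_1" in metric:
            score = metric["cvssV3_1"].get("baseScore")
            break
    credits = [c.get("value") for c in cna.get("credits") or []]
    return {"cve_id": cve_id, "products": products, "references": references,
            "cvss_base_score": score, "credits": credits}
```

A pipeline built this way rejects records that lack the required data while continuing to work when optional fields such as metrics or credits are absent.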
Comments or Questions?
If you have any questions about this announcement, please respond to this email or use the CVE Request web form and select “Other” from the dropdown menu.
Fifteen Additional Organizations Added as CVE Numbering Authorities (CNAs)
Fifteen additional organizations are now CNAs:
- Acronis International GmbH for all Acronis products, including Acronis Cyber Protect, Acronis Cyber Protect Home Office, Acronis DeviceLock DLP, and Acronis Snap Deploy.
- AppCheck Ltd. for vulnerabilities discovered by AppCheck that are not within another CNA’s scope.
- Artica PFMS for Pandora FMS, Integria IMS, and eHorus issues only.
- Carrier Global Corporation for Carrier Global products only.
- Frappe Technologies Pvt. Ltd. for vulnerabilities relating to Frappe Framework, ERPNext product, erpnext.com, and frappecloud.com hosting services, as well as other vulnerabilities discovered by Frappe Technologies that are not under the scope of any other CNA.
- Mirantis for all Mirantis products (supported products and end-of-life/end-of-service products) and open-source offerings, as well as vulnerabilities in third-party software discovered by Mirantis that are not in another CNA’s scope.
- OpenBMC Project for vulnerabilities related to the repositories maintained by the OpenBMC project.
- Panasonic Corporation for all products and services developed and/or sold by Panasonic Group companies.
- Profelis IT Consultancy for products and services developed by Profelis IT Consultancy including enterprise directory solution SambaBox and password reset product PassBox.
- Rhino Mobility for Rhino Mobility issues only.
- Silicon Labs for Silicon Labs issues only.
- TeamViewer Germany GmbH for TeamViewer issues only.
- VulDB for vulnerabilities discovered by, or reported to the VulDB vulnerability database, and vulnerabilities that are not in another CNA’s scope.
- Vulnscope Technologies for customers as part of our bug bounty and vulnerability coordination platform.
- ZGR for ZGR manufactured products.
CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
To date, 209 organizations from 33 countries participate in the CVE Program as CNAs. View the entire list of CNA partners on the new CVE website.
Our CVE Story: CERT@VDE
Guest author Jochen Becker is Information Security Manager at CERT@VDE, and CERT@VDE is a CVE Numbering Authority (CNA).
CERT@VDE is a neutral, independent platform for European vendors of industrial control systems (ICS)/operational technology (OT) devices and/or software. With 20 vendors as partners, CERT@VDE tries to lower the barriers of responsible disclosure processes and establish a community for cybersecurity knowledge exchange within the European ICS industry. CERT@VDE is part of the non-profit VDE focused on science and technology and is the German member of International Electrotechnical Commission (IEC) and European Committee for Electrotechnical Standardization (CENELEC).
ICS/OT Vulnerability Management Needs to Continue to Grow
It’s good to see an increase in the number of CNAs with an ICS background. While using CVEs in information technology (IT) is pretty usual, the OT world had to catch up on responsible disclosure and making advisories publicly available. Today we have the CISA ICS Top-Level Root specifically for ICS cases, and the number of CNAs under this root seems to grow every two or three weeks. While there was only a handful of ICS-related CNAs when CISA became the ICS Root, there are now twice as many, so the industry seems to be on a good path.
As a CERT founded by five vendors in 2017, we requested the few CVE IDs we needed directly from the CVE Program, as everybody can do. At that time, with just a few partners and advisories, that was not a problem. Of course, as ICS became the focus of more and more researchers, and with the growing number of vendors partnering with CERT@VDE, the number of advisories and the staff required to manage them also grew.
Role of CERT@VDE
The vendors that partner with CERT@VDE are all at different maturity levels. Some are excellent at processing vulnerability reports and preparing advisories and fixes, while others are new to this and are trying to implement the processes, e.g., to be prepared for IEC 62443. Some want us to be their single point of contact for communication with the researcher and the governmental institutions that are involved, while others just want us to counter-check their drafts. With all the different companies and their unique processes, we have totally different timetables for each advisory: at one vendor the Product Security Incident Response Team (PSIRT) may release an advisory on its own, while another vendor may require a review by the company’s executives for that task.
Benefits of Being a CNA
When we, together with our partners, decided to become a CNA in 2019, we were not aware of the fantastic documentation and the really good onboarding that the CVE Program offered. With that documentation and the few but detailed calls, we were able to prepare processes that match our partners’, as well as our own and the CVE Program’s, needs within a few weeks.
The big benefit for our partners is that they will always be informed as early as possible when someone requests a CVE ID for one of their products. The benefit for us as a CNA is having direct communication with the PSIRTs of our partners. We get the verification of a vulnerability by the vendor as fast as possible and can verify the case or request updates from the researcher at a good pace. We decided to support the CVE Program, vendors, and researchers when we set our scope not only to our partners but also to every European-based vendor that is not a CNA on its own.
Share this article or comment on Medium:
CVE Blog - https://www.cve.org/Media/News/item/blog/2021/12/14/Our-CVE-Story-CERTVDE
CVE on Medium - https://medium.com/@cve_program/our-cve-story-cert-vde-85ce4c5f4afa
We Speak CVE Podcast – Two New Episodes!
The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.
Listen on YouTube, Buzzsprout, and on major podcast directories such as Spotify, Stitcher, Apple Podcasts, Google Podcasts, among others.
Enhancing CVE Records as an Authorized Data Publisher
Kent Landfield of McAfee and Art Manion of CERT/CC discuss how the CVE Program’s upcoming release of JSON 5.0 will allow for additional and related information to be added to CVE Records after they have been published by CVE Numbering Authorities (CNAs). These additions—such as risk scores, affected product lists, versions, references, translations, etc.—will be made by “Authorized Data Publishers (ADPs),” which will be organizations authorized within the CVE Program to enrich the records.
How Red Hat’s Active Participation Helps Improve the CVE Program
Shannon Sabens of CrowdStrike chats with Peter Allor, Fábio Olivé, and Martin Prpic of Red Hat, which is a long-time CVE Numbering Authority (CNA). The benefits of actively participating as a member of the CVE community are discussed, especially in the CVE Working Groups, which allows Red Hat to directly contribute to enhancing CVE automation and quality, as well as strategic planning for future improvements.
“CVE Global Summit – Fall 2021”
Members of the CVE community recently gathered together virtually for the “CVE Global Summit – Fall 2021” to discuss CVE and cybersecurity, best practices, lessons learned, new opportunities, and more.
The CVE Program holds global summits twice per year, in the spring and fall. Summit participants include representatives from CVE Numbering Authorities (CNAs), CVE Board members, and CVE Working Groups (WGs) participants. Members of the wider cybersecurity community are welcome to participate by requesting to join one or more of these three CVE Working Groups — Automation, Outreach and Communications, and Quality — to help shape CVE work flow and other processes, as well as to attend future global summits.
A Collaborative Community Event Focused on Improving CVE
The summit is a way for the community to regularly collaborate on specific topics in a focused manner. Discussions are always informative, and many sessions result in lively and interesting discussion among community members. Sessions focused on lessons learned benefit CNAs and all community members by providing useful takeaways, while sessions focused on real-world challenges often result in creative recommendations from community members that directly impact and enhance the CVE Program.
Topics the community discussed at the “CVE Global Summit – Fall 2021” included:
Day 1
- Introduction & State of the CVE Program – current status, improvements, and other advancements that the program has achieved this year
- CNA Workshop: “CVE Services 2.x for End Users” – using the new CVE Services 2.x, focusing on end users; using JSON 5.0; using the APIs; and more
- Enabling the Future for the CVE Program – a presentation about the longer-term goals of automation and how it enables the federated CVE model’s operations
- SSVC ADP Pilot – the purpose of this session is to describe the “CVE Authorized Data Publisher (ADP) Pilot” that is preparing to start, including the approach the overall pilot is taking, the use of Stakeholder-Specific Vulnerability Categorization (SSVC), a description of SSVC, and the intended outcomes
- CVE Program Listening Session: Right, Wrong, Up, & Down – an open, timed forum of topics relevant to the CVE Program
Day 2
- Root Roundup Discussion Panel – Top-Level Roots and Roots discuss what they have learned about, and what needs they may have from, the program
- Working Group Highlights – highlights from the CVE Working Groups (WGs), what they do and how to get involved: Automation (AWG); CNA Coordination (CNACWG); Outreach and Communications (OCWG); Quality (QWG); Strategic Planning (SPWG); and the temporary Transition (TWG)
- Open Discussion on Program Topics – moderated discussions about a variety of topics of concern to the assembled CNAs
We thank everyone who participated in this two-day virtual event.
Interested in Joining the CVE Community?
You can become a member of the CVE community by joining a Working Group or by encouraging your organization to partner with the CVE Program as a CNA. CVE Working Groups that welcome members of the general public include Automation, Outreach and Communications, and Quality.
To start the process, please use the CVE Request Web Form and select “Other” from the dropdown menu to express how you’d like to be involved. We look forward to hearing from you!
Microsoft January 2022 Patch Tuesday: Six zero-days, over 90 vulnerabilities fixed, ZDNet
Microsoft: macOS 'Powerdir' Flaw Could Enable Access to User Data, Dark Reading
Partially Unpatched VMware Bug Opens Door to Hypervisor Takeover, Threatpost
SonicWall SMA 100 appliances beset by multiple vulnerabilities, TechTarget
Researchers find critical RCE security vulnerability in H2 database console, Security Magazine
WordPress vulnerabilities more than doubled last year, TechRadar
CISA, FBI and NSA Publish Joint Advisory and Scanner for Log4j Vulnerabilities, Hacker News
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2022, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.