Friday, September 29, 2023

CVE Announce - September 29, 2023 (opt-in newsletter from the CVE website)

  1. Have an Innovative Idea or a New Feature Request to Enhance the CVE Program?

  2. 15 Additional Organizations Added as CVE Numbering Authorities (CNAs)

  3. CVE Podcast — How the New CVE Record Format Will Benefit Consumers

  4. REMINDER: Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024

  5. CVE in the News

  6. Keeping Up with CVE

Have an Innovative Idea or a New Feature Request to Enhance the CVE Program?

The CVE Program welcomes innovative ideas and new feature requests from the community in our CVE Program Ideas repository on GitHub.com. We encourage you to submit any suggestions you may have to enhance the CVE Program and help us better serve the broader community.

Submissions could include programmatic rule/policy suggestions, innovative automation features to support more efficient CVE Record publication and use, or any other ideas you might have.

Please note that this new repository will be used exclusively to receive and manage innovative idea suggestions and new feature requests for the overall CVE Program. It is not meant to replace the previously established bug and issue trackers for issues related to the CVE Website, CVE Services, or the CVE JSON 5.0 schema.

Making a Submission

Follow the steps below to submit your innovative idea or new program feature request on GitHub. You will need a GitHub account to make a submission.

  1. Navigate to the CVE Program Innovation Ideas and Feature Requests Issues page on GitHub.
  2. Click the “New Issue” button in the upper-right corner of the page to launch the “CVE Program New Automation Feature Request” page.
  3. Click the “Get started” button to launch the new issue template.
  4. In the “Title” field, enter a title that briefly describes your innovative idea or suggested feature.
  5. In the “Write” field, follow the instructions provided in the template to add more details.
  6. Once your submission is complete, click the “Submit new issue” button at the bottom of the form.

CVE Program Issue Tracker Template

Important: Please do not select any of the options in the right-hand column next to the form (not shown in the above image). Those options will be used by the CVE Program to manage the submissions.

Processing of Submissions

Once your submission is received by the CVE Program, it will be reviewed by the CVE Board (or its designated working group). The disposition of all innovative ideas and new program feature requests can be tracked on the CVE Program Innovative Ideas/Feature Tracker. Questions about this initiative should be sent to the CVE Automation Working Group (AWG) at awg@cve-cwe-programs.groups.io.

We look forward to hearing from you!

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/news/2023/08/29/CVE-Program-Idea-Tracker
CVE on Medium - https://medium.com/@cve_program/have-an-innovative-idea-or-a-new-feature-request-to-enhance-the-cve-program-ead0b7c161e2

15 Additional Organizations Added as CVE Numbering Authorities (CNAs)

Since our last issue, 15 additional organizations from around the world have partnered with the program as CNAs:

  1. AlgoSec: AlgoSec products only (Israel)
  2. Analog Devices, Inc. (ADI): Vulnerabilities in ADI firmware and software products (USA)
  3. Canon EMEA: Canon EMEA internally developed services and solutions as well as NT-ware, IRIS, and Therefore (UK)
  4. CERT.PL: Vulnerabilities in software discovered by CERT.PL, and vulnerabilities reported to CERT.PL for coordinated disclosure, which are not in another CNA’s scope (Poland)
  5. Integrated Control Technology LTD (ICT): All ICT security products (New Zealand)
  6. Nokia: All vulnerabilities in Nokia products (Finland)
  7. Mandiant Inc.: Vulnerabilities in Mandiant products or discovered by Mandiant while performing vulnerability research or security assessments, unless covered by another CNA’s scope (USA)
  8. Phoenix Technologies, Inc.: All Phoenix Technologies products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Phoenix Technologies that are not in another CNA’s scope (USA)
  9. Progress Software Corporation: Vulnerabilities in software published and maintained by Progress Software Corporation (USA)
  10. Pure Storage, Inc.: Pure Storage products only (USA)
  11. Python Software Foundation: Only supported and end-of-life Python versions available at https://python.org/downloads and pip versions available at https://pypi.org/project/pip, and excluding distributions of Python and pip maintained by third-party redistributors (USA)
  12. Securin: Vulnerabilities found in Securin products and services (including end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Securin that are not in another CNA’s scope (USA)
  13. SoftIron: SoftIron HyperCloud branded products and technologies only (USA)
  14. VULSec Labs: Vulnerabilities discovered by, or reported to, VULSec Labs that are not in another CNA’s scope (Israel)
  15. Xerox Corporation: Xerox Corporation issues only (USA)

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 321 CNAs (319 CNAs and 2 CNA-LRs) from 37 countries participating in the CVE Program. View the entire list of CNA partners on the CVE website.
CVE Podcast – How the New CVE Record Format Will Benefit Consumers

In this episode of the “We Speak CVE” podcast, Shannon Sabens of CrowdStrike and Kent Landfield of Trellix, both of whom are CVE Board members and CVE Working Group (WG) chairs, speak about how the new CVE Record format, with its new structured data format and optional information fields, will benefit and provide enhanced value to consumers of CVE content moving forward.

Specific topics discussed include how the new CVE Record format will enable more complete vulnerability information to be captured early in the advisory process and how that will benefit consumers; the ability for CVE content consumers to streamline and more easily automate their use of CVE Records because the data format is standardized and machine-readable; the automated creation and publication of CVE Records by CVE Numbering Authorities, which means more quality CVE Records can be produced at a faster pace than ever before for use by the worldwide community; and the ability of official CVE Program “Authorized Data Publishers (ADPs)” to enrich the content of already published CVE Records with additional risk scores, affected product lists, versions, references, translations, and so on (learn more about ADPs in this CVE podcast).

Vulnerability scoring methods for CVE Records are also discussed, including NVD’s use of CVSS, CISA’s Known Exploited Vulnerabilities (KEV) Catalog, and more.

The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.

Share this article or comment on Medium:
CVE Podcast - https://www.cve.org/Media/News/item/podcast/2023/09/26/How-New-CVE-Record-Format-Benefits-Consumers
CVE on Medium - https://medium.com/@cve_program/we-speak-cve-podcast-how-the-new-cve-record-format-will-benefit-consumers-596b427f378a

REMINDER: Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024

On July 25, 2023, the CVE Program announced that a major change is coming in how CVE content is provided that will affect products that consume CVE content.

As a reminder, CNA partners, tool vendors, and other parties that use CVE download files for automation or other purposes should pay particular attention to this upcoming change.

Legacy CVE Content Formats Your Products Are Using to Be Phased Out

The CVE Program has a new official format for CVE Records and downloads (see section below).

As a result, the legacy CVE content download formats currently provided by the CVE Program (i.e., CSV, HTML, XML, and CVRF) will be phased out in the first half of 2024.

To assist consumers with their transition to the new format, the frequency of updates to the legacy download formats will be reduced on the following schedule:

Any tools or automation that use these old formats may no longer work once the old formats have been deprecated, so organizations should take action now.

New CVE Content Format Is Available for Use

CVE Downloads in our new official data format for CVE Records, “CVE JSON 5.0,” are hosted in the cvelistV5 repository on GitHub.com. Update frequency and other details are available in the repository ReadMe.

CVE JSON 5.0 is a richer, more structured format for vulnerability identification and description and will provide enhanced information for your customers. The schema for this new format is also available on GitHub.

Take Action Now!

We are informing the community now so that product teams will have time to update their tools to the new CVE format before these legacy format download files stop being updated after June 30, 2024.

If you have any comments or concerns, please use the CVE Program Request forms and select “Other” from the dropdown menu.

Share this article or comment on Medium:
CVE Blog - https://www.cve.org/Media/News/item/blog/2023/07/25/Legacy-Downloads-being-Phased-Out
CVE Blog on Medium - https://medium.com/@cve_program/legacy-cve-download-formats-will-be-phased-out-beginning-january-1-2024-13de552c9029

CVE in the News

Google assigns new maximum rated CVE to libwebp bug exploited in attacks, Bleeping Computer

Critical JetBrains TeamCity vulnerability could be exploited to launch supply chain attacks (CVE-2023-42793), Help Net Security

Cisco urges to patch actively exploited IOS 0-day CVE-2023-20109, Security Affairs

Trend Micro Releases Urgent Fix for Actively Exploited Critical Security Vulnerability, The Hacker News

GitLab fixes critical vulnerability, patch now! (CVE-2023-5009), Help Net Security

Progress Fixes Critical Pre-Auth RCE Flaws in WS_FTP Server, Cyber Kendra

Apple issues emergency patches for 3 zero-day bugs, TechTarget

Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE Program - LinkedIn page
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2023, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.
Thursday, July 20, 2023

CVE Announce - July 20, 2023 (opt-in newsletter from the CVE website)

  1. Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024

  2. 26 Additional Organizations Added as CVE Numbering Authorities (CNAs)

  3. CVE Podcast – Becoming A CNA: Myths versus Facts

  4. 300+ Organizations Participating as CNAs as of June 21

  5. CVE in the News

  6. Keeping Up with CVE

Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024

A major change is coming in how CVE content is provided that will affect products that consume CVE content.

CNA partners, tool vendors, and other parties that use CVE download files for automation or other purposes should pay particular attention to this upcoming change.

Share this article or comment on Medium:
CVE Blog on Medium - https://medium.com/@cve_program/legacy-cve-download-formats-will-be-phased-out-beginning-january-1-2024-13de552c9029

 

26 Additional Organizations Added as CVE Numbering Authorities (CNAs)

Since the beginning of April, 26 additional organizations from around the world have partnered with the program as CNAs:

  1. 42Gears Mobility Systems Pvt Ltd for 42Gears branded products and technologies only (India)
  2. AMI for vulnerabilities that affect AMI firmware and software products (USA)
  3. Arm Limited for Arm-branded products and technologies and Arm-managed open source projects (UK)
  4. Biohacking Village for vulnerabilities discovered by researchers in collaboration with Biohacking Village, with approval of Biohacking Village’s sponsors, that are not in another CNA’s scope (USA)
  5. Black Lantern Security (BLSOPS) for vulnerabilities in vendor products discovered by BLSOPS, or related parties, while performing vulnerability research or security assessments, unless covered by another CNA’s scope (USA)
  6. CrowdStrike Holdings, Inc. for CrowdStrike Sensor issues, excluding unsupported versions, and issues in third-party products or services identified by CrowdStrike research unless covered in the scope of another CNA (USA)
  7. Gitea Limited for Gitea issues only (China)
  8. Google Devices for Google Devices - Pixel, Nest, and Chromecast (USA)
  9. Hanwha Vision Co., Ltd. for Hanwha Vision (formerly Samsung Techwin and Hanwha Techwin) products and solutions only, including end-of-life (EOL) (South Korea)
  10. Halborn for all blockchain and Web3 products that rely on smart contracts written in Rust, Go, and Solidity, as well as blockchain associated Web2 and Web3 infrastructure not covered by another CNA (USA)
  11. ID Business Solutions for IDBS products as listed on https://www.idbs.com/products/ (UK)
  12. Illumio for Illumio issues only (USA)
  13. IoT83 Ltd for vulnerabilities in IoT83 product(s), services, and components only. Third-party, open-source components used in IoT83 product(s), services, and components are not in scope (USA)
  14. MIM Software Inc. for MIM software products, platforms, and services as well as vulnerabilities reported to MIM Software in third-party components or libraries used by MIM Software products, platforms, and services not covered by another CNA (USA)
  15. Moxa Inc. for Moxa products only (Taiwan)
  16. National Cyber Security Centre Finland (NCSC-FI) for vulnerabilities in software discovered by NCSC-FI, and vulnerabilities reported to NCSC-FI for coordinated disclosure, which are not in another CNA’s scope (Finland)
  17. Open Design Alliance for Open Design Alliance products only (USA)
  18. Payara for all Payara Platform product distributions (Payara Server, Micro, Embedded) for both Enterprise (commercial) and Community (OSS) distributions (UK)
  19. Ribose Limited for all Ribose products and services, including open-source projects, supported products, and end-of-life/end-of-service products (UK)
  20. Samsung TV & Appliance for Samsung TV & Appliance products, Samsung-owned open-source projects listed on https://github.com/Samsung/, as well as vulnerabilities in third-party software discovered by Samsung that are not in another CNA’s scope. Vulnerabilities affecting end-of-life/end-of-service products are in scope. The following categories of Samsung Products are in scope: Internet-connected home appliances, B2C products (smart TV, smart monitor, soundbar, and projector), and B2B products (digital signage, interactive display, and kiosk) (South Korea)
  21. Schweitzer Engineering Laboratories, Inc. for all Schweitzer Engineering Laboratories products (USA)
  22. Security Risk Advisors (SRA) for vulnerabilities discovered by SRA that are not within the scope of another CNA (USA)
  23. Solidigm for Solidigm branded products and technologies (USA)
  24. StrongDM for StrongDM issues only (USA)
  25. Temporal Technologies Inc. for all Temporal Technologies software (USA)
  26. VulnCheck for vulnerabilities discovered by, or reported to, VulnCheck that are not in another CNA’s scope (USA)

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 307 partners from 36 countries participating in the CVE Program. View the entire list of CNA partners on the CVE website.

CVE Podcast – Becoming A CNA: Myths versus Facts

In this episode of the “We Speak CVE” podcast, host Shannon Sabens of CrowdStrike chats with Julia Turkevich of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about the myths and facts of partnering with the CVE Program as a CVE Numbering Authority (CNA).

The facts behind the following myths are discussed:

Myth #1: Only a specific category of software vendors can become CNAs.

Myth #2: Organizations cannot leverage their existing vulnerability management and disclosure processes when they become a CNA.

Myth #3: The requirements for becoming a CNA are overwhelming and extensive.

Myth #4: A fee is required to become a CNA.

Myth #5: The CNA onboarding process is too complicated and time-consuming.

Myth #6: Organizations cannot choose the Top-Level Root or Root they want to work with.

In addition, the purpose and overall structure of the CVE Program and CISA’s role in recruiting and managing CNAs within its Top-Level Root scope of industrial control systems (ICS) and operational technology (OT) are also discussed.

The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.

Share this article or comment on Medium:
CVE Podcast - https://www.cve.org/Media/News/item/podcast/2023/06/21/Becoming-A-CNA-Myths-versus-Facts
CVE on Medium - https://medium.com/@cve_program/we-speak-cve-podcast-becoming-a-cna-myths-versus-facts-bbf3234048bb

300+ Organizations Participating as CNAs as of June 21

On June 21, 2023, a major milestone was achieved with 301 organizations from around the world participating as CVE Numbering Authorities (CNAs) in the CVE Program: 299 CNAs and 2 CNAs of Last Resort (CNA-LR).

CNAs are vendor, researcher, open source, CERT, hosted service, and bug bounty provider organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage.

Contact information and other partner details for CNAs are available on the List of Partners page on the CVE website.

Number of CNAs Continues to Grow

In 2016, the CVE Program (with only 23 CNAs) adopted a strategy to federate the publication of CVE Records by partnering with additional CNAs. Since then, 278 additional organizations have partnered with the CVE Program as CNAs and, as a result, the CVE List surpassed the 200,000+ CVE Records milestone in April 2023.

Participation is also global, with CNAs from 36 countries participating, as shown in the world map below.

Partners by country. View the exact numbers by country on the CNA Program Growth page on the CVE website.

Automation and Resources for CNAs Continuing to Expand

As the number of participating CNAs has grown, so have automation and other resources.

The CVE Services are web forms and open-source automation tools that enable CNAs to reserve a number of sequential or non-sequential CVE IDs in real time, as needed, and to publish CVE Records to the CVE List. Learn more here.

Other resources for CNAs include the CVE Numbering Authority (CNA) Rules, Version 3.0 guidance document; CVE Program policy documents such as End-of-Life (EOL) (PDF, 0.4MB) and CVE Record Dispute Policy (PDF, 0.3MB); CNA process and onboarding videos and slides for prospective and existing CNAs; and various podcast episodes and blog articles on topics relevant to CNAs. Finally, a quarterly newsletter helps to keep CNAs up to date with tips and news.

The greater CNA community is also a resource, with discussions via email lists and a Slack channel, and the twice-per-year CVE Global Summit enables CNAs to regularly collaborate on specific topics in a focused manner.

Should Your Organization Become a CNA?

Numerous organizations from around the world are already participating as CNAs, while more and more organizations are deciding to become a CNA and join the CVE community to help build the CVE List.

Participation is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA’s scope by researchers who request a CVE ID.

If your organization would like to become a CNA, please visit How to Become a CNA on the CVE website.

Share this article or comment on Medium:
CVE Blog - https://www.cve.org/Media/News/item/blog/2023/06/21/301-Organizations-Participating-as-CNAs
CVE on Medium - https://medium.com/@cve_program/300-organizations-now-participating-as-cve-numbering-authorities-cnas-377328ce9035

CVE in the News

Citrix zero-day vulnerability under attack, iTnews

CVE-2023-38408 OpenSSH Flaw Allows Infecting Servers with Malicious Code Like Ransomware, Information Security Newspaper

Apple pushes out emergency fix for actively exploited zero-day (CVE-2023-37450), Help Net Security

Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability, The Hacker News

Proof of Concept Developed for Ghostscript CVE-2023-36664 Code Execution Vulnerability, Kroll Blog

It's 2023 and memory overwrite bugs are not just a thing, they're still number one, The Register

MITRE releases new list of top 25 most dangerous software bugs, Bleeping Computer
