Thursday, July 20, 2023

CVE Announce - July 20, 2023 (opt-in newsletter from the CVE website)

  1. Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024

  2. 26 Additional Organizations Added as CVE Numbering Authorities (CNAs)

  3. CVE Podcast – Becoming A CNA: Myths versus Facts

  4. 300+ Organizations Participating as CNAs as of June 21

  5. CVE in the News

  6. Keeping Up with CVE

Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024

A major change is coming in how CVE content is provided that will affect products that consume CVE content.

CNA partners, tool vendors, and other parties that use CVE download files for automation or other purposes should pay particular attention to this upcoming change.

Legacy CVE Content Formats Your Products Are Using to Be Phased Out

The CVE Program has a new official format for CVE Records and downloads (see section below).

As a result, the legacy CVE content download formats currently provided by the CVE Program (i.e., CSV, HTML, XML, and CVRF) will be phased out in the first half of 2024.

To assist consumers with their transition to the new format, the frequency of updates to the legacy download formats will be reduced on the following schedule:

Any tools or automation that use these old formats may no longer work once the old formats have been deprecated, so organizations should take action now.

New CVE Content Format Is Available for Use

CVE Downloads in our new official data format for CVE Records, “CVE JSON 5.0,” are hosted in the cvelistV5 repository on GitHub.com. Update frequency and other details are available in the repository ReadMe.

CVE JSON 5.0 is a richer, more structured format for vulnerability identification and description and will provide enhanced information for your customers. The schema for this new format is also available on GitHub.
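As an added example (not code from the CVE Program or this newsletter), the following Python routine validates and summarises one CVE JSON 5.0 record of the kind published in cvelistV5, which is the sort of consumer a tool migrating off the CSV/XML/CVRF downloads needs. The sample record is constructed, and the field names (dataType, cveMetadata, containers.cna, affected, descriptions, problemTypes, references) follow the published CVE JSON 5.0 schema as this example assumes it.

```python
import json
import re

# CVE ID pattern as used in cvelistV5 records (assumed to match the schema's cveId pattern).
CVE_ID_RE = re.compile(r"^CVE-[0-9]{4}-[0-9]{4,}$")

# Constructed sample record in CVE JSON 5.0 layout; every value below is a placeholder, not a real CVE.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-1900-0001", "state": "PUBLISHED",
                    "assignerOrgId": "00000000-0000-4000-8000-000000000000",
                    "datePublished": "2023-07-20T00:00:00.000Z"},
    "containers": {"cna": {
        "affected": [{"vendor": "ExampleVendor", "product": "ExampleProduct",
                      "versions": [{"version": "1.0", "status": "affected",
                                    "lessThan": "1.4", "versionType": "semver"}]}],
        "descriptions": [{"lang": "en", "value": "Constructed description for illustration."}],
        "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-0000",
                                            "description": "Placeholder weakness name"}]}],
        "references": [{"url": "https://example.invalid/advisory"}],
    }},
})


def summarize_record(text):
    """Parse one CVE JSON 5.0 record and return the fields a feed consumer usually wants.
    Raises ValueError for a non-5.x document or a malformed CVE ID, so a mislabelled legacy
    file or a truncated download fails loudly instead of silently."""
    rec = json.loads(text)
    if rec.get("dataType") != "CVE_RECORD" or not str(rec.get("dataVersion", "")).startswith("5."):
        raise ValueError("not a CVE JSON 5.x record")
    meta = rec["cveMetadata"]
    cve_id = meta["cveId"]
    if not CVE_ID_RE.match(cve_id):
        raise ValueError("malformed CVE ID: %s" % cve_id)
    cna = rec.get("containers", {}).get("cna", {})
    # Prefer the English description; fall back to the first one present, or empty.
    descs = cna.get("descriptions", [])
    desc = next((d["value"] for d in descs if d.get("lang", "").startswith("en")),
                descs[0]["value"] if descs else "")
    # Keep only version entries marked affected; "unaffected"/"unknown" entries are dropped.
    affected = [(a.get("vendor", ""), a.get("product", ""),
                 [v for v in a.get("versions", []) if v.get("status") == "affected"])
                for a in cna.get("affected", [])]
    cwes = [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", []) if "cweId" in d]
    return {"cveId": cve_id, "state": meta.get("state"), "description": desc,
            "affected": affected, "cwes": cwes,
            "references": [r["url"] for r in cna.get("references", [])]}
```

Pointing `summarize_record` at a file from a local clone of cvelistV5 gives the same dictionary for a real record; the `affected` tuples carry the `version`/`lessThan` range objects, so version matching stays with the caller.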

 

Take Action Now!

We are informing the community now so that product teams will have time to update their tools to the new CVE format prior to these legacy format download files no longer being updated after June 30, 2024.

If you have any comments or concerns, please use the CVE Program Request forms and select “Other” from the dropdown menu.

Share this article or comment on Medium:
CVE Blog on Medium - https://medium.com/@cve_program/legacy-cve-download-formats-will-be-phased-out-beginning-january-1-2024-13de552c9029

26 Additional Organizations Added as CVE Numbering Authorities (CNAs)

Since the beginning of April, 26 additional organizations from around the world have partnered with the program as CNAs:

  1. 42Gears Mobility Systems Pvt Ltd for 42Gears branded products and technologies only (India)
  2. AMI for vulnerabilities that affect AMI firmware and software products (USA)
  3. Arm Limited for Arm-branded products and technologies and Arm-managed open source projects (UK)
  4. Biohacking Village for vulnerabilities discovered by researchers in collaboration with Biohacking Village, with approval of Biohacking Village’s sponsors, that are not in another CNA’s scope (USA)
  5. Black Lantern Security (BLSOPS) for vulnerabilities in vendor products discovered by BLSOPS, or related parties, while performing vulnerability research or security assessments, unless covered by another CNA’s scope (USA)
  6. CrowdStrike Holdings, Inc. for CrowdStrike Sensor issues, excluding unsupported versions, and issues in third-party products or services identified by CrowdStrike research unless covered in the scope of another CNA (USA)
  7. Gitea Limited for Gitea issues only (China)
  8. Google Devices for Google Devices - Pixel, Nest, and Chromecast (USA)
  9. Hanwha Vision Co., Ltd. for Hanwha Vision (formerly Samsung Techwin and Hanwha Techwin) products and solutions only, including end-of-life (EOL) (South Korea)
  10. Halborn for all blockchain and Web3 products that rely on smart contracts written in Rust, Go, and Solidity, as well as blockchain associated Web2 and Web3 infrastructure not covered by another CNA (USA)
  11. ID Business Solutions for IDBS products as listed on https://www.idbs.com/products/ (UK)
  12. Illumio for Illumio issues only (USA)
  13. IoT83 Ltd for vulnerabilities in IoT83 product(s), services, and components only. Third-party, open-source components used in IoT83 product(s), services, and components are not in scope (USA)
  14. MIM Software Inc. for MIM software products, platforms, and services as well as vulnerabilities reported to MIM Software in third-party components or libraries used by MIM Software products, platforms, and services not covered by another CNA (USA)
  15. Moxa Inc. for Moxa products only (Taiwan)
  16. National Cyber Security Centre Finland (NCSC-FI) for vulnerabilities in software discovered by NCSC-FI, and vulnerabilities reported to NCSC-FI for coordinated disclosure, which are not in another CNA’s scope (Finland)
  17. Open Design Alliance for Open Design Alliance products only (USA)
  18. Payara for all Payara Platform product distributions (Payara Server, Micro, Embedded) for both Enterprise (commercial) and Community (OSS) distributions (UK)
  19. Ribose Limited for all Ribose products and services, including open-source projects, supported products, and end-of-life/end-of-service products (UK)
  20. Samsung TV & Appliance for Samsung TV & Appliance products, Samsung-owned open-source projects listed on https://github.com/Samsung/, as well as vulnerabilities in third-party software discovered by Samsung that are not in another CNA’s scope. Vulnerabilities affecting end-of-life/end-of-service products are in scope. The following categories of Samsung Products are in scope: Internet-connected home appliances, B2C products (smart TV, smart monitor, soundbar, and projector), and B2B products (digital signage, interactive display, and kiosk) (South Korea)
  21. Schweitzer Engineering Laboratories, Inc. for all Schweitzer Engineering Laboratories products (USA)
  22. Security Risk Advisors (SRA) for vulnerabilities discovered by SRA that are not within the scope of another CNA (USA)
  23. Solidigm for Solidigm branded products and technologies (USA)
  24. StrongDM for StrongDM issues only (USA)
  25. Temporal Technologies Inc. for all Temporal Technologies software (USA)
  26. VulnCheck for vulnerabilities discovered by, or reported to, VulnCheck that are not in another CNA’s scope (USA)

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 307 partners from 36 countries participating in the CVE Program. View the entire list of CNA partners on the CVE website.


CVE Podcast – Becoming A CNA: Myths versus Facts

In this episode of the “We Speak CVE” podcast, host Shannon Sabens of CrowdStrike chats with Julia Turkevich of U.S. Cybersecurity and Infrastructure Security Agency (CISA) about the myths and facts of partnering with the CVE Program as a CVE Numbering Authority (CNA).

Truth and facts about the following myths are discussed:

Myth #1: Only a specific category of software vendors can become CNAs.

Myth #2: Organizations cannot leverage their existing vulnerability management and disclosure processes when they become a CNA.

Myth #3: The requirements for becoming a CNA are overwhelming and extensive.

Myth #4: A fee is required to become a CNA.

Myth #5: The CNA onboarding process is too complicated and time-consuming.

Myth #6: Organizations cannot choose the Top-Level Root or Root they want to work with.

In addition, the purpose and overall structure of the CVE Program and CISA’s role in recruiting and managing CNAs within its Top-Level Root scope of industrial control system (ICS) and operational technology (OT) are also discussed.

The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.

Share this article or comment on Medium:
CVE Podcast - https://www.cve.org/Media/News/item/podcast/2023/06/21/Becoming-A-CNA-Myths-versus-Facts
CVE on Medium - https://medium.com/@cve_program/we-speak-cve-podcast-becoming-a-cna-myths-versus-facts-bbf3234048bb

300+ Organizations Participating as CNAs as of June 21

On June 21, 2023, a major milestone was achieved with 301 organizations from around the world participating as CVE Numbering Authorities (CNAs) in the CVE Program: 299 CNAs and 2 CNAs of Last Resort (CNA-LR).

CNAs are vendor, researcher, open source, CERT, hosted service, and bug bounty provider organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage.

Contact information and other partner details for CNAs are available on the List of Partners page on the CVE website.

Number of CNAs Continues to Grow

In 2016, the CVE Program (with only 23 CNAs) adopted a strategy to federate the publication of CVE Records by partnering with additional CNAs. Since then, 278 additional organizations have partnered with the CVE Program as CNAs and, as a result, the CVE List surpassed the 200,000+ CVE Records milestone in April 2023.

Participation is also global, with CNAs from 36 countries participating, as shown in the world map below.

[Figure: Partners by country. View the exact numbers by country on the CNA Program Growth page on the CVE website.]

Automation and Resources for CNAs Continuing to Expand

As the number of participating CNAs has grown, so have automation and other resources.

The CVE Services are web forms and open-source automation tools that enable CNAs to reserve a number of sequential or non-sequential CVE IDs in real time, as needed, and to publish CVE Records to the CVE List. Learn more here.

Other resources for CNAs include the CVE Numbering Authority (CNA) Rules, Version 3.0 guidance document; CVE Program policy documents such as End-of-Life (EOL) (PDF, 0.4MB) and CVE Record Dispute Policy (PDF, 0.3MB); CNA process and onboarding videos and slides for prospective and existing CNAs; and various podcast episodes and blog articles on topics relevant to CNAs. Finally, a quarterly newsletter helps to keep CNAs up to date with tips and news.

The greater CNA community is also a resource with discussions via email lists and a Slack channel, and the twice-per-year CVE Global Summit enables CNAs to regularly collaborate on specific topics in a focused manner.

Should Your Organization Become a CNA?

Numerous organizations from around the world are already participating as CNAs, while more and more organizations are deciding to become a CNA and join the CVE community to help build the CVE List.

Participation is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA’s scope by researchers who request a CVE ID.

If your organization would like to become a CNA, please visit How to Become a CNA on the CVE website.

Share this article or comment on Medium:
CVE Blog - https://www.cve.org/Media/News/item/blog/2023/06/21/301-Organizations-Participating-as-CNAs
CVE on Medium - https://medium.com/@cve_program/300-organizations-now-participating-as-cve-numbering-authorities-cnas-377328ce9035


CVE in the News

Citrix zero-day vulnerability under attack, iTnews

CVE-2023-38408 OpenSSH Flaw Allows Infecting Servers with Malicious Code Like Ransomware, Information Security Newspaper

Apple pushes out emergency fix for actively exploited zero-day (CVE-2023-37450), Help Net Security

Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability, The Hacker News

Proof of Concept Developed for Ghostscript CVE-2023-36664 Code Execution Vulnerability, Kroll Blog

It's 2023 and memory overwrite bugs are not just a thing, they're still number one, The Register

MITRE releases new list of top 25 most dangerous software bugs, Bleeping Computer

Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE Program - LinkedIn page
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2023, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.