1. Have an Innovative Idea or a New Feature Request to Enhance the CVE Program?
2. 15 Additional Organizations Added as CVE Numbering Authorities (CNAs)
3. CVE Podcast — How the New CVE Record Format Will Benefit Consumers
4. REMINDER: Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024
Have an Innovative Idea or a New Feature Request to Enhance the CVE Program?
The CVE Program welcomes innovative ideas and new feature requests from the community in our CVE Program Ideas repository on GitHub.com. We encourage you to submit any suggestions you may have to enhance the CVE Program and help us better serve the broader community.
Submissions could include programmatic rule/policy suggestions, innovative automation features to support more efficient CVE Record publication and use, or any other ideas you might have.
Please note that this new repository will be used exclusively to receive and manage innovative idea suggestions and new feature requests for the overall CVE Program. It is not meant to replace previously established bug and issue trackers for the CVE Website-, CVE Services-, or CVE JSON 5.0 schema-related issues.
Making a Submission
Follow the steps below to submit your innovative idea or new program feature request on GitHub. You will need a GitHub account to make a submission.
- Navigate to the CVE Program Innovation Ideas and Feature Requests Issues page on GitHub.
- Click the “New Issue” button in the upper-right corner of the page to launch the “CVE Program New Automation Feature Request” page.
- Click the “Get started” button to launch the new issue template.
- In the “Title” field, enter a title that briefly describes your innovative idea or suggested feature.
- In the “Write” field, follow the instructions provided in the template to add more details.
- Once your submission is complete, click the “Submit new issue” button at the bottom of the form.
(Image: CVE Program Issue Tracker Template)
Important: Please do not select any of the options in the right-hand column next to the form (not shown in above image). Those options will be used by the CVE Program to manage the submissions.
Processing of Submissions
Once your submission is received by the CVE Program, it will be reviewed by the CVE Board (or its designated working group). The disposition of all innovative ideas and new program feature requests can be tracked on the CVE Program Innovative Ideas/Feature Tracker. Questions about this initiative should be sent to the CVE Automation Working Group (AWG) at awg@cve-cwe-programs.groups.io.
We look forward to hearing from you!
Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/news/2023/08/29/CVE-Program-Idea-Tracker
CVE on Medium - https://medium.com/@cve_program/have-an-innovative-idea-or-a-new-feature-request-to-enhance-the-cve-program-ead0b7c161e2
15 Additional Organizations Added as CVE Numbering Authorities (CNAs)
Since our last issue, 15 additional organizations from around the world have partnered with the program as CNAs:
- AlgoSec: AlgoSec products only (Israel)
- Analog Devices, Inc. (ADI): Vulnerabilities in ADI firmware and software products (USA)
- Canon EMEA: Canon EMEA internally developed services and solutions as well as NT-ware, IRIS, and Therefore (UK)
- CERT.PL: Vulnerabilities in software discovered by CERT.PL, and vulnerabilities reported to CERT.PL for coordinated disclosure, which are not in another CNA’s scope (Poland)
- Integrated Control Technology LTD (ICT): All ICT security products (New Zealand)
- Nokia: All vulnerabilities in Nokia products (Finland)
- Mandiant Inc.: Vulnerabilities in Mandiant products or discovered by Mandiant while performing vulnerability research or security assessments, unless covered by another CNA’s scope (USA)
- Phoenix Technologies, Inc.: All Phoenix Technologies products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Phoenix Technologies that are not in another CNA’s scope (USA)
- Progress Software Corporation: Vulnerabilities in software published and maintained by Progress Software Corporation (USA)
- Pure Storage, Inc.: Pure Storage products only (USA)
- Python Software Foundation: Only supported and end-of-life Python versions available at https://python.org/downloads and pip versions available at https://pypi.org/project/pip, and excluding distributions of Python and pip maintained by third-party redistributors (USA)
- Securin: Vulnerabilities found in Securin products and services (including end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Securin that are not in another CNA’s scope (USA)
- SoftIron: SoftIron HyperCloud branded products and technologies only (USA)
- VULSec Labs: Vulnerabilities discovered by, or reported to, VULSec Labs that are not in another CNA’s scope (Israel)
- Xerox Corporation: Xerox Corporation issues only (USA)
CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
There are currently 321 CNAs (319 CNAs and 2 CNA-LRs) from 37 countries participating in the CVE Program. View the entire list of CNA partners on the CVE website.
CVE Podcast – How the New CVE Record Format Will Benefit Consumers
In this episode of the “We Speak CVE” podcast, Shannon Sabens of CrowdStrike and Kent Landfield of Trellix, both of whom are CVE Board members and CVE Working Group (WG) chairs, speak about how the new CVE Record format — with its new structured data format and optional information fields — will benefit and provide enhanced value to consumers of CVE content moving forward.
Specific topics discussed include:
- how the new CVE Record format enables more complete vulnerability information to be captured early in the advisory process, and how that benefits consumers;
- the ability of CVE content consumers to streamline and more easily automate their use of CVE Records, because the data format is standardized and machine-readable;
- the automated creation and publication of CVE Records by CVE Numbering Authorities, which means more quality CVE Records can be produced at a faster pace than ever before for use by the worldwide community; and
- the ability of official CVE Program “Authorized Data Publishers (ADPs)” to enrich the content of already published CVE Records with additional risk scores, affected product lists, versions, references, translations, and so on (learn more about ADPs in this CVE podcast).
Vulnerability scoring methods for CVE Records are also discussed, including NVD’s use of CVSS, CISA’s Known Exploited Vulnerabilities (KEV) Catalog, and more.
The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.
Share this article or comment on Medium:
CVE Podcast - https://www.cve.org/Media/News/item/podcast/2023/09/26/How-New-CVE-Record-Format-Benefits-Consumers
CVE on Medium - https://medium.com/@cve_program/we-speak-cve-podcast-how-the-new-cve-record-format-will-benefit-consumers-596b427f378a
REMINDER: Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024
On July 25, 2023, the CVE Program announced a major change in how CVE content is provided, one that will affect products that consume CVE content.
As a reminder, CNA partners, tool vendors, and other parties that use CVE download files for automation or other purposes should pay particular attention to this upcoming change.
Legacy CVE Content Formats Your Products Are Using to Be Phased Out
The CVE Program has a new official format for CVE Records and downloads (see section below).
As a result, the legacy CVE content download formats currently provided by the CVE Program (i.e., CSV, HTML, XML, and CVRF) will be phased out in the first half of 2024.
To assist consumers with their transition to the new format, the frequency of updates to the legacy download formats will be reduced on the following schedule:
Any tools or automation that use these old formats may no longer work once the old formats have been deprecated, so organizations should take action now.
New CVE Content Format Is Available for Use
CVE Downloads in our new official data format for CVE Records, “CVE JSON 5.0,” are hosted in the cvelistV5 repository on GitHub.com. Update frequency and other details are available in the repository ReadMe.
CVE JSON 5.0 is a richer, more structured format for vulnerability identification and description and will provide enhanced information for your customers. The schema for this new format is also available on GitHub.
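Teams migrating automation off the CSV/XML downloads need to read the new structure rather than flat columns. The following is an added example (not CVE Program code) that flattens a constructed CVE JSON 5.0 record into the fields a vulnerability-management feed typically keys on: the CVE ID and state, the affected version ranges from the CNA container, and the highest CVSS base score across the CNA and any ADP enrichment containers. The record, vendor, product, URL and scores are placeholders constructed for the example.

```python
import json

# Constructed CVE JSON 5.0 record with placeholder values (not a real CVE Record);
# it follows the cveMetadata / containers.cna / containers.adp layout used by
# records in the cvelistV5 repository.
SAMPLE_RECORD = json.loads("""{
  "dataType": "CVE_RECORD", "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-2023-0000", "state": "PUBLISHED"},
  "containers": {
    "cna": {
      "affected": [{"vendor": "ExampleVendor", "product": "ExampleProduct",
                    "defaultStatus": "unaffected",
                    "versions": [{"version": "1.0", "status": "affected",
                                  "lessThan": "1.4", "versionType": "semver"}]}],
      "descriptions": [{"lang": "en", "value": "Placeholder description."}],
      "metrics": [{"cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}],
      "references": [{"url": "https://example.invalid/advisory"}]
    },
    "adp": [{"metrics": [{"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}]
  }
}""")


def base_scores(record):
    """Collect every CVSS base score from the CNA container and each ADP container."""
    containers = record["containers"]
    scores = []
    for c in [containers["cna"]] + containers.get("adp", []):
        for metric in c.get("metrics", []):
            for key, body in metric.items():
                if key.startswith("cvssV") and "baseScore" in body:
                    scores.append((key, float(body["baseScore"])))
    return scores


def summarize(record):
    """Flatten the fields a vulnerability-management feed usually keys on."""
    if record.get("dataType") != "CVE_RECORD" or not str(record.get("dataVersion", "")).startswith("5."):
        raise ValueError("not a CVE JSON 5.x record")
    meta = record["cveMetadata"]
    if meta.get("state") != "PUBLISHED":      # REJECTED records describe no affected products
        return {"cve_id": meta["cveId"], "state": meta["state"], "affected": [], "max_score": None}
    affected = []
    for a in record["containers"]["cna"].get("affected", []):
        for v in a.get("versions", []):      # only ranges explicitly marked affected
            if v.get("status") == "affected":
                affected.append({"vendor": a.get("vendor"), "product": a.get("product"),
                                 "from": v.get("version"), "lessThan": v.get("lessThan")})
    scores = base_scores(record)
    return {"cve_id": meta["cveId"], "state": "PUBLISHED", "affected": affected,
            "max_score": max(s for _, s in scores) if scores else None}
```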
Take Action Now!
We are informing the community now so that product teams have time to update their tools to the new CVE format before the legacy format download files stop being updated after June 30, 2024.
If you have any comments or concerns, please use the CVE Program Request forms and select “Other” from the dropdown menu.
Share this article or comment on Medium:
CVE Blog - https://www.cve.org/Media/News/item/blog/2023/07/25/Legacy-Downloads-being-Phased-Out
CVE Blog on Medium - https://medium.com/@cve_program/legacy-cve-download-formats-will-be-phased-out-beginning-january-1-2024-13de552c9029
Google assigns new maximum rated CVE to libwebp bug exploited in attacks, Bleeping Computer
Critical JetBrains TeamCity vulnerability could be exploited to launch supply chain attacks (CVE-2023-42793), Help Net Security
Cisco urges to patch actively exploited IOS 0-day CVE-2023-20109, Security Affairs
Trend Micro Releases Urgent Fix for Actively Exploited Critical Security Vulnerability, The Hacker News
GitLab fixes critical vulnerability, patch now! (CVE-2023-5009), Help Net Security
Progress Fixes Critical Pre-Auth RCE Flaws in WS_FTP Server, Cyber Kendra
Apple issues emergency patches for 3 zero-day bugs, TechTarget
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE Program - LinkedIn page
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2023, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.
