Thursday, May 16, 2024

CVE Announce - May 16, 2024 (opt-in newsletter from the CVE website)


1. New CVE Record Format Enables Additional Data Fields at Time of Disclosure

2. CNA Rules Version 4.0 Update and Transition

3. Eleven Additional Organizations Added as CVE Numbering Authorities (CNAs)

4. CVE Record Format Version 5.1.0 and CVE Services Version 2.3.0 Now Available

5. Our CVE Story: Ericsson’s Journey as a CVE Numbering Authority (CNA)

6. Videos from CVE/FIRST VulnCon 2024 Now Available

7. CVE Podcast – Swimming in Vulns (or, Fun with CVE Data Analysis)

8. Support for Legacy CVE Download Formats to End on June 30, 2024

9. Keeping Up with CVE

 

 

New CVE Record Format Enables Additional Data Fields at Time of Disclosure


When the CVE® Program was first established in 1999, a CVE Record consisted of only three elements: the CVE-ID itself, a brief vulnerability description, and a reference URL directing to further relevant information. This solved an important problem: two or more people or tools could refer to a vulnerability and know they were talking about the same thing, saving significant time and cost through a single shared reference.

 

Over the last 25 years, CVE has grown into the backbone of the vulnerability management ecosystem, with a federated governance model that includes partnering with CVE Numbering Authorities (CNAs) to grow CVE content and expand its use. At the same time, additional vulnerability-related information, including CVSS scores, CWE classifications, and CPE identifiers, among others, has become important to the cybersecurity community for increased transparency, understanding of vulnerability root causes, and prioritization of incident response.

 

In recent months, significant shifts in the vulnerability management landscape have led to consumer frustration in accessing these additional data fields related to CVE Records. Previously, downstream augmenters of CVE Record data (such as the NVD) have provided data such as CVSS base scores and CWE mappings derived from public information, often causing contention with CNA product vendors, who have access to the most reliable source for accurate determinations.

 

Now there is another way.

 

The CVE Board is proud to announce that the CVE Program has evolved its record format to enhance automation capabilities and data enrichment. This format, utilized by CVE Services, facilitates the reservation of CVE IDs and the inclusion of data elements like CVSS, CWE, CPE, and other data into the CVE Record at the time of issuing a security advisory. This means the authoritative source (within their CNA scope) of vulnerability information — those closest to the products themselves — can accurately report enriched data to CVE directly and contribute more substantially to the vulnerability management process.

 

Getting more accurate and precise information in the hands of the defenders and downstream customers on a timelier basis helps the vulnerability management ecosystem and the entire cybersecurity community in addressing risks.


Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/04/30/New-CVE-Record-Format-Enables-Additional-Data
CVE on Medium - https://medium.com/@cve_program/new-cve-record-format-enables-additional-data-fields-at-time-of-disclosure-82eef1d4035e

 

CNA Rules Version 4.0 Update and Transition


The CVE Program, Board members, and CNA staff have been working on rewriting the CVE Numbering Authority (CNA) Operational Rules Version 4.0 (PDF), which CNAs use to determine how to assign CVE IDs. This work has been ongoing since mid-2022.

 

The team devoted many hours to this important task. We wanted to create a sustainable set of rules that were well organized and could exist in a more agile world, so that small, important changes could be made without starting over again. The new rules went through extensive comment periods within the CVE Program and ended with a two-week period of public comments. The Board was required to vote on whether to accept the new CNA Rules on April 24, 2024. A majority of Board members voted YES by the next day.

 

There is a fundamental concept embedded throughout the rules, and also explicitly defined in section “4.2.1 First Refusal.” It goes like this:

The CNA with the most appropriate scope gets the first opportunity to assign. This is often the Supplier (vendor, developer) CNA. This CNA also gets the first opportunity to not assign. If the CNA does not assign, for any reason (including but not limited to EOL), then another CNA with appropriate scope can assign. For already Publicly Disclosed vulnerabilities, prefer CNA-LRs to assign, to reduce the chances of duplicate assignments.

 

Significant Changes

 

There were many changes to the previous set of rules. Three of the more significant changes are identified below.

 

  1. The rules are now agnostic to the type of technology:
    • 4.2.2.4 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, hybrid, artificial intelligence, machine learning) as the sole basis for determining assignment.
  2. The CNA of Last Resort (CNA-LR) can assign if the CNA declines:
    • 4.2.2.1 CNAs SHOULD assign a CVE ID if:
      • the CNA has reasonable evidence to determine the existence of a Vulnerability (4.1), and
      • the Vulnerability has been or is expected to be Publicly Disclosed, and
      • the CNA has appropriate scope (3.1).
    • The CNA still has discretion about what to assign for:
      • 4.2.2.2 CNAs SHOULD Publicly Disclose and assign a CVE ID if the Vulnerability:
        • has the potential to cause significant harm, or
        • requires action or risk assessment by parties other than the CNA.

 

The Shorthand

 

  1. These rules should work for whatever technology comes along; nothing is automatically out of bounds. This includes Cloud and AI/ML.
  2. Every company could potentially have vulnerabilities in their products and should become a CNA so they can control the message. The CVE Program will not reach out to a company that is not a CNA to give them right of first refusal if a potential vulnerability is reported to the Program.
  3. The CNA should lean toward assigning a CVE for a vulnerability, regardless of whether the customer needs to take action, if it is sufficiently harmful and might go public. The CNA still gets to decide what “significant harm” means.

 

Moving Forward

 

Now that the new rules have been adopted, CNAs have a 90-day grace period, starting on May 9, 2024, to figure out how to change their processes to make any necessary adjustments to comply with the new rules. On August 8, 2024, the old rules go away and the new rules will be enforced. At this point the new rules will be the official CNA Rules Version 4.0 (PDF) used throughout the CVE Program.


Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/05/07/CNA-Rules-v4-0-Update-and-Transition
CVE on Medium - https://medium.com/@cve_program/cna-rules-version-4-0-update-and-transition-8f9d11a59c02

 

Eleven Additional Organizations Added as CVE Numbering Authorities (CNAs)

 

Since our last issue, eleven (11) additional organizations from around the world have partnered with the program as CNAs:

 

  1. cirosec – Vulnerabilities discovered by or reported to cirosec researchers that are not in another CNA’s scope (Germany)
  2. Dremio Corporation – All Dremio Corporation products (USA)
  3. Edgewatch Security Intelligence – Vulnerabilities in third-party software discovered by Edgewatch that are not in another CNA’s scope (Spain)
  4. Jamf – Jamf issues and Jamf Open Source (USA)
  5. Microchip Technology – Microchip Technology products only (USA)
  6. N-able – N-able branded products and technologies only (USA)
  7. OpenSource Security GmbH – Vulnerabilities discovered by or reported to OpenSource Security, unless covered by another CNA’s scope (Germany)
  8. rami.io GmbH – All rami.io GmbH products and open-source projects, including pretix, official pretix plugins and apps, and Venueless (Germany)
  9. SCIEX – SCIEX branded products only (USA)
  10. Tego Cyber, Inc. – Tego Cyber issues and vulnerabilities discovered by Tego in third-party products, unless covered under the scope of another CNA (USA)
  11. TXOne Networks, Inc. – Vulnerabilities in TXOne Networks products, including end-of-life products, or third-party operational technology (OT) and industrial control systems (ICS) products, unless covered by the scope of another CNA (Taiwan)

 

In addition, the GoogleOSS CNA, which became a CVE Program partner in 2022, merged with the Google LLC CNA on April 9, 2024. The Google LLC CNA’s new scope resulting from the merger is: “Google products, including open-source software published and maintained by Google, and vulnerabilities in third-party software discovered by Google that are not in another CNA’s scope.” (USA)

 

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 377 CNAs (375 CNAs and 2 CNA-LRs) participating in the CVE Program, from 40 countries plus 1 with no country affiliation. View the entire list of CNA partners on the CVE website.

 

CVE Record Format Version 5.1.0 and CVE Services Version 2.3.0 Now Available


The CVE Program is pleased to announce the release of CVE Record Format 5.1.0 (view release notes) and CVE Services 2.3.0 (view release notes). This newest version release of the CVE Record Format further enables additional vulnerability-related information to be included by CVE Numbering Authorities (CNAs) in CVE Records at the time of disclosure. CVE Services was updated to support this new version of the CVE Record Format.

 

As noted in the CVE Blog article “New CVE Record Format Enables Additional Data Fields at Time of Disclosure,” the CVE Program has “evolved its record format to enhance automation capabilities and data enrichment. This format, utilized by CVE Services, facilitates the reservation of CVE IDs and the inclusion of data elements like CVSS, CWE, CPE, and other data into the CVE Record at the time of issuing a security advisory. This means the authoritative source (within their CNA scope) of vulnerability information — those closest to the products themselves — can accurately report enriched data to CVE directly and contribute more substantially to the vulnerability management process.”

 

CVE Record Format 5.1.0 furthers that effort with key enhancements.

 

Updates for CVE Record Format 5.1.0

 

The key updates for the new release include:

  • Support for the Forum of Incident Response and Security Teams’ (FIRST) Common Vulnerability Scoring System (CVSS) Version 4.0. CVE Records can be defined using the CVSS v2, v3, v3.1, and now v4 scoring standards.
  • The versionType field now allows:
    • Single product identification (not just ranges)
    • Support for additional product identifiers including UPC, GTIN, GMN, Package URLs, and SKUs
  • Bug fixes including stricter validation to prevent typos in required and optional fields, as well as to prevent unexpected fields in various locations within the schema

 

A complete list of updates is available in the release notes.
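As an added example (not code from the CVE Program or from this release), the following Python consumer reads one record in the CVE Record Format 5.1 layout and pulls out the enrichment this release lets CNAs supply at disclosure: the CNA's own CVSS metric (preferring v4.0 over older standards), its CWE IDs, affected versions stated as exact versions or ranges, and a list of whichever enrichment fields the CNA left out. The record itself is constructed with placeholder values, and the field names follow the cvelistV5 JSON schema as this example's author understands it.

```python
import json

# Constructed sample in the CVE Record Format 5.1 layout (not a real record: the
# ID, vendor, product, scores and vectors are placeholders); field names follow
# the cvelistV5 JSON schema as this example's author understands it.
SAMPLE_RECORD = json.loads(r"""
{"dataType": "CVE_RECORD", "dataVersion": "5.1",
 "cveMetadata": {"cveId": "CVE-0000-00001", "state": "PUBLISHED"},
 "containers": {"cna": {
  "affected": [{"vendor": "ExampleVendor", "product": "ExampleProduct",
    "cpes": ["cpe:2.3:a:examplevendor:exampleproduct:*:*:*:*:*:*:*:*"],
    "versions": [
      {"version": "2.0.0", "status": "affected", "versionType": "semver",
       "lessThan": "2.4.1"},
      {"version": "1.9.3", "status": "affected", "versionType": "semver"}]}],
  "problemTypes": [{"descriptions": [
    {"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79"}]}],
  "metrics": [
    {"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.1,
      "baseSeverity": "MEDIUM",
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}},
    {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.1,
      "baseSeverity": "MEDIUM",
      "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}]
}}}
""")

# CVSS object keys defined by the schema, newest standard first.
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")


def cna_cvss(record):
    """(version, baseScore, baseSeverity, vectorString) of the CNA-supplied
    CVSS, preferring the newest standard present; None if the CNA gave none."""
    metrics = record["containers"]["cna"].get("metrics", [])
    for key in CVSS_KEYS:
        for entry in metrics:
            if key in entry:
                m = entry[key]
                return (m["version"], m["baseScore"],
                        m.get("baseSeverity"), m["vectorString"])
    return None


def cna_cwes(record):
    """Unique CWE IDs the CNA attached under problemTypes, in record order."""
    ids = []
    for pt in record["containers"]["cna"].get("problemTypes", []):
        for d in pt.get("descriptions", []):
            if d.get("cweId") and d["cweId"] not in ids:
                ids.append(d["cweId"])
    return ids


def affected_versions(record):
    """One string per version entry: a range when lessThan/lessThanOrEqual is
    present, otherwise the single exact version a CNA may now state."""
    out = []
    for prod in record["containers"]["cna"].get("affected", []):
        for v in prod.get("versions", []):
            if "lessThan" in v:
                rng = f"{v['version']} <= v < {v['lessThan']}"
            elif "lessThanOrEqual" in v:
                rng = f"{v['version']} <= v <= {v['lessThanOrEqual']}"
            else:
                rng = f"v == {v['version']}"
            out.append(f"{prod['product']}: {rng} "
                       f"({v.get('versionType', 'unspecified')}, {v['status']})")
    return out


def enrichment_gaps(record):
    """Enrichment the CNA left out ('cvss', 'cwe', 'cpe'): the fields where a
    consumer would still depend on a downstream augmenter such as the NVD."""
    affected = record["containers"]["cna"].get("affected", [])
    checks = {"cvss": cna_cvss(record) is not None,
              "cwe": bool(cna_cwes(record)),
              "cpe": any(p.get("cpes") for p in affected)}
    return [name for name, present in checks.items() if not present]
```

The same functions apply unchanged to records pulled from the cvelistV5 repository, since those files use this layout.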

 

Terminology Change

 

This release also marks a change in how the CVE Program will refer to the CVE JSON 5.x record format in all CVE-related communications, on the website, etc., moving forward. Beginning with this release, “CVE JSON 5.x” will now be referred to as the “CVE Record Format” even though it will continue to be based upon CVE JSON.

 

The full title of this release is: “CVE Record Format Version 5.1.0”.

 

Updates for CVE Services 2.3.0

 

CVE Services was updated to version 2.3.0 to support the release of CVE Record Format 5.1.0. A complete list of updates is available in the release notes.

 

Detailed Release Notes

 

For more information on the features, bugs, etc., noted above, and additional compatibility considerations, please see the following on GitHub:

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/05/09/CVE-Record-Format-CVE-Services-Updated
CVE on Medium - https://medium.com/@cve_program/cve-record-format-version-5-1-0-and-cve-services-version-2-3-0-now-available-c34839777adc

 

Our CVE Story: Ericsson’s Journey as a CVE Numbering Authority (CNA)


Guest authors Milind R. Kulkarni and Umair Bukhari are both from the Ericsson Product Security Incident Response Team (PSIRT). Milind is Master Security Specialist and Umair is Head of the PSIRT. Ericsson is a CVE Numbering Authority (CNA) partner.

 

Ericsson, a global leader in telecommunications technology, achieved CVE Numbering Authority (CNA) status in January 2024. Over the past two decades, Ericsson Product Security has diligently been working to enhance product security, benefiting telecom networks worldwide. This milestone marks a significant advancement in Ericsson’s vulnerability management program maturity, reinforcing the security and reliability of our telecom products.

 

What made us take the decision to become a CNA and what are the benefits in adopting the CVE Program process? Let’s explore.

 

Previously, Ericsson’s vulnerability management process, overseen by the Ericsson PSIRT Team, primarily targeted vulnerabilities in third-party software integrated into our telecom products. Before achieving CNA status, our process for handling 0-day vulnerabilities in Ericsson’s product code lacked formal definition. We collaborated with external security researchers and customers upon receiving reports, but CVEs were assigned only when requested by the finder. Additionally, each time we needed to assign a CVE Identifier (CVE ID), we had to contact the CVE Program team, which added time to our operational process.

 

To address these challenges strategically, we enhanced our existing PSIRT processes to better serve our telco ecosystem. As a CNA, we introduced new beneficial procedures, including the adoption of the CVE Program framework within our existing workflows.

 

As a CNA, Ericsson now has the authority to assign and publish CVE Records for new vulnerability reports in our own source code. This designation grants us access to CVE Services tools and APIs, streamlining automation. Additionally, we benefit from a user-friendly Vulnogram web application interface, enabling instant procurement of CVE IDs and seamless submission of CVE Records to the public database 24x7, without the need for separate request tickets.

 

Being a CNA also enhances our coordination in the vulnerability disclosure process, allowing us to take ownership of messaging and provide reliable communication to customers. While Ericsson already had most of the processes in place, they have now been updated and enriched to align with the CVE Program guidelines. Leveraging our existing workflows, we ensured a smooth adoption of these enhancements. As part of our ongoing process improvement, we’ve clearly defined roles and responsibilities within our cross-functional teams for executing tasks related to CVEs.

 

We would like to highlight comments by Ericsson’s Chief Product Security Officer and Head of Product Security, Mikko Karikytö, which were first published in Ericsson’s news announcement, regarding CNA accreditation by the CVE Program:

 

“Our authorization as a CVE Numbering Authority (CNA) is a proof point in our ongoing commitment to cybersecurity excellence. We are honored to join the CVE community and contribute to addressing cybersecurity vulnerabilities. This is in line with our efforts to provide resilient high-performing secure digital infrastructure and meet demanding requirements.”

 

As part of the CNA requirement and preparation process, Ericsson PSIRT recently published an updated product vulnerability disclosure policy. This policy outlines instructions for external users to report vulnerability issues, defines Ericsson’s scope for assigning CVEs, outlines the remediation and communication process, and establishes a researcher acknowledgment policy. Additionally, we have created a dedicated security bulletin webpage where CVEs assigned by Ericsson will be posted. For more details, please visit the Ericsson PSIRT webpage.

 

Becoming a CNA reflects our strong commitment to product security throughout its lifecycle. By adhering to industry best practices, we can provide structured and reliable information to our customers. As we join the CNA program, we eagerly anticipate interacting with the global CNA community to learn and exchange industry best practices in vulnerability management. This opportunity also allows us to demonstrate leadership within the telco ecosystem and the security community.


Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/04/02/Our-CVE-Story-Ericssons-Journey-as-CNA
CVE on Medium - https://medium.com/@cve_program/our-cve-story-ericssons-journey-as-a-cve-numbering-authority-cna-e8fb44041990

 

Videos from CVE/FIRST VulnCon 2024 Now Available

 

Videos from all sessions of CVE/FIRST VulnCon 2024 are now available on the FIRST Channel on YouTube and the CVE Program Channel on YouTube. The purpose of VulnCon, which for CVE Numbering Authorities (CNAs) also took the place of this year’s Spring CVE Global Summit, was to collaborate with various vulnerability management and cybersecurity professionals to develop forward-leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem.

 

The following conference videos are available:

DAY 1

DAY 2

DAY 3

Please like or comment on the videos on the CVE Program Channel on YouTube or comment on the CVE Blog on Medium.

 

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/05/14/Videos-from-VulnCon-2024-Now-Available
CVE on Medium - https://medium.com/@cve_program/videos-from-cve-first-vulncon-2024-now-available-f86a3f09ce6b

 

We Speak CVE Podcast — Swimming in Vulns (or, Fun with CVE Data Analysis)


The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.

 

In this episode, host Shannon Sabens of CrowdStrike chats with Benjamin Edwards and Sander Vinberg, both of Bitsight, about analyzing vulnerability data in the CVE List. This is a follow-on to their “CVE Is The Worst Vulnerability Framework (Except For All The Others)” talk at CVE/FIRST VulnCon 2024.

 

Topics discussed include the types of vulnerabilities and vulnerability intelligence they reviewed and the different ways they approached the data; how CVE is a really good framework for compiling information about, and communicating effectively about, vulnerabilities; how increasing the number of CVE Numbering Authorities (CNAs) through federation has improved the quantity and quality of data produced by the program over time; how the overall quality of CVE List data improves for the entire vulnerability management ecosystem when CNAs include CVSS, CWE, CPE, etc., information when their CVE Records are published; and much, much, more!

 

https://youtu.be/Pzt75EkqnPs

 

The “We Speak CVE” podcast is available for free on the CVE Program Channel on YouTube, on the We Speak CVE page on Buzzsprout, and on major podcast directories such as Spotify, Stitcher, Apple Podcasts, iHeartRadio, Podcast Addict, Podchaser, Pocket Casts, Deezer, Listen Notes, Player FM, and Podcast Index, among others.

 

Please give the podcast a listen and let us know what you think!


Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/podcast/2024/04/30/Swimming-in-Vulns
CVE on Medium - https://medium.com/@cve_program/we-speak-cve-podcast-swimming-in-vulns-or-fun-with-cve-data-analysis-7837afeca27b

 

Support for Legacy CVE Download Formats to End on June 30, 2024


All support for the legacy CVE content download formats (i.e., CSV, HTML, XML, and CVRF) will end on June 30, 2024. These legacy download formats, which are currently being updated once per month during the phase out process, will only be updated two more times, once in May 2024 and once in June 2024.

Product teams and others need to update their tools and processes to the new supported format prior to these legacy format download files no longer being updated.

The legacy download formats have been replaced by CVE JSON as the only supported format for CVE Records and downloads. See below.

Phase-Out Process

 

Phase 3, the final phase of the phased deprecation of legacy CVE content download formats that began in January 2024 and will end on June 30, 2024, is almost complete per the phase-out schedule. Only two once-per-month updates for May and June remain until the legacy CVE download formats are officially deprecated.

This change was first announced in July 2023 in a CVE Blog article entitled “Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024” on the CVE.ORG website and promoted throughout the remainder of 2023 in the CVE Announce email newsletter and on CVE social media. A second blog article, entitled “Deprecation of Legacy CVE Download Formats Now Underway,” was published in January 2024, a third, “Phase 2 of Legacy CVE Download Formats Deprecation Now Underway,” was published in February 2024, and a fourth, “Phase 3 of Legacy CVE Download Formats Deprecation Now Underway,” was published in March 2024. All of the blogs were promoted on the CVE.ORG website, in the CVE Announce email newsletter, and on CVE social media.

 

Phase-Out Schedule

 

Phased deprecation means that the frequency of updates to the legacy download formats will be reduced over the coming months until they are no longer updated at the end of June 2024.

 

To assist consumers with their transition to the new format, the frequency of updates to the legacy download formats was reduced from daily updates, which ended on December 31, 2023, to updates on the following schedule:

 

  • January 2024: Once per week updates.
  • February 2024: Every other week updates.
  • March–June 2024: Once per month updates.
  • June 30, 2024: Legacy download formats no longer updated with new CVE Records.

 

New Format for CVE Records and Downloads

 

CVE Downloads in our new official data format for CVE Records, “CVE JSON,” are hosted in the cvelistV5 repository on GitHub.com. Update frequency and other details are available in the repository ReadMe.

 

CVE JSON is a richer, more structured format for vulnerability identification and description and will provide enhanced information for your customers. The schema for this new format is also available on GitHub.

 

Take Action Now!

 

Product teams and others need to update their tools and processes to the new supported format prior to these legacy format download files no longer being updated after June 30, 2024.

 

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/04/30/Legacy-Downloads-Formats-Support-Ends-June-30
CVE on Medium - https://medium.com/@cve_program/support-for-legacy-cve-download-formats-to-end-on-june-30-2024-2befc72199d6

 

Keeping Up with CVE

 

Follow us for the latest from CVE:

@CVEnew – X-Twitter feed of the latest CVE Records
@CVEannounce – X-Twitter feed of news and announcements about CVE
@CVE_Program – Mastodon feed of news and announcements about CVE
CVE Program - LinkedIn page
CVE-CWE - LinkedIn showcase page
CVE Blog - CVE website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

 

CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.
