Featured
- Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records
- CVE Records Add New CVE Program Container
- CVE and AI-related Vulnerabilities
CVE Numbering Authorities (CNAs)
- 23 Additional Organizations Added as CNAs
- “CNA Rules v4.0” in Effect as of August 8, 2024
- “Vulnogram User Guide” Available for CNAs
Community
- OPEN TO THE PUBLIC: Save the Date for CVE/FIRST VulnCon 2025 on April 7-10, 2025!
Featured
Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records
The CVE Program now publishes a “CNA Enrichment Recognition List” every two weeks on the Metrics page on the CVE website to recognize CVE Numbering Authorities (CNAs) that are actively enriching their CVE Records by adding Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) information.
Background
Getting more precise and quality vulnerability information in the hands of defenders and downstream customers on a timelier basis helps the cybersecurity community better address risks. Additional vulnerability-related information provides increased transparency, enables vulnerability root cause understanding, and helps prioritize vulnerability and incident response. Information standards and knowledge repositories like CVSS and CWE, among others, help provide a common language for this additional information.
In April 2024, the CVE Program highlighted how its data format evolved to better facilitate automation and data enrichment. This means that CNAs, as the authoritative source of vulnerability information within their scopes, and those with access to the most reliable source for accurate determinations, can easily provide data enrichment directly to a CVE Record, as opposed to waiting for a third-party to do so in a less timely and potentially less accurate manner. As such, the CVE Program called on all CNAs to provide this enrichment to their CVE Records directly, and, in so doing, contribute more substantially to the vulnerability management process. Many CNAs answered that call.
CNA Enrichment Recognition List
In recognition of CNAs providing enhanced vulnerability data in their CVE Records, the CVE Program will now publish a “CNA Enrichment Recognition List” every two weeks.
CNAs will be added to the list if they provide CVSS and CWE information 98% of the time or more within the two-week period of their last published CVE Record. This being the first iteration of such a list, the criteria may be adjusted in the future. For more information about vulnerability information types like CVSS and CWE, see the CVE Record User Guide.
View the current CNA Enrichment Recognition List.
CVE Records Add New CVE Program Container
The CVE® Program is pleased to announce the addition of a new CVE Program Container within CVE Records. It allows us to deliver additional information more effectively to downstream users, while making no changes to the CVE Record Format schema used by CVE Program partners. Today's addition supports CVE Program capabilities including providing additional references and Record state information. Over time, the new container will also store various “value added” Program data to further enhance individual CVE Records.
The CVE Program identifies references to CVE IDs across the Internet and then adds them to their respective CVE Records for additional valuable information. Previously, the only place to store these additional references was the CNA container. Placing them there, however, violated a principle established before the initial definition of the JSON data format which stated that CNA Containers are owned by the entity that reserved and published the CVE ID, and no one else should modify them. Recognizing the benefit of the additional references, the CVE Board granted an exception to temporarily place them into CNA Containers until a proper solution was able to be implemented.
The CVE Program is now rectifying this with the deployment of a CVE Program Container. Before deploying it, we needed to be sure the automation could support this capability, so over the last few months we have been enhancing and testing the automation to do just that.
The CVE Program Container is implemented in an ADP container format in the CVE Record as initially intended.
The specific JSON/CVE Record Format details for this container are as follows:
- adp:title field: “CVE Program Container”
- adp:providerMetadata:shortName field: “CVE”
- adp:references field as described here
To avoid overwhelming downstream users with a large volume of updated CVE Records, the deployment will occur over a two-week period starting on July 31, 2024. After deployment is complete, each CVE Record in the CVE Repository as of July 31, 2024, will have a CVE Program Container.
The CVE Program is using a two-part process to populate the “CVE Program Container”.
- First, the system has been updated to place Program-added references into this new container. Program-added references will no longer be placed in the CNA container.
- Second, the existing references previously placed into the CNA container will be copied to the CVE Program Container and marked with an x_transferred tag. This list of references is only a “snapshot in time” and will not be kept “in sync” with the CNA-provided references going forward. The x_transferred tagging is to support downstream users in determining which references have been “copied over,” and which references have been provided after the deployment date. Future references provided by the CVE Program will not have this tag.
During the two-week deployment, CNAs can, of course, update their CNA containers at any time to add or correct vulnerability information, or to add references. The CVE Program is not making any types of changes or deletions within any CNA container.
After the two-week deployment, all existing and new CVE Program-added references for a CVE Record will be stored in the CVE Program Container of that Record. In the case of new CVE Records created after this initial deployment, if no Program-provided data is added (e.g., no additional references, other Program metadata or Record state information), there will be no CVE Program Container associated with the CVE Record.
Upon deployment completion, the CNAs will be notified and permitted to remove unnecessary references from their CNA Containers while being sure to retain at least one Public Reference, as required by the CVE Numbering Authority (CNA) Operational Rules.
This milestone positions us to complete the foundation of a CVE Record, which now consists of:
- CNA Container
- CVE Program Container
- Optional third-party ADP-specific containers
While we anticipate adding more ADPs and their associated containers in the future, we do not expect to introduce additional container types at this time.
Implementation Considerations
Required Containers processing: Going forward, tool vendors and community users must construct a CVE Record from at least the CNA Container and, when one exists, the CVE Program Container. Those two containers are mandatory; all other ADP containers remain optional from a Program perspective.
Parsing the CVE Program Container: References in the CVE Program Container maintain the same format and properties as in the CVE Record's CNA container (see ADP references definition / description here).
Potential for Duplicate References: The possibility of reference duplication is an artifact of having more than one organization providing references in separate locations. On the deployment date, a copy of all references will be made, and each copied reference will be tagged x_transferred. In the end, downstream users will have to determine the appropriate way to resolve potential reference duplication between the CNA Container and the CVE Program Container for their use.
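The example below is added here and is not code from the CVE Program or its tooling. It shows how a downstream consumer might handle the two record-processing points raised in this newsletter: locating the CVE Program Container in a record (the ADP entry whose providerMetadata.shortName is "CVE"), merging its references with the CNA container's while honouring the x_transferred tag and deduplicating by URL, and checking whether a CNA container carries the CVSS and CWE data counted by the CNA Enrichment Recognition List. The records are constructed for illustration, the field names follow the published CVE Record Format, and the deduplication policy (the CNA's copy wins) is one local choice rather than a Program rule.

```python
"""Consume CVE Record Format (JSON 5.x) containers: CNA, CVE Program (ADP), other ADPs.

Added example, not CVE Program code. Field names follow the public CVE Record
Format: containers.cna, containers.adp[], providerMetadata.shortName,
references[].url / references[].tags, metrics[].cvssV3_1 and
problemTypes[].descriptions[].cweId. Both records below are constructed.
"""
import copy
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample record; the CVE-ID and URLs are placeholders, not real data.
SAMPLE_RECORD = json.loads("""{
 "dataType": "CVE_RECORD", "dataVersion": "5.1",
 "cveMetadata": {"cveId": "CVE-1900-0001", "state": "PUBLISHED"},
 "containers": {
  "cna": {
   "providerMetadata": {"shortName": "example_cna"},
   "references": [{"url": "https://vendor.example/advisory/1", "tags": ["vendor-advisory"]},
                  {"url": "https://tracker.example/issue/42", "tags": ["issue-tracking"]}],
   "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}],
   "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79",
                     "description": "Improper Neutralization of Input During Web Page Generation"}]}]
  },
  "adp": [
   {"title": "CVE Program Container", "providerMetadata": {"shortName": "CVE"},
    "references": [{"url": "https://tracker.example/issue/42/", "tags": ["issue-tracking", "x_transferred"]},
                   {"url": "https://old.example/note", "tags": ["x_transferred"]},
                   {"url": "https://blog.example/writeup", "tags": ["third-party-advisory"]}]},
   {"title": "Other ADP", "providerMetadata": {"shortName": "other_adp"},
    "references": [{"url": "https://blog.example/writeup"}]}
  ]
 }
}""")

# Constructed second record whose CNA container carries no CVSS or CWE data.
UNENRICHED_RECORD = copy.deepcopy(SAMPLE_RECORD)
UNENRICHED_RECORD["cveMetadata"]["cveId"] = "CVE-1900-0002"
UNENRICHED_RECORD["containers"]["cna"].pop("metrics")
UNENRICHED_RECORD["containers"]["cna"].pop("problemTypes")

CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")


def cve_program_container(record):
    """Return the CVE Program Container (the ADP entry with shortName "CVE"), or None.
    Records created after the rollout only get one when the Program adds data."""
    for adp in record.get("containers", {}).get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") == "CVE":
            return adp
    return None


def _key(url):
    """Normalise a reference URL for duplicate detection (lower-case host, no trailing slash)."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/") or "/", p.query, ""))


def merged_references(record):
    """Combine CNA and CVE Program references into one list, deduplicated by URL.

    Local policy: the CNA's copy wins, an x_transferred snapshot that still duplicates
    a live CNA reference is dropped, and each surviving entry records its provenance.
    """
    cna = record["containers"]["cna"]
    program = cve_program_container(record) or {}
    merged = {}
    for ref in cna.get("references", []):
        merged.setdefault(_key(ref["url"]),
                          {"url": ref["url"], "tags": sorted(ref.get("tags", [])), "source": "cna"})
    for ref in program.get("references", []):
        if _key(ref["url"]) in merged:
            continue  # the CNA container already carries this reference
        tags = ref.get("tags", [])
        merged[_key(ref["url"])] = {
            "url": ref["url"],
            "tags": sorted(t for t in tags if t != "x_transferred"),
            "source": "cve-program-transferred" if "x_transferred" in tags else "cve-program",
        }
    return list(merged.values())


def cna_is_enriched(record):
    """True when the CNA container holds both a CVSS metric and a CWE ID, the two
    data types the CNA Enrichment Recognition List counts."""
    cna = record["containers"]["cna"]
    has_cvss = any(key in metric for metric in cna.get("metrics", []) for key in CVSS_KEYS)
    has_cwe = any(desc.get("cweId", "").startswith("CWE-")
                  for pt in cna.get("problemTypes", []) for desc in pt.get("descriptions", []))
    return has_cvss and has_cwe


def enrichment_rate(records):
    """Share of records whose CNA container is enriched, for comparison with the 98% bar."""
    return sum(cna_is_enriched(r) for r in records) / len(records) if records else 0.0


if __name__ == "__main__":
    print(json.dumps(merged_references(SAMPLE_RECORD), indent=2))
    print("enriched:", enrichment_rate([SAMPLE_RECORD, UNENRICHED_RECORD]))
```

Note that the transferred copy of the tracker reference differs from the CNA's only by a trailing slash, which is why the merge keys on a normalised URL rather than on the raw string; the old.example snapshot survives with its x_transferred tag stripped and its origin recorded in source, so a consumer can still tell a frozen copy from a reference the Program added later.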
Share or comment on this CVE article on Medium:
https://medium.com/@cve_program/cve-records-add-new-cve-program-container-c6bd3241ca1d
CVE and AI-related Vulnerabilities
The first blog in a CVE Program AI Blog Series
With the rapid growth in large language model (LLM) capabilities and the increasing deployment of artificial intelligence (AI)-related technologies across enterprises, many are concerned with the potential proliferation and severity of related vulnerabilities. Vulnerability management and disclosure are simply the reality of the mature, modern enterprise, but what will AI-related vulnerability management and disclosure look like? And with small language model capabilities being actively integrated into your mobile devices, these issues are now coming home.
As the global foundation for vulnerability identification and naming, the CVE Program has been actively investigating how AI affects the determination of when AI-related CVE-ID assignments should be made. In the aftermath of VulnCon 2024, the CVE Board held a day-long working session with practitioners from outside the CVE Program who work daily on AI security. All participants walked through recent case studies of AI-enabled system security issues. This helped clarify the potential gaps between what CVE traditionally addresses and what the CVE scope should include in order to both determine and capture an AI-enabled system vulnerability in CVE.
This blog is the first in a series of CVE Program publications intended to document the CVE Board’s efforts to establish swim lanes for AI vulnerability disclosure within CVE. This series will discuss the concerns the Board is encountering in defining what is within the responsibilities of the CVE Program. Because not all AI issues are appropriate for a CVE assignment, it will also try to define when other AI security-related initiatives are needed to address concerns outside the CVE Program.
In the CVE Program context, a vulnerability is:
- An instance of one or more weaknesses in a product that can be exploited, causing a negative impact to confidentiality, integrity, or availability
- A set of conditions or behaviors that allows the violation of an explicit or implicit security policy
* Just because something has a security impact or a bad outcome, it does not necessarily mean it is a vulnerability in the CVE Program context and will be assigned a CVE-ID. *
The CVE Board’s AI working session demonstrated that the scope of some types of AI-enabled system security issues extends beyond that of the CVE Program. For example, with PoisonGPT, researchers downloaded an LLM, trained it to return false facts, and then re-uploaded the model to a public repository from which users may have downloaded the poisoned model. In this case the security policy governing the LLM allowed researchers to provide additional training facts and re-upload the model for others to use. If the security policy allows this, then this “bad security outcome” would not receive a CVE-ID, even if the modifications are malicious in nature. Other examples that would not receive CVE assignments are cases of racial or gender bias in various LLM technologies. While these are undoubtedly bad outcomes, they are unlikely to have a negative impact on confidentiality, integrity, or availability and are out of scope for CVE.
It is important to note that the recently announced CVE Numbering Authority (CNA) Rules no longer consider the type of technology (e.g., cloud, on-premises, hybrid, artificial intelligence, machine learning) when determining whether to assign a CVE-ID.
There are many different areas of concern with AI. Threats that target AI systems directly, such as manipulation of model training, the quality of the training data, the privacy of that data, and poisoning of operational environments, may or may not be areas where a CVE is appropriate. Specific vulnerabilities that provide openings for malicious attacks on AI-based systems are definitely within scope. But where is that boundary, and what are the definable aspects that pertain to CVE assignments?
Looking Ahead
The CVE Board recognizes that clear swim lanes need to be established for AI-related CVE-assignable vulnerabilities, as this affects product security team operations. Clearer guidelines on vulnerabilities in AI systems give Product Security Incident Response Teams (PSIRTs), a key consumer group of CVE data, a foundation for structuring their workflows and responsibilities.
In coming blogs, the CVE Program will provide further information on its directions, additional details and considerations concerning AI-related CVE-ID assignment, and where researchers and security professionals may find additional assistance with AI and assurance challenges. It is hoped this series helps spark a needed community conversation on AI-related security and the new classes of threats we all must deal with going forward.
Share or comment on this CVE article on Medium:
https://medium.com/@cve_program/cve-and-ai-related-vulnerabilities-3ae6ad8ae81b
CVE Numbering Authorities (CNAs)
23 Additional Organizations Added as CNAs
Since July 1st, twenty-three (23) additional organizations from around the world have partnered with the program as CNAs:
- Amazon – All Amazon and AWS products (including subsidiaries, supported, and EOL/EOS products), as well as vulnerabilities in third party software discovered by Amazon/AWS that are not in another CNA’s scope (USA)
- Arxscan, Inc. – Arxscan issues only (USA)
- ASUSTeK Computer Incorporation – ASUS issues only (Taiwan)
- Cytiva – Cytiva branded products only (USA)
- Cato Networks – All Cato Networks products and vulnerabilities in third-party products affecting Cato products unless covered by the scope of another CNA (Israel)
- Forescout Technologies – Forescout issues only (USA)
- Huntress Labs Inc. – All Huntress products, as well as vulnerabilities in third-party software discovered by Huntress that are not in another CNA’s scope (USA)
- Imagination Technologies – Imagination Technologies branded products and technologies and Imagination Technologies (IMG) managed open source projects (UK)
- Intigriti – Vulnerabilities in Intigriti products and vulnerabilities discovered by, or reported to, Intigriti that are not in another CNA’s scope (Belgium)
- Ivanti – Vulnerabilities in supported Ivanti products and infrastructure, excluding third-party components, and meeting severity thresholds defined in Ivanti’s Disclosure Policy here (USA)
- Kong Inc. – Kong products; Kong Konnect, Kong Enterprise, Kong Mesh, and Kong Insomnia, including Kong Opensource; Kong Gateway, Kuma, Insomnia (USA)
- Monash University - Cyber Security Incident Response Team – Vulnerabilities in any Monash University developed products, or vulnerabilities identified in third-party vendor products used by Monash University, unless covered by the scope of another CNA (Australia)
- Pall Corporation – Pall branded products only (USA)
- Proton AG – Proton AG issues only (Switzerland)
- PlexTrac, Inc. – Vulnerabilities within PlexTrac’s products (USA)
- RealPage – Vulnerabilities in RealPage products and services including but not limited to: Keyready, Knock CRM, HomeWiseDocs, REDS (Real Estate Data Solutions), G5, WhiteSky Communications, Chirp Systems, STRATIS IoT, Modern Message (Community Rewards), Hipercept, Investor Management Services, AIM, FUEL, Buildium, All Property Management, SimpleBills, DepositIQ, Rentlytics, ClickPay, LeaseLabs, PEX, On-Site, American Utility Management (AUM), Axiometrics, Lease Rent Optimization (LRO), AssetEye, NWP Services Corporation, Indatus, ActiveBuilding, RentMineOnline (RMO), MyNewPlace, Compliance Depot, SeniorLiving.net, eREI, Domin-8, Level One, Propertyware, Opstechnology, LeasingDesk, and YieldStar (USA)
- Seal Security – Vulnerabilities in Seal products or services and vulnerabilities discovered in open-source libraries unless covered by the scope of another CNA (USA)
- Stryker Corporation – All products of Stryker or a Stryker company including end-of-life/end-of-service products, and vulnerabilities in third-party software used in Stryker products that are not in another CNA’s scope (USA)
- Super Micro Computer, Inc. – Supermicro branded products, managed system, or software projects (USA)
- upKeeper Solutions – All upKeeper Solutions products, excluding end-of-life (EOL) as listed in the upKeeper Solutions End of Life Policy (Sweden)
- WatchDogDevelopment.com, LLC – All WatchDog products (USA)
- Wiz, Inc. – Vulnerabilities identified in Wiz products, and vulnerabilities discovered by, or reported to, Wiz that are not in another CNA’s scope (USA)
- 9front Systems – All software produced as part of the Plan9front open source operating system, as well as its applications and cyberinfrastructure. Vulnerabilities discovered by or reported to 9front Systems for all Plan 9 software not covered by the scope of another CNA (USA)
CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
There are currently 408 CNAs (406 CNAs and 2 CNA-LRs) participating in the CVE Program, from 40 countries plus 1 with no country affiliation. View the entire list of CNA partners on the CVE website.
“CNA Rules v4.0” in Effect as of August 8, 2024
The CVE Numbering Authority (CNA) Operational Rules Version 4.0 took effect on August 8, 2024. The previous version, CNA Rules v3.0, has been deprecated. CNAs are now required to comply with the CNA Rules v4.0.
After significant community participation and review, the CNA Rules v4.0 document was approved by the CVE Board on May 8, 2024, and published on the CVE website. CNAs were informed at that time that there would be a 90-day transition period to adjust their internal processes to integrate the new rules. That 90-day transition period ended on August 8, 2024. CNAs are now required to comply with the new rules.
To assist CNAs with the transition to the new rules, the CVE Program hosted a “CNA Rules v4.0 Q&A Webinar” on June 5, 2024, the video of which is available now on the CVE Program Channel on YouTube. The webinar provided information to CNAs about ways the new rules might affect CNA processes in the short term, the benefits for CNAs moving forward, and the expected positive impact on the vulnerability management ecosystem. Many of the “Significant Changes” were also discussed in detail in prior announcements such as the “CNA Rules Version 4.0 Update and Transition” blog and the webinar video.
Learn more about these topics and all of the changes in the new and improved “CNA Rules, v4.0” document, which is available here.
Share or comment on this CVE article on Medium:
https://medium.com/@cve_program/cna-rules-v4-0-now-in-effect-39d63dcad897
“Vulnogram User Guide” Available for CNAs
A community-developed “Vulnogram User Guide” (PDF, 4.0MB) is available for CVE Numbering Authorities (CNAs) on the CVE website. A “live” version of this document is available for CNAs on Google Docs, which continues to be reviewed and updated over time.
The guide explains step-by-step how to use Vulnogram with CVE Services to manage users, CVE Identifiers (CVE IDs), and CVE Records. Vulnogram is a tool for creating and editing CVE information in the CVE Record Format, and for generating advisories. This guide is intended for CNAs who may operate at a comparatively smaller scale and who are not using custom integration with CVE Services.
Vulnogram is not owned or maintained by the CVE Program. Learn more about Vulnogram on GitHub.
Share this CVE article:
https://www.cve.org/Media/News/item/news/2024/07/16/Vulnogram-User-Guide-Now-Available-for-CNAs
Community
OPEN TO THE PUBLIC: Save the Date for CVE/FIRST VulnCon 2025 on April 7-10, 2025!
The CVE Program and FIRST will co-host VulnCon 2025 at the McKimmon Center in Raleigh, North Carolina, USA, on April 7–10, 2025. Registration, both virtual and in-person, will open in November 2024.
The purpose of VulnCon, which is open to the public, is to bring together vulnerability management and cybersecurity professionals to develop forward-leaning ideas that can be taken back to individual programs for action, to the benefit of the vulnerability management ecosystem. A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and to determine how best to benefit the ecosystem broadly.
CVE Numbering Authorities (CNAs) — VulnCon 2025 takes the place of the 2025 Spring CVE Global Summit.
Mark Your Calendars for the Return of this Exciting Conference!
We have an action-packed docket of dynamic speakers and cross-industry topics that we feel will accelerate collaboration within the vulnerability management and standards/frameworks space! This will be a must-see event for anyone involved in researching, reporting, triaging, mitigating, and communicating about security vulnerabilities. Some highlights from the agenda include:
- 40+ sessions across 4 full days of content and networking/collaboration
- PSIRTs, Vulnerability SIGs, Working Groups, and other vulnerability ecosystem experts presenting about CVE, CVSS, EPSS, KEV, VEX, CVD, SBOM, Incident Response, and others!
- Speakers from the CVE Program, CISA, ENISA, global CERT teams, the OpenSSF, FIRST, and other renowned industry experts
- Actionable advice on how to engage with CVD across ecosystem stakeholders and how to use and align the assorted vuln metadata tools, frameworks, and standards
Some showcase sessions will include:
- A “Day of VEX” from practitioners
- A “Day of Vuln Identifiers” from practitioners
- Keynotes at the previous VulnCon covered “Supply Chain Security: The Office of the National Cyber Director Perspective”, “Vulnerability Coordination in the EU”, and “What it takes to lead America’s Vulnerability Management Team”, alongside sessions from global CERT teams
- Expert panels on Industry CVD, Vulnerability identifiers, VEX, Decentralized Root Cause analysis, the risks of requiring premature vuln disclosure, and more!
- Detailed sessions updating frameworks like CVSS, CWE, EPSS, and others
Virtual and In-Person Registration Options
Discounted rates are not being offered for this event regardless of membership or speaking status.
- Standard Admission (by March 9, 2025): US $300.00
- Late Rate Admission (after March 9, 2025): US $375.00
- Virtual Admission: US $100.00
Registration fees include four days of coffee breaks and buffet lunches, one networking reception hosted at the McKimmon Center, and applicable meeting materials.
An After Party is tentatively planned off-site, with tickets sold separately at US $25.00. More information to come.
Registration will open in November 2024.
Venue
McKimmon Center
North Carolina State University
1101 Gorman St.
Raleigh, North Carolina 27606
USA
Learn More About VulnCon 2025
For most up-to-date information, visit the CVE/FIRST VulnCon 2025 conference page hosted on the FIRST website. We look forward to seeing you at this annual community event!
Share or comment on this CVE article on Medium:
https://medium.com/@cve_program/save-the-date-for-cve-first-vulncon-2025-on-april-7-10-2025-915314960811
CVE in the News
Microsoft Warns of Windows Kernel Vulnerability Exploitation, Cyber Security News
Ivanti fixes maximum severity RCE bug in Endpoint Management software, Bleeping Computer
Critical VMware vCenter Server bugs fixed (CVE-2024-38812), Help Net Security
Apple iOS 18 Released with Fixes for 32 Security Vulnerabilities, Cyber Security News
CVE-2024-38856 and CVE-2024-45195 – Apache OFBiz Security Vulnerabilities, Security Boulevard
SonicWall firewall CVE exploits linked to ransomware attacks, Cybersecurity Dive
SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks, The Hacker News
CISA Releases Six New Advisories for Industrial Control Systems, Cyber Security News
Keeping Up with CVE
Follow us for the latest from CVE:
@CVEnew – X (Twitter) feed of the latest CVE Records
@CVEannounce – X (Twitter) feed of news and announcements about CVE
@CVE_Program – Mastodon feed of news and announcements about CVE
CVE Program - LinkedIn page
CVE-CWE - LinkedIn showcase page
CVE Blog - CVE website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.
