CVE - News & Events (Archive)

2013 News & Events (Archive)

December 27, 2013

1 Product from Beijing Topsec Now Registered as Officially "CVE-Compatible"

cve compatible image One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 159 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Beijing Topsec Co., Ltd.'s

TopScanner

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

December 9, 2013

CVE Adopts Common Vulnerability Reporting Framework (CVRF) Format

The CVE List is now publishing CVE content using the Common Vulnerability Reporting Framework (CVRF). Developed by the Industry Consortium for Advancement of Security on the Internet (ICASI), CVRF is an XML-based standard that enables software vulnerability information to be shared in a machine-parsable format between vulnerability information providers and consumers. Having vulnerability information in a single, standardized format speeds up information exchange and digestion, while also enabling automation.

"Presenting the CVE List in CVRF format will make it easier for people to access CVE content instead of having to use our custom format," said Steve Christey Coley, principal information security engineer at MITRE and editor of the CVE List. "We hope this will encourage others in the security community to share vulnerability information using a standardized machine-readable format."

CVRF is currently used by major vendors, including Red Hat, Inc., Microsoft Corporation, Cisco Systems, Inc., and Oracle Corporation, which issue their security advisories in CVRF format:

Mark Cox, senior director of Product Security at Red Hat: "Red Hat provides CVRF representations of our security advisories and we make heavy use of data provided by the MITRE CVE project. Having their data in a common standard format will help us and others consume it."
Dustin Childs, group manager of Microsoft Trustworthy Computing: "Customer protection is a priority for Microsoft, and adoption of the new standardized CVRF format extends customer access to crucial information about CVEs. We are pleased to support an advance that makes it easier to understand and address vulnerabilities."
Mike Schiffman, applied researcher, Cisco Systems and ICASI CVRF Working Group chair: "Cisco, a founding member of ICASI and CVRF working group chair, is happy to help MITRE deploy the de-facto standard for the automated creation and consumption of machine-readable vulnerability documentation."
Mary Ann Davidson, chief security officer for Oracle Corporation: "Oracle has been publishing CVRF since early 2012 for all vulnerability communications. We are delighted that MITRE will be providing CVE information in CVRF format, as it will further enable the sharing of security information in a machine-readable format, thus allowing organizations to more quickly and efficiently react when security vulnerability information is published."

The CVE dictionary, sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security (DHS), contains more than 58,000 unique entries and is considered an international standard. Products, services and organizations around the world use CVE-IDs to help enhance information security, and CVE is formally recommended by the International Telecommunication Union (ITU-T) standards body for worldwide use.

"Because vulnerability information comes from many diverse sources, a common format makes it easier to analyze and import data without having to create custom tools or to do so manually," added Christey. "Encouraging the use of CVRF means CVE and other vulnerability information consumers can reduce the effort needed to support the wide variety of formats currently in use. And because of its adoption by major vendors, CVRF has a better chance of success compared to earlier efforts, particularly as the need grows for automated exchange of vulnerability data."

Visit the CVE Usage of CVRF page for additional information, and/or the Download CVE page to access CVE content in CVRF format.

December 5, 2013

3 Products from 2 Organizations Now Registered as Officially "CVE-Compatible"

cve compatible image Three additional information security products from two organizations have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the the CVE-Compatible Products and Services page on the CVE Web site. A total of 142 products to-date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Cr0security	-	Cr0security Penetration Testing and Consultant Services
Cr0security	-	Cr0security Certified Security Testing (CCST)
NetentSec, Inc.	-	NetentSec Next Generation Firewall

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

ADTsys Software Makes Declaration of CVE Compatibility

ADTsys Software declared that that its ADTsys Cloud Security service will be CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

November 25, 2013

New CVE Editorial Board Member

Elizabeth Scott of Microsoft Corporation has joined the CVE Editorial Board.

New CVE Editorial Board Member

Panos Kampanakis of Cisco Systems, Inc. has joined the CVE Editorial Board.

New CVE Editorial Board Member

David Waltermire of the National Institute of Standards and Technology has joined the CVE Editorial Board.

"CVE Data Sources and Product Coverage" Page Added to CVE Web Site

A new CVE Data Sources and Product Coverage page has been added to the CVE List section. The page details the sources that provide data to help MITRE build the CVE List, and the "must have" product coverage as determined by the CVE Editorial Board.

October 2, 2013

IBM Makes Declaration of CVE Compatibility

IBM declared that its vulnerability management product, IBM QRadar Vulnerability Manager, is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

Cr0security Makes Declaration of CVE Compatibility

Cr0security declared that its Cr0security Penetration Testing and Consultant Services are CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

September 6, 2013

CVE-ID Syntax Changing on January 1, 2014

The ID syntax for Common Vulnerabilities and Exposures (CVE) vulnerability identifiers, or "CVE-IDs", will change on January 1, 2014.

All CVE consumers – vendors, end users, researchers, CVE Numbering Authorities (CNAs), etc. – will be affected by the CVE-ID syntax change.

Learn more on the CVE-ID Syntax Change page.

August 16, 2013

4 Products from SecPoint Now Registered as Officially "CVE-Compatible"

cve compatible image Four additional information security products have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 155 products to-date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

SecPoint ApS	-	SecPoint Penetrator
	-	SecPoint Cloud Penetrator
	-	SecPoint Portable Penetrator
	-	SecPoint Protector UTM Firewall

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Unreliability of Vulnerability Data and Statistics Briefing at Black Hat Briefings 2013

CVE Technical Lead Steven M. Christey co-presented a briefing with Open Source Vulnerability Database (OSVDB) content manager Brian Martin entitled "Buying into the Bias: Why Vulnerability Statistics Suck" on July 31, 2013 at Black Hat Briefings 2013 at Caesar’s Palace in Las Vegas, Nevada, USA.

Visit the CVE Calendar for information on this and other events.

MITRE Hosts CVE Booth at Black Hat Briefings 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CVE at Black Hat Briefings 2013 at Caesar’s Palace in Las Vegas, Nevada, USA, on July 27 – August 1, 2013.

Visit the CVE Calendar for information on this and other events

July 17, 2013

CVE-ID Syntax Change Voting Results

Voting on the CVE Identifier (CVE-ID) Syntax Change is now complete and the CVE Editorial Board has determined that the new CVE-ID syntax taking effect on January 1, 2014 will be variable length arbitrary digits.

This announcement is being made now so that users will have enough time to change their processes and software to handle the new ID syntax.

NEW CVE-ID SYNTAX

The new CVE-ID Syntax is "CVE prefix + Year + Arbitrary Digits" and will begin at four (4) fixed digits and expand with arbitrary digits only when needed in a calendar year, for example, CVE-YYYY-NNNN with 4 digits, and if needed CVE-YYYY-NNNNN with 5 digits, and so on. The year, or YYYY, indicates the year the CVE-ID is issued to a CVE Numbering Authority (CNA) or when the issue is first disclosed to the public.

This syntax selection also means there will be no changes needed to previously assigned CVE-IDs, which all include 4 digits.

Examples of the New CVE-ID Syntax with 4, 5, and 7 digits are included below:

CVE-2014-0001
CVE-2014-12345
CVE-2014-7654321

See the July 17, 2013 "CVE-ID Syntax Change Infographic Now Available" article below for an infographic explaining the current (i.e., "old") CVE-ID Syntax versus the New CVE-ID Syntax.

BACKGROUND

As initially announced in the January 24, 2013 article "Call for Public Feedback on Upcoming CVE ID Syntax Change," due to the increasing volume of public vulnerability reports, the CVE Editorial Board determined that the Common Vulnerabilities and Exposures (CVE) project needed to change the syntax of its standard vulnerability identifiers so that the CVE List can track more than 10,000 vulnerabilities in a single year. The current syntax of four fixed digits, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year.

The initial plan called for a period of public feedback, followed by a formal vote by members of the CVE Editorial Board. However, as explained in the May 3, 2013 article "Status Update on the CVE ID Syntax Change," two rounds of voting were required as the initial vote held by the Board in April 2013 resulted in a tie. The initial vote was among three proposed options, with the tie occurring between Option A that extended the available numbering space to 6 digits, and Option B that extended the available numbering space to an arbitrary number of digits (learn more about the original three options). After discussion with the CVE Editorial Board, MITRE proposed dropping Option C from consideration and holding a second vote with only two options, the current Option B and a slightly modified Option A that extended the available numbering space to 8 digits (learn more about the final two options). The second vote was held in May 2013 and resulted in "Option B, CVE prefix + Year + Arbitrary Digits" winning the vote by receiving 15 of the 18 votes cast.

Detailed discussions and votes by the CVE Editorial Board are included in the CVE Editorial Board Discussion Archive — June 2013, CVE Editorial Board Discussion Archive — April 2013, and CVE Editorial Board Discussion Archive — May 2013 discussion archives.

ADDITIONAL STATUS UPDATES

Additional information about the upcoming CVE-ID Syntax Change will be posted on the CVE Web site in the coming months. In the meantime, please address any comments or concerns to cve-id-change@mitre.org.

CVE-ID Syntax Change Infographic Now Available

An infographic explaining the Current (i.e., "old") CVE-ID Syntax versus the New CVE-ID Syntax being implemented on January 1, 2014 is included below.

CVE-ID Syntax Change

Please feel free to re-post this infographic. We would like the syntax change announcement to reach the widest possible audience.

July 12, 2013

MITRE to Host CVE Booth at Black Hat Briefings 2013 on July 27 – August 1

MITRE will host a "Strengthening Cyber Defense" booth that includes CVE at Black Hat Briefings 2013 at Caesar’s Palace in Las Vegas, Nevada, USA, on July 27 – August 1, 2013. Attendees will learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 242 and say hello!

In addition, CVE Technical Lead Steven M. Christey will co-present a briefing with Open Source Vulnerability Database (OSVDB) content manager Brian Martin entitled "Buying into the Bias: Why Vulnerability Statistics Suck" on July 31.

Visit the CVE Calendar for information on this and other events.

Unreliability of Vulnerability Data and Statistics Briefing at Black Hat Briefings 2013 on July 31

CVE Technical Lead Steven M. Christey will co-present a briefing with Open Source Vulnerability Database (OSVDB) content manager Brian Martin entitled "Buying into the Bias: Why Vulnerability Statistics Suck" on July 31, 2013 at Black Hat Briefings 2013 at Caesar’s Palace in Las Vegas, Nevada, USA.

Visit the CVE Calendar for information on this and other events.

CVE Mentioned in Article about Unreliable Vulnerability Data and Statistics on DarkReading.com

CVE was mentioned in a June 13, 2013 article entitled "Don't Take Vulnerability Counts At Face Value" on DarkReading.com about unreliable vulnerability data and statistics. The article is a preview of a briefing entitled "Buying into the Bias: Why Vulnerability Statistics Suck" by Open Source Vulnerability Database (OSVDB) content manager Brian Martin and MITRE CVE Technical Lead Steve Christey currently scheduled for presentation on July 31, 2013 at Black Hat Briefings 2013.

CVE is mentioned in a section about the impact of the uncertainty in vulnerability statistics, when the author states: "A major source of confusion is the wide range of flaw counts. Recent reports from Sourcefire and Symantec, for example, were based on vulnerabilities tallied from the National Vulnerability Database and its collection of flaws that have a Common Vulnerability and Exposures (CVE) identifier. Thus, the two reports had very similar numbers: 5,281 and 5,291, respectively. On the other hand, the Open-Source Vulnerability Database (OSVDB) seeks out a large number of additional vulnerability reports and posts the highest bug counts -- 9,184 for 2012, 75 percent higher than that reported by Sourcefire. Other vendors that have their own sources of vulnerability data typically land between the two extremes. Hewlett-Packard’s Zero-Day Initiative, which buys information on serious software security issues, claimed to have found 8,137."

The article also quotes Steve Christey, who states: "At the very least, it is important that people understand the limitations of the data that [is] being used and be able to read reports based on that data with a sufficient dose of skepticism."

CVE Mentioned in Article about Self-Defending Networks on NetworkWorld.com

CVE, Trusted Automated eXchange of Indicator Information (TAXII™), and Structured Threat Information Expression (STIX™) are mentioned in a May 28, 2013 article entitled "Feds Take A Leadership Role Toward Self-Defending Networks: Push for standards, continuous monitoring, and security automation may encourage industry and commercial sector collaboration and support" on NetworkWorld.com.

CVE, TAXII, and STIX are mentioned with regards to standards when the author discusses what he says are the three steps that are needed to realize "self-defending networks," including embracing standards, continuous monitoring, and acceptance of security automation: "Embracing standards. The secure cyber ecosystem concept is built on top of the Secure Content Automation Protocol (SCAP) leveraging a number of standards like Common Vulnerabilities and Exposures (CVE, Common Configuration Enumeration (CCE), and Common Platform Enumeration (CPE). These provide a foundation on the vulnerability and configuration side but self-defending networks need standard data formats and transport protocols for threats like the MITRE Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information eXpression (STIX). It’s likely that some of the Trusted Computing Group (TCG) standards for chain-of-trust, platform authentication, and data exchange will also come into play."

The author concludes the article by stating: "It’s nice to see that the Federal government recognizes this and is willing to push for technology innovation and change. This effort has the potential to bear fruit if the Feds can build security community awareness and push vendors and the commercial market to join the effort."

CVE Mentioned in Article about the OWASP Top 10 Security Flaws for 2013 on NetworkWorld.com

CVE and Common Weakness Enumeration (CWE™) were mentioned in a June 14, 2013 article entitled "Breaking down the OWASP Top 10 security flaws for 2013: What’s changed from OWASP’s 2010 list and why" on NetworkWorld.com’s "Security Blanket" blog.

CVE and CWE were mentioned in a section about why web application denial-of-service attacks (DoS) attacks were not included on the OWASP list in quotes by CVE/CWE Technical Lead Steve Christey, as follows: "Regarding application DoS – I don’t know if we should be so dismissive of it. The (negative) commentary I’ve seen on application DoS is concentrating on network-based attacks. (However,) there are other resource-consumption vulnerabilities that are gaining popularity in CVE, such as unrestricted XML entity expansion, a.k.a. "billion laughs" (CWE-776) (that causes a DoS due to) memory consumption. Another example is algorithmic complexity involving hash collisions that slow down hash-table lookups, which was all the rage about a year ago, (that causes a DoS due to) CPU consumption. More recently, Ruby and/or Ruby-based applications have been getting hit with a number of other resource-consumption issues, such as a memory DoS by forcing the creation of a large number of symbols."

Christey continued, "While I don’t know how often these are exploited, and they may be difficult to detect, or how often they’ll be exploited in the future, these kinds of application DoS issues are becoming popular. As code-execution vulnerabilities get harder to find, I suspect we will see more of these. This might not be enough to merit inclusion in the OWASP Top Ten, but is definitely something to watch out for."

CVE Mentioned in Article about Security Automation on GovernmentComputerNews.com

CVE and Open Vulnerability and Assessment Language (OVAL®) are mentioned in a June 17, 2013 article entitled "NIST, DHS push security automation to the next stage" on GovermentComputerNews.com. The main topic of the article is that automation is the future of network security and how "Agencies face challenges in getting to an automated environment, however, whether because of tight budgets, complex systems or automated tools that don’t necessarily work together. The federal government is supporting the effort by developing the standards that are necessary for interoperable tools and offering intrusion detection and prevention as a service to agencies."

CVE and OVAL are mentioned in a section listing the components of the U.S. National Institute of Standards and Technology's (NIST) "Security Content Automation Protocol (SCAP), a suite of interoperable specifications developed at the National Institute of Standards and Technology in collaboration with the public- and private-sector security community. Although NIST’s agenda for security automation goes beyond vulnerability management, SCAP in its present form, Version 1.2, deals primarily with endpoint compliance for configuration requirements. The specifications, contained in Special Publication 800-126, support automated configuration, vulnerability and patch checking, technical control compliance and security measurement." CVE is mentioned in the article as one of the enumerations used by SCAP as "standard nomenclatures and an official dictionary of items expressed using that nomenclature" and OVAL is mentioned as one of the languages used by SCAP for "expressing security policy, technical check mechanisms and assessment results."

CVE Compatibility Main Topic of Press Release by High-Tech Bridge SA

CVE and Common Weakness Enumeration (CWE™) were the main topics of a July 2, 2013 press release by High-Tech Bridge SA entitled "ImmuniWeb Web Security Assessment SaaS is certified CVE and CWE Compatible" about their ImmuniWeb product achieving both Official CVE-Compatible status and Official CWE-Compatible status.

The release also includes a quote by CVE Compatibility Lead Robert A. Martin, who states: "We are always excited about having the CVE and CWE efforts adopted and used within commercial offerings but it is especially gratifying when it is by companies in other countries and markets, like High-Tech Bridge. Leveraging CVE and CWE in ImmuniWeb clearly makes business sense and it is directly helping their customers improve the speed and directness as they address vulnerabilities and weaknesses that are putting their organization’s at risk."

High-Tech Bridge’s CVE Compatibility Questionnaire for ImmuniWeb is available as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site.

June 21, 2013

1 Product from High Tech Bridge Now Registered as Officially "CVE-Compatible"

cve compatible image One additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 136 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

High-Tech Bridge SA's

ImmuniWeb

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

May 3, 2013

Status Update on the CVE ID Syntax Change

As initially announced in the January 24, 2013 article "Call for Public Feedback on Upcoming CVE ID Syntax Change," due to the increasing volume of public vulnerability reports, the Common Vulnerabilities and Exposures (CVE) project will change the syntax of its standard vulnerability identifiers so that the CVE List can track more than 10,000 vulnerabilities in a single year as the current syntax, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year.

The initial plan called for a period of public feedback, followed by a formal vote by members of the CVE Editorial Board. That voting period has closed and resulted in a tie between Option A and Option B (for details on the three original options, please see https://cve.mitre.org/data/board/archives/2013-01/msg00011.html).

SECOND VOTE NEEDED

After discussion with the CVE Editorial Board, MITRE proposed dropping Option C from consideration, and offering a new selection between a slightly modified Option A and the current Option B.

The proposed (new) Option A extends the available numbering space to 8 digits, as opposed to the current 4 digits, or the earlier proposed 6 digits. Together with the unchanged Option B, the new options for consideration are:

Option A (Year + 8 digits, fixed length, with leading zeros)

Examples: CVE-2014-00000001, CVE-2014-00009999, CVE-2014-12345678

Option B (Year + arbitrary digits, no leading zeros except for IDs 1-999)

Examples: CVE-2014-0001, CVE-2014-0999, CVE-2014-1234567

If you are interested in following the discussion, you may subscribe to the CVE-ID-Syntax-Discuss mailing list, if you have not already done so, by following the instructions below:

To subscribe, send an email to listserv@lists.mitre.org. In the body of the email, type: subscribe CVE-ID-SYNTAX-DISCUSS-LIST

If you wish to have your name included in your subscription, or if you have trouble subscribing using the above, please use this alternate "Subscribe" line:

To subscribe using the alternate method, send an email to listserv@lists.mitre.org. In the body of the email, type: subscribe CVE-ID-SYNTAX-DISCUSS-LIST <your name>

SCHEDULE FOR SECOND VOTE

Public Discussion

Wednesday, 1 May 2013, 12:01 AM (EDT) — Discussion period opens to the CVE Editorial Board and CVE ID Syntax Discuss mailing lists.
Tuesday, 7 May 2013, 11:59 PM (EDT) — Discussion period closes.

CVE Editorial Board Voting

Wednesday, 8 May 2013, 12:01 AM (EDT) — Second official voting period begins.
Wednesday, 22 May 2013, 11:59 PM (EDT) — Second official voting period ends.

We will announce the results of the vote here as well as on the CVE Announce and other email lists as soon as the vote is complete and verified.

Please send any comments or concerns to cve@mitre.org.

MITRE Hosts CVE Booth at InfoSec World 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CVE at InfoSec World Conference & Expo 2013 at Walt Disney World Swan and Dolphin in Orlando, Florida, USA, on April 15-17, 2013.

Visit the CVE Calendar for information on this and other events.

CVE Mentioned in "Automating Security Compliance & Operations to Protect Critical Infrastructure" Webinar

MITRE Senior Information Assurance Engineer Luis Nunez was a guest speaker on the topic of Industry Collaboration in a webinar entitled "Automating Security Compliance & Operations to Protect Critical Infrastructure" on April 9, 2013. Senior Director of Systems Engineering, Federal, at Juniper Networks Tim LeMaster was also a speaker, and Bob Ackerman, SIGNAL Magazine Editor-in-Chief was the moderator. The event was sponsored by Juniper Networks.

Discussion topics for the webinar included: why automation is essential to protect critical network and computing infrastructures, cost-effective strategies for improved secure information-sharing, how to start simplifying network operations, and how network automation and orchestration are essential for seamless workflow management. Common Vulnerabilities and Exposures (CVE®) and Open Vulnerability and Assessment Language (OVAL®) were also mentioned.

April 4, 2013

Photos from CVE Booth at RSA 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CVE at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013.

Strengthening Cyber Defense booth photos:

Visit the CVE Calendar for information on this and other events.

March 21, 2013

CVE List Surpasses 55,000 CVE Identifiers

The CVE Web site now contains 55,027 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers.

The widespread adoption of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. Major OS vendors and other organizations from around the world also include CVE-IDs in their security alerts to ensure that the international community benefits by having the identifiers as soon as a problem is announced. In addition, CVE-IDs have been used to identify vulnerabilities in the SANS Top Cyber Security Risks threat list since its inception in 2000.

CVE has also inspired new efforts. MITRE’s Common Weakness Enumeration (CWE™) dictionary of software weakness types is based in part on the CVE List, and its Open Vulnerability and Assessment Language (OVAL®) effort uses CVE-IDs for its standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs. In addition, the U.S. National Vulnerability Database (NVD) of CVE fix information that is synchronized with and based on the CVE List also includes Security Content Automation Protocol (SCAP) content. SCAP employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the existing open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.

And in 2011, the International Telecommunication Union’s (ITU-T) Cybersecurity Rapporteur Group, which is the telecom/information system standards body within the treaty-based 150-year-old intergovernmental organization, adopted CVE as a part of its new "Global Cybersecurity Information Exchange techniques (X.CYBEX)" by issuing Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE), that is based upon CVE’s current Compatibility Requirements, and any future changes to the document will be reflected in subsequent updates to X.CVE.

Each of the 55,000+ identifiers on the CVE List includes the following: CVE Identifier number (read about the upcoming CVE Identifier Syntax Change); brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or OVAL-ID. Visit the CVE List page to download the complete list in various formats or to look-up an individual identifier. Fix information and enhanced searching of CVE is available from NVD.

CVE Editor’s Commentary Page Updated

One new item has been added to the CVE-Specific section of the CVE Editor’s Commentary page in the CVE List section: "Context-dependent" and "User-assisted" Terminology in CVE.

The CVE Editor’s Commentary page includes opinion and commentary about vulnerabilities, software assurance, and related topics by CVE List Editor Steve Christey. Posts are either Community Issues or CVE-Specific.

"Automating Security Compliance & Operations to Protect Critical Infrastructure" Webinar, April 9

MITRE Information Assurance Sr. Luis Nunez will be a guest speaker on the topic of Industry Collaboration in a webinar entitled "Automating Security Compliance & Operations to Protect Critical Infrastructure" on April 9, 2013 from 1:00 pm - 2:00 pm, Eastern Daylight Time. Senior Director of Systems Engineering, Federal, at Juniper Networks Tim LeMaster will also be a speaker, and Bob Ackerman, SIGNAL Magazine Editor-in-Chief will be the moderator. The event is sponsored by Juniper Networks.

Discussion topics for the webinar will include: why automation is essential to protect critical network and computing infrastructures, cost-effective strategies for improved secure information-sharing, how to start simplifying network operations, and how network automation and orchestration are essential for seamless workflow management.

For more information and to register visit http://www.afcea.org/signal/webinar.

March 13, 2013

MITRE to Host CVE Booth at InfoSec World 2013, April 15-17

MITRE will host a "Strengthening Cyber Defense" booth that includes CVE at InfoSec World Conference & Expo 2013 at Walt Disney World Swan and Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Attendees will learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 313 and say hello!

Visit the CVE Calendar for information on this and other events.

CVE Editorial Board Meeting Minutes Now Available

Meeting minutes from the CVE Editorial Board teleconference meeting held on January 8, 2013 are now available on the CVE Editorial Board Email Discussion List & Meetings Archive page in the CVE Community section.

CVE Editor’s Commentary Page Updated

Three new items have been added to the CVE-Specific section of the CVE Editor’s Commentary page in the CVE List section: "CVE and ‘weak’ crypto," "CVE abstraction choices and the Linux kernel," and "CVE Guidance for Libraries and Resource-Consumption DoS."

MITRE Hosts CVE Booth at RSA 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CVE at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013.

Visit the CVE Calendar for information on this and other events.

February 28, 2013

ALTX-SOFT Makes Declaration of CVE Compatibility

ALTX-SOFT declared that its repository of Open Vulnerability and Assessment Language (OVAL®) content, ALTX-SOFT Ovaldb, is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

NetentSec, Inc. Makes Declaration of CVE Compatibility

NetentSec, Inc. declared that its network application security product, Next Generation Firewall (NGFW), will be CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

February 7, 2013

CVE Booth at RSA 2013, February 25 – March 1

MITRE will host a "Strengthening Cyber Defense" booth that includes CVE at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013. Attendees will learn how CVE and other information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 2617 and say hello!

Visit the CVE Calendar for information on this and other events.

CVE Editorial Board Holds Teleconference Meeting

The CVE Editorial Board held a teleconference meeting on January 8, 2013 to discuss the Future of Global Vulnerability Reporting Summit at the Kyoto 2012 FIRST Technical Colloquium and the upcoming CVE Identifier syntax change.

January 24, 2013

Call for Public Feedback on Upcoming CVE ID Syntax Change

Due to the increasing volume of public vulnerability reports, the Common Vulnerabilities and Exposures (CVE) project will change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year. The current syntax, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year.

Since a change in the ID syntax will affect many parties including end users and vendors, the CVE project is soliciting feedback from the public before making this change.

The public feedback period will continue through the RSA Conference 2013, being held February 25 - March 1, 2013, where attendees will be able to speak with CVE personnel from MITRE and members of the CVE Editorial Board. After a formal Editorial Board vote, the final selection will be made and the public will be notified, currently planned for March 2013.

The syntax change is scheduled to go into effect on January 1, 2014, so that users will have enough time to change their processes and software to handle the new ID syntax.

With guidance from the CVE Editorial Board, we have identified three options for a new ID syntax, summarized as follows:

Option A (Year + 6 digits, with leading 0’s)

Examples: CVE-2014-000001, CVE-2014-009999, CVE-2014-123456

Option B (Year + arbitrary digits, no leading 0’s except IDs 1 to 999)

Examples: CVE-2014-0001, CVE-2014-54321, CVE-2014-123456

Option C (Year + arbitrary digits + check digit)

Examples: CVE-2014-1-8, CVE-2014-9999-3, CVE-2014-123456-5

One of these options will be selected as the new syntax for CVE Identifiers. More details are available here: https://cve.mitre.org/data/board/archives/2013-01/msg00011.html.

If you wish to comment on any of these options, you can:

Email your comment to cve-id-change@mitre.org, which is monitored by MITRE’s CVE Team members.
Post to a new, public discussion list that is focused on the CVE ID change. To subscribe, send an email to listserv@lists.mitre.org. In the body of the email, type:
subscribe CVE-ID-SYNTAX-DISCUSS-LIST
Reply on any of the public mailing lists to which this announcement has been posted (e.g., Bugtraq mailing list, oss-security mailing list, CVE-Announce, etc.).

Due to the high volume of replies that we expect to receive, we will not be able to respond to every email message; however, we will publish a summary of responses.

January 11, 2013

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2013

MITRE has announced its initial Making Security Measurable calendar of events for 2013. Details regarding MITRE’s scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

RSA Conference 2013, February 21-March 1, 2013
InfoSec World Conference & Expo 2013, April 15-17, 2013
Black Hat Briefings 2013, July 27-August 1, 2013

Other events may be added throughout the year. Visit the CVE Calendar for information or contact cve@mitre.org to have MITRE present a briefing or participate in a panel discussion about CVE®, OVAL®, CCE™, CPE™, CEE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, STIX™, TAXII™, and/or Making Security Measurable at your event.