News & Events


CVE IDs Assigned for Public Vulnerabilities Related to “The Shadow Brokers” Disclosures

August 23, 2016

A list of previously unpublished vulnerabilities was released last week by a group calling themselves “The Shadow Brokers.” This list includes references to Cisco, Juniper, Fortinet, WatchGuard, and TOPSEC products. As these vendors and vulnerability researchers confirm vulnerabilities, CVEs are being assigned for those products within scope of the program.

Cisco and Juniper, as CVE Numbering Authorities (CNAs), assign CVEs related to their products as appropriate. To date, Cisco assigned CVE IDs CVE-2016-6366 and CVE-2016-6367 to vulnerabilities they confirmed. Additionally, MITRE, as the primary CNA, assigned CVE IDs for the Fortinet and WatchGuard products based on publicly available information from the covered sources list. CVE-2016-6909 was assigned to the Fortinet vulnerability and CVE-2016-7089 was assigned to the WatchGuard vulnerability. As information about these vulnerabilities becomes available, the CVEs will be updated.

Visit CVE-2016-6366, CVE-2016-6367, CVE-2016-6909, and CVE-2016-7089 to learn more about these issues.

IMPORTANT NOTICE: Method to Request CVE IDs from MITRE Changing Soon

August 23, 2016

The method to request CVE IDs from MITRE will change on August 29, 2016.

Using the new method, CVE ID requestors will complete a "CVE Request" web form when requesting a CVE ID from MITRE. The previous practice of submitting requests via cve-assign@mitre.org will be discontinued.

The new web form will make it easier for requestors to know what information to include in their initial request, and will enhance MITRE's ability to respond to those requests in a timely manner. User instructions will be available on the CVE website and on the form itself. Upon completion of the form, the requestor will receive a confirmation message that the request was received and a reference number.

Please send any comments or concerns to cve@mitre.org.

Apache Software Foundation and Intel Corporation Added as CVE Numbering Authority (CNA)

August 19, 2016

The Intel Corporation and The Apache Software Foundation are now CVE Numbering Authorities (CNAs). CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID number. The following 27 organizations currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; Hewlett Packard Enterprise; IBM; ICS-CERT; Intel; JPCERT/CC; Juniper; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

CVE Mentioned in Article about Apple Patching OS X and iOS Vulnerabilities that Could Allow Remote Execution via Image Files on ZDNet

August 2, 2016

CVE is mentioned in a July 22, 2016 article entitled "iOS, Mac vulnerabilities allow remote code execution through a single image" on ZDNet. The main topic of the article is that "Security flaws which affect both Apple iOS and Mac devices permit attackers to grab your passwords and data, researchers claim. … a set of five vulnerabilities, if exploited, could lead to data theft and remote code execution -- which in its worst state may result in device hijacking."

CVE is mentioned when the author states: "The set of bugs, CVE-2016-4631, CVE-2016-4629, CVE-2016-4630, CVE-2016-1850, and CVE-2016-4637, are all caused by how Apple processes image formats. Apple offers APIs as interfaces for accessing image data, and … there are five remote code execution flaws related to this system. The image files which place Mac and iOS users at risk are .tiff, often used in publishing, OpenEXR, Digital Asset Exchange file format XML files, and BMP images." "The malware avoids detection due to the processing weaknesses, and if exploited, this leads to a heap buffer flow issue which extends to remote code execution."

In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-4631, CVE-2016-4629, CVE-2016-4630, CVE-2016-1850, and CVE-2016-4637 to learn more about these issues.

CVE Mentioned in Article about Oracle's Quarterly Critical Patch Update for 276 Vulnerabilities on ADTMag

August 2, 2016

CVE is mentioned in a July 21, 2016 article entitled "Oracle's Quarterly CPU Fixes Record Number of Vulnerabilities" on ADTMag. The main topic of the article is that "Oracle Corp.'s latest Critical Patch Update (CPU), issued this week, fixed a record 276 vulnerabilities in a range of the company's products, including 13 in Java SE, some of which received high-severity scores."

CVE is mentioned when the author states: "Each vulnerability is issued a unique CVE number. Two of the Java vulnerabilities (CVE-2016-3587 and CVE-2016-3606) earned a CVSS score of 9.6 (the highest is 10.0), and both allow remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot VM … these vulnerabilities relate to Java features introduced in versions Java SE 7 and above, which support the 'invokedynamic' feature that enables dynamic code execution and scripting. [The] less severe CVE-2016-3550 (CVSS score of 4.3) also applies to the HotSpot JVM internals for Java SE versions 6, 7, and 8."

In addition, Oracle is a CVE Numbering Authority (CNA), assigning CVE IDs for Oracle issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-3587, CVE-2016-3606, and CVE-2016-3550 to learn more about these issues.

Minutes from CVE Editorial Board Teleconference Meeting on July 14 Now Available

August 2, 2016

The CVE Editorial Board held a teleconference meeting on July 14, 2016. Read the meeting minutes.

CVE Mentioned in Article about High Percentage of Vulnerabilities Found Unpatched in Industrial Control Systems (ICS) on Softpedia

July 13, 2016

CVE is mentioned in a July 11, 2016 article entitled "92 Percent of Internet-Available ICS Hosts Have Vulnerabilities" on Softpedia.

The main topic of the article is discussion of a July 2016 report by Kaspersky Lab that "…following an Internet-wide scan, [Kaspersky] found 188,019 hosts connected to ICS equipment, in 170 countries around the globe. Over 170,000 Internet-available ICS devices have vulnerabilities. Of these, 92 percent, or 172,982, contained vulnerabilities that can be exploited to attack, take over, or even harm devices and their normal mode of operation."

CVE is mentioned when the author states: "According to Kaspersky, most of the vulnerable devices are located in the US (57,417), followed at a long distance by Germany (26,142), Spain (11,264), France (10,578), and Canada (5,413). Most of these devices are available to external connections via the HTTP protocol (116,900), Telnet (29,586), Niagara Fox (20,622), SNMP (16,752), or Modbus (16,233) … The vulnerability encountered by far in ICS/SCADA equipment was Sunny WebBox Hard-Coded Credentials (CVE-2015-3964), found in 11,904 devices."

Visit CVE-2015-3964 to learn more about this issue.

CVE Mentioned in Article about Two Critical Windows Printer Spooler Vulnerabilities on Threatpost

July 13, 2016

CVE is mentioned in a July 12, 2016 article entitled "Windows Print Spooler Flaws Lead to Code Execution" on Threatpost.

The main topic of the article is that Microsoft's July Patch Tuesday "patched a legitimate [networked printer] vulnerability that an attacker could abuse to attack corporate and home networks. MS16-087, one of a half-dozen critical security bulletins published today by Microsoft, patches a pair of flaws in Windows Print Spooler components. The most serious of the vulnerabilities patched today can be attacked either with local access to the printer, via drive-by download, or by spoofing a shared network print server that is then broadcast with auto-discovery."

CVE is mentioned when the author states: "The flaw, CVE-2016-3238, affects all supported versions of Windows, and allows an attacker to install and execute a driver that acts essentially as a wrapper for malicious code…"

In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-3238 to learn more about this issue.

CVE Mentioned in Article about Adobe Issuing 52 Patches for Flash Player for July on Softpedia

July 13, 2016

CVE is mentioned in a July 12, 2016 article entitled "Adobe Flash Player Receives 52 Security Patches" on Softpedia. The main topic of the article is that Adobe Systems, Inc. "released security fixes for Flash Player that addressed a total of 52 security issues" in its Patch Tuesday updates for July.

The CVE-IDs cited in this article include the following: CVE-2016-4247, CVE-2016-4223, CVE-2016-4224, CVE-2016-4225, CVE-2016-4249, CVE-2016-4232, CVE-2016-4178, CVE-2016-4176, CVE-2016-4177, and CVE-2016-4216.

In addition, Adobe is a CVE Numbering Authority (CNA), assigning CVE-IDs for Adobe issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE Mentioned in Article about Google Issuing 108 Patches for Android for July on eWeek

July 13, 2016

CVE is mentioned in a July 7, 2016 article entitled "Google Issues Largest Android Security Update" on eWeek. The main topic of the article is that Google, Inc.'s July Android update "far exceeds any past Android update in terms of the total number of vulnerabilities, and it introduces a new two bundle patch set approach to help accelerate the overall patching process."

The CVE-IDs cited in this article include the following: CVE-2016-2108, CVE-2016-2503, CVE-2016-2067, CVE-2016-3768, CVE-2016-2068, CVE-2016-3797, CVE-2016-3769, CVE-2015-8816, and CVE-2016-3775.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Minutes from CVE Editorial Board Teleconference Meeting on June 30 Now Available

July 13, 2016

The CVE Editorial Board held a teleconference meeting on June 30, 2016. Read the meeting minutes.

Hewlett Packard Enterprise Added as CVE Numbering Authority (CNA)

June 29, 2016

Hewlett Packard Enterprise (HPE) is now a CVE Numbering Authority (CNA) for HPE issues. In 2015, Hewlett-Packard Company, which was formerly a CNA, split into two separate organizations—Hewlett Packard Enterprise and HP Inc.—both of which are now CNAs for their own issues.

CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE-ID number. The following 25 organizations currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; HPE; IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

HP Inc. Added as CVE Numbering Authority (CNA)

June 29, 2016

HP Inc. is now a CVE Numbering Authority (CNA) for HP Inc. issues. In 2015, Hewlett-Packard Company, which was formerly a CNA, split into two separate organizations—HP Inc. and Hewlett Packard Enterprise—both of which are now CNAs for their own issues.

CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE-ID number. The following 25 organizations currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; HPE; IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

Minutes from CVE Editorial Board Teleconference Meeting on June 2 Now Available

June 29, 2016

The CVE Editorial Board held a teleconference meeting on June 2, 2016. Read the meeting minutes.

CVE Mentioned in Article about the Android "Godless" Malware on Top Tech News

June 29, 2016

CVE is mentioned in a June 22, 2016 article entitled "New 'Godless' Malware Targets Android Mobile Devices" on Top Tech News. The main topic of the article is discovery of the "Godless" family of malware targeting Android mobile devices that uses multiple exploits to root users' devices and can root 90% of Android phones.

CVE is mentioned in a section of the article entitled "Bypassing Security Checks," when the author states: "Godless is similar to an exploit kit … [with a framework that] has various exploits in its arsenal that it can use to root a number of different Android-based devices. The two most prominent vulnerabilities targeted by the rooting kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the Towelroot exploit). By gaining root privilege, Godless can connect to a command-and-control (C&C) server capable of delivering remote instructions that force the device to download and install additional apps without the user's knowledge. At best, a user receives unwanted apps on the phones. At worst, the same technique can be used to install a backdoor or spy on the user."

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2015-3636 and CVE-2014-3153 to learn more about these issues.

CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for June on SC Magazine

June 29, 2016

CVE is mentioned in a June 14, 2016 article entitled "Microsoft's June Patch Tuesday features 16 bulletins, five rated critical" on SC Magazine. The main topic of the article is "Microsoft's June Patch Tuesday offering served up 16 update bulletins with five rated critical covering 44 CVEs, which equaled the number posted in May, but with three fewer critical issues." "The impacted applications are: Windows, Internet Explorer, Edge and Office and Office services and web apps. The remaining 11 bulletins all had an "important" rating."

The CVE-IDs cited in this article include the following: CVE-2016-0025, CVE-2016-3225, CVE-2016-3236, and CVE-2016-3230.

In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.


1 Product from NileSOFT Now Registered as Officially "CVE-Compatible"

June 29, 2016

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE website. A total of 152 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

NileSOFT Ltd. - Secuguard Web Security Explorer (WSE) Webscan

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Huawei Technologies Makes Declaration of CVE Compatibility

June 29, 2016

Huawei Technologies Co., Ltd. declared that its firewall and application security gateway, Huawei Next Generation Firewall, is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

CVE Mentioned in Article about a Zero-Day Adobe Flash Vulnerability on SC Magazine

June 20, 2016

CVE is mentioned in a June 16, 2016 article entitled "Adobe patches critical zero-day vulnerability in Flash Player" on SC Magazine.

CVE is mentioned at the beginning of the article when the author states: "Adobe released a Flash Player update containing patches for 36 vulnerabilities, including the zero-day CVE-2016-4171, a critical issue that was called out earlier this week as having been spotted hitting targets in the wild. CVE-2016-4171 affects Flash Player version 21.0.0.242 and earlier in Adobe Desktop Runtime, Extended Support Release, Google Chrome, Microsoft Edge and Internet Explorer 11 and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system …"

In addition, Adobe is a CVE Numbering Authority (CNA), assigning CVE-IDs for Adobe issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-4171 to learn more about this issue.

CVE Mentioned in Article about Google Issuing 40 Patches for Android in June on eWeek

June 20, 2016

CVE is mentioned in a June 7, 2016 article entitled "Google Patches 40 Android Flaws in June Update" on eWeek. The main topic of the article is that in its June Android update Google "fixed 40 vulnerabilities, eight of which are rated critical. Once again, the security update includes a familiar set of flaws, with media server issues and Qualcomm drivers topping the list."

The CVE-IDs cited in this article include the following: CVE-2016-2062, CVE-2016-2464, CVE-2016-2465, CVE-2016-2466, CVE-2016-2467, CVE-2016-2468, CVE-2016-2060, CVE-2016-2463, CVE-2016-2495, and CVE-2016-2500.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE Mentioned in Article about Vulnerabilities in Samsung Knox on Tech Republic

June 1, 2016

CVE is mentioned in a May 31, 2016 article entitled "Samsung Knox isn't as secure as you think it is" on Tech Republic. The main topic of the article is that Samsung's "Samsung Knox, the security system that runs on a plethora of the company's Android smartphones, was recently found to be suffering from a host of security problems."

CVE is first mentioned when the author states: "The first of the three big vulnerabilities that were found was described as 'Weak eCryptFS Key generation from user password on Knox 1.0 / Android 4.3,' known officially as CVE-2016-1919 … The eCryptFS key is supposed to mix the user's password and a 32-bit key to provide encryption, but the vulnerability 'allows an attacker to decrypt Knox encrypted data without knowing the user's password.'" CVE is mentioned a second time, as follows: "Next up was the vulnerability CVE-2016-1920, which allows an app running outside of Knox to run a man-in-the-middle (MITM) attack against Knox SSL traffic. With this vulnerability, a third-party app running VPN-related permissions can run traffic through it." CVE is mentioned a third time when the author states: "Last, but not least, was CVE-2016-3996, which 'allows an attacker to steal the contents of the Knox clipboard.'"

Visit CVE-2016-1919, CVE-2016-1920, and CVE-2016-3996 to learn more about these issues.

CVE Mentioned in Article about Two Critical Vulnerabilities in LG Mobile Devices on ZDNet

June 1, 2016

CVE is mentioned in a May 31, 2016 article entitled "Device hijacking security flaws discovered in LG handsets" on ZDNet. The main topic of the article is the discovery of two critical security flaws "impacting LG devices [that] could be exploited to compromise user devices, leading to device hijacking and data theft".

CVE is mentioned when the author states: "CVE-2016-3117, was discovered in LG's privileged service. Dubbed LGATCMDService, the service is not protected by bind permissions, which means that any application — regardless of its origins — can communicate with it … If exploited, this could lead to privilege escalation and device hijacking, rebooting, disabling USB connections, wiping, identifying private IDs such as a device's MAC address or completely bricking the device itself. The second security flaw, CVE-2016-2035, lies within LG's implementation of the WAP Push protocol. This protocol is used to send URLs to mobile devices through SMS messages, but due to LG's implementation of the system, an SQL vulnerability is present."

Visit CVE-2016-3117 and CVE-2016-2035 to learn more about these issues.

CVE Mentioned in Article about an Alert from ICS-CERT about Two SCADA Vulnerabilities on Info Security

June 1, 2016

CVE is mentioned in a May 31, 2016 article entitled "US ICS-CERT Urges Admins to Mitigate New SCADA Risk" on Info Security. The main topic of the article is that the U.S. Department of Homeland Security "issued an alert urging IT administrators in the energy sector to take steps to mitigate two serious vulnerabilities in SCADA products … from the department's ICS-CERT, and concerns two bugs discovered in … [Environmental Systems Corporation's (ESC) ESC 8832 Version 3.02 and earlier versions]."

CVE is mentioned when the author states: "Both bugs have been given a CVSS v3 base score of 7.5. The first – CVE-2016-4501 – is an authentication bypass vulnerability which could allow an attacker to make unauthorized modifications to the device's configuration. The second – CVE-2016-4502 – is a privilege management bug which could allow a hacker to "gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter." An attacker with only low skill could exploit these two vulnerabilities remotely, ICS-CERT warned. To mitigate the risk of such an exploit, ESC recommends admins either upgrade the device, block Port 80 with a firewall, or manage the device not through the web interface but alternative means."

In addition, ICS-CERT is a CVE Numbering Authority (CNA). CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-4501 and CVE-2016-4502 to learn more about these issues.

CVE Mentioned in Article about a Vulnerability in Patient Medical Data Tracking Software on The Register

June 1, 2016

CVE is mentioned in a May 30, 2016 article entitled "CERT warns of hardcoded creds in medical app" on The Register. The main topic of the article is that US-CERT "issued a warning after admin credentials were found in a popular medical application used for acquiring patient data" that is used in about "1,000 healthcare facilities".

CVE is mentioned when the author states: "The MEDHOST application is designed for handling the perioperative three stages of surgery including patient tracking, and patient conditions. It can be hosted and managed remotely … The flaw meant attackers could key in the details and access patient data on servers that did not restrict logins from unknown locations … the hardcoded credential flaw (CVE-2016-4328) in MEDHOST Perioperative Information Management System in versions older than 2015R1."

Visit CVE-2016-4328 to learn more about this issue.

Minutes from CVE Editorial Board Teleconference Meeting on May 19 Now Available

June 1, 2016

The CVE Editorial Board held a teleconference meeting on May 19, 2016. Read the meeting minutes.

Distributed Weakness Filing Project Added as CVE Numbering Authority (CNA)

May 24, 2016

The Distributed Weakness Filing (DWF) Project is now a CVE Numbering Authority (CNA) for open source software issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE-ID number. The following 24 organizations currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

CVE Mentioned in Article about a Critical Symantec Vulnerability on SC Magazine

May 18, 2016

CVE is mentioned in a May 17, 2016 article entitled "Symantec's anti-virus engine updated, flaw could cause Blue Screen of Death" on SC Magazine. The main topic of the article is that Symantec Corporation "released an update to its anti-virus engine (AVE) to repair a kernel-level flaw making the software susceptible to a memory access violation when parsing a specifically-crafted portable-executable (PE) header file."

CVE is mentioned when the author states: "Symantec said the critical vulnerability, CVE-2016-2208, affected Symantec anti-virus engine version 20151.1.0.32. These malformed PE files do not require any user interaction to trigger the parsing of the malformed files, but they can be received through email, downloading a document or application or by visiting a malicious web site."

In addition, Symantec is a CVE Numbering Authority (CNA), assigning CVE-IDs for Symantec issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-2208 to learn more about this issue.

CVE Mentioned in Article about Apple Issuing Numerous Patches for iOS and OS X on eWeek

May 18, 2016

CVE is mentioned in a May 17, 2016 article entitled "Apple Makes Security Improvements to iOS and OS X" on eWeek. The main topic of the article is that Apple, Inc.'s "iOS alone is being patched for 39 vulnerabilities, but it's not just about fixing existing flaws; the update is also providing new features to harden security."

The CVE-IDs cited in this article include the following: CVE-2016-1793, CVE-2016-1794, CVE-2016-1801, CVE-2016-1803, CVE-2016-1807, CVE-2016-1813, CVE-2016-1819, CVE-2016-1821, CVE-2016-1823, and CVE-2016-1846.

In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE-IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE Identifier "CVE-2016-4117" Cited in Numerous Security Advisories and News Media References about a Zero-Day Adobe Flash Vulnerability

May 18, 2016

"CVE-2016-4117" is cited in numerous major advisories, posts, and news media references related to the recent zero-day Adobe Flash vulnerability, including the following examples:

Other news articles may be found by searching on "CVE-2016-4117" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4117 includes a list of advisories used as references.

Minutes from CVE Editorial Board Teleconference Meeting on May 5 Now Available

May 18, 2016

The CVE Editorial Board held a teleconference meeting on May 5, 2016. Read the meeting minutes.

Nurun IT Consulting Services Makes Declaration of CVE Compatibility

May 18, 2016

Nurun IT Consulting Services declared that its Neo Threat Management Solution (NTMS) is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

NileSOFT Makes Declaration of CVE Compatibility

May 18, 2016 | Share this article

NileSOFT Ltd. declared that its Secuguard Web Security Explorer (WSE) Webscan is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

FOCUS ON: CVE Program Status Update

May 4, 2016 | Share this article

We continue to work diligently on expanding CVE assignment in ways that meet the needs of all the various use cases of CVE. Towards that end, we have begun increasing the number of organizations participating as CVE Numbering Authorities (CNAs). We are also working closely with the CVE Editorial Board to define additional ways for CNAs to enable CVE to expand its coverage. Updates on our progress will continue to be posted here as soon as they occur.

CVE Mentioned in Article about a Zero-Day Vulnerability in ImageMagick's Image Processing Library on Softpedia

May 4, 2016 | Share this article

CVE is mentioned in a May 3, 2016 article entitled "ImageTragick Exploit Used in Attacks to Compromise Sites via ImageMagick 0-Day" on Softpedia. The main topic of the article is the May 3 announcement of "a vulnerability in the ImageMagick image processing library deployed with countless Web servers, a zero-day which [the researchers who discovered the issue] say has been used in live attacks."

CVE is mentioned when the author states: "Nicknamed ImageTragick and identified via the CVE-2016-3714 vulnerability ID, the issue has a massive attack surface, since, alongside the GD library, ImageMagick is one of the most used image processing toolkits around … Mitigation instructions are available on ImageTragick's website."

Visit CVE-2016-3714 to learn more about this issue.

CVE Mentioned in Article about 40 Android Vulnerabilities on SC Magazine

May 4, 2016 | Share this article

CVE is mentioned in a May 3, 2016 article entitled "Google patches 40 Android security flaws" on SC Magazine. The main topic of the article is that Google Inc. "released patches for 40 security vulnerabilities affecting Android devices. Vulnerabilities include remote code execution, elevated privilege, and remote denial of service (DoS) flaws. Six of the vulnerabilities are rated as critical flaws and 10 vulnerabilities are rated as high severity."

CVE is first mentioned when the author states: "The most severe vulnerability (CVE-2016-2428 and CVE-2016-2429) affects media files processing, a recurring issue for Android devices. The flaw allows remote code execution when devices receive a malicious email or MMS message, or through viewing an infected webpage."

CVE is mentioned a second time, as follows: "The elevated privilege vulnerabilities affecting Android's integrated debugger (CVE-2016-2430) and Qualcomm TrustZone (CVE-2016-2432) allow malicious applications to execute arbitrary code within the debugger and the TrustZone kernel, respectively. The flaws may permanently compromise devices and may require an operating system reflash."

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-2428, CVE-2016-2429, CVE-2016-2430, and CVE-2016-2432 to learn more about these issues.

CVE Mentioned in Article about Severe Vulnerabilities in Firefox 46 on Threatpost

May 4, 2016 | Share this article

CVE is mentioned in an April 27, 2016 article entitled "Firefox 46 Patches Critical Memory Vulnerabilities" on Threatpost. The main topic of the article is that Mozilla Corporation "updated Firefox and patched 10 vulnerabilities, one which was rated critical. Firefox 46 also included patches for four vulnerabilities that Mozilla rated as high severity. Critical bugs enabled remote code execution without user interaction, while bugs rated high can be exploited to steal browser data or inject code into websites via the browser."

CVE is mentioned when the author states: "The critical vulnerability was found internally and included four memory-related flaws in the browser engine used by Firefox and other Mozilla software. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in its advisory. All four bugs—CVE-2016-2807, CVE-2016-2806, CVE-2016-2805, and CVE-2016-2804—cause the browser to crash; CVE-2016-2805 affects only Firefox ESR 38.8."

In addition, Mozilla is a CVE Numbering Authority (CNA), assigning CVE-IDs for Mozilla issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-2807, CVE-2016-2806, CVE-2016-2805, and CVE-2016-2804 to learn more about these issues.

Minutes from CVE Editorial Board Teleconference Meeting on April 21 Now Available

May 4, 2016 | Share this article

The CVE Editorial Board held a teleconference meeting on April 21, 2016. Read the meeting minutes.

Juniper Added as CVE Numbering Authority (CNA)

April 22, 2016 | Share this article

Juniper Networks, Inc. is now a CVE Numbering Authority (CNA) for Juniper issues only. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE-ID number. The following 23 organizations currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; EMC; FreeBSD; Google; HP; IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

New CVE Editorial Board Member for US-CERT

April 22, 2016 | Share this article

Tom Millar of US-CERT has joined the CVE Editorial Board.

Read the full announcement and welcome message in the CVE Editorial Board email discussion list archive.

Two CVE Identifiers Cited in Numerous Security Advisories and News Media References about the "Badlock" Vulnerability

April 22, 2016 | Share this article

Two CVE Identifiers — CVE-2016-0128 and CVE-2016-2118 — are cited in numerous major advisories, posts, and news media references related to the "Badlock" vulnerability, including the following examples:

Other news articles may be found by searching on "CVE-2016-0128" and "CVE-2016-2118" using your preferred search engine. Also, the CVE Identifier pages https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0128 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2118 include lists of advisories used as references.

CVE Editorial Board Holds Teleconference Meeting

April 22, 2016 | Share this article

The CVE Editorial Board held a teleconference meeting on March 30, 2016. Read the meeting minutes.

CVE Mentioned in an Article about a Severe Cisco Firewall Vulnerability on ThreatPost

April 5, 2016 | Share this article

CVE is mentioned in an April 4, 2015 article entitled "Cisco 'High Severity' Flaw Lets Malware Bypass Firepower Firewall" on ThreatPost. The main topic of the article is that Cisco recently patched a "critical vulnerability found in its recently introduced line of FirePower firewall products. The vulnerability, according to Cisco, allows attackers to slip malware onto critical systems without detection. The flaw also impacts Snort, an open source network-based intrusion detection system also owned by Cisco."

CVE is mentioned as follows: "Cisco alerted customers of the vulnerability (CVE-2016-1345) last week classifying it as "high severity". The networking firm has released software updates that address the vulnerability in Cisco Firepower System Software 5.4.0.7 and later, 5.4.1.6 and later and 6.0.1 and later."

In addition, Cisco is a CVE Numbering Authority (CNA), assigning CVE-IDs for Cisco issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-1345 to learn more about this issue.

CVE Mentioned in Article about an Apple OS X and iOS Zero-Day Vulnerability on Tech Times

April 5, 2016 | Share this article

CVE is mentioned in a March 28, 2016 article entitled "Zero-Day Vulnerability Bypasses Apple's Security Features To Compromise OS X And iOS Devices: Update Now" on Tech Times. The main topic of the article is that "A security analyst from SentinelOne unveiled a critical zero-day vulnerability that affects all versions of Apple's OS X and some iOS versions. By using the vulnerability, hackers can get full access of the affected device, making it easy to steal sensitive data and bypass the company's protection feature."

CVE is mentioned when the author states: "…SentinelOne reported back in January about a critical vulnerability in both the iOS and OS X codes, which permits local privilege escalation as well as a surprisingly easy bypassing of the SIP, sans kernel exploit. Codenamed CVE-2016-1757, the zero-day vulnerability is a Non-Memory Corruption bug. This means that it makes it easy for hackers to do a number of things, such as executing remote code (Remote Code Execution), running custom-made code on your device and even perform sandbox escapes."

In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE-IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-1757 to learn more about this issue.

CVE Mentioned in Article about Four Vulnerabilities Used in Ransomware Attacks on Dark Reading

April 5, 2016 | Share this article

CVE is mentioned throughout a March 22, 2016 article entitled "Here Are 4 Vulnerabilities Ransomware Attacks Are Exploiting Now" on Dark Reading. The main topic of the article is that "there's a common thread in the most recent ransomware attacks: they use four known Adobe Flash Player and Microsoft Silverlight software bugs that have patches available, according to new research published today."

CVE is first mentioned at the beginning of the article when the author states: "So if you haven't already patched recently revealed Flash flaws CVE-2015-7645, CVE-2015-8446, CVE-2015-8651, and Microsoft Silverlight's CVE-2016-0034, you'll "significantly" minimize your risk of getting hit by the latest in ransomware threats if you apply these updates, according to Recorded Future, which analyzed which vulns were being exploited most in ransomware attacks as of March 16."

CVE is mentioned a second time, when the author states: "The Angler, Neutrino, Magnitude, RIG, and Nuclear exploit kits spread the Flash CVE-2015-7645 exploit; Angler spreads Flash CVE-2015-8446; Angler and Neutrino spread Flash CVE-2015-8651; and Angler spreads Silverlight CVE-2016-0034, an exploit exposed in the Hacking Team breach. In addition to patching these four vulns, Recorded Future offers additional recommendations for thwarting ransomware attacks: set Flash to "click to play;" run browser ad-blockers to protect against malvertising-borne attacks; and perform regular backups, especially of shared files, which are often the target of ransomware attacks."

In addition, both Adobe and Microsoft are CVE Numbering Authorities (CNAs), with Adobe assigning CVE-IDs for Adobe issues and Microsoft assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2015-7645, CVE-2015-8446, CVE-2015-8651, and CVE-2016-0034 to learn more about these issues.

CVE Mentioned in Article about 49 Chrome Vulnerabilities on SC Magazine

April 5, 2016 | Share this article

CVE is mentioned throughout a March 28, 2016 article entitled "Google patches Chrome 49 vulnerabilities" on SC Magazine. The main topic of the article is that Google Inc. "released a patch on Thursday [March 24, 2016] for vulnerabilities affecting the latest version of Chrome for Windows, Mac, and Linux, including several high-risk issues."

The CVE-IDs cited in this article include the following: CVE-2016-1646, CVE-2016-1649, CVE-2016-1647, CVE-2016-1648, and CVE-2016-1650.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE Cited as Product Feature in Press Release for Threat Stack's Cloud Security Platform

April 5, 2016 | Share this article

CVE is cited as a product feature in a March 30, 2016 press release entitled "Threat Stack Announces Most Comprehensive Cloud Security Vulnerability Verification: Cloud Security Platform Provides Automated CVE Check Against Every Package Installed" by Threat Stack, Inc.

CVE is mentioned in a quote by Threat Stack's vice president of products and customer advocacy, Venkat Pothamsetty, who states: "Threat Stack wants to keep customers as current as possible on critical CVEs. The Threat Stack Cloud Security Platform compares every single CVE published to every package installed, cross-checks against all corresponding vendor advisories on those packages and pinpoints to the image ID on the affected servers. The extensive approach we take is resulting in the least false positive rate of CVEs in the industry."

CVE is also mentioned in the conclusion to the press release, as follows: "By providing vulnerability management at the workload layer, Threat Stack gives customers the confidence they're managing CVEs efficiently, enabling them to focus on more high-priority security threats."

1 Product from Beijing Leadsec Technology Now Registered as Officially "CVE-Compatible"

April 5, 2016 | Share this article

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 151 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Beijing Leadsec Technology Co., Ltd. - Leadsec Web Application Firewall (Leadsec WAF)

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

1 Product from Hillstone Networks Now Registered as Officially "CVE-Compatible"

April 5, 2016 | Share this article

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 151 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Hillstone Networks - Intrusion Prevention System

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVE Mentioned in Article about Three Critical Vulnerabilities in Symantec Endpoint Protection on InfoWorld

March 22, 2016 | Share this article

CVE is mentioned in a March 21, 2016 article entitled "Symantec fixes high-risk flaws in Symantec Endpoint Protection" on InfoWorld. The main topic of the article is that Symantec Corporation "fixed three high-risk security vulnerabilities in Symantec Endpoint Protection last week, which serves as a reminder: Security software needs to be regularly patched, too."

All three vulnerabilities are identified by their CVE-ID numbers, as follows: "The cross-site request forgery flaw (CVE-2015-8152) and SQL injection bug (CVE-2015-8153) in the SEP Management Console can be exploited to give authorized users more elevated privileges than originally assigned. These vulnerabilities, if successfully exploited, make it easier for attackers because they no longer need to try to steal administrator-level credentials. They can intercept lower-level user credentials and bump up the privileges as needed." "The third flaw (CVE-2015-8154) was in the SysPlant.sys driver, which Symantec Endpoint Protection loads on Windows clients as part of Application and Device Control (ADC) component. The driver prevents untrusted code from running on Windows systems. If the vulnerability is successfully exploited, the attacker bypasses the ADC to execute malicious code on the system with the same privileges as the logged on user."

In addition, Symantec is a CVE Numbering Authority (CNA), assigning CVE-IDs for Symantec issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2015-8152, CVE-2015-8153, and CVE-2015-8154 to learn more about these issues.

CVE Mentioned in Article about a Linux Kernel Vulnerability in Android on eWeek

March 22, 2016 | Share this article

CVE is mentioned in a March 21, 2016 article entitled "Google Updates Android for Linux Kernel Flaw" on eWeek. The main topic of the article is that Google, Inc. issued an "unprecedented mid-month emergency patch update" for a Linux kernel vulnerability. The article also discusses the "Metaphor" exploit for the previously patched Android "Stagefright" vulnerability.

CVE is first mentioned when the author states: "Android Security Advisory 2016-03-18 is an out-of-band update for a privilege escalation vulnerability identified as CVE-2015-1805. As the CVE number implies, the vulnerability dates back to 2015 when it was first discovered in the upstream Linux kernel. While Google did not have a formal patch for the issue until March 18, Google's Verify Apps technology already was identifying and blocking apps that attempted to use the vulnerability. Verify Apps is a Google technology that works for both Google Play apps as well as apps installed from third-party sources as a scanning technology that looks for malicious components. Google noted in its security advisory that the CVE-2015-1805 was set to be included as a formal patch in a future Android update. That plan changed on March 15, when security firm Zimperium reported that it was aware of the CVE-2015-1805 vulnerability being used successfully to exploit a Nexus 5 device."

CVE is mentioned a second time, as follows: "Of note also is the fact that in the scheduled March 7 update, Google patched a high-severity issue identified as CVE-2016-0824 in the Stagefright media library. Google has patched the libstagefright (Stagefright) and Android media libraries multiple times since August 2015…" CVE is then mentioned a third time, when the author states: "In unrelated research, security firm NorthBit reported on March 18 that a Stagefright exploit it referred to as Metaphor is attacking Android. The Metaphor exploit makes use of a vulnerability identified as CVE-2015-3864, which Google patched in August 2015."

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2015-1805, CVE-2016-0824, and CVE-2015-3864 to learn more about these issues.

FOCUS ON: CVE Program Status Update

March 21, 2016 | Share this article

The recent explosion of Internet-enabled devices—known as the Internet of Things—as well as the propagation of software-based functionality in systems has led to a huge increase in the number of CVE requests we have been receiving on a daily basis. We did not anticipate this rate of growth, and, as a result, were not as prepared for the latest surge in requests over the past 12 months as we had hoped. The result has been some of the delay in CVE assignments that the software security community has recently witnessed.

We recognize the inconvenience that has resulted, and are working hard to come up with a solution.

Last week, we proposed a possible option to our CVE Editorial Board, but some members raised concerns about the approach, and we have withdrawn it from consideration. We are working diligently to come up with a solution that will meet the needs of all the various use cases of CVE.

The CVE Team, March 21, 2016

FOCUS ON: CVE Program Status

March 11, 2016 | Share this article

CVE has been experiencing an unprecedented demand for vulnerability IDs. We look forward to working with the CVE Editorial Board and the broader vulnerability management community to significantly improve stakeholder communication, and improve and scale CVE operations to reduce ID assignment response times and increase product coverage. Details as they become available will be posted to https://cve.mitre.org/.

The CVE Team, March 11, 2016

CVE Mentioned in Article about Tripwire's "2016 Patch Management Study" on Dark Reading

March 10, 2016 | Share this article

CVE is mentioned in a March 8, 2016 article entitled "Patch Management Still Plagues Enterprise" on Dark Reading. The main topic of the article is that "In spite of years of data showing effective patch management to be some of the lowest-hanging fruit in improving IT risk management, half of enterprises today still aren't getting it right. So says a new survey out today [by Tripwire, Inc.], which queried over 480 IT professionals on their patch management practices."

CVE is mentioned in a quote by Tim Erlin, Director, Product Management, Security and IT Risk Strategist at Tripwire, who states: "The fact is that we, as an industry, consistently conflate vulnerabilities with patches. They are not the same thing! The fact is, we identify known vulnerabilities with CVE IDs, and vendors release increments of code that address some of those CVE IDs. It’s not a one-to-one relationship, except when it is, and bundles are common, except from vendors who don't roll up patches. Sometimes patches don't fix all the vulnerabilities, and sometimes they fix multiple vulnerabilities on some platforms but not others. Sometimes a patch is an upgrade, sometimes it's not, and sometimes you can apply an individual patch or an upgrade to fix disparate but overlapping sets of vulnerabilities."

The "Tripwire 2016 Patch Management Study" findings are free to read at http://www.tripwire.com/company/research/tripwire-2016-patch-management-study/.

CVE Mentioned in Article about Three Critical Chrome Vulnerabilities on ThreatPost

March 10, 2016 | Share this article

CVE is mentioned in a March 9, 2016 article entitled "Chrome Update Fixes Three 'High' Severity Vulnerabilities" on ThreatPost. The main topic of the article is that "Google pushed out the latest version of its flagship browser Chrome on Tuesday, fixing three high severity bugs in the process."

CVE is mentioned when the author identifies the three vulnerabilities and notes their severity ratings as determined by Google: "High CVE-2016-1643: Type confusion in Blink"; "High CVE-2016-1644: Use-after-free in Blink"; and "High CVE-2016-1645: Out-of-bounds write in PDFium". All three were discovered by researchers who submitted them to Google's vulnerability reward program.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-1643, CVE-2016-1644, and CVE-2016-1645 to learn more about these issues.

CVE Mentioned in Article about Multiple Android Vulnerabilities on InfoWorld

March 10, 2016 | Share this article

CVE is mentioned in a March 8, 2016 article entitled "Google fixes Android bugs, including lingering Mediaserver flaw" on InfoWorld. The main topic of the article is that Google Inc. "addressed 19 security vulnerabilities, seven of them rated critical, in its latest Android security update. The updates addressed critical security vulnerabilities in the keyring component, MediaTek Wi-Fi Driver, Conscrypt, the libvpx library, Mediaserver component, and the Qualcomm Performance component."

The CVE-IDs cited in this article include the following: CVE-2016-0815, CVE-2016-0816, CVE-2016-0824, CVE-2016-0826, CVE-2016-0827, CVE-2016-0828, CVE-2016-0829, CVE-2016-1621, CVE-2016-0818, CVE-2016-0819, CVE-2016-0728, CVE-2016-0820, CVE-2016-0822, CVE-2016-0821, and CVE-2016-0823.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for March on ThreatPost

March 10, 2016 | Share this article

CVE is mentioned in a March 8, 2016 article entitled "Microsoft Patches Critical Vulnerabilities in its Browsers" on ThreatPost. The main topic of the article is that Microsoft Corporation recently released 13 security bulletins "including five rated critical and two rated important that could result in remote code execution attacks against compromised machines."

CVE is first mentioned with regard to the bulletin for the Microsoft Edge browser, as follows: "All 11 flaws are memory corruption vulnerabilities and five of those are also applicable to IE, Microsoft said. Edge also is vulnerable to an information disclosure vulnerability, CVE-2016-0125, enabled by Edge's improper handling of the referrer policy. An attacker could use this flaw to learn about the request context or browsing history of a user…"

CVE is mentioned a second time regarding a bulletin that patches "two flaws in Windows Graphic Fonts. A user would have to open a crafted document to exploit the flaw or view a website hosting maliciously crafted embedded OpenType fonts. Only one of the OpenType Font Parsing vulnerabilities, CVE-2016-0121, is rated critical and leads to remote code execution; the other, CVE-2016-0120, is a denial-of-service issue and is rated moderate…." CVE is mentioned a third time regarding a bulletin that "patches two flaws in Windows Media that can be exploited via malicious media content to gain remote code execution. Neither CVE-2016-0101, nor CVE-2016-0098, has been publicly attacked, Microsoft said, adding that the patch corrects the way Windows handles resources in the media library."

In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-0125, CVE-2016-0121, CVE-2016-0120, CVE-2016-0101, and CVE-2016-0098 to learn more about these issues.

CVE Mentioned in Article about Vulnerabilities in Adobe Acrobat and Reader on ThreatPost

March 10, 2016 | Share this article

CVE is mentioned in a March 8, 2016 article entitled "Adobe Patches Reader and Acrobat, Teases Upcoming Flash Update" on ThreatPost. The main topic of the article is that Adobe Systems Incorporated recently released "security updates for its PDF editing and viewing products, Acrobat and Reader, and its ereader for books called Adobe Digital Editions. And while the customary Flash update is missing from today's monthly rollout, Adobe said a new version of the software will be available 'in the coming days.'"

CVE is mentioned when the author discusses Adobe patching three vulnerabilities in its Acrobat and Reader products: "Two of the patches (CVE-2016-1007 and CVE-2016-1009) address memory corruption vulnerabilities, while the third addresses a flaw in the directory search path (CVE-2016-1008). All three can be exploited to remotely execute code on compromised machines, Adobe said, adding that it was not aware of any public attacks against these bugs."

CVE is mentioned again regarding a vulnerability in Adobe Digital Editions, when the author states: "The patch specifically addresses a memory corruption issue (CVE-2016-0954); it has not been publicly attacked, Adobe said, adding that versions 4.5.0 and earlier are affected. Users are urged to update to 4.5.1."

In addition, Adobe is a CVE Numbering Authority (CNA), assigning CVE-IDs for Adobe issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-1007, CVE-2016-1009, CVE-2016-1008, and CVE-2016-0954 to learn more about these issues.

CVE Mentioned in Article about the DROWN Vulnerability on Softpedia

March 2, 2016

CVE is mentioned in a March 1, 2016 article entitled "A Third of All HTTPS Websites Are Vulnerable to the DROWN Attack" on Softpedia.

CVE is mentioned when the author states: "The OpenSSL project has released versions 1.0.2g and 1.0.1s to address a high severity security issue known as the DROWN attack (CVE-2016-0800) which allows attackers to break HTTPS and steal encrypted information. DROWN stands for "Decrypting RSA using Obsolete and Weakened eNcryption" and … At its core, the principle behind the DROWN attack relies on the presence of both the SSLv2 and TLS protocols on target machines. DROWN is a cross-protocol attack, meaning it will use weaknesses in the SSLv2 implementation against TLS."

Visit CVE-2016-0800 to learn more about this issue.

CVE Identifier "CVE-2015-7547" Cited in Numerous Security Advisories and News Media References about a Severe Linux Vulnerability

February 18, 2016

"CVE-2015-7547" is cited in numerous major advisories, posts, and news media references related to a recent severe Linux stack-based buffer overflow vulnerability, including the following examples:

Other news articles may be found by searching on "CVE-2015-7547" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547 includes a list of advisories used as references.

CVE Mentioned in Article about HPE's Cyber Risk Report 2016 on IT World Canada

February 18, 2016

CVE is mentioned in a February 17, 2016 article entitled "Security industry has learned nothing from patching lapses: Report" on IT World Canada. CVE is mentioned as part of the main topic of this article, which is that Hewlett-Packard Enterprise's "HPE Security Research Cyber Risk Report 2016" states that the "most exploited bug in 2015 was a Windows Shell vulnerability (CVE-2010-2568) that was discovered along with a patch issued in 2010 — and patched again in early 2015."

Visit CVE-2010-2568 to learn more about this issue.

CVE Mentioned in Article about Vulnerabilities in VoIP Phones on Bank Info Security

February 18, 2016

CVE is mentioned throughout a February 15, 2016 article entitled "VoIP Phones: Eavesdropping Alert" on Bank Info Security. The main topic of the article is that "VoIP devices built by the likes of Cisco and Snom can be easily exploited with just a couple of lines of JavaScript … if they use the devices' default security settings. Once attackers compromise a device, they can monitor or reroute all calls, surreptitiously activate microphones built into the device to listen to what's being said locally, or upload malicious firmware, amongst other potential attacks."

CVE is mentioned when the author discusses how the "attack would also work against some Cisco VoIP devices. Cisco has confirmed a related vulnerability - CVE-2015-0670 - affects some Cisco Small Business IP phones, but so far has released no patches."

Visit CVE-2015-0670 to learn more about this issue.

CVE Mentioned in Article about a Vulnerability in a Teddy Bear on eWeek

February 4, 2016

CVE is mentioned in a February 2, 2016 article entitled "Fisher-Price Smart Teddy Bear Latest IoT Toy Under Hacker Scrutiny" on eWeek. The main topic of the article is that "When it comes to the emerging Internet of things world, security vulnerabilities can exist almost anywhere, including in a child's teddy bear. Security vendor Rapid7 … disclosed a vulnerability in the Fisher-Price Smart Toy, which could have enabled an attacker to gain access to user information. Rapid7 responsibly disclosed the flaw to Fisher-Price, and the toy vendor has already patched the issue."

CVE is mentioned as follows: "Fisher-Price did not properly secure the Web APIs it uses for the back end of the Smart Toy, potentially giving an attacker access to customer profile information, including name, birthday, gender, language and which toys have been registered. Going a step further … an attacker could have deleted or modified a child's profile. The core flaw, which is identified as CVE-2015-8269, is an improper authentication handling vulnerability. [This means that the] Web back end for the Smart Toy would let anyone attempting to access the site assert that they were any customer ID. Fisher-Price [has] fixed the remote security issues … [and since] … the disclosed issues are all remote, there is no need for end users to patch the local device."

Visit CVE-2015-8269 to learn more about this issue.

CVE Mentioned in Article about Multiple Android Vulnerabilities on InfoWorld

February 4, 2016

CVE is mentioned in a February 1, 2016 article entitled "Google fixes multiple Wi-Fi flaws, mediaserver bugs in Android" on InfoWorld. The main topic of the article is that "Google addressed multiple remote code execution and elevation of privilege vulnerabilities in its Android monthly security update for February. Along with the usual mediaserver suspects, the patches addressed multiple issues in several Wi-Fi components."

The CVE-IDs cited in this article include the following: CVE-2016-0803, CVE-2016-0804, CVE-2016-0810, CVE-2016-0811, CVE-2016-0801, CVE-2016-0802, CVE-2016-0806, CVE-2016-0809, CVE-2016-0805, CVE-2016-0807, CVE-2016-0808, CVE-2016-0812, and CVE-2016-0813.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE Mentioned in Article about Two OpenSSL Vulnerabilities on InfoWorld

February 4, 2016

CVE is mentioned throughout a January 28, 2016 article entitled "OpenSSL patches two vulnerabilities in cryptographic library" on InfoWorld.

CVE is first mentioned as follows: "The OpenSSL project team has patched two vulnerabilities in the cryptographic library and enhanced the strength of existing cryptography used by OpenSSL versions 1.0.1 and 1.0.2", one of which was a "high-priority bug addresses an issue in how some Diffie-Hellman parameters are generated in OpenSSL 1.0.2 (CVE 2016-0701)."

CVE is mentioned two more times in the article with regard to lower-priority bug fixes, as follows: "The other vulnerability, which affects both 1.0.1 and 1.0.2, can let a malicious client negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes (CVE 2015-3197)." "OpenSSL also enhanced the strength of the cryptography used to mitigate the Logjam downgrade vulnerability in TLS. Logjam (CVE 2015-4000) refers to the vulnerability in the TLS protocol that allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit cryptography. This meant that attackers could break and read any encrypted traffic."

Visit CVE-2016-0701, CVE-2015-3197, and CVE-2015-4000 to learn more about these issues.

CVE Mentioned in Article about Apple Issuing Its First OS X and iOS Security Updates for 2016 on eWeek

February 4, 2016

CVE is mentioned in a January 20, 2016 article entitled "Apple Issues First OS X, iOS Security Updates for 2016" on InfoWorld. The main topic of the article is that "Apple released its first security updates of 2016 on Jan. 19, with the debut of OS X 10.11.3 and IOS 9.2.1, which provides patches for multiple classes of vulnerabilities that could potentially enable attackers to exploit users and their devices."

The CVE-IDs cited in this article include the following: CVE-2016-1722, CVE-2016-1730, CVE-2016-1719, CVE-2016-1720, and CVE-2016-1721.

In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE-IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE Mentioned in Article about a Silverlight Zero-Day Vulnerability on ZDNet

February 4, 2016

CVE is mentioned in a January 13, 2016 article entitled "Kaspersky Lab discovers Silverlight zero-day vulnerability" on ZDNet. The main topic of the article is that "Kaspersky Lab has discovered a dangerous zero-day vulnerability in Silverlight, potentially placing millions of users at risk … the cybersecurity firm said the vulnerability would allow an attacker to gain full access to a compromised computer and execute malicious code to steal secret information, conduct surveillance and cause wholesale destruction if they so wished." CVE is mentioned as follows: "The vulnerability, CVE-2016-0034, was discovered after Ars Technica revealed an alleged link between exploit and surveillance tool seller…"

Visit CVE-2016-0034 to learn more about this issue.

CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for January on InfoWorld

January 14, 2016

CVE is mentioned in a January 13, 2016 article entitled "Microsoft fixes critical flaws in Windows, Office, Edge, IE, other products" on InfoWorld. The main topic of the article is the fixes included in Microsoft's Patch Tuesday for January: "Microsoft has released the first batch of security updates for 2016 and they include critical fixes for remote code execution flaws in Windows, Office, Edge, Internet Explorer, Silverlight and Visual Basic."

CVE is first mentioned when the author states: "In total, Microsoft issued 9 security bulletins covering patches for 24 vulnerabilities. According to Wolfgang Kandek, the CTO of security firm Qualys, administrators should prioritize the MS16-005 security bulletin, especially for systems running Windows Vista, 7 and Server 2008. This patch addresses a remote code execution vulnerability tracked as CVE-2016-0009 that has been publicly disclosed, making attacks more likely."

CVE is mentioned a second time, as follows: "The second most important bulletin, according to Qualys, is MS16-004, which addresses six vulnerabilities in Microsoft Office. This bulletin is rated critical, which has been unusual for Microsoft Office in the recent past. The culprit for this severity rating is one particular remote code execution vulnerability tracked as CVE-2016-0010 that's present in all versions of Office from 2007 to 2016, even those running on Mac and Windows RT…."

In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-0009 and CVE-2016-0010 to learn more about these issues.

CVE Is Main Topic of Numerous News Media Articles about Products with Most Vulnerabilities in 2015

January 12, 2016

CVE was the main topic of several news media articles about the number of CVE-IDs issued to different platforms in 2015. The "Top 50 Products By Total Number Of "Distinct" Vulnerabilities in 2015" list was published by CVE Details, which takes CVE vulnerability data from the U.S. National Vulnerability Database (NVD), which is itself based upon the CVE List, and presents it in "an easy to use web interface to CVE vulnerability data." CVE Details is listed in the CVE Compatibility Program.

Examples of the news media articles about the list include the following:

Review the list at http://www.cvedetails.com/top-50-products.php?year=2015. To review or research CVE vulnerability content, visit NVD and CVE.

 
Page Last Updated: August 25, 2016