The CVE Board held a teleconference meeting on November 28, 2018. Read the meeting minutes.
MongoDB is now a CVE Numbering Authority (CNA) for MongoDB products only.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 93 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; ASUSTOR; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
Kathleen Trimble of U.S. Department of Homeland Security (DHS) has joined the CVE Board.
Read the full announcement and welcome message in the CVE Board email discussion list archive.
The CVE Board held a teleconference meeting on November 14, 2018. Read the meeting minutes.
The CVE Board held a teleconference meeting on October 31, 2018. Read the meeting minutes.
The CVE Board held a teleconference meeting on October 17, 2018. Read the meeting minutes.
Due to scheduled maintenance, the CVE Request Web Form for contacting the Primary CNA may be temporarily unavailable from 6:30 p.m. until 11:30 p.m. Eastern time on Wednesday, October 31, 2018.
The 91 other CVE Numbering Authority (CNA) organizations can still be contacted during this time to request CVE IDs.
We apologize for any inconvenience. Please contact us with any comments or concerns.
The CVE Board held a teleconference meeting on October 3, 2018. Read the meeting minutes.
The CVE Board held a teleconference meeting on September 19, 2018. Read the meeting minutes.
TWCERT/CC is now a CVE Numbering Authority (CNA) for vulnerability assignment related to its vulnerability coordination role.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 92 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; ASUSTOR; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
CyberSecurity Philippines - CERT is now a CVE Numbering Authority (CNA) for vulnerability assignment related to its vulnerability coordination role, for vulnerabilities that are not covered by another CNA.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 91 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; ASUSTOR; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
The CVE Board held a teleconference meeting on September 5, 2018. Read the meeting minutes.
Appthority is now a CVE Numbering Authority (CNA) for all Appthority products, as well as vulnerabilities in third-party software discovered by Appthority that are not covered by another CNA.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 90 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; ASUSTOR; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
The CVE Board held a teleconference meeting on August 22, 2018. Read the meeting minutes.
CVE is the main topic of an August 13, 2018 article entitled “CVE and Cloud Services, Part 1: The Exclusion of Cloud Service Vulnerabilities” on the Cloud Security Alliance blog. The article was written by Kurt Seifried, a CVE Board member and Director of IT at Cloud Security Alliance, and Victor Chin, Research Analyst at Cloud Security Alliance.
In the article, the authors explain what CVE is and how the program works, describe the role of CVE Numbering Authorities (CNAs), and detail what CVE currently considers to be a vulnerability as specified by the CNA Rules, Version 2.0, a consensus document authored by CNAs and the CVE Board. The authors of the article state: “The CVE system is the linchpin of the vulnerability management process, as its widespread use and adoption allows different services and business processes to interoperate. The system provides a way for specific vulnerabilities to be tracked via the assignment of IDs … These IDs also allow important information regarding a vulnerability to be associated with it such as workarounds, vulnerable software versions, and Common Vulnerability Scoring System (CVSS) scores. Without the CVE system, it becomes difficult to track vulnerabilities in a way that allows the different stakeholders and their tools to interoperate.”
In a section of the article entitled “CVE Inclusion Rules and Limitations,” the authors discuss how CVE’s currently defined inclusion rules do not provide for CVE Entries to be assigned to vulnerabilities in cloud services and explain how this restricts cloud service vulnerabilities from being properly managed: “In the past, [CVE’s] inclusion rule has worked well for the IT industry as most enterprise IT services have generally been provisioned with infrastructure owned by the enterprise. However, … cloud services, as we currently understand them, are not customer controlled. As a result, vulnerabilities in cloud services are generally not assigned CVE IDs. Information such as workarounds, affected software or hardware versions, proof of concepts, references and patches are not available as this information is normally associated to a CVE ID. Without the support of the CVE system, it becomes difficult, if not impossible, to track and manage vulnerabilities.”
The authors conclude the article by advocating for a change in CVE inclusion rules to allow for cloud service vulnerabilities to be included, and request industry feedback on this issue and the “resulting impact on the vulnerability management ecosystem.”
We encourage you to contribute to the discussion.
Two additional organizations are now CVE Numbering Authorities (CNAs): Avaya, Inc. for Avaya products only, and Odoo for Odoo issues only.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 89 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; ASUSTOR; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
The CVE Board held a teleconference meeting on August 8, 2018. Read the meeting minutes.
Lisa Olson of Microsoft has joined the CVE Board.
Read the full announcement and welcome message in the CVE Board email discussion list archive.
The CVE Team will be holding an informal “CVE Meet-Up” on August 9, 2018 to coincide with Black Hat USA 2018 and DEF CON 26. For meeting details, please see our “Come Meet with CVE at Black Hat 2018/DEF CON 26 on August 9” article on the CVE Blog.
The CVE Board held a teleconference meeting on July 25, 2018. Read the meeting minutes.
The CVE Board held a teleconference meeting on July 11, 2018. Read the meeting minutes.
The CVE Board held a teleconference meeting on June 27, 2018. Read the meeting minutes.
CVE is the main source of vulnerability data used in the 2018 report “Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies” by Kenna Security and Cyentia Institute.
The authors of the report found that “The number of CVEs published every year is steadily growing. Between its inception in 1999 through January 1st, 2018, over 120,000 vulnerabilities have been published to [the] Common Vulnerabilities and Exposures (CVE) [List]. 894 CVEs were published in 1999 and 6,447 CVEs published in 2016. 2017 saw a massive spike to 14,712 CVEs and 2018 is trending to meet the 2017 numbers.”
In the report, the authors discuss the effectiveness of the various vulnerability remediation strategies in use today, and conclude that current strategies are lacking but “predictive models are critical to proactively reduce risk efficiently and effectively” and “can and do enable businesses to adopt a proactive strategy for vulnerability remediation that delivers the most efficient use of their people, tools, time, and ultimately dollars to address the threats that pose the greatest risk.”
Read the complete report at: https://www.kennasecurity.com/prioritization-to-prediction-report/. The report is free to download, but sign-up may be required.
CVE is the main topic of an April 30, 2018 blog article by Rapid7 entitled “CVE 100K: A Big, Round Number.” The article discusses the CVE List's 100,000+ entries milestone, describes what CVE is and how it works, details the expansion of the CVE Numbering Authorities (CNAs) program, notes the creation of the “CVE Automation Working Group,” and discusses the future of CVE. The article concludes by recommending that other organizations—as Rapid7 itself did in 2016—also become CNAs and help continue to grow the CVE List.
The CVE Board held a teleconference meeting on June 13, 2018. Read the meeting minutes.
Naver Corporation is now a CVE Numbering Authority (CNA) for Naver products only, except Line products.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 89 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; ASUSTOR; Atlassian; Autodesk; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; Silicon Graphics; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
The CVE Board held a teleconference meeting on May 30, 2018. Read the meeting minutes.
The CVE Board held a teleconference meeting on May 16, 2018. Read the meeting minutes.
CVE is the main topic of a May 16, 2017 article entitled “CVE board looks ahead to the next 20 years of vulnerability identification,” on The Daily Swig. In the article, CVE Board members Kent Landfield of McAfee and Chris Levendis of MITRE “take stock of the program’s journey [during its first 20 years] to becoming the world’s de facto vulnerability identification standard” and discuss how CVE is being effectively positioned for the next 20 years.
The author states: “If ever proof were needed that the security industry is evolving at a rapid pace, the CVE program recently announced that the CVE List had surpassed 100,000 entries – a dubious milestone that demonstrates the program’s diligence, while hammering home the sheer scale of the threat landscape in 2018.”
The author then discusses how growing the number of participants in the CVE Numbering Authority (CNA) program helped the CVE List surpass 100,000 entries, with more and more CNAs assigning CVE Entries to vulnerabilities, and how CVE will continue to benefit from this federated approach in the future. On this point, the author quotes Chris Levendis, who states: “[CVE now has] 87 CNAs in the program, who are all involved in the assignment process and help chart the path forward. The CNAs are going to be the primary means by which we scale the CVE program … As far as onboarding [new] CNAs is concerned, the program will strategically look to target certain organizations to fulfil different kinds of roles. We have open and transparent rules for the requirements to become a CNA.”
The author also quotes Kent Landfield regarding the future of CVE, the role of automation, and the CNA program, who states: “During the next year or so, we’re going to be putting in place lots of different pieces and parts to ensure that federated environment [fully] occurs, and that we have set ourselves up for the next 20 years. We have built working groups into the program that allow the board members, the CNAs, and the public to participate in trying to develop some of that automation.”
“CVE is really a fundamental piece of our security defense mechanisms … I would like to stress the sheer number of external participants who take part in this program. CVE is vital to the security industry, and vital to our ability to defend ourselves.”
We are pleased to announce that the CVE Board has approved the latest version of the “CVE Board Charter,” version 2.6, which includes several important updates to board structure; membership descriptions, including the addition of a CNA liaison board member; and voting policies and procedures.
This update was the result of many hours of hard work by the Board, and the resulting document better positions CVE for success as it continues to expand.
We have upgraded our email server, and your CVE Announce e-newsletter subscription will now be sent from a new email address: “cve-announce-list@mitre.org”. Please add our new email address to your email program’s Safe Senders list.
What will change:
Old Email List Sender Address: cve-announce-list@lists.mitre.org
New Email List Sender Address: cve-announce-list@mitre.org
Please contact us with any comments or concerns.
The CVE Board held a teleconference meeting on May 2, 2018. Read the meeting minutes.
The CVE Board held a teleconference meeting on April 25, 2018. Read the meeting minutes.
The CVE website now contains 100,051 CVE Entries, each of which is a unique identifier for a publicly known software or firmware vulnerability.
CVE, which began in 1999 with just 321 common entries on the CVE List, is considered the international standard for public vulnerability identifiers.
CVE Entries are assigned to vulnerabilities in any code-based entity or standards upon which code-based entities are designed. This can include software, shared codebases, libraries, protocols, standards, hardware (e.g., firmware or microcode), hardware platforms, file formats, or data encodings. This definition of what CVE considers to be a vulnerability is specified by the CVE Numbering Authority (CNA) Rules, Version 2.0, a consensus document authored by CNAs and the CVE Board.
Every CVE Entry added to the list is assigned by a CNA. Numerous organizations from around the world already participate as CNAs, with more and more organizations deciding to join the CVE effort and become a CNA to help the community continue to build the CVE List.
Hillstone Networks, Inc. is now a CVE Numbering Authority (CNA) for all Hillstone products only.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 88 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; ASUSTOR; Atlassian; Autodesk; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; Silicon Graphics; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
Palo Alto Networks, Inc. is now a CVE Numbering Authority (CNA) for all Palo Alto Networks products.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 87 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; ASUSTOR; Atlassian; Autodesk; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; HP; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; Silicon Graphics; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
The CVE Board held a teleconference meeting on April 4, 2018. Read the meeting minutes.
Due to scheduled maintenance, the CVE Request Web Form for contacting the Primary CNA may be temporarily unavailable from 8:00 p.m. until 9:00 p.m. Eastern time on Thursday, April 12, 2018.
The 86 other CVE Numbering Authority (CNA) organizations can still be contacted during this time to request CVE IDs.
We apologize for any inconvenience. Please contact us with any comments or concerns.
SonicWALL, Inc. is now a CVE Numbering Authority (CNA) for SonicWALL issues only.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 86 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; ASUSTOR; Atlassian; Autodesk; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; HP; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; Silicon Graphics; SonicWALL; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
Due to scheduled maintenance, the CVE Request Web Form for contacting the Primary CNA may be temporarily unavailable from 6:00 a.m. until 2:00 p.m. Eastern time on Saturday, April 7, 2018.
All other CNA organizations can still be contacted during this time to request CVE IDs.
We apologize for any inconvenience. Please contact us with any comments or concerns.
The CVE Board held a teleconference meeting on March 21, 2018. Read the meeting minutes.
The CVE Board held a teleconference meeting on March 7, 2018. Read the meeting minutes.
The CVE Board held a teleconference meeting on February 21, 2018. Read the meeting minutes.
Cloudflare, Inc. is now a CVE Numbering Authority (CNA) for all Cloudflare products, projects hosted at https://github.com/cloudflare/, and any vulnerabilities discovered by Cloudflare that are not covered by another CNA.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 85 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; ASUSTOR; Atlassian; Autodesk; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; HP; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; Silicon Graphics; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
The CVE Board held a teleconference meeting on February 7, 2018. Read the meeting minutes.
Two additional organizations are now CVE Numbering Authorities (CNAs): Facebook, Inc. for Facebook-supported open source projects, mobile apps, and other software, as well as vulnerabilities in third-party software discovered by Facebook that are not covered by another CNA, and Hangzhou Hikvision Digital Technology Co., Ltd. for all Hikvision Internet of Things (IoT) products including cameras and digital video recorders.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 84 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; ASUSTOR; Atlassian; Autodesk; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Dahua; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; HP; Huawei; IBM; ICS-CERT; Intel; IOActive; ISC; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Riverbed; SAP; Schneider Electric; Siemens; Silicon Graphics; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.
The CVE Board held a teleconference meeting on January 24, 2018. Read the meeting minutes.
We are pleased to announce that the CVE Board has approved the latest version of the “CVE Board Charter,” version 2.5, which includes several important updates to membership, board member responsibilities and conduct, as well as policy and procedure changes.
This update was the result of many hours of hard work by the Board, and the resulting document better positions CVE for success as it continues to expand.
The CVE Board held a teleconference meeting on January 10, 2018. Read the meeting minutes.
Three CVE Entries are cited in numerous major advisories, posts, and news media references related to the recent critical “Meltdown” and “Spectre” vulnerabilities—CVE-2017-5754 for Meltdown, and CVE-2017-5753 and CVE-2017-5715 for Spectre—including in the following examples:
Other news articles may be found by searching on “CVE-2017-5754”, “CVE-2017-5753”, and “CVE-2017-5715” using your preferred search engine.
Also, the CVE Entry pages https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753, and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 each include a list of advisories used as references.
We have updated the CVE website to streamline site navigation and simplify content for an improved user experience. Improvements include the following:
CVE List Main Menu
Our new main menu provides you with direct access to the CVE List. Located in the black navigation bar at the top of every page, each item in the main menu links to a single page with a specific purpose:
New Site Organization and Secondary Dropdown Menu
The website is now organized into five sections, each of which is accessible from the dropdown menus located across the very top of every page:
Also, the CVE logo in the upper left corner of every page is the “Home” link to the website's homepage.
Please send any comments or concerns to cve@mitre.org.
The CVE Numbering Authorities (CNA) Rules, Version 2.0 document is now available on the CVE website. For details, please see our January 1, 2018 blog post: “CNA Rules, Version 2.0 Now in Effect”.