CVE List▾ CVE List Search Search Tips CVE Request Web Form Web Form Help PGP Key CVE List Documents & Guidance Terms of Use        CNAs▾ CVE Numbering Authorities (CNAs) Participating CNAs CNA Documents, Policies & Guidance CNA Rules, Version 3.0 New CNA Onboarding Slides & Videos How to Become a CNA         WGs▾ CVE Working Groups Automation (AWG) CNA Coordination (CNACWG) Outreach and Communications (OCWG) CVE Quality (QWG) Strategic Planning (SPWG) Tactical (TWG)         Board▾ CVE Board Members Email Archives Meeting Archives Board Charter         About▾ About CVE Professional Code of Conduct CVE & NVD Relationship History Sponsor Documentation & Guidance FAQs Terminology       News & Blog▾ Latest CVE News Blog Podcast Calendar Archive Follow CVE Free CVE Newsletter CVEnew Twitter Feed CVEannounce Twitter Feed CVE on Medium CVE on LinkedIn CVEProject on GitHub CVE on YouTube
Search CVE List         Downloads         Data Feeds         Update a CVE Record         Request CVE IDs
TOTAL CVE Records: 228713 NOTICE: Transition to the all-new CVE website at WWW.CVE.ORG and CVE Record Format JSON are underway. NOTICE: Legacy CVE download formats deprecation is now underway and will end on June 30, 2024. New CVE List download format is available now.



2016 News & Events (Archive)

Right-click and copy a URL to share an article.

The following five software vendors, one third-party coordinator, and one vulnerability researcher are now CVE Numbering Authorities (CNAs): Dell EMC (formerly EMC Corporation) for Dell EMC, RSA, Pivotal, and VCE issues only; KrCERT/CC (third-party coordinator); Internet Systems Consortium for all ISC.org projects; McAfee (formerly Intel Security) for McAfee issues only; Puppet for Puppet issues only; Rapid 7 (vulnerability researcher); and VMWare for VMWare issues only. In addition, existing CNA Intel Corporation will no longer cover McAfee issues and will now cover Intel issues only.

CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID number. The following 47 organizations currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; CERT/CC; Check Point; Cisco; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; F5; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Rapid 7; Red Hat; Silicon Graphics; Symantec; Talos; Ubuntu Linux; VMWare; and Yandex.

For more information about requesting CVE ID numbers from CNAs, visit Products Covered.

The CVE Board held a teleconference meeting on December 14, 2016. Read the meeting minutes.

OpenSSL Software Foundation is now a CVE Numbering Authority (CNA). CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID number. The following 41 organizations currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; CERT/CC; Check Point; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; F5; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; JPCERT/CC; Juniper; Larry Cashdollar; Lenovo; MarkLogic; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Nvidia; Objective Development; OpenSSL; Oracle; Red Hat; Silicon Graphics; Symantec; Talos; Ubuntu Linux; and Yandex.

For more information about requesting CVE ID numbers from CNAs, visit Products Covered.

Takayuki Uchiyama of JPCERT Coordination Center (JPCERT/CC) has joined the CVE Board.

Read the full announcement and welcome message in the CVE Board email discussion list archive.

The CVE Board held a teleconference meeting on November 30, 2016. Read the meeting minutes.

The CVE Board held a teleconference meeting on November 16, 2016. Read the meeting minutes.

Cronus Cyber Technologies

-

CyBot Suite

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

The CVE Board held a teleconference meeting on November 2, 2016. Read the meeting minutes.

The CVE Numbering Authority (CNA) Rules document is now available on the CVE website. This document provides detailed information about rules, requirements, and procedures for CNAs. Information on how to become a CNA is also included.

The following products are now registered as officially "CVE-Compatible":

SAINT Corporation

- -

SAINT Security Suite SAINTCloud

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

The CVE Team has launched a "CVE Blog" to establish a dialogue with CVE users and get your input on issues and topics that are important to CVE. Our first post is entitled "What's your opinion on how Descriptions are used in CVE IDs?" We very much look forward to hearing from you.

The CVE Board held a teleconference meeting on October 19, 2016. Read the meeting minutes.

The following ten software vendors, two vulnerability researchers, and one third-party coordinator are now CVE Numbering Authorities (CNAs): Brocade Communications Systems, Inc.; Check Point Software Technologies Ltd.; F5 Networks, Inc.; Fortinet, Inc.; Huawei Technologies Co., Ltd.; Larry Cashdollar (vulnerability researcher); HackerOne (third-party coordinator); Lenovo Group Ltd.; MarkLogic Corporation; Nvidia Corporation; Objective Development Software GmbH; Talos (vulnerability researcher); and Yandex N.V..

CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID number. The following 40 organizations currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; CERT/CC; Check Point; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; F5; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; JPCERT/CC; Juniper; Larry Cashdollar; Lenovo; MarkLogic; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Objective Development; Oracle; Red Hat; Silicon Graphics; Symantec; Talos; Ubuntu Linux; and Yandex.

For more information about requesting CVE ID numbers from CNAs, visit the CVE Numbering Authorities page.

Huawei Technologies Co., Ltd. declared that its firewall and application security gateway products, Huawei Next Generation Firewall Eudemon 200E-N/1000E-N/8000E-X Series and Huawei Next Generation Firewall USG6000/9000 Series, are CVE-Compatible.

For additional information about these and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

The CVE Board held a teleconference meeting on October 5, 2016. Read the meeting minutes.

The CVE Privacy Policy was updated to include the new CVE Request web form.

CVE is mentioned in an October 19, 2016 article entitled "Oracle fixes 100s of vulnerabilities that put enterprise data at risk" on PCWorld. The main topic of the article is that Oracle Corporation has "released another large batch of patches, fixing many critical vulnerabilities in enterprise products that are used to store and work with critical business data … In total, Oracle's October Critical Patch Update (CPU) contains 253 security fixes across hundreds of products including database servers, networking components, operating systems, application servers and ERP systems."

CVE is mentioned when the author states: "In databases, 31 flaws were patched in MySQL and 12 in the Oracle Database Server." "Databases are typically not exposed to the internet, but administrators should plan on patching for CVE-2016-6304, CVE-2016-5598 and CVE-2010-5312 as they are remotely exploitable and attackers can use them after compromising another system on the network …"

In addition, Oracle is a CVE Numbering Authority (CNA), assigning CVE IDs for Oracle issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-6304, CVE-2016-5598, and CVE-2010-5312 to learn more about these issues.

CVE is mentioned in an October 11, 2016 article entitled "Patch Tuesday: Microsoft patches five zero day vulnerabilities" on Threatpost. The main topic of the article is that Microsoft Corporation "patched a handful of zero-day vulnerabilities that have been publicly attacked in Internet Explorer, Edge, Windows and Office products … Today also signaled the first time Microsoft issued security updates for older Windows versions (Windows 7 and 8, and Windows Server 2008 and 2012) as single, cumulative security and feature updates."

CVE is mentioned as follows: "The Internet Explorer zero day, CVE-2016-3298, was one of 11 remote code execution flaws patched in a cumulative update, MS16-118 … The Microsoft Edge bulletin, MS16-119, also includes a patch for a zero day, CVE-2016-7189, in the browser's scripting engine … Another zero day, CVE-2016-3393, was addressed in Microsoft Windows Graphics Component in MS16-020 … An Office zero-day, CVE-2016-7193, was also patched in MS16-121 … The remaining publicly attacked zero day, CVE-2016-3298, was in the Microsoft Internet Messaging API and patched in MS16-126 … The remaining bulletin rated critical, MS16-122, patches a vulnerability in the Windows Video Control. The vulnerability, CVE-2016-0142 …"

In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-3298, CVE-2016-7189, CVE-2016-3393, CVE-2016-7193, and CVE-2016-0142 to learn more about these issues.

CVE is mentioned in an October 5, 2016 article entitled "Insulin pump vulnerabilities could lead to overdose" on ZDNet. The main topic of the article is that "Users of the Animas OneTouch Ping insulin pump system have been warned that security vulnerabilities in the device allow attackers to remotely deliver insulin doses."

CVE is mentioned when the author states: "[The] first vulnerability, CVE-2016-5084, reveals that data flowing between these two modules is transmitted in the clear. This opens the door for eavesdroppers to capture information such as dosage data and blood glucose results. The second critical security flaw, CVE-2016-5085, stems from the weak pairing between the pump and meter." CVE is mentioned again when the author states: "The third security vulnerability is equally as dangerous. The bug, CVE-2016-5086, highlights the fact the communication taking place between the pump and meter … in which legitimate commands could be intercepted by an attacker and then played back at a later date. This, too, could be used in theory by an attacker to re-issue insulin doses."

Visit CVE-2016-5084, CVE-2016-5085, CVE-2016-5086 to learn more about these issues.

CVE is mentioned in a September 29, 2016 article entitled "Cisco Warns of Critical Flaw in Email Security Appliances" on Threatpost. The main topic of the article is that "Cisco Systems released a critical security bulletin for a vulnerability that allows remote unauthenticated users to gain complete control of its email security appliances. The vulnerability is tied to Cisco's IronPort AsyncOS operating system."

CVE is mentioned with regard to the email vulnerability when the author states: "Cisco says the vulnerability (CVE-2016-6406) is tied to the presence of the company's own internal testing and debugging interface; accessible on the IronPort AsyncOS operating system. "An attacker could exploit this vulnerability by connecting to this testing and debugging interface. An exploit could allow an attacker to obtain complete control of an affected device with root-level privileges …"

In addition, Cisco is a CVE Numbering Authority (CNA), assigning CVE IDs for Cisco issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-6406 to learn more about this issue.

CVE is mentioned in an October 3, 2016 article entitled "Critical Security Flaws Discovered in Samsung Knox Give Hackers Full Control of Android Devices" on WCCFtech.

CVE is mentioned when the author states: "Samsung KNOX is an umbrella term used by Samsung for a collection of security features that are employed in the Android operating system used in the company's mobile devices. Samsung announced Knox in early 2013 as an end-to-end security solution for Android … The flaws exist in a module called Real-time Kernel Protection – or, TIMA RKP. RKP is responsible for defending the system against kernel exploits. Knox is designed to enhance security of the operating system. However, the flaws allowed full control of the Samsung Galaxy S6 and Note 5 that were used during the testing process. The exploits required an existing flaw to work … an existing kernel vulnerability known as a write-what-where flaw, CVE-2015-1805. [But] "any such vulnerability can be used" to exploit the flaws."

Visit CVE-2015-1805 to learn more about this issue.

The CVE Board held a teleconference meeting on September 21, 2016. Read the meeting minutes.

CVE is mentioned in a September 12, 2016 article entitled "Zero-day vulnerability found within MySQL database application" on ZDNet.

CVE is mentioned when the author states: "The bug, CVE-2016-6662, is a privilege escalation flaw which impacts all version branches of MySQL, including 5.7.15, 5.6.33 and 5.5.52, as well as software linked to MySQL, including MariaDB and PerconaDB. CVE-2016-6662 can be exploited if an attacker has an authenticated connection to MySQL, such as through shared networking or web interfaces. Attackers are able to inject malicious settings into MySQL configuration files, my.cnf, to gain root access and execute additional malicious code. The previously unknown vulnerability can be exploited by both local and remote attackers and can lead to remote code execution with root privileges, which in turn can grant an attacker the ability to fully compromise a server."

In addition, Oracle is a CVE Numbering Authority (CNA), assigning CVE IDs for Oracle issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-6662 to learn more about this issue.

CVE is mentioned in a September 16, 2016 article entitled "Cisco drops patch for nasty WebEx remote code execution hole" on The Register.

CVE is mentioned when the author states: "The remote code execution flaw (CVE-2016-1482) could allow attackers to execute arbitrary commands on WebEx servers. Admins can only apply the patch and do not have an option to deploy work-around mitigations." CVE is mentioned a second time, when the author states: "Denial of service attacks affect Cisco's Web Security Appliance, WebEx server, IOS XE software, and carrier routing system. That WebEx server flaw (CVE-2016-1483) is rated high severity and occurs thanks to improper validation of user accounts by specific services."

In addition, Cisco is a CVE Numbering Authority (CNA), assigning CVE IDs for Cisco issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-1482 and CVE-2016-1483 to learn more about these issues.

The CVE Board held a teleconference meeting on August 25, 2016. Read the meeting minutes.

Due to scheduled maintenance, the CVE Request Web Form may be temporarily unavailable from 8:00pm until 10:00p.m. Eastern time on Thursday, September 15, 2016.

Organizations participating as CNAs are the primary method through which CVE IDs are assigned. Participating CNAs organizations can still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact cve@mitre.org with any comments or concerns.

We have updated the CVE website to streamline site navigation for an improved user experience. The main navigation menu is now located in an easy-to-access menu bar at the top of every page, and expanded Section Contents menus for each section of the website are on the left of each interior page.

The homepage has also been refreshed and now includes quick-access links to the most frequently requested information about CVE including requesting CVE IDs, updating information in CVE IDs, access to the various CVE List downloads, and where to find data feeds of CVE content.

The website is now organized into these main sections:

Additional updates will be coming soon, so please check back frequently.

Please send any comments or concerns to cve@mitre.org.

We are pleased to announce that the CVE Board has approved the latest version of the "CVE Board Charter," which includes several important updates to membership, board member roles and responsibilities, as well as a number of policy and procedure changes.

This update was the result of many hours of hard work by the Board, and the resulting document better positions CVE for success as it expands its reach to other sectors.

Beginning August 29, 2016, anyone requesting a CVE ID from MITRE, requesting an update to a CVE, providing notification about a vulnerability publication, or submitting comments will do so by submitting a "CVE Request" web form. The previous practice of submitting requests via email has been discontinued.

The new CVE Request web form will make it easier for requestors to know what information to include in their initial request, and will enhance MITRE's ability to respond to those requests in a timely manner. User instructions will be available on the website and on the form itself. View the web form guidance for more information. Upon completion of the form, the requestor will receive an immediate web acknowledgement that their form was submitted successfully, and an email confirmation which will include a reference number.

Contacting a CVE Numbering Authority (CNA) continues to be the first method that should be used when requesting a CVE ID related to a CNA’s products.

Please send any comments or concerns to cve@mitre.org.

A list of previously unpublished vulnerabilities was released last week by a group calling themselves "The Shadow Brokers." This list includes references to Cisco, Juniper, Fortinet, WatchGuard, and TOPSEC products. As these vendors and vulnerability researchers confirm vulnerabilities, CVEs are being assigned for those products within scope of the program.

Cisco and Juniper, as CVE Numbering Authorities (CNAs), assign CVEs related to their products as appropriate. To date, Cisco assigned CVE IDs CVE-2016-6366 and CVE-2016-6367 to vulnerabilities they confirmed. Additionally, MITRE, as the primary CNA, assigned CVE IDs for the Fortinet and WatchGuard products based on publicly available information from the covered sources list. CVE-2016-6909 was assigned to the Fortinet vulnerability and CVE-2016-7089 was assigned to the WatchGuard vulnerability. As information about these vulnerabilities becomes available, the CVEs will be updated.

Visit CVE-2016-6366, CVE-2016-6367, CVE-2016-6909, and CVE-2016-7089 to learn more about these issues.

The method to request CVE IDs from MITRE will change on August 29, 2016.

Using the new method, CVE ID requestors will complete a "CVE Request" web form when requesting a CVE ID from MITRE. The previous practice of submitting requests via cve-assign@mitre.org will be discontinued.

The new web form will make it easier for requestors to know what information to include in their initial request, and will enhance MITRE's ability to respond to those requests in a timely manner. User instructions will be available on the CVE website and on the form itself. Upon completion of the form, the requestor will receive a confirmation message that the request was received and a reference number.

Please send any comments or concerns to cve@mitre.org.

The CVE Editorial Board held a teleconference meeting on August 11, 2016. Read the meeting minutes.

The Intel Corporation and The Apache Software Foundation are now CVE Numbering Authorities (CNAs). CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID number. The following 27 organizations currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; Hewlett Packard Enterprise; IBM; ICS-CERT; Intel; JPCERT/CC; Juniper; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

The Distributed Weakness Filing (DWF) CNA (established May 24, 2016), makes CVE assignments using seven digit numbers as a way of initially differentiating between DWF assignments and other CNA assignments. The CVE Program wants to make the community aware of this so that the community is prepared to deal with these larger number series in their infrastructures. The CVE syntax change allowing seven digits went into effect on January 1, 2015 (CVE-ID Syntax Change). We are posting this message to the community because we realize it is important to communicate when those additional digits are being used.

If you have any questions, please reach out to cve@mitre.org.

The CVE Editorial Board held a teleconference meeting on July 28, 2016. Read the meeting minutes.

CVE is mentioned in a July 26, 2016 article entitled "Unpatched Smart Lighting Flaws Pose IoT Risk to Businesses" on ThreatPost.

The main topic of the article is that several "web-based vulnerabilities in Osram Lightify smart lighting products remain unpatched, despite private notification to the vendor in late May and CVEs assigned to the issues in June by CERT/CC. Researchers at Rapid7 today publicly disclosed some of the details on each of the nine vulnerabilities with temporary mitigation advice users can deploy until a fix is available."

CVE is mentioned when the author states: "Osram Lightify products are indoor and outdoor lighting products that can be managed over the web or through a mobile application. The products are used commercially and in homes, and the vulnerabilities are just the latest to affect connected devices." "… a weak default WPA2 pre-shared key on the Pro solution (CVE-2016-5056) is the most critical of the nine flaws. The keys use only eight characters from a limited set of numerals and letters, making it possible to capture a WPA2 authentication handshake and crack the PSK offline in fewer than six hours."

In addition, CERT/CC is a CVE Numbering Authority (CNA). CNAs are major OS vendors, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-5056 to learn more about this issue.

CVE is mentioned in a July 22, 2016 article entitled "iOS, Mac vulnerabilities allow remote code execution through a single image" on ZDNet. The main topic of the article is that "Security flaws which affect both Apple iOS and Mac devices permit attackers to grab your passwords and data, researchers claim. … a set of five vulnerabilities, if exploited, could lead to data theft and remote code execution -- which in its worst state may result in device hijacking."

CVE is mentioned when the author states: "The set of bugs, CVE-2016-4631, CVE-2016-4629, CVE-2016-4630, CVE-2016-1850, and CVE-2016-4637, are all caused by how Apple processes image formats. Apple offers APIs as interfaces for accessing image data, and … there are five remote code execution flaws related to this system. The image files which place Mac and iOS users at risk are .tiff, often used in publishing, OpenEXR, Digital Asset Exchange file format XML files, and BMP images." "The malware avoids detection due to the processing weaknesses, and if exploited, this leads to a heap buffer flow issue which extends to remote code execution."

In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-4631, CVE-2016-4629, CVE-2016-4630, CVE-2016-1850, and CVE-2016-4637 to learn more about these issues.

CVE is mentioned in a July 21, 2016 article entitled "Oracle's Quarterly CPU Fixes Record Number of Vulnerabilities" on ADTMag. The main topic of the article is that "Oracle Corp.'s latest Critical Patch Update (CPU), issued this week, fixed a record 276 vulnerabilities in a range of the company's products, including 13 in Java SE, some of which received high-severity scores."

CVE is mentioned when the author states: "Each vulnerability is issued a unique CVE number. Two of the Java vulnerabilities (CVE-2016-3587 and CVE-2016-3606) earned a CVSS score of 9.6 (the highest is 10.0), and both allow remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot VM … these vulnerabilities relate to Java features introduced in versions Java SE 7 and above, which support the "invokedynami" "feature that enables dynamic code execution and scripting. [The] less severe CVE-2016-3550 (CVSS score of 4.3) also applies to the HotSpot JVM internals for Java SE versions 6, 7, and 8."

In addition, Oracle is a CVE Numbering Authority (CNA), assigning CVE IDs for Oracle issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-3587, CVE-2016-3606, and CVE-2016-3550 to learn more about these issues.

The CVE Editorial Board held a teleconference meeting on July 14, 2016. Read the meeting minutes.

CVE is mentioned in a July 11, 2016 article entitled "92 Percent of Internet-Available ICS Hosts Have Vulnerabilities" on Softpedia.

The main topic of the article is discussion of a July 2016 report by Kapersky Lab that "…following an Internet-wide scan, [Kapersky] found 188,019 hosts connected to ICS equipment, in 170 countries around the globe. Over 170,000 Internet-available ICS devices have vulnerabilities. Of these, 92 percent, or 172,982, contained vulnerabilities that can be exploited to attack, take over, or even harm devices and their normal mode of operation."

CVE is mentioned when the author states: "According to Kaspersky, most of the vulnerable devices are located in the US (57,417), followed at a long distance by Germany (26,142), Spain (11,264), France (10,578), and Canada (5,413). Most of these devices are available to external connections via the HTTP protocol (116,900), Telnet (29,586), Niagara Fox (20,622), SNMP (16,752), or Modbux (16,233) … The vulnerability encountered by far in ICS/SCADA equipment was Sunny WebBox Hard-Coded Credentials (CVE-2015-3964), found in 11,904 devices."

Visit CVE-2015-3964 to learn more about this issue.

CVE is mentioned in a July 12, 2016 article entitled "Windows Print Spooler Flaws Lead to Code Execution" on ThreatPost.

The main topic of the article is that Microsoft's July Patch Tuesday "patched a legitimate [networked printer] vulnerability that an attacker could abuse to attack corporate and home networks. MS16-087, one of a half-dozen critical security bulletins published today by Microsoft, patches a pair of flaws in Windows Print Spooler components. The most serious of the vulnerabilities patched today can be attacked either with local access to the printer, via drive-by download, or a by spoofing a shared network print server that is then broadcast with auto-discovery."

CVE is mentioned when the author states: "The flaw, CVE-2016-3238, affects all supported versions of Windows, and allows an attacker to install and execute a driver that acts essentially as a wrapper for malicious code…"

In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-3238 to learn more about this issue.

CVE is mentioned in a July 12, 2016 article entitled "Adobe Flash Player Receives 52 Security Patches" on Softpedia. The main topic of the article is that Adobe Systems, Inc." released security fixes for Flash Player that addressed a total of 52 security issues" in its patch Tuesday updates for July.

The CVE-IDs cited in this article include the following: CVE-2016-4247, CVE-2016-4223, CVE-2016-4224, CVE-2016-4225, CVE-2016-4249, CVE-2016-4232, CVE-2016-4178, CVE-2016-4176, CVE-2016-4177, and CVE-2016-4216.

In addition, Adobe is a CVE Numbering Authority (CNA), assigning CVE-IDs for Adobe issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE is mentioned in a July 7, 2016 article entitled "Google Issues Largest Android Security Update" on eWeek. The main topic of the article is that Google, Inc.'s July Android update "far exceeds any past Android update in terms of the total number of vulnerabilities, and it introduces a new two bundle patch set approach to help accelerate the overall patching process."

The CVE-IDs cited in this article include the following: CVE-2016-2108, CVE-2016-2503, CVE-2016-2067, CVE-2016-3768, CVE-2016-2068, CVE-2016-3797, CVE-2016-3769, CVE-2015-8816, and CVE-2016-3775.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

The CVE Editorial Board held a teleconference meeting on June 30, 2016. Read the meeting minutes.

Hewlett Packard Enterprise (HPE) is now a CVE Numbering Authority (CNA) for HPE issues. In 2015, Hewlett-Packard Company, which was formerly a CNA, split into two separate organizations—Hewlett Packard Enterprise and HP Inc.—both of which are now CNAs for their own issues.

CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE-ID number. The following 25 organizations currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; HPE; IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

HP Inc. is now a CVE Numbering Authority (CNA) for HP Inc. issues. In 2015, Hewlett-Packard Company, which was formerly a CNA, split into two separate organizations—HP Inc. and Hewlett Packard Enterprise—both of which are now CNAs for their own issues.

CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE-ID number. The following 25 organizations currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; HPE; IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

The CVE Editorial Board held a teleconference meeting on June 2, 2016. Read the meeting minutes.

CVE is mentioned in a June 22, 2016 article entitled "New 'Godless' Malware Targets Android Mobile Devices" on Top Tech News. The main topic of the article is discovery of the "Godless" family of malware targeting Android mobile devices that uses multiple exploits to root users' devices and can root 90% of Android phones.

CVE is mentioned in a section of the article entitled "Bypassing Security Checks," when the author states: "Godless is similar to an exploit kit … [with a framework that] has various exploits in its arsenal that it can use to root a number of different Android-based devices. The two most prominent vulnerabilities targeted by the rooting kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the Towelroot exploit). By gaining root privilege, Godless can connect to a command-and-control (C&C) server capable of delivering remote instructions that force the device to download and install additional apps without the user's knowledge. At best, a user receives unwanted apps on the phones. At worst, the same technique can be used to install a backdoor or spy on the user."

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2015-3636 and CVE-2014-3153 to learn more about these issues.

CVE is mentioned in a June 14, 2016 article entitled "Microsoft's June Patch Tuesday features 16 bulletins, five rated critical" on SC Magazine. The main topic of the article is "Microsoft's June Patch Tuesday offering served up 16 update bulletins with five rated critical covering 44 CVEs, which equaled the number posted in May, but with three fewer critical issues." "The impacted applications are: Windows, Internet Explorer, Edge and Office and Office services and web apps. The remaining 11 bulletins all had an "important" rating."

The CVE-IDs cited in this article include the following: CVE-2016-0025, CVE-2016-3225, CVE-2016-3236, and CVE-2016-3230.

In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE website. A total of 152 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

NileSOFT Ltd.

-

Secuguard Web Security Explorer (WSE) Webscan

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Huawei Technologies Co., Ltd. declared that its firewall and application security gateway, Huawei Next Generation Firewall, is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

CVE is mentioned in a June 16, 2016 article entitled "Adobe patches critical zero-day vulnerability in Flash Player" on SC Magazine.

CVE is mentioned at the beginning of the article when the author states: "Adobe released a Flash Player "update containing patches for 36 vulnerabilities, including the zero-day CVE-2016-4171, a critical issue that was called out earlier this week as having been spotted hitting targets in the wild. CVE-2016-4171 affects Flash Player version 21.0.0.242 and earlier in Adobe Desktop Runtime, Extended Support Release, Google Chrome, Microsoft Edge and Internet Explorer 11 and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system …"

In addition, Adobe is a CVE Numbering Authority (CNA), assigning CVE-IDs for Adobe issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-4171 to learn more about this issue.

CVE is mentioned in a June 7, 2016 article entitled "Google Patches 40 Android Flaws in June Update" on eWeek. The main topic of the article is that in its June Android update Google "fixed 40 vulnerabilities, eight of which are rated critical. Once again, the security update includes a familiar set of flaws, with media server issues and Qualcomm drivers topping the list."

The CVE-IDs cited in this article include the following: CVE-2016-2062, CVE-2016-2464, CVE-2016-2465, CVE-2016-2466, CVE-2016-2467, CVE-2016-2468, CVE-2016-2060, CVE-2016-2463, CVE-2016-2495, and CVE-2016-2500.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE is mentioned in a May 31, 2016 article entitled "Samsung Knox isn't as secure as you think it is" on Tech Republic. The main topic of the article is that Samsung's "Samsung Knox, the security system that runs on a plethora of the company's Android smartphones, was recently found to be suffering from a host of security problems."

CVE is first mentioned when the author states: "The first of the three big vulnerabilities that were found was described as "Weak eCryptFS Key generation from user password on Knox 1.0 / Android 4.3," known officially as CVE-2016-1919 … The eCryptFS key is supposed to mix the user's password and a 32-bit key to provide encryption, but the vulnerability "allows an attacker to decrypt Knox encrypted data without knowing the user's password." CVE is mentioned a second time, as follows: "Next up was the vulnerability CVE-2016-1920, which allows an app running outside of Knox to run a man-in-the-middle (MITM) attack against Knox SSL traffic. With this vulnerability, a third-party app running VPN-related permissions can run traffic through it." CVE is mentioned a third time when the author states: "Last, but not least, was CVE-2016-3996, which "allows an attacker to steal the contents of the Knox clipboard."

Visit CVE-2016-1919, CVE-2016-1920, and CVE-2016-3996 to learn more about these issues.

CVE is mentioned in a May 31, 2016 article entitled "Device hijacking security flaws discovered in LG handsets" on ZDNet. The main topic of the article is the discovery of two critical security flaws "impacting LG devices [that] could be exploited to compromise user devices, leading to device hijacking and data theft".

CVE is mentioned when the author states: "CVE-2016-3117, was discovered in LG's privileged service. Dubbed LGATCMDService, the service is not protected by bind permissions, which means that any application — regardless of its origins — can communicate with it … If exploited, this could lead to privilege escalation and device hijacking, rebooting, disabling USB connections, wiping, identifying private IDs such as a device's MAC address or completely bricking the device itself. The second security flaw, CVE-2016-2035, lies within LG's implementation of the WAP Push protocol. This protocol is used to send URLs to mobile devices through SMS messages, but due to LG's implementation of the system, an SQL vulnerability is present.

Visit CVE-2016-3117 and CVE-2016-2035 to learn more about these issues.

CVE is mentioned in a May 31, 2016 article entitled "US ICS-CERT Urges Admins to Mitigate New SCADA Risk" on Info Security. The main topic of the article is that the U.S. Department of Homeland Security "issued an alert urging IT administrators in the energy sector to take steps to mitigate two serious vulnerabilities in SCADA products … from the department's ICS-CERT, and concerns two bugs discovered in … [Environmental Systems Corporation's (ESC) ESC 8832 Version 3.02 and earlier versions]."

CVE is mentioned when the author states: "Both bugs have been given a CVSS v3 base score of 7.5. The first – CVE-2016-4501 – is an authentication bypass vulnerability which could allow an attacker to make unauthorized modifications to the device's configuration. The second – CVE-2016-4502 – is a privilege management bug which could allow a hacker to "gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter." An attacker with only low skill could exploit these two vulnerabilities remotely, ICS-CERT warned. To mitigate the risk of such an exploit, ESC recommends admins either upgrade the device, block Port 80 with a firewall, or manage the device not through the web interface but alternative means."

In addition, ICS-CERT is a CVE Numbering Authority (CNA). CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-4501 and CVE-2016-4502 to learn more about these issues.

CVE is mentioned in a May 30, 2016 article entitled "CERT warns of hardcoded creds in medical app" on The Register. The main topic of the article is that US-CERT "issued a warning after admin credentials were found in a popular medical application used for acquiring patient data" that is used in about "1,000 healthcare facilities".

CVE is mentioned when the author states: "The MEDHOST application is designed for handling the perioperative three stages of surgery including patient tracking, and patient conditions. It can be hosted and managed remotely … The flaw meant attackers could key in the details and access patient data on servers that did not restrict logins from unknown locations … the hardcoded credential flaw (CVE-2016-4328) in MEDHOST Perioperative Information Management System in versions older than 2015R1."

Visit CVE-2016-4328 to learn more about this issue.

The CVE Editorial Board held a teleconference meeting on May 19, 2016. Read the meeting minutes.

The Distributed Weakness Filing (DWF) Project is now a CVE Numbering Authority (CNA) for open source software issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE-ID number. The following 24 organizations currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

CVE is mentioned in a May 17, 2016 article entitled "Symantec's anti-virus engine updated, flaw could cause Blue Screen of Death" on SC Magazine. The main topic of the article is that Symantec Corporation "released an update to its anti-virus engine (AVE) to repair a kernel-level flaw making the software susceptible to a memory access violation when parsing a specifically-crafted portable-executable (PE) header file."

CVE is mentioned when the author states: "Symantec said the critical vulnerability, CVE-2016-2208, affected Symantec anti-virus engine version 20151.1.0.32. These malformed PE files do not require any user interaction to trigger the parsing of the malformed files, but they can be received through email, downloading a document or application or by visiting a malicious web site."

In addition, Symantec is a CVE Numbering Authority (CNA), assigning CVE-IDs for Symantec issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-2208 to learn more about this issue.

CVE is mentioned in a May 17, 2016 article entitled "Apple Makes Security Improvements to iOS and OS X" on eWeek. The main topic of the article is that "Apple, Inc.'s "iOS alone is being patched for 39 vulnerabilities, but it's not just about fixing existing flaws; the update is also providing new features to harden security."

The CVE-IDs cited in this article include the following: CVE-2016-1793, CVE-2016-1794, CVE-2016-1801, CVE-2016-1803, CVE-2016-1807, CVE-2016-1813, CVE-2016-1819, CVE-2016-1821, CVE-2016-1823, and [CVE-2016-1846].

In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE-IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

"CVE-2016-4117" is cited in numerous major advisories, posts, and news media references related to the recent zero-day Adobe Flash vulnerability, including the following examples:

• http://www.computerworld.com/article/3070026/security/flash-player-update-fixes-zero-day-flaw-and-24-other-critical-vulnerabilities.html
• http://www.zdnet.com/article/adobe-readies-patch-for-flash-player-exploit-being-exploited-in-the-wild/
• http://www.theregister.co.uk/2016/05/12/flash_zero_day_hole/
• http://www.pcworld.com/article/3069200/security/hackers-exploit-unpatched-flash-player-vulnerability-adobe-warns.html
• http://bgr.com/2016/05/11/adobe-flash-windows-zero-day-fix/
• https://threatpost.com/adobe-warns-of-flash-zero-day-patches-acrobat-reader/117981/
• http://www.networkworld.com/article/3069197/hackers-exploit-unpatched-flash-player-vulnerability-adobe-warns.html
• http://www.ibtimes.co.uk/adobe-flash-zero-day-exploit-found-wild-theres-currently-no-fix-1559501
• http://neurogadget.net/2016/05/14/adobe-releases-new-security-update-flash-player/30163
• http://www.infosecurity-magazine.com/news/adobe-patches-yet-another-flash/

Other news articles may be found by searching on "CVE-2016-4117" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4117 includes a list of advisories used as references.

The CVE Editorial Board held a teleconference meeting on May 5, 2016. Read the meeting minutes.

Nurun IT Consulting Services declared that its Neo Threat Management Solution (NTMS) is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

NileSOFT Ltd. declared that its Secuguard Web Security Explorer (WSE) Webscan is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

We continue to work diligently on expanding CVE assignment in ways that meet the needs of all the various use cases of CVE. Towards that end, we have begun increasing the number of organizations participating as CVE Numbering Authorities (CNAs). We are also working closely with the CVE Editorial Board to define additional ways for CNAs to enable CVE to expand its coverage. Updates on our progress will continue to be posted here as soon as they occur.

CVE is mentioned in a May 3, 2016 article entitled "ImageTragick Exploit Used in Attacks to Compromise Sites via ImageMagick 0-Day" on Softpedia. The main topic of the article is the May 3 announcement of "a vulnerability in the ImageMagick image processing library deployed with countless Web servers, a zero-day which [the researchers who discovered the issue] say has been used in live attacks."

CVE is mentioned when the author states: "Nicknamed ImageTragick and identified via the CVE-2016–3714 vulnerability ID, the issue has a massive attack surface, since, alongside the GD library, ImageMagick is one of the most used image processing toolkits around … Mitigation instructions are available on ImageTragick's website."

Visit CVE-2016-3714 to learn more about this issue.

CVE is mentioned in a May 3, 2016 article entitled "Google patches 40 Android security flaws" on SC Magazine. The main topic of the article is that Google Inc. "released patches for 40 security vulnerabilities affecting Android devices. Vulnerabilities include remote code execution, elevated privilege, and remote denial of service (DoS) flaws. Six of the vulnerabilities are rated as critical flaws and 10 vulnerabilities are rated as high severity."

CVE is first mentioned when the author states: "The most severe vulnerability (CVE-2016-2428 and CVE-2016-2429) affects media files processing, a recurring issue for Android devices. The flaw allows remote code execution when devices receive a malicious email or MMS message, or through viewing an infected webpage."

CVE is mentioned a second time, as follows: "The elevated privilege vulnerabilities affecting Android's integrated debugger (CVE-2016-2430) and Qualcomm TrustZone (CVE-2016-2432) allow malicious applications to execute arbitrary code within the debugger and the TrustZone kernel, respectively. The flaws may permanently compromise devices and may require an operating system reflash."

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-2428, CVE-2016-2429, CVE-2016-2430, and CVE-2016-2432 to learn more about these issues.

CVE is mentioned in an April 27, 2016 article entitled "Firefox 46 Patches Critical Memory Vulnerabilities" on Threatpost. The main topic of the article is that Mozilla Corporation "updated Firefox and patched 10 vulnerabilities, one which was rated critical. Firefox 46 also included patches for four vulnerabilities that Mozilla rated as high severity. Critical bugs enabled remote code execution without user interaction, while bugs rated high can be exploited to steal browser data or inject code into websites via the browser."

CVE is mentioned when the author states: "The critical vulnerability was found internally and included four memory-related flaws in the browser engine used by Firefox and other Mozilla software. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in its advisory. All four bugs—CVE-2016-2807, CVE-2016-2806, CVE-2016-2805, and CVE-2016-2804—cause the browser to crash; CVE-2016-2805 affects only Firefox ESR 38.8."

In addition, Mozilla is a CVE Numbering Authority (CNA), assigning CVE-IDs for Mozilla issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-2807, CVE-2016-2806, CVE-2016-2805, and CVE-2016-2804 to learn more about these issues.

The CVE Editorial Board held a teleconference meeting on April 21, 2016. Read the meeting minutes.

Juniper Networks, Inc. is now a CVE Numbering Authority (CNA) for Juniper issues only. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE-ID number. The following 23 organizations currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; EMC; FreeBSD; Google; HP; IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

Tom Millar of US-CERT has joined the CVE Editorial Board.

Read the full announcement and welcome message in the CVE Editorial Board email discussion list archive.

Two CVE Identifiers — CVE-2016-0128 and CVE-2016-2118 — are cited in numerous major advisories, posts, and news media references related to the "Badlock" vulnerability, including the following examples:

• https://nakedsecurity.sophos.com/2016/04/12/badlock-revealed-probably-not-as-bad-as-you-thought/
• http://www.computerworld.com/article/3055917/security/microsoft-samba-badlock-flaw-not-critical-but-serious-enough.html
• http://www.infoworld.com/article/3055572/security/dont-let-badlock-distract-you-from-real-vulnerabilities.html
• https://threatpost.com/badlock-vulnerability-falls-flat-against-its-hype/117349/
• http://www.networkworld.com/article/3054645/security/microsoft-rated-6-of-13-security-updates-as-critical-badlock-bug-fix-rated-important.html
• http://www.eweek.com/security/badlock-flaw-disclosed-as-microsoft-issues-13-security-advisories.html
• http://www.theregister.co.uk/2016/04/12/badlock_bug_windows_samba/
• http://news.softpedia.com/news/microsoft-patches-overhyped-badlock-vulnerability-502887.shtml
• http://www.itpro.co.uk/security/26347/microsofts-patch-tuesday-deals-with-badlock-bug
• http://www.infosecurity-magazine.com/news/patch-tuesday-badlock-bulletin/
• http://www.darkreading.com/vulnerabilities---threats/badlock-bug-declared-a-bust--but-patch-anyway/d/d-id/1325083
• http://blog.trendmicro.com/trendlabs-security-intelligence/how-bad-is-badlock/

Other news articles may be found by searching on "CVE-2016-0128" and "CVE-2016-2118" using your preferred search engine. Also, the CVE Identifier pages https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0128 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2118 include lists of advisories used as references.

The CVE Editorial Board held a teleconference meeting on March 30, 2016. Read the meeting minutes.

CVE is mentioned in an April 4, 2015 article entitled "Cisco 'High Severity' Flaw Lets Malware Bypass Firepower Firewall" on ThreatPost. The main topic of the article is that Cisco recently patched a "critical vulnerability found in its recently introduced line of FirePower firewall products. The vulnerability, according to Cisco, allows attackers to slip malware onto critical systems without detection. The flaw is also impacts Snort, an open source network-based intrusion detection system also owned by Cisco."

CVE is mentioned as follows: "Cisco alerted customers of the vulnerability (CVE-2016-1345) last week classifying it as "high severity". The networking firm has released software updates that address the vulnerability in Cisco Firepower System Software 5.4.0.7 and later, 5.4.1.6 and later and 6.0.1 and later."

In addition, Cisco is a CVE Numbering Authority (CNA), assigning CVE-IDs for Cisco issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-1345 to learn more about this issue.

CVE is mentioned in a March 28, 2016 article entitled "Zero-Day Vulnerability Bypasses Apple's Security Features To Compromise OS X And iOS Devices: Update Now" on Tech Times. The main topic of the article is that "A security analyst from SentinelOne unveiled a critical zero-day vulnerability that affects all versions of Apple's OS X and some iOS versions. By using the vulnerability, hackers can get full access of the affected device, making it easy to steal sensitive data and bypass the company's protection feature."

CVE is mentioned when the author states: "…SentinelOne reported back in January about a critical vulnerability in both the iOS and OS X codes, which permits local privilege escalation as well as a surprisingly easy bypassing of the SIP, sans kernel exploit. Codenamed CVE-2016-1757, the zero-day vulnerability is a Non-Memory Corruption bug. This means that it makes it easy for hackers to do a number of things, such as executing remote code (Remote Code Execution), running custom-made code on your device and even perform sandbox escapes."

In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE-IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-1757 to learn more about this issue.

CVE is mentioned throughout an in a March 22, 2016 article entitled "Here Are 4 Vulnerabilities Ransomware Attacks Are Exploiting Now" on Dark Reading. The main topic of the article is that "there's a common thread in the most recent ransomware attacks: they use four known Adobe Flash Player and Microsoft Silverlight software bugs that have patches available, according to new research published today."

CVE is first mentioned at the beginning of the article when the author states: "So if you haven't already patched recently revealed Flash flaws CVE-2015-7645, CVE-2015-8446, CVE-2015-8651, and Microsoft Silverlight's CVE-2016-0034, you'll "significantly" minimize your risk of getting hit by the latest in ransomware threats if you apply these updates, according to Recorded Future, which analyzed which vulns were being exploited most in ransomware attacks as of March 16."

CVE is mentioned a second time, when the author states: "The Angler, Neutrino, Magnitude, RIG, and Nuclear exploit kits spread the Flash CVE-2015-7645 exploit; Angler spreads Flash CVE-2015-8446; Angler and Neutrino spread Flash CVE-2015-8651; and Angler spreads Silverlight CVE-2016-0034, an exploit exposed in the Hacking Team breach. In addition to patching these four vulns, Recorded Future offers additional recommendations for thwarting ransomware attacks: set Flash to "click to play;" run browser ad-blockers to protect against malvertising-borne attacks; and perform regular backups, especially of shared files, which are often the target of ransomware attacks."

In addition, both Adobe and Microsoft are CVE Numbering Authorities (CNAs), with Adobe assigning CVE-IDs for Adobe issues and Microsoft assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2015-7645, CVE-2015-8446, CVE-2015-8651, and CVE-2016-0034 to learn more about these issues.

CVE is mentioned throughout an in a March 28, 2016 article entitled "Google patches Chrome 49 vulnerabilities" on SC Magazine. The main topic of the article is that Google Inc. "released a patch on Thursday [March 24, 2016] for vulnerabilities affecting the latest version of Chrome for Windows, Mac, and Linux, including several high-risk issues."

The CVE-IDs cited in this article include the following: CVE-2016-1646, CVE-2016-1649, CVE-2016-1647, CVE-2016-1648, and CVE-2016-1650.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE is cited as a product feature in a March 30, 2016 press release entitled "Threat Stack Announces Most Comprehensive Cloud Security Vulnerability Verification: Cloud Security Platform Provides Automated CVE Check Against Every Package Installed" by Threat Stack, Inc.

CVE is mentioned in a quote by Threat Stack's vice president of products and customer advocacy, Venkat Pothamsetty, who states: "Threat Stack wants to keep customers as current as possible on critical CVEs. The Threat Stack Cloud Security Platform compares every single CVE published to every package installed, cross-checks against all corresponding vendor advisories on those packages and pinpoints to the image ID on the affected servers. The extensive approach we take is resulting in the least false positive rate of CVEs in the industry."

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 151 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Beijing Leadsec Technology Co., Ltd.

-

Leadsec Web Application Firewall (Leadsec WAF)

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 151 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Hillstone Networks

-

Intrusion Prevention System

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVE is mentioned in a March 21, 2016 article entitled "Symantec fixes high-risk flaws in Symantec Endpoint Protection" on InfoWorld. The main topic of the article is that Symantec Corporation "fixed three high-risk security vulnerabilities in Symantec Endpoint Protection last week, which serves as a reminder: Security software needs to be regularly patched, too."

All three vulnerabilities are identified by their CVE-ID numbers, as follows: "The cross-site request forgery flaw (CVE-2015-8152) and SQL injection bug (CVE-2015-8153) in the SEP Management Console can be exploited to give authorized users more elevated privileges than originally assigned. These vulnerabilities, if successfully exploited, make it easier for attackers because they no longer need to try to steal administrator-level credentials. They can intercept lower-level user credentials and bump up the privileges as needed." "The third flaw (CVE-2015-8154) was in the SysPlant.sys driver, which Symantec Endpoint Protection loads on Windows clients as part of Application and Device Control (ADC) component. The driver prevents untrusted code from running on Windows systems. If the vulnerability is successfully exploited, the attacker bypasses the ADC to execute malicious code on the system with the same privileges as the logged on user."

In addition, Symantec is a CVE Numbering Authority (CNA), assigning CVE-IDs for Symantec issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2015-8152, CVE-2015-8153, and CVE-2015-8154 to learn more about these issues.

CVE is mentioned in a March 21, 2016 article entitled "Google Updates Android for Linux Kernel Flaw" on eWeek. The main topic of the article is that Google, Inc. issued an "unprecedented mid-month emergency patch update" for a Linux kernel vulnerability. The article also discusses the "Metaphor" exploit for the previously patched Android "Stagefright" vulnerability.

CVE is first mentioned when the author states: "Android Security Advisory 2016-03-18 is an out-of-band update for a privilege escalation vulnerability identified as CVE-2015-1805. As the CVE number implies, the vulnerability dates back to 2015 when it was first discovered in the upstream Linux kernel. While Google did not have a formal patch for the issue until March 18, Google's Verify Apps technology already was identifying and blocking apps that attempted to use the vulnerability. Verify Apps is a Google technology that works for both Google Play apps as well as apps installed from third-party sources as a scanning technology that looks for malicious components. Google noted in its security advisory that the CVE-2015-1805 was set to be included as a formal patch in a future Android update. That plan changed on March 15, when security firm Zimperium reported that it was aware of the CVE-2015-1805 vulnerability being used successfully to exploit a Nexus 5 device."

CVE is mentioned a second time, as follows: "Of note also is the fact that in the scheduled March 7 update, Google patched a high-severity issue identified as CVE-2016-0824 in the Stagefright media library. Google has patched the libstagefright (Stagefright) and Android media libraries multiple times since August 2015…" CVE is then mentioned a third time, when the author states: "In unrelated research, security firm NorthBit reported on March 18 that a Stagefright exploit it referred to as Metaphor is attacking Android. The Metaphor exploit makes use of a vulnerability identified as CVE-2015-3864, which Google patched in August 2015."

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2015-1805, CVE-2016-0824, and CVE-2015-3864 to learn more about these issues.

The recent explosion of Internet-enabled devices—known as the Internet of Things—as well as the propagation of software-based functionality in systems has led to a huge increase in the number of CVE requests we have been receiving on a daily basis. We did not anticipate this rate of growth, and, as a result, were not as prepared for the latest surge in requests over the past 12 months as we had hoped. The result has been some of the delay in CVE assignments that the software security community has recently witnessed.

We recognize the inconvenience that has resulted, and are working hard to come up with a solution.

Last week, we proposed a possible option to our CVE Editorial Board, but some members raised concerns about the approach, and we have withdrawn it from consideration. We are working diligently to come up with a solution that will meet the needs of all the various use cases of CVE.

– The CVE Team, March 21, 2016

CVE has been experiencing an unprecedented demand for vulnerability IDs. We look forward to working with the CVE Editorial Board and the broader vulnerability management community to significantly improve stakeholder communication, and improve and scale CVE operations to reduce ID assignment response times and increase product coverage. Details as they become available will be posted to https://cve.mitre.org/.

– The CVE Team, March 11, 2016

CVE is mentioned in a March 8, 2016 article entitled "Patch Management Still Plagues Enterprise" on Dark Reading. The main topic of the article is that "In spite of years of data showing effective patch management to be some of the lowest-hanging fruit in improving IT risk management, half of enterprises today still aren't getting it right. So says a new survey out today [by Tripwire, Inc.], which queried over 480 IT professionals on their patch management practices."

CVE is mentioned in a quote by Tim Erlin, Director, Product Management, Security and IT Risk Strategist at Tripwire, who states: "The fact is that we, as an industry, consistently conflate vulnerabilities with patches. They are not the same thing! The fact is, we identify known vulnerabilities with CVE IDs, and vendors release increments of code that address some of those CVE IDs. It's not a one-to-one relationship, except when it is, and bundles are common, except from vendors who don't roll up patches. Sometimes patches don't fix all the vulnerabilities, and sometimes they fix multiple vulnerabilities on some platforms but not others. Sometimes a patch is an upgrade, sometimes it's not, and sometimes you can apply an individual patch or an upgrade to fix disparate but overlapping sets of vulnerabilities."

The "Tripwire 2016 Patch Management Study" findings are free to read at http://www.tripwire.com/company/research/tripwire-2016-patch-management-study/.

CVE is mentioned in a March 9, 2016 article entitled "Chrome Update Fixes Three 'High' Severity Vulnerabilities" on ThreatPost. The main topic of the article is that "Google pushed out the latest version of its flagship browser Chrome on Tuesday, fixing three high severity bugs in the process."

CVE is mentioned when the author identifies the three vulnerabilities and notes their severity ratings as determined by Google: "High CVE-2016-1643: Type confusion in Blink"; "High CVE-2016-1644: Use-after-free in Blink"; and "High CVE-2016-1645: Out-of-bounds write in PDFium". All three were discovered by researchers who submitted them to Google's vulnerability reward program.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-1643, CVE-2016-1644, and CVE-2016-1645 to learn more about these issues.

CVE is mentioned in a March 8, 2016 article entitled "Google fixes Android bugs, including lingering Mediaserver flaw" on InfoWorld. The main topic of the article is that Google Inc. "addressed 19 security vulnerabilities, seven of them rated critical, in its latest Android security update. The updates addressed critical security vulnerabilities in the keyring component, MediaTek Wi-Fi Driver, Conscrypt, the libvpx library, Mediaserver component, and the Qualcomm Performance component."

The CVE-IDs cited in this article include the following: CVE-2016-0815, CVE-2016-0816, CVE-2016-0824, CVE-2016-0826, CVE-2016-0827, CVE-2016-0828, CVE-2016-0829, CVE-2016-1621, CVE-2016-0818, CVE-2016-0819, CVE-2016-0728, CVE-2016-0820, CVE-2016-0822, CVE-2016-0821, and CVE-2016-0823.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE is mentioned in a March 8, 2016 article entitled "Microsoft Patches Critical Vulnerabilities in its Browsers" on ThreatPost. The main topic of the article is that Microsoft Corporation recently released 13 security bulletins "including five rated critical and two rated important that could result in remote code execution attacks against compromised machines."

CVE is first mentioned with regard to the bulletin for the Microsoft Edge browser, as follows: "All 11 flaws are memory corruption vulnerabilities and five of those are also applicable to IE, Microsoft said. Edge also is vulnerable to an information disclosure vulnerability, CVE-2016-0125, enabled by Edge's improper handling of the referrer policy. An attacker could use this flaw to learn about the request context or browsing history of a user…"

CVE is mentioned a second time regarding a bulletin that patches "two flaws in Windows Graphic Fonts. A user would have to open a crafted document to exploit the flaw or view a website hosting maliciously crafted embedded OpenType fonts. Only one of the OpenType Font Parsing vulnerabilities, CVE-2016-0121, is rated critical and leads to remote code execution; the other, CVE-2016-0120, is a denial-of-service issue and is rated moderate…." CVE is mentioned a third time regarding a bulletin that patches "patches two flaws in Windows Media that can be exploited via malicious media content to gain remote code execution. Neither CVE-2106-0101, nor CVE-2016-0098, has been publicly attacked, Microsoft said, adding that the patch corrects the way Windows handles resources in the media library."

In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-0125, CVE-2016-0121, CVE-2016-0120, CVE-2016-0101, and CVE-2016-0098 to learn more about these issues.

CVE is mentioned in a March 8, 2016 article entitled "Adobe Patches Reader and Acrobat, Teases Upcoming Flash Update" on ThreatPost. The main topic of the article is that Adobe Systems Incorporated recently released "security updates for its PDF editing and viewing products, Acrobat and Reader, and its ereader for books called Adobe Digital Editions. And while the customary Flash update is missing from today's monthly rollout, Adobe said a new version of the software will be available "in the coming days."

CVE is mentioned when the author discusses Adobe patching three vulnerabilities in its Acrobat and Reader products: "Two of the patches (CVE-2016-1007 and CVE-2016-1009) address memory corruption vulnerabilities, while the third addresses a flaw in the directory search path (CVE-2016-1008). All three can be exploited to remotely execute code on compromised machines, Adobe said, adding that it was not aware of any public attacks against these bugs."

CVE is mentioned again regarding a vulnerability in Adobe Digital Editions, when the author states: "The patch specifically addresses a memory corruption issue (CVE-2016-0954); it has not been publicly attacked, Adobe said, adding that versions 4.5.0 and earlier are affected. Users are urged to update to 4.5.1."

In addition, Adobe is a CVE Numbering Authority (CNA), assigning CVE-IDs for Adobe issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-20161007, CVE-2016-1009, CVE-2016-1008, and CVE-2016-0094 to learn more about these issues.

CVE is mentioned in a March 1, 2016 article entitled "A Third of All HTTPS Websites Are Vulnerable to the DROWN Attack" on Softpedia.

CVE is mentioned when the author states: "The OpenSSL project has released versions 1.0.2g and 1.0.1s to address a high severity security issue known as the DROWN attack (CVE-2016-0800) which allows attackers to break HTTPS and steal encrypted information. DROWN stands for "Decrypting RSA using Obsolete and Weakened eNcryption" and … At its core, the principle behind the DROWN attack relies on the presence of both the SSLv2 and TLS protocols on target machines. DROWN is a cross-protocol attack, meaning it will use weaknesses in the SSLv2 implementation against TLS."

Visit CVE-2016-0800 to learn more about this issue.

"CVE-2015-7547" is cited in numerous major advisories, posts, and news media references related to a recent severe Linux stack-based buffer overflow vulnerability, including the following examples:

• http://www.cio.co.nz/article/594074/use-linux-stop-what-re-doing-apply-patch/
• http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
• http://www.infoworld.com/article/3033862/security/patch-now-unix-bug-puts-linux-android-and-ios-systems-at-risk.html
• https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machines-at-risk/116261/
• http://www.eweek.com/security/linux-systems-patched-for-critical-glibc-flaw.html
• http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
• http://www.techtimes.com/articles/134191/20160217/deadly-linux-bug-puts-millions-of-systems-at-risk-patch-now-available.htm
• https://threatpost.com/magnitude-of-glibc-vulnerability-coming-to-light/116296/
• http://www.itpro.co.uk/security/26060/linux-vulnerability-leaves-thousands-open-to-dns-attack
• http://www.pcworld.com/article/3033451/linux/use-linux-stop-what-youre-doing-and-apply-this-patch.html
• http://www.straitstimes.com/tech/major-computer-security-bug-threatens-thousands-of-devices
• http://news.softpedia.com/news/buffer-overflow-bug-in-glibc-exposes-users-to-attack-from-rogue-dns-servers-500484.shtml

Other news articles may be found by searching on "CVE-2015-7547" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547 includes a list of advisories used as references.

CVE is mentioned in a February 17, 2016 article entitled "Security industry has learned nothing from patching lapses: Report" on IT World Canada. CVE is mentioned as part of the main topic of this article, which is that Hewlett-Packard Enterprise's "HPE Security Research Cyber Risk Report 2016" states that the "most exploited bug in 2015 was a Windows Shell vulnerability (CVE-2010-2568) that was discovered along with a patch issued in 2010 — and patched again in early 2015."

Visit CVE-2010-2568 to learn more about this issue.

CVE is mentioned throughout a February 15, 2016 article entitled "VoIP Phones: Eavesdropping Alert" on Bank Info Security. The main topic of the article is that "VoIP devices built by the likes of Cisco and Snom can be easily exploited with just a couple of lines of JavaScript … if they use the devices' default security settings. Once attackers compromise a device, they can monitor or reroute all calls, surreptitiously activate microphones built into the device to listen to what's being said locally, or upload malicious firmware, amongst other potential attacks."

CVE is mentioned when the author discusses how the "attack would also work against some Cisco VoIP devices. Cisco has confirmed a related vulnerability - CVE-2015-0670 - affects some Cisco Small Business IP phones, but so far has released no patches."

Visit CVE-2015-0670 to learn more about this issue.

CVE is mentioned in a February 2, 2016 article entitled "Fisher-Price Smart Teddy Bear Latest IoT Toy Under Hacker Scrutiny" on eWeek. The main topic of the article is that "When it comes to the emerging Internet of things world, security vulnerabilities can exist almost anywhere, including in a child's teddy bear. Security vendor Rapid7 … disclosed a vulnerability in the Fisher-Price Smart Toy, which could have enabled an attacker to gain access to user information. Rapid7 responsibly disclosed the flaw to Fisher-Price, and the toy vendor has already patched the issue."

CVE is mentioned as follows: "Fisher-Price did not properly secure the Web APIs it uses for the back end of the Smart Toy, potentially giving an attacker access to customer profile information, including name, birthday, gender, language and which toys have been registered. Going a step further … an attacker could have deleted or modified a child's profile. The core flaw, which is identified as CVE-2015-8269, is an improper authentication handling vulnerability. [This means that the] Web back end for the Smart Toy would let anyone attempting to access the site assert that they were any customer ID. Fisher-Price [has] fixed the remote security issues … [and since] … the disclosed issues are all remote, there is no need for end users to patch the local device."

Visit CVE-2015-8269 to learn more about this issue.

CVE is mentioned in a February 1, 2016 article entitled "Google fixes multiple Wi-Fi flaws, mediaserver bugs in Android" on InfoWorld. The main topic of the article is that "Google addressed multiple remote code execution and elevation of privilege vulnerabilities in its Android monthly security update for February. Along with the usual mediaserver suspects, the patches addressed multiple issues in several Wi-Fi components."

The CVE-IDs cited in this article include the following: CVE-2016-0803, CVE-2016-0804, CVE-2016-0810, CVE-2016-0811, CVE-2016-0801, CVE-2016-0802, CVE-2016-0806, CVE-2016-0809, CVE-2016-0805, CVE 2016-0807, CVE-2016-0808, CVE-2016-0812, and CVE-2016-0813.

In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE is mentioned throughout a January 28, 2016 article entitled "OpenSSL patches two vulnerabilities in cryptographic library" on InfoWorld.

CVE is first mentioned as follows: "The OpenSSL project team has patched two vulnerabilities in the cryptographic library and enhanced the strength of existing cryptography used by OpenSSL versions 1.0.1 and 1.0.2", one of which was a "high-priority bug addresses an issue in how some Diffie-Hellman parameters are generated in OpenSSL 1.0.2 (CVE 2016-0701)."

CVE is mentioned two more times in the article with regard to lower-priority bug fixes, as follows: "The other vulnerability, which affects both 1.0.1 and 1.0.2, can let a malicious client negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes (CVE 2015-3197)." "OpenSSL also enhanced the strength of the cryptography used to mitigate the Logjam downgrade vulnerability in TLS. Logjam (CVE 2015-4000) refers to the vulnerability in the TLS protocol that allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit cryptography. This meant that attackers could break and read any encrypted traffic."

Visit CVE-2016-0701, CVE-2015-3197, and CVE-2015-4000 to learn more about these issues.

CVE is mentioned in a January 20, 2016 article entitled "Apple Issues First OS X, iOS Security Updates for 2016" on InfoWorld. The main topic of the article is that "Apple released its first security updates of 2016 on Jan. 19, with the debut of OS X 10.11.3 and IOS 9.2.1, which provides patches for multiple classes of vulnerabilities that could potentially enable attackers to exploit users and their devices."

The CVE-IDs cited in this article include the following: CVE-2016-1722, CVE-2016-1730, CVE-2016-1719, CVE-2016-1720, and CVE-2016-1721.

In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE-IDs for Apple issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE is mentioned in a January 13, 2016 article entitled "Kaspersky Lab discovers Silverlight zero-day vulnerability" on ZDNet. The main topic of the article is that "Kaspersky Lab has discovered a dangerous zero-day vulnerability in Silverlight, potentially placing millions of users at risk … the cybersecurity firm said the vulnerability would allow an attacker to gain full access to a compromised computer and execute malicious code to steal secret information, conduct surveillance and cause wholesale destruction if they so wished." CVE is mentioned as follows: "The vulnerability, CVE-2016-0034, was discovered after Ars Technica revealed an alleged link between exploit and surveillance tool seller…"

Visit CVE-2016-0034 to learn more about this issue.

CVE is mentioned in a January 13, 2016 article entitled "Microsoft fixes critical flaws in Windows, Office, Edge, IE, other products" on InfoWorld. The main topic of the article are the fixes included in Microsoft's Patch Tuesday for January: "Microsoft has released the first batch of security updates for 2016 and they include critical fixes for remote code execution flaws in Windows, Office, Edge, Internet Explorer, Silverlight and Visual Basic."

CVE is first mentioned when the author states: "In total, Microsoft issued 9 security bulletins covering patches for 24 vulnerabilities. According to Wolfgang Kandek, the CTO of security firm Qualys, administrators should prioritize the MS16-005 security bulletin, especially for systems running Windows Vista, 7 and Server 2008. This patch addresses a remote code execution vulnerability tracked as CVE-2016-0009 that has been publicly disclosed, making attacks more likely."

CVE is mentioned a second time, as follows: "The second most important bulletin, according to Qualys, is MS16-004, which addresses six vulnerabilities in Microsoft Office. This bulletin is rated critical, which has been unusual for Microsoft Office in the recent past. The culprit for this severity rating is one particular remote code execution vulnerability tracked as CVE-2016-0010 that's present in all versions of Office from 2007 to 2016, even those running on Mac and Windows RT…."

In addition, Microsoft is a CVE Numbering Authority (CNA), assigning CVE-IDs for Microsoft issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Visit CVE-2016-0009 and CVE-2016-0010 to learn more about these issues.

CVE was the main topic of several news media articles about the number of CVE-IDs issued to different platforms in 2015. The "Top 50 Products By Total Number Of "Distinct" Vulnerabilities in 2015" list was published by CVE Details, which takes CVE vulnerability data from the U.S. National Vulnerability Database (NVD), which is itself based upon the CVE List, and presents it in "an easy to use web interface to CVE vulnerability data." CVE Details is listed in the CVE Compatibility Program.

Examples of the news media articles about the list include the following:

• http://www.theregister.co.uk/2016/01/04/apple_had_more_cves_than_any_single_ms_product_in_2015_but_it_doesnt_really_matter/
• http://news.softpedia.com/news/apple-software-tops-vulnerability-list-microsoft-the-leading-company-498372.shtml
• http://www.ghacks.net/2016/01/04/and-the-product-with-the-most-distinct-vulnerabilities-in-2015-is/
• http://www.opptrends.com/2016/01/surprise-apple-inc-aapl-topped-cve-count-2015/
• http://betanews.com/2016/01/02/windows-doesnt-top-the-vulnerability-list-for-2015-but-microsoft-as-a-whole-does/
• http://www.neowin.net/news/2015-number-of-software-vulnerabilities-led-by-mac-os-x-ios-and-flash
• https://www.hackread.com/apples-os-x-most-vulnerable-software-of-2015/
• http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/
• http://dazeinfo.com/2016/01/06/apple-microsoft-adobe-mac-os-ios-flash-most-vulnerabie-apps-os/
• http://www.macworld.com/article/3019003/security/lies-damned-lies-and-these-lies-security-numbers-don-t-tell-the-story.html 

Review the list at http://www.cvedetails.com/top-50-products.php?year=2015. To review or research CVE vulnerability content, visit NVD and CVE.