News & Events

Right-click and copy a URL to share an article. Send feedback about this page to cve@mitre.org.

iScan Online Makes Declaration of CVE Compatibility

April 16, 2015 | Share this article

iScan Online, Inc. declared that its vulnerability detection and financial risk analytics product, Data Breach Risk Intelligence Platform, is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

Interition Makes Declaration of CVE Compatibility

April 16, 2015 | Share this article

Interition Ltd. declared that its software code knowledge base, Sparqlycode, is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

CVE Identifiers Used throughout Google's "Android Security 2014 Year in Review" Report

April 10, 2015 | Share this article

CVE-IDs are mentioned throughout Google, Inc.'s "Google Report Android Security 2014 Year in Review" to uniquely identify many of the vulnerabilities referenced in the report text. According to Google's Android Security State of the Union 2014 blog post on April 2, 2015, the report "analyzes billions (!) of data points gathered every day during 2014 and provides comprehensive and in-depth insight into security of the Android ecosystem. We hope this will help us share our approaches and data-driven decisions with the security community in order to keep users safer and avoid risk."

Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

The free report is available for download at http://googleonlinesecurity.blogspot.com/2015/04/android-security-state-of-union-2014.html.

CVE Mentioned in Article about a "Critical Backdoor Flaw in OS X 10.10.3" on eWeek

April 10, 2015 | Share this article

CVE is mentioned in an April 9, 2015 article entitled "Apple Patches Critical Backdoor Flaw in OS X 10.10.3" on eWeek. CVE is first mentioned when the author states: Among the security issues patched in OS X 10.10.3 is a security vulnerability in its administration framework. The issue, identified as CVE-2015-1130, was reported by security researcher Emile Kvarnhammar, CEO at TrueSec. … While Apple has now fixed the CVE-2015-1130 in the 10.10.3 update for users of Apple's Yosemite OS 10.10 operating system, older OS X systems are also at risk."

CVE is mentioned a second time, when the author states: "Apple also has nine patches in OS X 10.10.3 for various OS X kernel vulnerabilities. Among the patched kernel flaws is CVE-2015-1103, which was discovered by Zimperium Mobile Security Labs. According to Apple's advisory, the flaw could have enabled an attacker to redirect user traffic to arbitrary hosts."

CVE is mentioned a third time, when the author states: "Apple is also providing its OS X users with the Safari 8.0.5 update. Seven security updates in the Safari browser are specifically for the WebKit rendering engine. One particularly nasty flaw fixed in Safari is CVE-2015-1129, an SSL/TLS tracking issue. According to Apple, the vulnerability could have enabled users to be tracked by malicious Websites using client certificates."

Visit CVE-2015-1130 and CVE-2015-1129 to learn more about the issues cited above.

CVE Identifier "CVE-2015-0932" Cited in Numerous Security Advisories and News Media References about a Zero-Day Hotel Wi-Fi Network Vulnerability

April 10, 2015 | Share this article

"CVE-2015-0932" is cited in numerous major advisories, posts, and news media references related to a zero-day hotel Wi-Fi network vulnerability, including the following examples:

Other news articles may be found by searching on "CVE-2015-0932" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0932 includes a list of advisories used as references.

CVE Mentioned in Article about an Exploit Targeting the Middle East Energy Industry on ZDNet

April 10, 2015 | Share this article

CVE is mentioned in a March 31, 2015 article entitled "Reconnaissance malware wave strikes energy sector: Symantec says a new Trojan-based campaign, focused on the Middle East, is targeting the energy industry and its trade secrets" on ZDNet. CVE is mentioned when the author states: "Symantec says the initial attack vector stems from the moneytrans[.]eu domain, which acts as an SMTP server. Emails sent from this domain contain a malicious file containing an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). Once a victim clicks on the email and opens the attachment -- usually in the guise of an Excel file -- Laziok is dropped."

Visit CVE-2012-0158 to learn more about the issue cited above.

CVE Mentioned in Article about Microsoft's March 2015 Patch Tuesday on NetworkWorld

April 10, 2015 | Share this article

CVE is mentioned in a March 10, 2015 article entitled "March 2015 Patch Tuesday: 5 of 14 rated Critical and Microsoft issues a fix for FREAK" on NetworkWorld. CVE is mentioned when the author quotes Tripwire, Inc. security researcher Craig Young, as follows: "While Microsoft's fix to nix the FREAK attack seems to be getting all the love, "enterprises should know by now the importance of patching critical Office and Explorer vulnerabilities; MS15-027, a NETLOGON spoofing vulnerability, could be just as important to an enterprise," [Young] added. "The underlying vulnerability, CVE-2015-0005, could enable a successful attacker to move deeper into a network after breaching a workstation through a separate attack. For example an intruder could use the Office defect to gain low-level access into a network and then use impersonation techniques leveraging CVE-2015-0005 to further penetrate the network. The risk of APT and insider threat make it imperative that enterprises patch their domain controllers with MS15-027 immediately."

Visit CVE-2015-0005 to learn more about the issue cited above.

CVE Mentioned in Article about Stuxnet on eWeek

April 10, 2015 | Share this article

CVE is mentioned throughout a March 10, 2015 article entitled "Stuxnet Flaw Finally Gets Patched After More Than 4 Years" on eWeek. CVE is mentioned when the author states: "The Stuxnet worm was an exploit that was used against a nuclear facility in Iran back in 2010, in part by taking advantage of a vulnerability in Windows. The vulnerability that enabled Stuxnet was identified as CVE-2010-2568, which was thought to have been patched by Microsoft in October 2010. More than four years later, Hewlett-Packard's (HP) Zero Day Initiative (ZDI) has discovered that the CVE-2010-2568 fix was not, in fact, complete and the underlying vulnerability has remained exploitable the whole time."

CVE is mentioned a second time when the author notes that a second CVE Identifier has been issued: "The proof-of-concept code exploits that HP's ZDI provided to Microsoft on the security flaw were designed to bypass the validation checks put in place by MS10-046, the bulletin released in 2010 to patch CVE-2010-2568, [vulnerability research manager for HP Security Research Brian Gorenc said]. Rather than update the CVE-2010-2568 vulnerability information, a new identifier has been assigned with CVE 2015-0096 to encompass the expanded impact."

CVE is mentioned a third time in another quote by Gorenc, who states: "CVE-2015-0096 is a vulnerability in the Microsoft Windows operating system that allows remote attackers to execute arbitrary code by having the target simply browse to a directory containing a malicious .LNK file. The patch for CVE-2010-2568 did not completely address the issues present in the Windows Shell, and the weaknesses left are now being resolved five years later as CVE-2015-0096."

Visit CVE-2010-2568 and CVE-2015-0096 to learn more about the issues cited above.

1 Product from ToolsWatch Now Registered as Officially "CVE-Compatible"

March 27, 2015 | Share this article

cve compatible image

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 147 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

ToolsWatch - vFeed API and Vulnerability Database Community

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVE Mentioned in Article about a Vulnerability in a Wind Turbine on The Register

March 27, 2015 | Share this article

CVE is mentioned in a March 24, 2015 article entitled "Wind turbine blown away by control system vulnerability: Cross-site request forgery flaw takes the wind out of renewable energy" on The Register.

CVE is mentioned at the beginning of the article, when the author states: "It had to happen, we suppose: since even a utility-grade wind turbine might ship with a handy Webby control interface, someone was bound to do it badly. That's what's emerged in a new ICS-CERT advisory: CVE-2015-0985 details how turbines from US manufacturer XZERES allow the user name and password to be retrieved from the company's 442 SR turbine. As the advisory notes, "This exploit can cause a loss of power for all attached systems". The turbine in question is, according to the company, "deployed across the energy sector" worldwide."

Visit CVE-2015-0985 for more information about this issue.

CVE Identifier "CVE-2011-2461" Cited in Numerous Security Advisories and News Media References about a Still Exploitable 4-Year-Old Adobe Flex Vulnerability

March 27, 2015 | Share this article

"CVE-2011-2461" is cited in numerous major advisories, posts, and news media references related to a still exploitable four-year-old Adobe Flex vulnerability, including the following examples:

Other news articles may be found by searching on "CVE-2011-2461" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2461 includes a list of advisories used as references.

CVE Identifiers "CVE-2015-0204" and "CVE-2015-0291" Cited in Numerous Security Advisories and News Media References about the FREAK Vulnerability

March 20, 2015 | Share this article

"CVE-2015-0204" and "CVE-2015-0291" are cited in numerous major advisories, posts, and news media references related to the recent FREAK vulnerability, including the following examples:

Other news articles may be found by searching on "CVE-2015-0204" and "CVE-2015-0291" using your preferred search engine. Also, the CVE Identifier pages https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0291 each includes a list of advisories used as references.

CVE Editor's Commentary Blog Updated with Post about Turnaround Times on Requests for CVE-IDs

March 20, 2015 | Share this article

One new post has been added to the CVE-Specific section of the CVE Editor's Commentary blog in the CVE List section: "Update on Turnaround Times for CVE-Assign Requests."

The CVE Editor's Commentary blog includes opinion and commentary about CVE, vulnerabilities, software assurance, and related topics by CVE List Editor Steve Christey Coley. Posts are either Community Issues or CVE-Specific.

CVE Included in Google's Recently Updated Vulnerability Disclosure Policy

March 3, 2015 | Share this article

CVE is included in Google Inc.'s refined Vulnerability Disclosure Policy, as described in a February 13, 2015 blog post entitled "Feedback and data-driven updates to Google's disclosure policy" on its Project Zero blog. CVE is mentioned as bullet 3 of 3 as improvements to the policy, as follows: "Assignment of CVEs. CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it's important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, we'll ensure that a CVE has been pre-assigned."

Release of the updated policy also resulted in CVE being cited in numerous major news media references and posts, including the following examples:

Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome, Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

CVE-IDs Used throughout Article about "HP's Cyber Risk Report 2014" on Techworld

March 3, 2015 | Share this article

CVE-IDs are used throughout a February 23, 2015 article entitled "The top software exploit of 2014? The Stuxnet XP flaw from 2010, reckons HP" on TechWorld.com to uniquely identify the vulnerabilities discussed. CVE is mentioned at the very beginning of the article when the author states: "For cyber-attackers, the old flaws are still the best, according to HP's Cyber Risk Report 2014 and it has a startling piece of evidence to back up its claim – the most commonly exploited software vulnerability for last year was the infamous .lnk flaw in Windows XP made famous by Stuxnet in the distant summer of 2010. Designated CVE-2010-2568, this on its own accounted for a third of all exploits the firm detected being used against its customers, just ahead of the even older CVE-2010-0188, a flaw in Adobe's Reader and Acrobat, responsible for 11 percent of exploits." Other CVE-IDs discussed in the article include CVE-2009-3129 for a Microsoft Office issue; CVE-2014-0322 and CVE-2014-0307, both for Internet Explorer issues, and CVE-2013-4787 for the Android Master Key vulnerability. An illustrated chart is also included with the article listing 10 security flaws, each of which is identified by its CVE-ID number.

Visit CVE-2010-2568, CVE-2010-0188, CVE-2009-3129, CVE-2014-0322, CVE-2014-0307, CVE-2013-4787 and to learn more about the issues noted above.

CVE-IDs Used throughout Article about "HP's Cyber Risk Report 2014" on SC Magazine

March 3, 2015 | Share this article

CVE is mentioned in a February 23, 2015 article entitled "Older vulnerabilities a top enabler of breaches, according to report" on SC Magazine about the "HP Cyber Risk Report 2015". CVE is mentioned at the outset of the article when the author states: "Organizations are not properly patching their systems and networks, according to the HP Cyber Risk Report 2015, which took a look back at the threat landscape in 2014 and noted that 44 percent of known breaches were possible due to vulnerabilities identified years ago. Accounting for 33 percent of identified exploit samples in 2014 is CVE-2010-2568, a popular Microsoft Windows vulnerability that was used as one of the infection vectors for Stuxnet, Jewel Timpe, senior manager of threat research at HP Security Research, told SCMagazine.com on Monday." CVE is mentioned a second time when the author states: "The report shows that CVE-2010-0188, a vulnerability in Adobe Reader and Acrobat, accounted for 11 percent of exploit samples in 2014. Six Oracle Java bugs identified in 2012 and 2013 also made the top ten list, as well as two Microsoft Office flaws – one identified in 2009 and the other in 2012."

Visit CVE-2010-2568 and CVE-2010-0188 to learn more about the issues noted above.

CVE Mentioned in Article about Firefox Vulnerabilities on The Register

March 3, 2015 | Share this article

CVE is mentioned in a February 26, 2015 article entitled "Firefox 36 swats bugs, adds HTTP2 and gets certifiably serious: Three big bads, six medium messes and 1024-bit certs all binned in one release" on The Register. CVE is mentioned when the author states: "Mozilla has outfoxed three critical and six high severity flaws in its latest round of patches for its flagship browser. It stomps out memory safety bugs, exploitable use-after-free crashes, and a buffer overflow. Of the critical crashes, bad guys could potentially craft attacks targeting MP4 video playback through a buffer overflow in the libstagefright library (CVE-2015-0829). Another potential exploitable crash that is unlikely to be a threat in email clients where scripting was disabled centres on a use-after-free flaw for specific web content with IndexedDB (CVE-2015-0831). The third are a bunch of memory bugs (CVE-2015-0836) (CVE-2015-0835) Mozilla and its fans found in the engine behind the company's products including Firefox browser that dedicated attackers could probably exploit, given enough coffee."

Visit CVE-2015-0829, CVE-2015-0831, CVE-2015-0836, and CVE-2015-0835 to learn more about these issues.

CVE Mentioned in Article about a Samba Vulnerability on The Register

March 3, 2015 | Share this article

CVE is mentioned in a February 24, 2015 article entitled "Samb-AAAHH! Scary remote execution vuln spotted in Windows-Linux interop code" on The Register. CVE is mentioned at the outset of the article when the author states: "Linux admins were sent scrambling to patch their boxes on Monday after a critical vulnerability was revealed in Samba, the open source Linux-and-Windows-compatibility software. The bug, which has been designated CVE-2015-0240, lies in the smbd file server daemon. Samba versions 3.5.0 through 4.2.0rc4 are affected, the Samba Project said in a security alert. An attacker who successfully exploits the flaw could potentially execute code remotely with root privileges, the project's developers warned. Root access is automatic and no login or authentication is necessary."

Visit CVE-2015-0240 to learn more about this issue.

CVE Mentioned in Article about an Apple Macintosh Vulnerability on Techlicious

March 3, 2015 | Share this article

CVE is mentioned in a February 18, 2015 article entitled "The Best Mac Security Software" on Techlicious. CVE is mentioned when the author states: "Many Mac owners may be under the impression that their computers don't need antivirus protection. They're inherently safer, right? While there are fewer Trojan horses, viruses and worms designed to attack Macs than PCs, that doesn't mean they're immune to infection. … In fact, a serious threat to Macs was verified as recently as December 2014, according to the National Vulnerability Database. To combat this threat, Apple issued its first ever automatic security update for Mac computers in December. (Previously, Mac users would initiate the security updates themselves.) The bug, CVE-2014-9295, could enable hackers to gain remote control of machines through a vulnerability with the network time protocol, or NTP, which synchronizes a computer's clock. It was serious enough that Apple didn't want to wait for users to fix it themselves, according to Reuters."

Visit CVE-2014-9295 to learn more about this issue.

CVE Mentioned in Article about Android "Corrupdate" Vulnerability on Android Headlines

March 3, 2015 | Share this article

CVE is mentioned in a February 18, 2015 article entitled "NowSecure Provides Fix For Serious Vulnerabilities Found In 80 Percent Of Samsung Devices Last Year" on Android Headlines. CVE is mentioned at the outset of the article, when the author states: "A major vulnerability, named "Corrupdate" because of the methods used to gain access to a pair of system applications from Samsung, has been announced; it affects nearly 80% of all Samsung Android devices including the Galaxy S5 and Note 4. The vulnerability was discovered by security researchers Ryan Welton and Jake Van Dyke of NowSecure. NowSecure, a mobile security vendor, reported the issues to Samsung and assisted with creating a patch for the affected devices. They also have confirmed that the patch that was created has appeared to work. This vulnerability affects The Samsung Account and Samsung GALAXY Applications or on some devices may be called Samsung Apps and Samsung Updates, and because they are system applications, they cannot be uninstalled. For those of you who track vulnerabilities, GALAXY Apps has been assigned CVE-2015-0863 and Samsung Account has been assigned CVE-2015-0864."

Visit CVE-2015-0863 and CVE-2015-0864 to learn more about these issues.

CVE Mentioned in Article about Malware Research Presentations at Black Hat Asia 2015 on DarkReading.com

March 3, 2015 | Share this article

CVE is mentioned in a February 26, 2015 article entitled "Black Hat Asia 2015: Target: Malware" on DarkReading.com. The main topic of the article is the upcoming Black Hat Asia 2015 conference being held on March 24- 27, 2015 in Singapore, and how "Hostile software is ever evolving, and Black Hat-associated research is one of the key loci of information on monitoring, defending against, and nullifying it. With that in mind, today we'll preview a quartet of interesting malware-related Briefings from Black Hat Asia 2015."

CVE is mentioned with regard to one of the malware-related briefings, when the author states: "The Security Content Automation Protocol (SCAP) comprises a number of open standards meant to enumerate system vulnerabilities and malware characteristics via components like Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), and Malware Attribute Enumeration and Characterization (MAEC), which all capture high-fidelity data in XML. Unfortunately, their XML schemes lack mutual compatibility, making deeper cross-analysis difficult. Security Content Metadata Model with an Efficient Search Methodology for Real Time Monitoring and Threat Intelligence proposes a low-impact way to modify these schema which will result in more powerful analyses that can resolve vulnerabilities before they're exploited."

2nd Product from Beijing Netpower Technologies Now Registered as Officially "CVE-Compatible"

February 12, 2015 | Share this article

cve compatible imageOne additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 146 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Beijing Netpower Technologies Inc. - Netpower Network Intrusion Detection System

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

ToolsWatch Makes Declaration of CVE Compatibility

February 12, 2015 | Share this article

ToolsWatch declared that its open source correlated and cross-linked vulnerability XML vulnerability database, vFeed API and Vulnerability Database Community, is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

CVE Identifier "CVE-2015-0313" Cited in Numerous Security Advisories and News Media References about a Zero-Day Adobe Flash Vulnerability

February 12, 2015 | Share this article

"CVE-2015-0313" was cited in numerous major advisories, posts, and news media references related to the recent zero-day Adobe Flash vulnerability, including the following examples:

Other news articles may be found by searching on "CVE-2015-0313" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0313 includes a list of advisories used as references.

1 Product from WPScan Now Registered as Officially "CVE-Compatible"

February 4, 2015 | Share this article

cve compatible imageOne additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 145 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

WPScan - WPScan Vulnerability Database

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

1 Product from Beijing Netpower Technologies Now Registered as Officially "CVE-Compatible"

February 4, 2015 | Share this article

cve compatible imageOne additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 145 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Beijing Netpower Technologies Inc. - Netpower Network Vulnerability Scanner

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVE Identifier "CVE-2015-0235" Cited in Numerous Security Advisories and News Media References about "Ghost" Vulnerability

January 30, 2015 | Share this article

"CVE-2015-0235" was cited in numerous major advisories, posts, and news media references related to the recent Ghost vulnerability, including the following examples:

Other news articles may be found by searching on "CVE-2015-0235" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 includes a list of advisories used as references.

CVE Mentioned in Article about Disclosing and Patching Vulnerabilities on Tripwire's State of Security Blog

January 30, 2015 | Share this article

CVE is mentioned in a January 20, 2014 article about responsible vulnerability disclosure entitled "Hacker halted… What is it?" on the Tripwire, Inc.'s State of Security blog. The article is a follow-up to a presentation by Tripwire's Vulnerability and Exposures Research Team at "Hacker Halted 2014" about the vulnerability disclosure process and the turnaround times for creating patches.

CVE is mentioned in a section of the article entitled "Responsible Disclosure," when the author states:

"There are a few steps to properly disclose a vulnerability to a vendor.

  1. Determine if the vendor is a CVE Numbering Authority (CNA). If they are ([MITRE] maintains a list at: https://cve.mitre.org/cve/cna.html), you can contact the vendor directly. If they aren't, you can request a CVE from [MITRE].
  2. Determine the vendor security contact.
  3. Send all relevant information to the contact.
  4. You now have to follow up with the vendor until the issue has been resolved. Once resolved and a patch has been released you can release your information about the vulnerability to the public."

The author concludes the article as follows: "If we don't properly disclose vulnerabilities, we not only hurt ourselves but we hurt others. It's like driving home drunk — the moment you get into your vehicle you put your life, and others, at risk. While a vulnerability may not be as dire, we need to work together with the vendors to properly disclose and fix vulnerabilities."

First CVE-IDs Issued in New Numbering Format Now Available

January 13, 2015 | Share this article

The first ever CVE-ID numbers issued in the new CVE-ID numbering format were posted on January 13, 2015 for vulnerabilities disclosed in 2014: CVE-2014-10001 with 5 digits and CVE-2014-100001 with 6 digits.

The format of CVE-ID numbers was changed a year ago this month in January 2014 so that the CVE project can track 10,000 or more vulnerabilities for a given calendar year. Previously, CVE-IDs were restricted to four digits at the end in the sequence number portion of the ID, for example "CVE-2014-0160", but this four-digit restriction only allowed up to 9,999 vulnerabilities per year. With the new format, CVE-ID numbers may have 4, 5, 6, 7, or more digits in the sequence number if needed in a calendar year. For example, the just released "CVE-2014-10001" with 5 digits in the sequence number and "CVE-2014-100001" with 6 digits in the sequence number, or CVE-2014-XXXXXXX with 7 digits in the sequence number, and so on.

Additional CVE-IDs in the new format with 5 and 6 digits in the sequence number were also issued today—CVE-2014-10001 through CVE-2014-10039 with 5 digits, and CVE-2014-100001 through CVE-2014-100038 with 6 digits—to also identify vulnerabilities disclosed in 2014. Enter these CVE-ID numbers on the CVE List search page to learn more about each issue.

Please report any problems, or anticipated problems, that you encounter with CVE-IDs issued in the new format to cve-id-change@mitre.org.

CVE Editor's Commentary Page Updated

January 13, 2015 | Share this article

One new item has been added to the CVE-Specific section of the CVE Editor's Commentary page in the CVE List section: "CVE-IDs Posted Today for the First Time Using the New ID Syntax."

The CVE Editor's Commentary page includes opinion and commentary about CVE, vulnerabilities, software assurance, and related topics by CVE List Editor Steve Christey. Posts are either Community Issues or CVE-Specific.

CVE Mentioned in Article about Vulnerabilities in Software Libraries on TechWorld.com

January 8, 2015 | Share this article

CVE is mentioned in a January 5, 2015 article entitled "Think that software library is safe to use? Think again…" on TechWorld.com. The main topic of the article is that third-party software code libraries and components are not bug-free and that the "major patching efforts triggered by the Heartbleed, Shellshock and POODLE flaws last year highlight the effect of critical vulnerabilities in third-party code. The flaws affected software that runs on servers, desktop computers, mobile devices and hardware appliances, affecting millions of consumers and businesses."

CVE is first referenced as an example when the author states: "One example… is a vulnerability discovered in 2006… The flaw was among several that affected LibTIFF and were fixed in a new release at the time. It was tracked as CVE-2006-3459 in the Common Vulnerabilities and Exposures database." CVE is mentioned again in a quote about this example by Risk Based Security, Inc.'s Chief Research Officer, Carsten Eiram, who states: "In 2010, a vulnerability was fixed in Adobe Reader, which turned out to be one of the vulnerabilities covered by CVE-2006-3459. For four years, a vulnerable and outdated version of LibTIFF had been bundled with Adobe Reader, and it was even proven to be exploitable. Adobe Systems has since become one of the software vendors taking the threat of flaws in third-party components seriously. They've made major improvements to their process of tracking and addressing vulnerabilities in the third-party libraries and components used in their products."

Visit CVE-2006-3459 to learn more about the issue cited above. To learn about "Heartbleed" see CVE-2014-0160; for "Bash Shellshock" see CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278; and for "POODLE" see CVE-2014-3566.

CVE Identifier "CVE-2014-9295" Cited in Numerous Security Advisories and News Media References about the Apple/Linux Network Time Protocol Vulnerability

January 8, 2015 | Share this article

"CVE-2014-9295" was cited in numerous major advisories, posts, and news media references related to the recent Network Time Protocol vulnerability affecting Apple and Linux operating systems, including the following examples:

Other news articles may be found by searching on "CVE-2014-9295" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295 includes a list of advisories used as references.

CVE Identifier "CVE-2014-9222" Cited in Numerous Security Advisories and News Media References about "Misfortune Cookie" Vulnerability

January 8, 2015 | Share this article

"CVE-2014-9222" was cited in numerous major advisories, posts, and news media references related to the recent Misfortune Cookie vulnerability, including the following examples:

Other news articles may be found by searching on "CVE-2014-9222" using your preferred search engine. Also, the CVE Identifier page https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9222 includes a list of advisories used as references.

CVE Identifier "CVE-2014-9390" Cited in an Article about a Git Source Code Management System Vulnerability on eWeek

January 8, 2015 | Share this article

"CVE-2014-9390" was cited in a December 20, 2014 article entitled "Git Vulnerability Exposed; Patch Now or Be Hacked Later" on eWeek.com. CVE is mentioned at the beginning of the article when the author states: "A new vulnerability has been reported and was patched on Dec. 18 in the widely used open-source Git source-code management system. The vulnerability has been identified as CVE-2014-9390 and impacts Git clients running on Windows and Mac OS X. Git is an open-source source-code management system used by developers on Linux, Windows and Mac OS X, and includes both a host server-side component as well as a local client on developer machines. Git is also the open-source technology behind the popular GitHub code repository. Linus Torvalds, best known as the creator of the open-source Linux operating system, developed Git. Somewhat ironically, the author of the rival Mercurial open-source version control system first discovered the CVE-2014-9390 issue, which also impacts Mercurial."

CVE is mentioned again when the author notes that patches are now available for the issue: "The fix for the CVE-2014-9390 vulnerability is now present in the new Git v2.2.1 release and has also been patched in Mercurial version 3.2.3. Although the issue only directly affects Windows and Mac OS X users, Linux users are also being advised to be cautious." CVE is mentioned for a third time at the end of the article, as follows: "Metasploit is often the first place where new exploits come for security researchers to be able to test vulnerabilities. It is likely that an exploit for CVE-2014-9390 will find its way into Metasploit at some point to be able to demonstrate the vulnerability."

Visit CVE-2014-9390 to learn more about this issue.

CVE Mentioned in Article about Critical Infrastructure Attacks on Infosecurity Magazine

December 18, 2014 | Share this article

CVE is mentioned in a December 11, 2014 article entitled "ICS-CERT: BlackEnergy Attacks on Critical Infrastructure" on Infosecurity-Magazine.com. The main focus of the article is a "sophisticated malware campaign that has compromised numerous industrial control systems (ICS) environments using a variant of the BlackEnergy malware appears to be targeting internet-connected human-machine interfaces (HMIs). The BlackEnergy campaign has been ongoing since at least 2011, and the United States' ICS-CERT recently published information and technical indicators about it… "

CVE is mentioned when the author states: "Typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. Analysis suggests that the actors likely used automated tools to discover and compromise vulnerable systems as an initial vector. For instance, the organization's analysis has identified that systems running GE's Cimplicity HMI with a direct connection to the internet are being targeted using an exploit for a vulnerability in GE's Cimplicity HMI product that has been known since at least January 2012. GE has patched the vulnerability, CVE-2014-0751, so users should update their systems immediately."

Visit CVE-2014-0751 to learn more about this issue.

CVE Mentioned in Article about Microsoft's Patch Tuesday for December on eWeek

December 18, 2014 | Share this article

CVE is mentioned in a December 9, 2014 article entitled "Microsoft Fixes 24 Flaws in 2014's Last Patch Tuesday" on eWeek.com.

CVE is mentioned at the very beginning of the article when the author states: "Microsoft came out with its December Patch Tuesday update, marking the final set of regularly scheduled security updates for 2014. In total, Microsoft is fixing 24 unique Common Vulnerabilities and Exposures (CVEs) this month, across seven security advisories. Of those seven security advisories, Microsoft rated only three as critical. One of the critical advisories is MS14-080, which patches 14 CVEs in Microsoft's Internet Explorer (IE) Web browser. The December CVE count in IE is actually a decline from the 17 CVEs patched in November's Patch Tuesday update."

Visit the Microsoft Security Bulletin Summary for December 2014 for more information about these issues.

CVE Mentioned in Article about Branding Vulnerabilities with "Catchy Names and Logos" on ZDNet

December 18, 2014 | Share this article

CVE is mentioned in a November 25, 2014 article entitled "The branded bug: Meet the people who name vulnerabilities" on ZDNet.com. The main topic of the article is that "As 2014 comes to a close, bugs are increasingly disclosed with catchy names and logos. Heartbleed's branding changed the way we talk about security, but is making a bug 'cool' frivolous or essential?"

CVE is first mentioned in a section of the article entitled "Can attackers be thwarted with marketing?", as follows: "Heartbleed — birth name CVE-2014-0160 — became a household term overnight, even though average households still don't actually understand what it is. The media mostly didn't understand what Heartbleed was either, but its logo was featured on every major news site in the world, and the news spread quickly. Which was good, because for the organizations who needed to remediate Heartbleed, it was critical to move fast."

CVE is mentioned again when the author states: "The next "big bug" after Heartbleed was Shellshock — real name CVE-2014-6271 [and CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278]. Shellshock didn't have a company's pocketbook or marketing team behind it. So, despite the fact that many said Shellshock was worse than Heartbleed (rated high on severity but low on complexity, making it easy for attackers), creating a celebrity out of Shellshock faced an uphill climb."

Visit CVE-2014-0160 to learn about Heartbleed and CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278 to learn more about Shellshock.

CVE Mentioned in Article about Vulnerabilities in Surveillance DVRs on The Register

December 18, 2014 | Share this article

CVE is mentioned in a November 21, 2014 article entitled "HACKERS can DELETE SURVEILLANCE DVRS remotely – report" on The Register.

Four different CVE-IDs are cited in the article as follows: "Security researchers at Rapid7 discovered that 150,000 of Hikvision DVRs devices could be accessed remotely. Rapid7 warns that DVRs exposed to the internet are routinely targeted for exploitation. "This is especially troubling given that a similar vulnerability (CVE-2013-4977) was reported last year, and the product still appears unpatched out of the box today," researchers at the firm behind the Metasploit penetration testing tool conclude. A blog post (extract below) by Rapid7, the firm behind the Metasploit penetration testing tool, explains the vulnerabilities at play in greater depth. "[Hikvision] DS-7204 and other models in the same product series that allow a remote attacker to gain full control of the device. More specifically, three typical buffer overflow vulnerabilities were discovered in Hikvision's RTSP request handling code: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880. This blog post serves as disclosure of the technical details for those vulnerabilities. In addition, a remote code execution through a Metasploit exploit module has been published." No authentication (login) is required to exploit this vulnerability. The Metasploit module demonstrates how unpatched security bugs would enable hackers to gain control of a vulnerable device while sitting behind their keyboard, potentially thousands of miles away."

Visit CVE-2013-4977, CVE-2014-4878, CVE-2014-4879, and CVE-2014-4880 for more information about these issues.

CVE Mentioned in Article about Adopting Open Source on GCN.com

December 18, 2014 | Share this article

CVE is mentioned in a November 13, 2014 article entitled "6 tips for adopting open source," on GCN.com.

CVE is mentioned in section 4 of the article, "Master navigation of vendor vulnerability databases and tools to minimize vulnerability windows," in which the author states: "When a data center is vulnerable to security flaws, the window of attack needs to be patched immediately. The best way to do so is to choose software that is officially compatible with CVE, the set of standard identifiers for publicly known security vulnerabilities and exposures. When a vulnerability is recognized, it's assigned a CVE number. This gives multiple vendors a single identifier to determine their vulnerability in a consistent and measurable way. Many open source projects and communities don't consistently track against CVEs, but several companies who commercialize these projects do, so choose wisely. In addition to tracking the CVEs, admins can use OpenSCAP to do vulnerability scans. OpenSCAP can use Open Vulnerability and Assessment Language (OVAL) content to scan systems for known vulnerabilities where remediation is available. The trick is to ensure your chosen vendors provide OVAL content consistently, so again, choose wisely."

The article was also posted on November 24, 2014 with the same title, "6 tips for adopting open source," on OpenSource.com.

 
Page Last Updated: April 16, 2015