
CVE Announce - March 14, 2024 (opt-in newsletter from the CVE website)

1. Public Review Period for “CNA Operational Rules” Document Open March 6-20

2. Six Additional Organizations Added as CVE Numbering Authorities (CNAs)

3. Phase 3 of Legacy CVE Download Formats Deprecation Now Underway

4. MegaZone of F5 Joins CVE Board as CNA Liaison

5. Get Ready for CVE/FIRST VulnCon 2024 on March 25-27, 2024!

6. CVE in the News

7. Keeping Up with CVE

 

 

Public Review Period for “CNA Operational Rules” Document Open March 6-20


Members of the CVE community are encouraged to review and comment on the CVE Program’s new and improved “CVE Numbering Authority (CNA) Operational Rules” document. This document guides all program members on the consensus rules for CVE ID assignment, CVE Record publication and updating, and much more.

The document has already been reviewed by the CVE Board and the program’s CNA Partners. We are now making the document available for review and comment by the CVE user community.

In addition to the CNA Operational Rules document there is an Editing Process document that you should read prior to entering comments in the rules document draft. Links to both documents, as well as other details, are provided below.

Review Period

 

The community review period will last two (2) weeks:

  • Opened: March 06, 2024, at 11:59 p.m. ET
  • Closes: March 20, 2024, at 11:59 p.m. ET

 

Editing Process

 

All documents are provided in Google Docs. A Google account may be required to access the documents. If you are unable to use Google Docs, please contact us at cve-rules@googlegroups.com to request an alternative format.

By following the instructions in the Editing Process document, you will enhance our ability to expedite organizing, reviewing, and addressing all collected comments. Please read the Editing Process document prior to reviewing the CNA Operational Rules document.

The “Editing Process” document is located here.

Rules Document for Review and Comment

 

The “CNA Operational Rules” document, which will only be accessible during the review period, is located here.

To review only selected highlights of changes from the previous version of the document, click here.

Final Publication

 

This is the first major revision of the CNA Operational Rules that will explicitly include public input. We expect to learn from this revision process and develop a more robust and repeatable process for future revisions of the CNA Operational Rules and other CVE Program documents.

The final version of the document will be published later in 2024.

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/03/05/CNA-Operational-Rules-Public-Review-Open-March  
CVE on Medium - https://medium.com/@cve_program/public-review-period-for-cna-operational-rules-document-open-march-6-20-8415d6857bed

 

Six Additional Organizations Added as CVE Numbering Authorities (CNAs)

 

Since our last issue, six (6) additional organizations from around the world have partnered with the program as CNAs:

 

  1. BeyondTrust Inc.: All BeyondTrust products, including PasswordSafe, Privileged Remote Access, Remote Support, Privilege Management for Windows/Mac, Privilege Management for Unix/Linux, Identity Security Insights, Active Directory (AD) Bridge, and Total PASM (USA)
  2. DevCycle: All DevCycle products (including end-of-life/end-of-service products) as listed on https://devcycle.com/ (Canada)
  3. DirectCyber: Products in Australia (either the reporter or the target vendor must operate in AU), which are not covered by another CNA (Australia)
  4. kernel.org: Any vulnerabilities in the Linux kernel as listed on kernel.org, excluding end-of-life (EOL) versions (USA)
  5. Sec1: Vulnerabilities found in cybersecurity software solutions developed and maintained by Sec1 as listed on https://sec1.io/, and vulnerabilities identified in software projects or products where Sec1 has a direct and substantial contribution or partnership, unless covered by the scope of another CNA (India)
  6. Teleport: All Teleport (Gravitational, Inc.) products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Teleport that are not in another CNA’s scope (USA)

 

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 364 CNAs (362 CNAs and 2 CNA-LRs) from 40 countries, plus 1 with no country affiliation, participating in the CVE Program. View the entire list of CNA partners on the CVE website.

 

Phase 3 of Legacy CVE Download Formats Deprecation Now Underway

 

Phase 3 of the phased deprecation of legacy CVE content download formats (i.e., CSV, HTML, XML, and CVRF) scheduled for the first half of 2024 is underway. In Phase 3, per the phase-out schedule, the legacy download formats will only be updated once per month in March, April, May, and June 2024. They will no longer be updated after June 30, 2024.

The legacy download formats have been replaced by CVE JSON as the only supported format for CVE Records and downloads. See below.

This change was first announced in July 2023 in a CVE Blog article entitled “Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024” on the CVE.ORG website and promoted throughout the remainder of 2023 in the CVE Announce email newsletter and on CVE social media. A second blog article, entitled “Deprecation of Legacy CVE Download Formats Now Underway,” was published in January 2024, and a third, “Phase 2 of Legacy CVE Download Formats Deprecation Now Underway,” was published in February 2024, and promoted on the CVE.ORG website, in the CVE Announce email newsletter, and on CVE social media.

Phase-Out Schedule

 

Phased deprecation means that the frequency of updates to the legacy download formats will be reduced over the coming months until they are no longer updated at the end of June 2024.

To assist consumers with their transition to the new format, the frequency of updates to the legacy download formats is being reduced from daily updates (which ended on December 31, 2023) to updates on the following schedule:

  • January 2024: Once per week updates.
  • February 2024: Every other week updates.
  • March–June 2024: Once per month updates.
  • June 30, 2024: Legacy download formats no longer updated with new CVE Records.

 

New Format for CVE Records and Downloads

 

CVE Downloads in our new official data format for CVE Records, “CVE JSON,” are hosted in the cvelistV5 repository on GitHub.com. Update frequency and other details are available in the repository ReadMe.

CVE JSON is a richer, more structured format for vulnerability identification and description and will provide enhanced information for your customers. The schema for this new format is also available on GitHub.

Who Is Affected?

 

CVE Numbering Authority (CNA) partners, tool vendors, and other parties that use CVE download files for automation or other purposes should pay particular attention to this change.

Take Action Now!

 

Product teams and others need to update their tools and processes to the new supported format prior to these legacy format download files no longer being updated after June 30, 2024.
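
For tools that consumed the flat legacy downloads, most of the migration is walking the nested CVE JSON record. The sketch below is an added example, not CVE Program code: field names follow the CVE JSON 5.x record layout, while the two sample records, their placeholder CVE IDs, and the output column names are constructed assumptions.

```python
import csv
import io

# Constructed records in the CVE JSON 5.x layout; IDs and content are placeholders.
PUBLISHED = {
    "dataType": "CVE_RECORD", "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-0000-0001", "state": "PUBLISHED",
                    "datePublished": "2024-03-01T00:00:00.000Z"},
    "containers": {"cna": {
        "descriptions": [{"lang": "es", "value": "Ejemplo."},
                         {"lang": "en", "value": "Example flaw in ExampleProduct."}],
        "affected": [{"vendor": "ExampleVendor", "product": "ExampleProduct"}],
        "references": [{"url": "https://vendor.example/advisory/1"}]}},
}
REJECTED = {
    "dataType": "CVE_RECORD", "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-0000-0002", "state": "REJECTED"},
    "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "Duplicate."}]}},
}
FIELDS = ["cve_id", "state", "published", "description", "products", "references"]

def english(entries):
    """Return the first English text from a list of {lang, value} objects."""
    for e in entries or []:
        if e.get("lang", "").lower().startswith("en"):
            return e.get("value", "")
    return ""

def flatten(record):
    """Map one CVE JSON 5.x record to a flat row for a CSV-based consumer."""
    if record.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE JSON 5.x record")
    meta, cna = record["cveMetadata"], record.get("containers", {}).get("cna", {})
    # REJECTED records carry rejectedReasons instead of descriptions.
    text = english(cna.get("descriptions")) or english(cna.get("rejectedReasons"))
    return {
        "cve_id": meta["cveId"], "state": meta["state"],
        "published": meta.get("datePublished", ""),
        "description": text,
        "products": "; ".join(f'{a.get("vendor", "n/a")} {a.get("product", "n/a")}'
                              for a in cna.get("affected", [])),
        "references": " | ".join(r["url"] for r in cna.get("references", [])),
    }

def to_csv(records):
    """Render records as CSV text with a header row."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(flatten(r) for r in records)
    return out.getvalue()
```

Calling `to_csv([PUBLISHED, REJECTED])` yields a header plus one row per record; a rejected record keeps its ID and state but has empty product and reference columns.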

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/02/12/Phase-3-Deprecation-of-Legacy-Downloads-Underway 
CVE on Medium - https://medium.com/@cve_program/phase-3-of-legacy-cve-download-formats-deprecation-now-underway-15c27faa4456

 

MegaZone of F5 Joins CVE Board

 

The CVE Program is pleased to welcome MegaZone of F5, Inc. as the CVE Numbering Authority (CNA) Liaison to the CVE Board.

Per the CVE Board Charter, “Section 1.3.3 CNA Liaison – A single seat on the Board is reserved for a CNA Liaison who represents the CNA community, and ensures CNAs are updated with various status and activity-related information. This is an elected position which CVE Numbering Authorities (CNAs) vote on annually. The liaison is a voting member of the Board, with a one-year term, and can serve more than one consecutive term if the CNA community desires as indicated by the results of the voting. This position is a two-way conduit for CNAs to bring things to and from the Board in a more official and structured way.”

About MegaZone

 

MegaZone (yes, that’s his name, call him MZ) has been with F5 since 2010, and the F5 SIRT (Security Incident Response Team) since 2016, where he is currently a Principal Security Engineer. Prior to F5, he worked at Xylogics, Livingston Enterprises, Lucent, GTE Internetworking (BBN), Sling Media, and a few others, after graduating from Worcester Polytechnic Institute (WPI) in 1994.

MegaZone has been involved with the CVE Program since F5 joined as a CNA in 2016 and has taken an increasingly active role over time, eventually running out of working groups to join. He is currently representing the CNA community in the Automation Working Group (AWG), CNA Coordination Working Group (CNACWG), Outreach and Communications Working Group (OCWG), Strategic Planning Working Group (SPWG), Tactical Working Group (TWG), Quality Working Group (QWG), and Vulnerability Conference and Events Working Group (VCEWG), including being a co-chair of the last two. He is honored to further represent the CNA community before the CVE Board in his new role as CNA Liaison.

Outside of work he collects whisk(e)y, enjoys travel with his wife (often Disney-related), and volunteers to help a local non-profit in their small Massachusetts town with their tech issues.

About the CVE Board

 

The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information.

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/02/20/MegaZone-of-F5-Joins-CVE-Board-as
CVE on Medium - https://medium.com/@cve_program/megazone-of-f5-joins-cve-board-as-cna-liaison-561474312026

 

Get Ready for CVE/FIRST VulnCon 2024 on March 25-27, 2024!

 

The CVE Program and FIRST will co-host VulnCon 2024 at the McKimmon Center in Raleigh, North Carolina, USA, on March 25-27, 2024. Registration has been extended for a short time on this FIRST web page.

The purpose of VulnCon — which is open to the public — is to collaborate with various vulnerability management and cybersecurity professionals to develop forward-leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem. A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and best determine how to benefit the ecosystem broadly.

CNAs, please note that VulnCon 2024 takes the place of this year’s Spring CVE Global Summit.


Registration

 

If you haven’t already registered, we encourage you to register now for in-person ($250.00 US) or virtual ($100.00 US) attendance as registration closes soon. The VulnCon 2024 registration form is here.

Agenda

 

We have a very exciting conference agenda with numerous interesting talks scheduled! The full agenda with multiple tracks for each of the three days is here.

Attendance

 

  • In-Person – Check-in will be located in the main lobby of the McKimmon Conference and Training Center (see venue section below). Please have a copy of your ID or registration confirmation readily available to assist with badge collection. Registration will open at 07:30 all three days.

 

  • Virtual – All presentations will be TLP:CLEAR and streamed for those interested in virtual participation. Streaming will be delivered over Zoom.

 

Venue

 

McKimmon Center
North Carolina State University
1101 Gorman St.
Raleigh, North Carolina 27606
USA

 

Learn More About VulnCon 2024

 

For the most up-to-date information, visit the CVE/FIRST VulnCon 2024 conference page hosted on the FIRST website. We look forward to seeing you at this first-ever community event!

 

CVE in the News

 

Cisco patches Secure Client VPN flaw that could reveal authentication tokens (CVE-2024-20337), Help Net Security

Critical Fortinet FortiOS bug CVE-2024-21762 potentially impacts 150,000 internet-facing devices, Security Affairs

Microsoft's March Updates Fix 61 Vulnerabilities, Including Critical Hyper-V Flaws, The Hacker News

VMware sandbox escape bugs are so critical, patches are released for end-of-life products, Ars Technica

CISA Warns of Pixel Phone Vulnerability Exploitation, SecurityWeek

Critical JetBrains TeamCity vulnerabilities under attack, TechTarget

Urgent: Apple Issues Critical Updates for Actively Exploited Zero-Day Flaws, The Hacker News

 

Keeping Up with CVE

 

Follow us for the latest from CVE:

@CVEnew – X-Twitter feed of the latest CVE Records
@CVEannounce – X-Twitter feed of news and announcements about CVE
@CVE_Program – Mastodon feed of news and announcements about CVE
CVE Program - LinkedIn page
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

 

CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 
