CVE Announce - December 21, 2023 (opt-in newsletter from the CVE website)

  1. CVE Records Keep Getting Better and Better

  2. 22 Additional Organizations Added as CVE Numbering Authorities (CNAs)

  3. OpenSSF Publishes Guide to Becoming a CNA as an Open Source Project

  4. CVE Podcast — How the New CVE Record Format Will Benefit Consumers

  5. REMINDER: Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024

  6. Videos from the “CVE Program Workshop - Fall 2023” Are Now Available

  7. Have an Innovative Idea or a New Feature Request to Enhance the CVE Program?

  8. SAVE THE DATE for “CVE/FIRST VulnCon 2024” on March 25-27, 2024!

  9. Keeping Up with CVE

 

 

CVE Records Keep Getting Better and Better

 

About a year ago, CVE Records underwent a major transformation and now include significantly enhanced information about the cybersecurity vulnerabilities they describe. Gone are the days when a CVE Record was just an ID, a brief free form description of the vulnerability, and one or more advisory or blog post references. Today, details that were previously squeezed into the description field of a record, particularly affected products and versions, are now provided in a structured format in dedicated fields within the CVE Record. Optional content fields are also now available for severity scores, CWE IDs, researcher credit, and more, making CVE Records even more valuable.

 

The new structured format provides the ability for CVE content consumers to streamline and more easily automate their use of CVE Records because the data format is standardized and machine-readable. It also enables the creation and publication of CVE Records to be automated, which means more quality CVE Records can be produced at a faster pace than ever before for use by the worldwide community.

 

In this article, we’ll look at the improvements the CVE Program has made that led to this signpost moment, review an example of a CVE Record in the new format, and discuss how the CVE Program continues to evolve to better serve its partners and the worldwide cybersecurity community.

 

Some History

 

The CVE Program began in 1999 with 321 CVE Records on the CVE List. There are now 200,000+ CVE Records available on the CVE.ORG website with more added almost daily. Until 2022, each record contained only three basic components: CVE ID, brief free-form description of the vulnerability, and one or more references. But that changed in recent years when the CVE Program and its CVE Numbering Authority (CNA) partners (325+ from 37 countries!) decided that the process of reserving CVE IDs and publishing the associated CVE Records needed more automation.

 

An automation pilot that used the existing data format revealed that an all-new record format would be needed to ensure all relevant vulnerability data could be included in a record as well as be easily consumed by a downstream user. Working groups were stood up, and after a sufficient period of time, the CVE Program’s new format for CVE Records, “CVE JSON 5.0,” as well as automated “CVE Services” for CVE ID reservation and CVE Record publication and management for CNAs, were launched in October 2022 in beta and fully adopted by the program in March 2023.

 

CNAs now have the tools they need to produce more quality CVE Records faster without the need for manual intervention, and consumers have CVE content that is both human- and machine-readable.

 

Example of the New Format for CVE Records

 

Today’s CVE Records are significantly enhanced and include more information than ever before. While the CVE JSON 5.0 schema on GitHub provides all the details of what’s required and optional in a CVE Record, the example CVE Record below shows how these structured fields look when published as a web page on the CVE.ORG website.

 

The CVE ID is located at the top of the web page along with the status of the record (i.e., Reserved, Published, or Rejected). The title field is new. There’s an assigner field for the name of the CNA. The description field is now used for any content the CNA wishes to include that’s not specified in the other structured fields of the record or for a brief summary of the vulnerability. Product Status, which specifies affected products and versions, is now a standalone section of the record. Help information about how the versions are presented is included in each record published as a CVE.ORG web page. The credit field is new. The references section will include at least 1 link, such as in this example, which is a link to the CNA’s own advisory. That advisory may include even more information about the vulnerability that, as a result of the CNA’s internal automated vulnerability management infrastructure, did not, or will not, migrate to the CVE Record. A courtesy link to the U.S. National Vulnerability Database (NVD) entry for the record is also provided. Finally, note that the JSON for the record is also available to view from the top of every record web page.

 

View on CVE-2023-0010 webpage.

 

A major change in the new format is how CNAs use the description field. As shown in the example above, much of the information that was previously included in the legacy record format’s free-form description field has been moved to dedicated fields within the structure of the new format.

 

However, we still need to promote this message. Although the CVE Program moved to the new CVE.ORG website in 2021, the legacy CVE.MITRE.ORG website (scheduled for retirement on July 1, 2024) is still in use while vulnerability databases, cybersecurity tool vendors, and other users transition to the new CVE JSON 5.0 format for records. This means anyone still using CVE Record data from that legacy website could be missing significant data about the vulnerability: the records on that site have been down-converted from the new format to the old record format, and because of all the new fields in the new structured format, it’s not a 1:1 conversion. In fact, this may have been the case with the vulnerability researcher who wrote a commentary on Dark Reading a few months ago saying that CVE Record descriptions from some CNAs had become too short and were no longer useful. The links in his examples were all NVD links for their versions of the CVE Records, and NVD continues to use the down-converted version for its own CVE content, so he was definitely not seeing the most complete data for each of those records when viewing them on NVD.
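The gap between the structured record and a three-component legacy view, as an added example (not CVE Program code): it flattens a constructed CVE JSON 5.0 record and lists the populated fields a legacy-style view has no place for. The CVE ID, vendor, product, versions and URL are placeholders, and `legacy_view` is a simplified model of the legacy record, not the program's actual down-conversion.

```python
import json

# Constructed CVE JSON 5.0 record: the ID, vendor, product, versions and URL
# are placeholders for illustration, not a real published record.
SAMPLE = json.loads("""{
 "dataType": "CVE_RECORD", "dataVersion": "5.0",
 "cveMetadata": {"cveId": "CVE-0000-0000", "state": "PUBLISHED",
                 "assignerShortName": "example-cna"},
 "containers": {"cna": {
  "title": "Example Gateway: reflected XSS in login portal",
  "descriptions": [{"lang": "en", "value": "XSS in the login portal."}],
  "affected": [{"vendor": "Example Corp", "product": "Example Gateway",
    "defaultStatus": "unaffected",
    "versions": [
     {"version": "9.1", "lessThan": "9.1.16", "status": "affected",
      "versionType": "custom"},
     {"version": "10.0", "lessThanOrEqual": "10.0.2", "status": "affected",
      "versionType": "custom"},
     {"version": "10.1", "status": "unaffected"}]}],
  "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE",
    "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting"}]}],
  "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1,
    "baseSeverity": "MEDIUM",
    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}],
  "credits": [{"lang": "en", "value": "A. Researcher"}],
  "references": [{"url": "https://cna.example/advisories/0000"}]}}}""")

LEGACY_FIELDS = {"descriptions", "references"}  # plus the CVE ID itself

def legacy_view(record):
    """Simplified model of a legacy record: ID, description, references."""
    cna = record["containers"]["cna"]
    text = next((d["value"] for d in cna.get("descriptions", [])
                 if d.get("lang", "").lower().startswith("en")), "")
    return {"id": record["cveMetadata"]["cveId"], "description": text,
            "references": [r["url"] for r in cna.get("references", [])]}

def affected_rows(record):
    """Flatten the affected list into (vendor, product, range, status)."""
    rows = []
    for entry in record["containers"]["cna"].get("affected", []):
        for v in entry.get("versions", []):
            if "lessThan" in v:            # exclusive upper bound
                rng = f">= {v['version']}, < {v['lessThan']}"
            elif "lessThanOrEqual" in v:   # inclusive upper bound
                rng = f">= {v['version']}, <= {v['lessThanOrEqual']}"
            else:                          # a single version, not a range
                rng = v["version"]
            rows.append((entry.get("vendor"), entry.get("product"),
                         rng, v["status"]))
    return rows

def cwe_ids(record):
    """CWE IDs from problemTypes; free-text problem types carry no cweId."""
    cna = record["containers"]["cna"]
    return [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", []) if "cweId" in d]

def cvss_scores(record):
    """(metric name, base score, severity) for each CVSS entry present."""
    return [(name, m["baseScore"], m.get("baseSeverity"))
            for metric in record["containers"]["cna"].get("metrics", [])
            for name, m in metric.items() if name.startswith("cvss")]

def not_in_legacy(record):
    """Populated CNA fields the three-component legacy view cannot carry."""
    cna = record["containers"]["cna"]
    return sorted(k for k, v in cna.items() if v and k not in LEGACY_FIELDS)

if __name__ == "__main__":
    print(legacy_view(SAMPLE), affected_rows(SAMPLE), sep="\n")
    print(cwe_ids(SAMPLE), cvss_scores(SAMPLE), not_in_legacy(SAMPLE))
```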

 

Many of these changes and enhancements to CVE Records are discussed in more detail in the “We Speak CVE” podcast episode entitled, “How the New CVE Record Format Will Benefit Consumers.”

 

We highly encourage all cybersecurity professionals to view, download, and use CVE Records from the CVE.ORG website so you can fully leverage the new CVE Record format and enjoy all its benefits.

 

More CVE Program Enhancements on the Way to Benefit Creators and Users of CVE Records

 

The CVE Program is currently working on a new version of its “CNA Rules” document that will focus on the new and optional fields in the new CVE Record format. This document, which provides guidance and best practices to CNAs on how to create and populate CVE Records, is expected to be published in 2024. Once released, it will provide clarity for CNAs, vulnerability researchers, and the wider vulnerability management community about how vulnerability data should be included within the structured fields of the new CVE Record format.

 

Another revolutionary development for CVE Records is that, in the near future, certain authorized entities will be eligible to add enhanced data to records that have been previously published by a CNA. The concept was initially introduced to the community in 2021 in a We Speak CVE podcast episode entitled “Enhancing CVE Records as an Authorized Data Publisher.” Now that the new CVE Record format and automated CNA services are fully available, a pilot program for “Authorized Data Publishers (ADPs)” has begun and will continue into 2024. The types of content that ADPs could add to enrich the content of the previously published records include additional risk scores, affected product lists, versions, references, translations, and so on. Such additions will enrich the content of CVE Records and further improve their value to consumers.

 

This is an exciting time for the CVE Program, its partners, and the users of CVE Records as the value and usability of the vulnerability data contained in the records improve, and more and more CNAs from around the world partner with the program to produce more quality CVE Records faster.

 

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2023/10/17/CVE-Records-Keep-Getting-Better 
CVE on Medium - https://medium.com/@cve_program/cve-records-keep-getting-better-and-better-864885cdf411

 

22 Additional Organizations Added as CVE Numbering Authorities (CNAs)

 

As of October 1, 2023, twenty-two (22) additional organizations from around the world have recently partnered with the program as CNAs.

 

  1. 1E Limited: All 1E products (including end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by 1E that are not in another CNA’s scope (UK)
  2. ARC Informatique: ARC Informatique products and services (France)
  3. ARCON Techsolutions Private Limited: Vulnerabilities in ARCON’s products only (India)
  4. ASR Microelectronics Co., Ltd.: ASR products only (China)
  5. Caliptra Project: Caliptra Project components and vulnerabilities that are not in another CNA’s scope (USA)
  6. Checkmarx: Vulnerabilities in Checkmarx products and open-source vulnerabilities discovered by, or reported to, Checkmarx, that are not in another CNA’s scope (Israel)
  7. DFINITY Foundation: all Internet Computer projects as found on the following GitHub pages: https://github.com/dfinity and https://github.com/dfinity-lab (Switzerland)
  8. EnterpriseDB Corporation: all EnterpriseDB products and vulnerabilities identified in open-source libraries used by EnterpriseDB products unless covered by another CNA’s scope (USA)
  9. Fortra, LLC: all Fortra products and vulnerabilities discovered by Fortra in other products not covered by the scope of another CNA. Read the Fortra news release (USA)
  10. HiddenLayer, Inc.: all HiddenLayer systems, services, and products, as well as vulnerabilities in third-party software discovered by HiddenLayer that are not in another CNA’s scope (USA)
  11. Keeper Security, Inc.: Keeper Security products and services only (USA)
  12. KCF Technologies, Inc.: all KCF Technologies products including base stations, repeaters, numerous sensor types, and the SMARTdiagnostics cloud software (USA)
  13. Lexmark International Inc.: Lexmark products only (USA)
  14. Libreswan Project: Libreswan software (No country affiliation)
  15. Network Optix: all Network Optix products, including https://www.networkoptix.com/nx-witness and https://www.networkoptix.com/powered-by-nx (USA)
  16. OTORIO LTD.: all OTORIO products, as well as vulnerabilities in third-party software discovered by OTORIO that are not in another CNA’s scope (Israel)
  17. PaperCut Software Pty Ltd: PaperCut MF, PaperCut NG, PaperCut Hive, PaperCut Pocket, PaperCut Mobility Print, QRdoc, PaperCut Views, PaperCut Multiverse, https://www.papercut.com, and all other PaperCut products and services (Australia)
  18. SEC Consult Vulnerability Lab: all vulnerabilities discovered in third-party hardware/software by SEC Consult Vulnerability Lab (part of SEC Consult, an Eviden business), which are not in another CNA’s scope (Austria)
  19. Smile CDR Inc. (doing business as “Smile Digital Health”): all Smile Digital Health products and HAPI FHIR (Canada)
  20. Wren Security: Wren Security maintained software (Czech Republic)
  21. WSO2 LLC: WSO2 products and services scoped under Responsible Disclosure Program https://security.docs.wso2.com/en/latest/security-reporting/reward-and-acknowledgement-program/#products-services-in-scope (USA)
  22. Yokogawa Group: Yokogawa Group companies’ products and Yokogawa Group subsidiaries’ products (Japan)

 

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 345 CNAs (343 CNAs and 2 CNA-LRs) from 37 countries and 1 no country affiliation participating in the CVE Program. View the entire list of CNA partners on the CVE website.

 

OpenSSF Publishes Guide to Becoming a CNA as an Open-Source Project

 

Open Source Security Foundation (OpenSSF) published a new guide entitled “OpenSSF Guide for Open Source Projects: Becoming a CVE Numbering Authority” on November 27, 2023, on the OpenSSF website. The purpose of the guide is to encourage open source projects to assign CVE Identifiers (CVE IDs) and publish CVE Records for their vulnerabilities, and to show how easy it is to do so as a CVE Numbering Authority (CNA).

 

The authors state: “For projects whose needs have expanded beyond what’s possible when using existing CNAs, becoming a CNA may be an answer. Some [benefits] include being able to provide high-quality CVE Records for users, encouraging researchers to disclose vulnerabilities to the project before receiving a CVE ID, and being able to assign CVEs without sharing embargoed information with other organizations.”

 

The guide was written by CVE Outreach and Communications Working Group (OCWG) member Seth Larson of Python Software Foundation, a CNA partner, and CVE Board Member Art Manion. Read the guide here.

 

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/news/2023/12/18/OpenSSF-CNA-Guide-Open-Source-Projects  
CVE on Medium - https://medium.com/@cve_program/openssf-publishes-guide-to-becoming-a-cna-as-an-open-source-project-89b7792d2673

 

CVE Podcast – How the New CVE Record Format Will Benefit Consumers

 

In this episode of the “We Speak CVE” podcast, Shannon Sabens of CrowdStrike and Kent Landfield of Trellix, both of whom are CVE Board members and CVE Working Group (WG) chairs, speak about how the new CVE Record format — with its new structured data format and optional information fields — will benefit and provide enhanced value to consumers of CVE content moving forward.

 

Specific topics discussed include how the new CVE Record format will enable more complete vulnerability information to be captured early on in the advisory process and how that will benefit consumers; the ability for CVE content consumers to streamline and more easily automate their use of CVE Records because the data format is standardized and machine-readable; the automated creation and publication of CVE Records by CVE Numbering Authorities, which means more quality CVE Records can be produced at a faster pace than ever before for use by the worldwide community; and the ability of official CVE Program “Authorized Data Publishers (ADPs)” to enrich the content of already published CVE Records with additional risk scores, affected product lists, versions, references, translations, and so on (learn more about ADPs in this CVE podcast).

 

Vulnerability scoring methods for CVE Records are also discussed, including NVD’s use of CVSS, CISA’s Known Exploited Vulnerabilities (KEV) Catalog, and more.

 

The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.

 

Share this article or comment on Medium:
CVE Podcast - https://www.cve.org/Media/News/item/podcast/2023/09/26/How-New-CVE-Record-Format-Benefits-Consumers 
CVE on Medium - https://medium.com/@cve_program/we-speak-cve-podcast-how-the-new-cve-record-format-will-benefit-consumers-596b427f378a

 

REMINDER: Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024

 

On July 25, 2023, the CVE Program announced that a major change is coming in how CVE content is provided that will affect products that consume CVE content.

 

As a reminder, CNA partners, tool vendors, and other parties that use CVE download files for automation or other purposes should pay particular attention to this upcoming change.

 

Legacy CVE Content Formats Your Products Are Using to Be Phased Out

 

The CVE Program has a new official format for CVE Records and downloads (see section below). As a result, the legacy CVE content download formats currently provided by the CVE Program (i.e., CSV, HTML, XML, and CVRF) will be phased out in the first half of 2024.

 

To assist consumers with their transition to the new format, the frequency of updates to the legacy download formats will be reduced on the following schedule:

 

 

Any tools or automation that use these old formats may no longer work once the old formats have been deprecated, so organizations should take action now.

 

New CVE Content Format Is Available for Use

 

CVE Downloads in our new official data format for CVE Records, “CVE JSON 5.0,” are hosted in the cvelistV5 repository on GitHub.com. Update frequency and other details are available in the repository ReadMe.

 

CVE JSON 5.0 is a richer, more structured format for vulnerability identification and description and will provide enhanced information for your customers. The schema for this new format is also available on GitHub.

 

Take Action Now!

 

We are informing the community now so that product teams will have time to update their tools to the new CVE format prior to these legacy format download files no longer being updated after June 30, 2024.

 

If you have any comments or concerns, please use the CVE Program Request forms and select “Other” from the dropdown menu.

 

Share this article or comment on Medium:
CVE Blog - https://www.cve.org/Media/News/item/blog/2023/07/25/Legacy-Downloads-being-Phased-Out

CVE Blog on Medium - https://medium.com/@cve_program/legacy-cve-download-formats-will-be-phased-out-beginning-january-1-2024-13de552c9029

 

Videos from the “CVE Program Workshop - Fall 2023” Are Now Available

 

Videos from the “CVE Program Workshop - Fall 2023” for CVE Numbering Authorities (CNAs) held on November 15, 2023, are now available on the CVE Program Channel on YouTube. Topics include the current state of the CVE Program, updates on CVE Services and CVE JSON 5.0, a panel of CNAs discussing their experiences with CVE JSON 5.0, upcoming changes to the Program Rules, and CVE List corpus hygiene.

 

The workshop presentation slides are also available here.

 

 

Workshop videos include the following:

 

 

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/news/2023/12/12/Fall-2023-CVE-Workshop-Videos-Now-Available 
CVE on Medium - https://medium.com/@cve_program/videos-from-cve-program-workshop-fall-2023-now-available-1ea47dd048b0

 

 

Have an Innovative Idea or a New Feature Request to Enhance the CVE Program?

 

The CVE Program welcomes innovative ideas and new feature requests from the community in our CVE Program Ideas repository on GitHub.com. We encourage you to submit any suggestions you may have to enhance the CVE Program and help us better serve the broader community.

 

Submissions could include programmatic rule/policy suggestions, innovative automation features to support more efficient CVE Record publication and use, or any other ideas you might have.

 

Please note that this new repository will be used exclusively to receive and manage innovative idea suggestions and new feature requests for the overall CVE Program. It is not meant to replace previously established bug and issue trackers for the CVE Website-, CVE Services-, or CVE JSON 5.0 schema-related issues.

 

Making a Submission

 

Follow the steps below to submit your innovative idea or new program feature request on GitHub. You will need a GitHub account to make a submission.

 

  1. Navigate to the CVE Program Innovation Ideas and Feature Requests Issues page on GitHub.
  2. Click the “New Issue” button in the upper-right corner of the page to launch the “CVE Program New Automation Feature Request” page.
  3. Click the “Get started” button to launch the new issue template.
  4. In the “Title” field, enter a title that briefly describes your innovative idea or suggested feature.
  5. In the “Write” field, follow the instructions provided in the template to add more details.
  6. Once your submission is complete, click the “Submit new issue” button at the bottom of the form.

 

CVE Program Issue Tracker Template

 

Important: Please do not select any of the options in the right-hand column next to the form (not shown in above image). Those options will be used by the CVE Program to manage the submissions.

 

Processing of Submissions

 

Once your submission is received by the CVE Program, it will be reviewed by the CVE Board (or its designated working group). The disposition of all innovative ideas and new program feature requests can be tracked on the CVE Program Innovative Ideas/Feature Tracker. Questions about this initiative should be sent to the CVE Automation Working Group (AWG) at awg@cve-cwe-programs.groups.io.

 

We look forward to hearing from you!

 

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/news/2023/08/29/CVE-Program-Idea-Tracker
CVE on Medium - https://medium.com/@cve_program/have-an-innovative-idea-or-a-new-feature-request-to-enhance-the-cve-program-ead0b7c161e2

 

SAVE THE DATE for CVE/FIRST VulnCon 2024 on March 25-27, 2024

 

The CVE Program and FIRST will co-host VulnCon 2024 at the McKimmon Center in Raleigh, North Carolina, USA, on March 25-27, 2024. The Call for Papers is open until January 31, 2024. Details here.

 

The purpose of VulnCon is to collaborate with various vulnerability management and cybersecurity professionals to develop forward-leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem. A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and best determine how to benefit the ecosystem broadly. All CVE community members are welcome to attend.

 

Registration, programming, and travel information: TBA

 

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/news/2023/12/05/CVE-FIRST-VulnCon-2024 
CVE on Medium - https://medium.com/@cve_program/vulncon-2024-to-be-held-march-25-27-2024-in-north-carolina-usa-6e7bf402001d

 

Keeping Up with CVE

 

Follow us for the latest from CVE:

@CVEnew – X-Twitter feed of the latest CVE Records
@CVEannounce – X-Twitter feed of news and announcements about CVE
@CVE_Program – Mastodon feed of news and announcements about CVE
CVE Program - LinkedIn page
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

 

CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2023, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 
