News & Events

May 3, 2013

Status Update on the CVE ID Syntax Change

As initially announced in the January 24, 2013 article "Call for Public Feedback on Upcoming CVE ID Syntax Change," due to the increasing volume of public vulnerability reports, the Common Vulnerabilities and Exposures (CVE) project will change the syntax of its standard vulnerability identifiers so that the CVE List can track more than 10,000 vulnerabilities in a single year; the current syntax, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year. The initial plan called for a period of public feedback, followed by a formal vote by members of the CVE Editorial Board. That voting period has closed and resulted in a tie between Option A and Option B (for details on the three original options, please see http://cve.mitre.org/data/board/archives/2013-01/msg00011.html).

SECOND VOTE NEEDED

After discussion with the CVE Editorial Board, MITRE proposed dropping Option C from consideration and offering a new selection between a slightly modified Option A and the current Option B. The proposed (new) Option A extends the available numbering space to 8 digits, as opposed to the current 4 digits or the earlier proposed 6 digits. Together with the unchanged Option B, the new options for consideration are:

Option A (Year + 8 digits, fixed length, with leading zeros)
Option B (Year + arbitrary digits, no leading zeros except for IDs 1-999)
If you are interested in following the discussion, you may subscribe to the CVE-ID-Syntax-Discuss mailing list, if you have not already done so, by following the instructions below:
If you wish to have your name included in your subscription, or if you have trouble subscribing using the above, please use this alternate "Subscribe" line:
SCHEDULE FOR SECOND VOTE

Public Discussion
CVE Editorial Board Voting
We will announce the results of the vote here as well as on the CVE Announce and other email lists as soon as the vote is complete and verified. Please send any comments or concerns to cve@mitre.org.

MITRE Hosts CVE Booth at InfoSec World 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CVE at InfoSec World Conference & Expo 2013 at Walt Disney World Swan and Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Visit the CVE Calendar for information on this and other events.

CVE Mentioned in "Automating Security Compliance & Operations to Protect Critical Infrastructure" Webinar

MITRE Senior Information Assurance Engineer Luis Nunez was a guest speaker on the topic of Industry Collaboration in a webinar entitled "Automating Security Compliance & Operations to Protect Critical Infrastructure" on April 9, 2013. Tim LeMaster, Senior Director of Systems Engineering, Federal, at Juniper Networks, was also a speaker, and Bob Ackerman, SIGNAL Magazine Editor-in-Chief, was the moderator. The event was sponsored by Juniper Networks. Discussion topics for the webinar included: why automation is essential to protect critical network and computing infrastructures, cost-effective strategies for improved secure information-sharing, how to start simplifying network operations, and how network automation and orchestration are essential for seamless workflow management. Common Vulnerabilities and Exposures (CVE®) and Open Vulnerability and Assessment Language (OVAL®) were also mentioned.

April 4, 2013

Photos from CVE Booth at RSA 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CVE at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013. Strengthening Cyber Defense booth photos:

Visit the CVE Calendar for information on this and other events.

March 21, 2013
CVE List Surpasses 55,000 CVE Identifiers

The CVE Web site now contains 55,027 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers. The widespread adoption of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. Major OS vendors and other organizations from around the world also include CVE-IDs in their security alerts to ensure that the international community benefits by having the identifiers as soon as a problem is announced. In addition, CVE-IDs have been used to identify vulnerabilities in the SANS Top Cyber Security Risks threat list since its inception in 2000.

CVE has also inspired new efforts. MITRE’s Common Weakness Enumeration (CWE™) dictionary of software weakness types is based in part on the CVE List, and its Open Vulnerability and Assessment Language (OVAL®) effort uses CVE-IDs for its standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs. In addition, the U.S. National Vulnerability Database (NVD) of CVE fix information, which is synchronized with and based on the CVE List, also includes Security Content Automation Protocol (SCAP) content.
SCAP employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the existing open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. And in 2011, the International Telecommunication Union’s (ITU-T) Cybersecurity Rapporteur Group, which is the telecom/information system standards body within the treaty-based 150-year-old intergovernmental organization, adopted CVE as a part of its new "Global Cybersecurity Information Exchange techniques (X.CYBEX)" by issuing Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE), which is based upon CVE’s current Compatibility Requirements; any future changes to that document will be reflected in subsequent updates to X.CVE.

Each of the 55,000+ identifiers on the CVE List includes the following: CVE Identifier number (read about the upcoming CVE Identifier Syntax Change); brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or OVAL-ID. Visit the CVE List page to download the complete list in various formats or to look up an individual identifier. Fix information and enhanced searching of CVE is available from NVD.

CVE Editor’s Commentary Page Updated

One new item has been added to the CVE-Specific section of the CVE Editor’s Commentary page in the CVE List section: "Context-dependent" and "User-assisted" Terminology in CVE. The CVE Editor’s Commentary page includes opinion and commentary about vulnerabilities, software assurance, and related topics by CVE List Editor Steve Christey. Posts are either Community Issues or CVE-Specific.

"Automating Security Compliance & Operations to Protect Critical Infrastructure" Webinar, April 9

MITRE Senior Information Assurance Engineer Luis Nunez will be a guest speaker on the topic of Industry Collaboration in a webinar entitled "Automating Security Compliance & Operations to Protect Critical Infrastructure" on April 9, 2013 from 1:00 pm - 2:00 pm, Eastern Daylight Time. Tim LeMaster, Senior Director of Systems Engineering, Federal, at Juniper Networks, will also be a speaker, and Bob Ackerman, SIGNAL Magazine Editor-in-Chief, will be the moderator. The event is sponsored by Juniper Networks. Discussion topics for the webinar will include: why automation is essential to protect critical network and computing infrastructures, cost-effective strategies for improved secure information-sharing, how to start simplifying network operations, and how network automation and orchestration are essential for seamless workflow management. For more information and to register visit http://www.afcea.org/signal/webinar.

March 13, 2013
MITRE to Host CVE Booth at InfoSec World 2013, April 15-17

MITRE will host a "Strengthening Cyber Defense" booth that includes CVE at InfoSec World Conference & Expo 2013 at Walt Disney World Swan and Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Attendees will learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Members of the CVE Team will be in attendance. Please stop by Booth 313 and say hello! Visit the CVE Calendar for information on this and other events.

CVE Editorial Board Meeting Minutes Now Available

Meeting minutes from the CVE Editorial Board teleconference meeting held on January 8, 2013 are now available on the CVE Editorial Board Email Discussion List & Meetings Archive page in the CVE Community section.

CVE Editor’s Commentary Page Updated

Three new items have been added to the CVE-Specific section of the CVE Editor’s Commentary page in the CVE List section: "CVE and ‘weak’ crypto," "CVE abstraction choices and the Linux kernel," and "CVE Guidance for Libraries and Resource-Consumption DoS." The CVE Editor’s Commentary page includes opinion and commentary about vulnerabilities, software assurance, and related topics by CVE List Editor Steve Christey. Posts are either Community Issues or CVE-Specific.

MITRE Hosts CVE Booth at RSA 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CVE at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013. Visit the CVE Calendar for information on this and other events.

February 28, 2013
ALTX-SOFT Makes Declaration of CVE Compatibility

ALTX-SOFT declared that its repository of Open Vulnerability and Assessment Language (OVAL®) content, ALTX-SOFT Ovaldb, is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

NetentSec, Inc. Makes Declaration of CVE Compatibility

NetentSec, Inc. declared that its network application security product, Next Generation Firewall (NGFW), will be CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

February 7, 2013
CVE Booth at RSA 2013, February 25 – March 1

MITRE will host a "Strengthening Cyber Defense" booth that includes CVE at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013. Attendees will learn how CVE and other information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Members of the CVE Team will be in attendance. Please stop by Booth 2617 and say hello! Visit the CVE Calendar for information on this and other events.

CVE Editorial Board Holds Teleconference Meeting

The CVE Editorial Board held a teleconference meeting on January 8, 2013 to discuss the Future of Global Vulnerability Reporting Summit at the Kyoto 2012 FIRST Technical Colloquium and the upcoming CVE Identifier syntax change.

January 24, 2013
Call for Public Feedback on Upcoming CVE ID Syntax Change

Due to the increasing volume of public vulnerability reports, the Common Vulnerabilities and Exposures (CVE) project will change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year. The current syntax, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year. Since a change in the ID syntax will affect many parties including end users and vendors, the CVE project is soliciting feedback from the public before making this change. The public feedback period will continue through the RSA Conference 2013, being held February 25 - March 1, 2013, where attendees will be able to speak with CVE personnel from MITRE and members of the CVE Editorial Board. After a formal Editorial Board vote, the final selection will be made and the public will be notified, currently planned for March 2013. The syntax change is scheduled to go into effect on January 1, 2014, so that users will have enough time to change their processes and software to handle the new ID syntax.

With guidance from the CVE Editorial Board, we have identified three options for a new ID syntax, summarized as follows:

Option A (Year + 6 digits, with leading 0’s)
Option B (Year + arbitrary digits, no leading 0’s except IDs 1 to 999)
Option C (Year + arbitrary digits + check digit)
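What the candidate syntaxes mean for software that consumes CVE IDs, as an added illustration that is not part of the MITRE announcement: the Python below validates and renders identifiers under the current CVE-YYYY-NNNN syntax, under Option A (fixed width, parameterized so it covers both the 6 digits proposed here and the 8 digits of the revised Option A in the May 3 status update above), and under Option B, whose rule is that IDs 1-999 keep their four-digit padding and everything above 9999 is written with no leading zeros. Option C is left out because the check-digit algorithm is not specified on this page. The last part shows the failure the announcement is warning processes and tools about: a free-text extractor written for the current four-digit syntax silently truncates longer IDs. The sample advisory text is constructed for this example.

```python
"""Validate and render CVE IDs under the current syntax and the candidate
replacements (illustrative code, not MITRE's)."""
import re

# Current syntax (in force through 2013): exactly four sequence digits.
LEGACY_RE = re.compile(r"^CVE-(\d{4})-(\d{4})$")

# Option B: sequence numbers 1-999 are padded to four digits; above 9999 the
# number carries no leading zeros, so the sequence part is either exactly four
# digits or five or more digits beginning with 1-9.
OPTION_B_RE = re.compile(r"^CVE-(\d{4})-(\d{4}|[1-9]\d{4,})$")


def option_a_re(width):
    """Option A: fixed-width sequence number padded with leading zeros.
    The width is a parameter because the January proposal used 6 digits and
    the revised proposal 8."""
    return re.compile(r"^CVE-(\d{4})-(\d{%d})$" % width)


def parse_cve_id(cve_id, scheme="B", width=8):
    """Return (year, sequence) if cve_id is well formed under scheme, else None."""
    if scheme == "legacy":
        pattern = LEGACY_RE
    elif scheme == "A":
        pattern = option_a_re(width)
    elif scheme == "B":
        pattern = OPTION_B_RE
    else:
        raise ValueError("unknown scheme: %r" % scheme)
    m = pattern.match(cve_id)
    if m is None:
        return None
    year, seq = int(m.group(1)), int(m.group(2))
    if seq == 0:  # sequence numbers start at 1 under every scheme
        return None
    return year, seq


def format_cve_id(year, seq, scheme="B", width=8):
    """Render (year, sequence) in canonical form for the chosen scheme."""
    if seq < 1:
        raise ValueError("sequence numbers start at 1")
    if scheme == "legacy":
        if seq > 9999:
            raise ValueError("current syntax cannot represent %d" % seq)
        return "CVE-%04d-%04d" % (year, seq)
    if scheme == "A":
        if seq >= 10 ** width:
            raise ValueError("%d does not fit in %d digits" % (seq, width))
        return "CVE-%04d-%0*d" % (year, width, seq)
    if scheme == "B":
        # %04d pads 1-999 to four digits and leaves longer numbers untouched,
        # which is exactly Option B's rule.
        return "CVE-%04d-%04d" % (year, seq)
    raise ValueError("unknown scheme: %r" % scheme)


# Extraction from free text (advisories, changelogs, scanner output) is where
# a four-digit assumption bites: the naive pattern matches the first four
# digits of a longer ID and returns a different, possibly real, identifier.
# The corrected pattern anchors on word boundaries and accepts four or more
# digits, so it handles the current syntax and both candidate options.
NAIVE_FINDER = re.compile(r"CVE-\d{4}-\d{4}")
SAFE_FINDER = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def find_cve_ids(text, finder=SAFE_FINDER):
    """Return every CVE ID found in text, in order of appearance."""
    return finder.findall(text)


if __name__ == "__main__":
    # Constructed sample advisory text, not a real advisory.
    sample = "Fixed CVE-2014-0001, CVE-2014-10000 and CVE-2014-00000123 (Option A form)."
    print(find_cve_ids(sample, NAIVE_FINDER))  # truncates the two longer IDs
    print(find_cve_ids(sample))
    print(format_cve_id(2014, 10000, "A"), format_cve_id(2014, 10000, "B"))
```

Whichever option wins, the extractor fix is the same: stop assuming a fixed four-digit tail and require a boundary after the number. Under Option A the width check additionally catches IDs that lost their padding in transit; under Option B the rejection of leading zeros above 9999 catches IDs that were padded by a tool that mistook the scheme for Option A.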
One of these options will be selected as the new syntax for CVE Identifiers. More details are available here: http://cve.mitre.org/data/board/archives/2013-01/msg00011.html. If you wish to comment on any of these options, you can:
Due to the high volume of replies that we expect to receive, we will not be able to respond to every email message; however, we will publish a summary of responses.

January 11, 2013
MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2013

MITRE has announced its initial Making Security Measurable calendar of events for 2013. Details regarding MITRE’s scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events may be added throughout the year. Visit the CVE Calendar for information or contact cve@mitre.org to have MITRE present a briefing or participate in a panel discussion about CVE®, OVAL®, CCE™, CPE™, CEE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, STIX™, TAXII™, and/or Making Security Measurable at your event.