NIST Confusion Continues as Cyber Pros Complain CVE Uploads Stalled
A recent rise in software vulnerability exploits has come as the US National Vulnerability Database (NVD), the world’s most comprehensive vulnerability database, experiences its most significant crisis in history. After a vulnerability enrichment slowdown began in mid-February 2024, experts working in software security have told Infosecurity that the database run by the US National Institute of Standards and Technology (NIST) has shown no new vulnerabilities since May 9.

Cybersecurity professionals from the public and private sectors are trying their best to document the three-month-long vulnerability backlog and fill the gaps where they can. Since issues with vulnerability enrichment first emerged on February 12, NIST has analyzed only 4524 of the 14,286 common vulnerabilities and exposures (CVEs) received so far this year. Having so many unanalyzed vulnerabilities means attackers have an opportunity to exploit them. Speaking to Infosecurity at the RSA Conference, Immanuel Chavoya, CEO and Founder of RiskHorizon.ai, said he observed that vulnerabilities that have not yet been fully processed by the NVD were being actively exploited in the wild.

Infosecurity has spoken to many experts who noticed that no new vulnerabilities have been uploaded to the NVD for a few days. Software security professionals shared internal Slack conversations from within their community with Infosecurity. The Slack messages between these cybersecurity specialists, including some from within government agencies, show discussions confirming that no new CVEs have been added through the NVD application programming interface (API) since May 9. Andrey Lukashenkov is head of revenue at Vulners, a website that provides information on security vulnerabilities and exploits. He told Infosecurity that the Vulners website shows that the last fully formed CVE was added by the NVD processing robot on May 9. Infosecurity has contacted NIST about the alleged CVE uploading halt.
A NIST spokesperson denied any disruption in vulnerability processing. The issues were due to the NVD migrating to the new CVE JSON format. In March, the NVD program manager, Tanya Brewer, announced at VulnCon that NIST would establish a consortium to address challenges in the NVD program. However, Brewer and the NVD have remained vague about the cause of the disruption. At the time of writing, the consortium has not been officially launched, and its mention has been removed from the NVD website. In the meantime, many software security professionals, including Garrity and Chavoya, have been trying to keep track of the vulnerability backlog by publishing regular updates on the number of unanalyzed vulnerabilities.
News source:
https://www.infosecurity-magazine.com/news/nist-cve-stop-questioned/