CVE: The Big Vote of No Confidence

Yesterday, Matt Harman, CISA Acting Executive Assistant Director for Cybersecurity, issued a statement on the CVE program. Trying to summarize the last several days and what happened is tricky, but you can read my LinkedIn posts as well as countless news articles and folks talking about.  The super tl;dr is that on April 15, a letter was sent from MITRE to the CVE Board saying that the next day…

In an eleventh-hour scramble before a key contract was set to expire on Tuesday night, the United States Cybersecurity and Infrastructure Security Agency renewed its funding for the longtime software-vulnerability-tracking project known as the Common Vulnerabilities and Exposures Program. Managed by the nonprofit research-and-development group MITRE, the CVE Program is a linchpin of global cybersecurity—providing critical data and services for digital defense and research.

The CVE Program is governed by a board that sets an agenda and priorities for MITRE to carry out using CISA's funding. A CISA spokesperson said on Wednesday that the contract with MITRE is being extended for 11 months. “The CVE Program is invaluable to the cyber community and a priority of CISA,” they said in a statement. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”

MITRE's vice president and director of the Center for Securing the Homeland, Yosry Barsoum, said in a statement on Wednesday that “CISA identified incremental funding to keep the Programs operational.” With the clock ticking down before this decision came out, though, some members of the CVE Program's board announced a plan to transition the project into a new nonprofit entity called the CVE Foundation.

“Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program’s growth, it has also raised long-standing concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor,” the Foundation wrote in a statement. “This concern has become urgent following an April 15, 2025, letter from MITRE notifying the CVE Board that the US government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.”

It is unclear who from the current CVE board is affiliated with the new initiative other than Kent Landfield, a longtime cybersecurity industry member who was quoted in the CVE Foundation statement. The CVE Foundation did not immediately return a request for comment.

CISA did not respond to questions from WIRED about why the fate of the CVE Program contract had been in question and whether it was related to recent budget cuts sweeping the federal government as mandated by the Trump administration.

Researchers and cybersecurity professionals were relieved on Wednesday that the CVE Program hadn't suddenly ceased to exist as the result of unprecedented instability in US federal funding. And many observers expressed cautious optimism that the incident could ultimately make the CVE Program more resilient if it transitions to be an independent entity that isn't reliant on funding from any one government or other single source.

“The CVE Program is critical, and it’s in everyone’s interest that it succeed," says Patrick Garrity, a security researcher at VulnCheck. “Nearly every organization and every security tool is dependent on this information, and it’s not just the US. It’s consumed globally. So it's really, really important that it continues to be a community-provided service, and we need to figure out what to do about this, because losing it would be a risk to everyone.”

Federal procurement records indicate that it costs in the tens of millions of dollars per contract to run the CVE Program. But in the scheme of the losses that can occur from a single cyberattack exploiting unpatched software vulnerabilities, experts tell WIRED, the operational costs seem negligible versus the benefit to US defense alone.

Despite CISA's last-minute funding, the future of the CVE Program is still unclear for the long term. As one source, who requested anonymity because they are a federal contractor, put it: “It's all so stupid and dangerous.”

Sometimes I see the Doctor being tetchy, arrogant, mean and/or a bit of a cunt and go "Yeah, that's them," and sometimes I'm like "The writers have lost their grasp over the character, huh/He would not fucking say that."

One's inconsistency can be pretty fairly laid at the feet of the writers not having their vision set in place yet (AKA early installment weirdness), wonky values (see: abandoning Susan being framed as "for her own good," also wonky values is always gonna be a problem because there are always writers with wonky values) and also just, character development (but that's covered under "Yeah, that's them"). However, at the end of One's run onward, the Doctor feels like they have a solid foundation.

However after Sarah Jane leaves, the Doctor starts to feel meaner again in a way that feels off. Jabs at Leela for being a savage (where he wouldn't insult Jamie, who had a similar pre industrial, rural background) and a bit of a running gag of him just not listening to people (this improves near the end of his run before he regenerates). Five gets this as well to an extent after Castrovalva and it only really reverts after Adric dies.

And like, sure, some of this I do think of as in character (see: him getting mad at Adric for wanting to go through a CVE to get home but then calming down and apologising) but some of it (see: telling Adric off for getting in the Total Survival Suit and losing control, not considering that Adric just didn't know and was doing his best) feels off.

Of course, it's difficult and subjective to decide what is in character for the Doctor in general as they do change between incarnations, but I do think that the Doctor isn't the Doctor if they aren't trying to be good, you know? Sure, they can be tetchy, mean and arrogant but they always have their hearts in the right place and try to be kind.

Also this is all very "if I recall correctly" because I don't exactly have a lot of citations off the top of my head, this is just the vibe I've got as I've been binging the series.

Russia's APT28 Cyber Espionage Group Targets Czechia, Germany Using Outlook Exploit

Czechia and Germany have exposed a long-running cyber espionage campaign conducted by the notorious Russia-linked APT28 hacking group, drawing harsh criticism from international organizations like the European Union (EU), the North Atlantic Treaty Organization (NATO), the United Kingdom, and the United States. The Czech Republic's Ministry of Foreign Affairs revealed that certain entities within the country were targeted using a critical Microsoft Outlook vulnerability (CVE-2023-23397), allowing Russian state-sponsored hackers to escalate privileges and potentially gain unauthorized access. Germany Accuses APT28 of Targeting Social Democratic Party Similarly, Germany's Federal Government attributed the APT28 threat actor, also known as Fancy Bear, Pawn Storm, and Sofacy, to a cyber attack aimed at the Executive Committee of the Social Democratic Party, exploiting the same Outlook flaw over a "relatively long period" to compromise numerous email accounts. The targeted industries spanned logistics, armaments, air and space, IT services, foundations, and associations located in Germany, Ukraine, and other European regions. Germany also implicated APT28 in the 2015 cyber attack on the German federal parliament (Bundestag). Widespread Condemnation of Russia's Malicious Cyber Activities NATO stated that Russia's hybrid actions "constitute a threat to Allied security," while the Council of the European Union condemned Russia's "continuous pattern of irresponsible behavior in cyberspace." The UK government described the recent APT28 activity, including targeting the German Social Democratic Party, as "the latest in a known pattern of behavior by the Russian Intelligence Services to undermine democratic processes across the globe." The US Department of State acknowledged APT28's history of engaging in "malicious, nefarious, destabilizing and disruptive behavior," and reiterated its commitment to upholding a "rules-based international order, including in cyberspace." Disruption of APT28's Criminal Proxy Botnet Earlier in February, a coordinated law enforcement action disrupted a botnet comprising hundreds of SOHO routers in the US and Germany believed to have been used by APT28 to conceal their malicious activities, such as exploiting CVE-2023-23397 against targets of interest. Cybersecurity researchers warn that Russian state-sponsored cyber threats, including data theft, destructive attacks, DDoS campaigns, and influence operations, pose severe risks to upcoming elections in regions like the US, UK, and EU, with multiple hacking groups like APT28, APT44 (Sandworm), COLDRIVER, and KillNet expected to be active. Securing Critical Infrastructure from Pro-Russia Hacktivist Attacks Government agencies from Canada, the UK, and the US have released a joint fact sheet to help critical infrastructure organizations secure against pro-Russia hacktivist attacks targeting industrial control systems (ICS) and operational technology (OT) systems since 2022, often exploiting publicly exposed internet connections and default passwords. The recommendations include hardening human-machine interfaces, limiting internet exposure of OT systems, using strong and unique passwords, and implementing multi-factor authentication for all access to the OT network. Read the full article

独立行政法人情報処理推進機構（IPA）および一般社団法人JPCERT コーディネーションセンター（JPCERT/CC）は12月8日、Apache Struts 2における外部からアクセス可能なファイルの脆弱性が存在すると「Japan Vulnerability Notes（JVN）」で発表した。　The Apache Software Foundationが提供するApache Struts 2には、外部からアクセス可能なファイルの脆弱性（CVE-2023-50164）が存在する。影響を受けるシステムは次の通り。・Apache Struts 2.5.0から2.5.32・Apache Struts 6.0.0から6.3.0　この脆弱性は、ファイルアップロード時のパラメータ操作によってパストラバーサルが発生し、悪意のあるファイルをアップロードすることが可能となる。悪用されると、攻撃者によって細工されたファイルをアップロードされ、結果として任意のコードが実行される可能性がある。　JVNでは開発者が提供する情報をもとに、最新版にアップデートするよう呼びかけている。この脆弱性は、次のバージョンで修正されている。・Struts 2.5.33 およびそれ以降・Struts 6.3.0.2 およびそれ以降

Apache Struts 2 に任意のコードを実行される脆弱性 | ScanNetSecurity

Strengthen Your Cyber Defense with risikoMonitor.com GmbH: A Leader in IT Security Monitoring and Risk Detection

In an era where cyber threats evolve by the hour, modern businesses need more than just antivirus software and firewalls. Proactive, intelligent security measures are essential for safeguarding digital assets and sensitive data. risikoMonitor.com GmbH rises to meet this challenge with its advanced IT security monitoring, vulnerability scanning, and real-time security risk detection capabilities.

As a trusted cybersecurity partner for organizations across Europe and beyond, risikoMonitor.com GmbH provides a robust vulnerability management platform that empowers businesses to identify, manage, and mitigate threats—before they can cause harm.

The Rising Tide of Cyber Threats

From ransomware attacks on hospitals to data breaches at global retailers, no business is immune to cybercrime. The attack surface is growing rapidly as companies digitize their operations, rely on cloud platforms, and enable remote work environments. Each device, server, and application connected to your network is a potential entry point for attackers.

This is why continuous IT security monitoring is no longer optional—it's a necessity. risikoMonitor.com GmbH delivers the tools and expertise to help you monitor, analyze, and act on security threats with precision and speed.

IT Security Monitoring: Real-Time Vigilance

IT security monitoring is the foundation of any robust cybersecurity strategy. It involves the continuous collection, analysis, and alerting of system activities to identify signs of malicious behavior or vulnerabilities.

With risikoMonitor.com GmbH, businesses benefit from:

24/7 real-time monitoring across networks, endpoints, servers, and applications

Anomaly detection using behavioral analytics and AI-powered engines

Instant alerts to suspicious activities like brute force attempts, unauthorized access, and data exfiltration

Compliance-ready logging for audits and investigations

Our IT security monitoring services go beyond basic oversight. We help businesses gain full visibility into their security posture, reducing detection time and accelerating incident response.

IT Vulnerability Scanning: Find Weaknesses Before Hackers Do

Cybercriminals are always searching for weak links—and often find them in outdated software, unpatched systems, or misconfigured networks. IT vulnerability scanning is a proactive way to identify these flaws before attackers exploit them.

At risikoMonitor.com GmbH, our scanning tools thoroughly inspect your systems for:

Outdated software versions

Missing security patches

Misconfigured firewalls or access controls

Known vulnerabilities listed in CVEs (Common Vulnerabilities and Exposures)

Unlike traditional scans, our intelligent tools prioritize vulnerabilities based on risk level, business impact, and exploitability—so your security teams can focus on what matters most.

Security Risk Detection: Acting Before It's Too Late

Delays in identifying threats can lead to devastating breaches. With risikoMonitor.com GmbH, you’re equipped with a system designed for real-time security risk detection. This means faster recognition of threats like:

Unauthorized access to sensitive data

Suspicious user behavior (like login attempts at odd hours or from unfamiliar IPs)

Malware downloads and network anomalies

Lateral movement within the network

By integrating behavioral analytics, machine learning, and global threat intelligence feeds, our detection capabilities offer faster, more accurate identification of both known and zero-day threats.

Vulnerability Management Platform: Centralized and Scalable Security

Finding vulnerabilities is only part of the solution—the real challenge is fixing them efficiently and effectively. That’s why risikoMonitor.com GmbH offers a comprehensive vulnerability management platform that helps businesses:

Prioritize risks based on severity and asset importance

Track remediation efforts and assign tasks to IT teams

Automate patch management and policy enforcement

Generate detailed reports for compliance (GDPR, ISO 27001, etc.)

Our platform centralizes your security processes into one intuitive dashboard, enabling collaboration between IT, security, and compliance teams. It’s scalable for businesses of all sizes—from startups to multinational enterprises.

Why Choose risikoMonitor.com GmbH?

What sets risikoMonitor.com GmbH apart from other cybersecurity providers is our commitment to proactive, tailored solutions. We don’t just sell tools—we provide a full spectrum of services built around your unique needs, industry standards, and compliance requirements.

 Customizable monitoring and scanning schedules

Risk scoring and impact analysis

Dedicated support team and regular threat briefings

Cloud and hybrid environment compatibility

Affordable pricing for SMEs and enterprise clients alike

Whether you’re looking to strengthen your digital infrastructure or respond to regulatory demands, we help future-proof your cybersecurity operations.

Secure Your Future—Today

The cost of cyber negligence is too high—from financial penalties to lost customer trust. With rising threats and tighter compliance requirements, there’s never been a more urgent time to invest in complete, proactive cybersecurity.

Let risikoMonitor.com GmbH be your partner in defense. With real-time IT security monitoring, powerful IT vulnerability scanning, advanced security risk detection, and an all-in-one vulnerability management platform, we equip your business with the tools it needs to stay ahead of cyber threats.

Greetings folks! Why whenever i take a break from internet there is another catastrophe happens? No really... Fırst COVID then Crowdstrike and now literally SHUTDOWN OF THE ENTİRE CVE PROJECT!!!

I know i know its more of a backend IT thing but also it WİLL EFFECT as user! So let’s unpack what really happened and why it matters shall we?

So, CVE — or Common Vulnerabilities and Exposures — is basically the universal naming system for software bugs. It’s what lets security pros, software vendors, and even governments speak the same language about security holes. Every time a new vulnerability is found, it gets a CVE ID, like CVE-2025-12345, so everyone knows exactly what they’re talking about.

Sounds stable, right? Well, in April 2025, the organization that runs CVE, MITRE, hit a major funding snag. Their government contract expired and for a while, no new money came through. Result? For several weeks, no new CVEs were assigned. Vulnerabilities piled up without official names, and everyone scrambling to keep up got left hanging. (bkz..)

This might sound like an administrative mess, but the consequences were pretty serious. Without timely CVEs, EDR vendors and vulnerability scanners couldn’t update their detection rules properly. Threat intel feeds stalled. Some researchers even held back disclosures because they couldn’t get official CVE numbers assigned.

And of course, attackers noticed. They started exploiting those untracked vulnerabilities, quietly, while defenders had no clear radar.

What did the community do? The response was actually impressive. Security teams stopped relying solely on CVEs and started pulling data from other sources like VulDB, GitHub advisories, and the CISA Known Exploited Vulnerabilities list. Some vendors rewrote their pipelines to focus more on behavior analytics and heuristics instead of just signature-based detection.

Meanwhile, the CVE program itself got a last-minute contract extension — but just a temporary fix. MITRE signaled plans to move CVE governance to a nonprofit foundation to make it less dependent on government whims. Whether that’s enough to prevent future disruptions remains to be seen.

Even the security guru Bruce Schneier summed it up well, calling the whole mess a wake-up call about how fragile our digital infrastructure really is when it depends on a single, centralized system.

So, the shutdown wasn’t just a bureaucratic hiccup — it forced the entire industry to rethink how vulnerabilities are tracked and how defenses are built. It accelerated a shift towards more decentralized, resilient, and behavior-focused security models.

And that, folks, is why keeping an eye on just CVEs won’t cut it anymore.

That’s it for today — until next time, stay curious and stay secure.

And.. see you in next one :P

Sources:

https://industrialcyber.co/threat-landscape/mitre-warns-of-potential-cybersecurity-disruptions-as-us-government-funding-for-cve-cwe-programs-set-to-expire/

https://www.infosecurity-magazine.com/news/cisa-cve-program-mitre-contract/

https://www.schneier.com/blog/archives/2025/04/cve-program-almost-unfunded.html

https://thehackernews.com/2025/04/us-govt-funding-for-mitres-cve-ends.html

https://www.nextgov.com/cybersecurity/2025/04/cisa-extends-mitre-backed-cve-contract-hours-its-lapse/404601/

https://cyberscoop.com/cve-program-funding-crisis-cve-foundation-mitre/

Wired https://www.wired.com/story/cve-program-cisa-funding-chaos

https://www.theverge.com/news/649314/cve-mitre-funding-vulnerabilities-exposures-funding

2025年05月20日 19時00分 フランスが「国連オープンソース原則」を支持する最初の中央政府となり19の組織も加わる 国際連合(国連)が採択したオープンソースに関するガイドライン「国連オープンソース原則」に、フランス政府が中央政府として初めて支持を表明しました。フランス政府が支持を表明するのと同時に、クリエイティブ・コモンズやメルセデス・ベンツ・グループなど19の組織も国連オープンソース原則に賛同しています。 France Becomes First Government to Endorse UN Open Source Principles, Joined by 19 Organizations | Le Bureau de L'informatique et des Communications https://unite.un.org/fr/news/france-becomes-first-government-endorse-un-open-source-principles-joined-19-organizations フランス政府の省庁において、情報通信システム分野の連携・調整を勧めるデジタル省庁間総局(DINUM)のFOSSプロジェクト・code.gouv.frが、2025年5月19日のMastodonへの投稿で、「フランスが国連オープンソース原則を支持する初の政府となり、19の組織が参加しました」と報告しました。 国連オープンソース原則とは、デジタルおよびテクノロジー分野での協力を促進する国連機関・Digital Technology Network(DTN)により採択された、国連内および世界規模でのオープンソース技術の協力と採用を促進するためのガイドラインです。DTNによって設立された実践コミュニティであるOpen Source Unitedは、国連の機関・基金・プログラム全体でオープンソース技術を進歩させるために活動しているとのこと。 国連オープンソース原則は以下の8項目で構成されています。 1：デフォルトでオープン……オープンソースをプロジェクトの標準的なアプローチにする。 2：貢献して返す……オープンソースへの積極的な参加を奨励する。 3：セキュア・バイ・デザイン……すべてのソフトウェアおよびプロジェクトでセキュリティを優先する。 4：包括的な参加とコミュニティ構築の促進……オープンソースへの多様で包括的な貢献を可能にし、促進する。 5：再利用性を考慮した設計……さまざまなプラットフォームやエコシステム間で相互運用可能なプロジェクトを設計する。 6：ドキュメントの提供……エンドユーザーや組織の責任者、開発者向けに徹底したドキュメントを提供する。 7：RISE(認識・インセンティブ・サポート・エンパワーメント)……個人やコミュニティが積極的に参加できるようにする。 8：持続可能性と規模拡大……国連システム内外における、進化するニーズを満たすソリューションの開発を支援する。 フランス政府と同時に、クリエイティブ・コモンズやメルセデス・ベンツ・グループ、WordPress財団、ゼンケンベルク自然史協会など19の組織も国連オープンソース原則に賛同しています。 フランスによる国連オープン���ース原則の支持は、ソーシャルニュースサイトのHacker Newsでも大きな話題となっています。 France Endorses UN Open Source Principles | Hacker News https://news.ycombinator.com/item?id=44024759 あるユーザーは2年間にわたり、フランス国内すべての建物にIDキーを作成・配布して管理する政府のプロジェクトに取り組んできたと述べています。このプロジェクトではデータをオープンにして政府機関や都市、企業、市��が直接レジストリに書き込めるようにして、データベースの相互運用性を向上させることが目標となっているそうです。 別のユーザーは、「これは見せかけのものであり、実体がついてきません」と述べ、フランス政府がオープンソースを誓ったのは今回が初めてではないものの、依然として公的資金の大部分は独占的なソフトウェアに費やされていると指摘。このコメントに対しては同意する意見もあれば、ゆっくりだが着実にオープンソースのツールが採用されつつあると擁護する意見もありました。 この記事のタイトルとURLをコピーする ・関連記事 スイスは政府機関が政府向けに作ったソフトウェアをすべてオープンソースにするよう義務づけている - GIGAZINE オープンソースプロジェクト「Easyjson」はロシアで開発されているとの指摘、アメリカ国防総省などでも使われており国家安全保障上のリスク大 - GIGAZINE MicrosoftがWindows Subsystem for Linux(WSL)をオープンソース化してコードをGitHubに公開 - GIGAZINE オープンソースエコシステムに投資された金額は2024年の1年間で1兆2000億円超 - GIGAZINE オープンソースAIを定義する「OSAID」のバージョン1.0が公開、MetaのLlamaはオープンソースAIに合致せず - GIGAZINE GitHubがオープンソース開発にまつわる8400件のアンケート結果を公開、セキュリティを重視しAI利用が増加 - GIGAZINE ゼロから立ち上げてコミュニティから高く評価されたオープンソースプロジェクトがMicrosoftによってフォークされ自信喪失した開発者の話 - GIGAZINE 国連がAIに関する初の世界決議を全会一致で採択、個人情報の保護・AIのリスク監視など - GIGAZINE 国連のAI諮問機関が「人類のためのAI統治」に関する7つの提言を発表 - GIGAZINE ・関連コンテンツ 国連がAIに関する初の世界決議を全会一致で採択、個人情報の保護・AIのリスク監視など ドイツ新政権が「公共の場での生体認証による監視の禁止」を発表、監視の規制が欧州全体に広がる可能性も 脆弱性管理を担うCVEプログラムの運営資金が2025年4月16日で失効することが明らかに トランプ政権による政府公式ウェブサイトの削除や変更はGitHubでリアルタイムで監視可能 日本やアメリカなど18カ国がAIの安全開発ガイドラインを共同発表 スイスは政府機関が政府向けに作ったソフトウェアをすべてオープンソースにするよう義務づけている 「税金で作ったソフトウェアのコードは公開されるべき」という主張に3万人以上が賛同、日本からも署名可能 Linux Foundationが「オープンなメタバース」を支援する団体「Open Metaverse Foundation」の設立を発表

フランスが「国連オープンソース原則」を支持する最初の中央政府となり19の組織も加わる - GIGAZINE

【CVE-2025-31650・CVE-2025-31651】2つの重大な脆弱性修正を含む最新安定版「Tomcat 11.0.6」へのアップデートのススメ

2025年4月29日、Apache Software FoundationからApache Tomcatに影響する2つの重要な脆弱性（CVE-2025-31650およびCVE-2025-31651）に対するセキュリティアップデートが公開されました。 多くの企業や組織でJavaアプリケーションの実行環境として利用されているTomcatの脆弱性は、システムとデータの安全性に直接影響します。 この記事では2つの脆弱性の詳細、影響範囲、そして最新の安定版「Tomcat 11.0.6」へのアップデート方法について解説します。 Apache Tomcatの脆弱性概要と最新情報 Apache…

#ばばさん通信ダイジェスト : CVE Foundationが発足。脆弱性に固有の番号を付与するCVEプログラムの長期的な安定性、独立性を確保

賛否関わらず話題になった/なりそうなものを共有しています。

CVE Foundationが発足。脆弱性に固有の番号を付与するCVEプログラムの長期的な安定性、独立性を確保

https://www.publickey1.jp/blog/25/cve_foundationcve.html

CVE Foundation Emerges From Stealth to Rescue CVE Program

The rapid defunding and refunding of the CVE Project is just another sign of the destabilization our government is currently experiencing.

CVE Foundation Emerges From Stealth to Rescue CVE Program

Archive Links: ais

CISA Funding, CVE Foundation, Twitter, More: Thursday ResearchBuzz, April 17, 2025

TWEAKS AND UPDATES Bleeping Computer: CISA extends funding to ensure ‘no lapse in critical CVE services’. “CISA says the U.S. government has extended funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program.” CVE Foundation: CVE Foundation Launched to Secure the Future of the CVE Program. ” The CVE Foundation has been formally established to…

Apr 16, 2025

The U.S. government funding for non-profit research giant MITRE to operate and maintain its Common Vulnerabilities and Exposures (CVE) program will expire Wednesday, an unprecedented development that could shake up one of the foundational pillars of the global cybersecurity ecosystem.

The 25-year-old CVE program is a valuable tool for vulnerability management, offering a de facto standard to identify, define, and catalog publicly disclosed security flaws using CVE IDs. The program has listed over 274,000 CVE records to date.

UPDATE — CISA Extends CVE Program Contract Amid Funding Crisis

CISA has stepped in to extend funding to ensure the continuity of the CVE program, the agency said....

Coinciding with the news of the potential CVE shutdown, the European Union Agency for Cybersecurity (ENISA) has also launched a European vulnerability database (EUVD), which "embraces a multi-stakeholder approach by collecting publicly available vulnerability information from multiple sources."

The Computer Incident Response Center of Luxembourg is also developing a "decentralized" system for identifying and numbering vulnerabilities called the Global CVE (GCVE) allocation system.

独立行政法人情報処理推進機構（IPA）および一般社団法人JPCERT コーディネーションセンター（JPCERT/CC）は10月11日、Apache Tomcatにおける複数の脆弱性について「Japan Vulnerability Notes（JVN）」で発表した。影響を受けるシステムは以下の通り。・CVE-2023-45648、CVE-2023-44487、CVE-2023-42795Apache Tomcat 11.0.0-M1から11.0.0-M11までApache Tomcat 10.1.0-M1から10.1.13までApache Tomcat 9.0.0-M1から9.0.80までApache Tomcat 8.5.0から8.5.93まで・CVE-2023-42794Apache Tomcat 9.0.70から9.0.80までApache Tomcat 8.5.85から8.5.93まで　The Apache Software Foundationでは、それぞれ下記のような影響を受ける可能性があるApache Tomcatの脆弱性に対するアップデートを公開した。・HTTP Trailer headerを正しく解析しな��問題（CVE-2023-45648）→ Tomcatをリバースプロキシの背後に配備している場合、意図しないリクエストを受け付ける・HTTP/2プロトコルを採用するサーバに大量のリクエストのキャンセルによりサーバリソースを消費する問題（CVE-2023-44487）→サービス運用妨害（DoS）状態にされる・内部オブジェクトを次のリクエスト/レスポンスで再利用する前にリサイクル処理をする場合、エラーが発生する問題（CVE-2023-42795）→現在のリクエストおよびレスポンスの情報が漏えいする・Tomcatで利用しているCommons FileUploadにアップロードされたファイルのストリームを閉じることが出来ない問題（CVE-2023-42794）→サービス運用妨害（DoS）状態にされる　JVNでは、開発者が提供する情報をもとに最新版へアップデートするよう呼びかけている。なお本脆弱性は、下記のバージョンで修正されている。・CVE-2023-45648、CVE-2023-44487、CVE-2023-42795Apache Tomcat 11.0.0-M12Apache Tomcat 10.1.14Apache Tomcat 9.0.81Apache Tomcat 8.5.94・CVE-2023-42794Apache Tomcat 9.0.81Apache Tomcat 8.5.94

Apache Tomcatに複数の脆弱性 | ScanNetSecurity