[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issues for configuration problems in the CVE

Gene Spafford wrote:

>[Three examples with questions as to whether each one is a bug, or
> an operator error.]
>
>In each case, " The configuration problem exists because of something
>a user did, regardless of how the user did it or why they did it," so
>I would assume you would classify them all as operator errors.
>However, all three are also vulnerabilities that are in some sense
>"built in" by the vendor.

This is where different uses of the word "vulnerability" comes into
play.  From the CVE perspective, I don't need to classify them.

A "CVE vulnerability" does not discuss the cause of how a computing
system is left open to attack, except to clarify which problem it is.
The definition of "CVE vulnerability" is focused more towards the
state in the computing system itself (here's the sysadmin bias:
"what's wrong with my computer that can allow somebody to do something
they shouldn't?")  As a reminder, the high-level definition is as
follows:

    "A CVE vulnerability is a state in a computing system (or set of
     computing systems) that can help an entity to conduct
     unauthorized activities on the system(s)."

Thus configuration problems (within the CVE) are descriptions of
states in a computing system.  Whether it's an operator error, a bug,
or poorly written documentation, it results in a state that is being
recorded in the CVE.

- Steve
Page Last Updated or Reviewed: May 22, 2007