[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Rough Drafts of CVE Counting Documents

To: Kurt Seifried <kseifried@redhat.com>, "Coffin, Chris" <ccoffin@mitre.org>
Subject: Re: Rough Drafts of CVE Counting Documents
From: Pascal Meunier <pmeunier@cerias.purdue.edu>
Date: Thu, 25 Aug 2016 12:02:16 -0400
Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cerias.purdue.edu;mitre.org; dkim=none (message not signed) header.d=none;
Cc: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-date: Fri Aug 26 07:49:23 2016
In-reply-to: <CANO=Ty3mY3jaqageLisSnwnCxSb_38PHjEZA0beJ_add2BYgfg@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <DM2PR09MB03834392794BA8193D08D9B3A10D0@DM2PR09MB0383.namprd09.prod.outlook.com> <MWHPR09MB148530E101F21770B9435687A1EA0@MWHPR09MB1485.namprd09.prod.outlook.com> <CANO=Ty3mY3jaqageLisSnwnCxSb_38PHjEZA0beJ_add2BYgfg@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput: 1:2
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.2.0

On 08/24/2016 04:54 PM, Kurt Seifried wrote:

Some feedback:

A vulnerability in the context of the CVE program, is code that can be
exploited, resulting in a negative impact to confidentiality, integrity,
and availability, and that requires a code change to mitigate or 
address.

Some vulns are internal to the protocol and the only code change that
"fixes" it is to remove the code/functionality altogether. Could we add
"typically requires" instead? I'm worried about the intersection of
software/API vulns that will become increasingly common (more instances 
of
this, and people will start looking for them).

Indeed there have been CVEs issued against protocols (e.g.,CVE-2014-3566 against SSLv3) so that's not even code per se. However, Ithink "typically" would make the definition impractical for deciding ifa particular instance is a vulnerability or not. I suggest:

"A vulnerability in the context of the CVE program, is indicated by codethat can be exploited, resulting in a negative impact toconfidentiality, integrity, OR availability, and that requires a codingchange, specification change or specification deprecation to mitigate oraddress."

INC4: can we better define public/private? E.g. what if a medical device
maker plans to use a CVE for an issue that they will then inform ever 
user
of directly? Ditto for aerospace/SCADA/etc.

I'm not sure I understand what you would like to have happen. Limiteddiffusion? As a customer, I'd be confused to receive a notice referringto a CVE I couldn't lookup on a public web site, if that's what youmeant. If you meant embargoed issues, doesn't the CVE do that already?


INC5: "CVE IDs are assigned to products that are customer-controlled or
customer-installable." what about on premises solutions that are locked
down? I know many medical devices, high end manufacturing, etc you buy 
it,
but you don't touch it, the company tech services it. Ditto for other
regulated items like elevators (contractually most elevator maintenance
involves a "if anyone but us touches it, your warranty is totally 
void").

I'm guessing the intent of INC5 is to determine if a customer can patchor mitigate the vulnerability. However, I would think it is equallyuseful to be able to track if the provider of a managed solution hasapplied the patches or mitigated the vulnerabilities, so I'd be in favorof a wider use of CVEs. This applies regardless of whether it's an opensource solution someone manages on your behalf or something else likefirmware or an entirely closed solution.


Pascal

Follow-Ups:
- Re: Rough Drafts of CVE Counting Documents
  - From: Kurt Seifried <kseifried@redhat.com>

References:
- RE: Rough Drafts of CVE Counting Documents
  - From: "Coffin, Chris" <ccoffin@mitre.org>
- Re: Rough Drafts of CVE Counting Documents
  - From: Kurt Seifried <kseifried@redhat.com>

Prev by Date: Re: Rough Drafts of CVE Counting Documents
Next by Date: Re: Rough Drafts of CVE Counting Documents
Previous by thread: Re: Rough Drafts of CVE Counting Documents
Next by thread: Re: Rough Drafts of CVE Counting Documents
Index(es):
- Date
- Thread