
Re: CVE/CNA coverage



FYI,

I have added this issue to the "Suggested Rules Changes" document in GitHub.

https://github.com/CVEProject/docs/blob/cna-documents/cna/CNA%20Rules/CNA%20Rules%20Development/Suggested%20Rules%20Changes

This document can be edited by anyone, so if you have other ideas for rules changes, or want to comment on what is already there, please do so.

Thanks.

-Dan

From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Coffin, Chris" <ccoffin@mitre.org>
Date: Thursday, March 30, 2017 at 10:13
To: "Williams, Ken" <Ken.Williams@ca.com>, Kurt Seifried <kseifried@redhat.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: CVE/CNA coverage

Kurt,

It’s not clear to me whether Oracle would consider this within their scope. FYI… a quick search doesn’t find any previous CVEs for GlassFish Open Server. I think the safest thing to do is to redirect them to Oracle. In the meantime, we will also send a note to Oracle about the issue. We will also ask the question as to whether all “Sponsored” products should be considered within the scope of Oracle, or if there would be exceptions. If there are exceptions, then I would agree that we need to push for lists that provide CNA scope information for all CNAs.

Should we consider this a discussion point for becoming a CNA Rule? For example, a rule that states a CNA must provide a page on their web site which lists the products for which they accept vulnerability reports.

Chris

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Williams, Ken
Sent: Wednesday, March 29, 2017 2:38 PM
To: Kurt Seifried <kseifried@redhat.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: CVE/CNA coverage

You raise a good point that also probably applies to a number of other Sun/Oracle projects with vulnerabilities, like: Java Mail, JAXB, JMS, JNDI, MySQL.

The CVE answer appears to be clear only if you’re talking about the commercially supported versions of these projects.

https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Regards,

kw

From: Kurt Seifried [mailto:kseifried@redhat.com]
Sent: Wednesday, March 29, 2017 2:25 PM
To: Williams, Ken <Ken.Williams@ca.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVE/CNA coverage

That is Oracle GlassFish Server, which is different from the GlassFish Open Source one (as I understand it), e.g.:

On Wed, Mar 29, 2017 at 1:19 PM, Williams, Ken <Ken.Williams@ca.com> wrote:

They’ve previously issued CVE identifiers for it.

Ex. http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixFMW

Regards,

kw

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried
Sent: Wednesday, March 29, 2017 2:08 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE/CNA coverage

So somebody asked for a CVE for Glassfish open server

Project sponsored by Oracle. Traditionally I've taken "sponsored by" to mean quasi who "owns" it (e.g. a lot of Red Hat sponsored stuff that we do CVEs for because we're heavily involved). By that logic, this open source project would fall into Oracle's space, so I guess my question is:

Does Oracle want this project to fall within their CNA/coverage, or do they consider "sponsored by" to be more arms length perhaps?

If Oracle doesn't want to be the CNA for it, then the DWF would be the next in line (being Open Source). If Oracle does want to be the CNA, I'll redirect the request to them.

And in general, should we apply this logic? I think one thing that would help here is having the CNAs declare explicitly what they cover where possible so reporters don't have to guess/hunt.

--


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: 
secalert@redhat.com
Page Last Updated or Reviewed: March 30, 2017