
RE: Microsoft CNA assignment issues for April

Microsoft, any update?

RBS has received one customer support ticket asking about the 2017-3447 
assignment, suggesting that we made a mistake. Obviously, I find that 
offensive given that I was likely the first to point out Microsoft's 
mistake in this assignment.

Between the 'rollup' assignment, Microsoft likely stepping on RedHat's 
pool to assign the 2017-2605 ID, and entirely changing the way it 
delivers advisory information, which made many of your customers 
scramble... I believe it is pretty clear where the errors originate.

This is very clearly a big issue in the world of disclosure, 
related to CVE ID assignment. This has a real-world impact on multiple 
companies, two that I am directly involved in, and a third via support 
ticket. I am sure I will wake up to additional support tickets via one of 
those roles, essentially asking the same question re: 2017-2605 and/or 


On Tue, 11 Apr 2017, Elizabeth Scott wrote:

: There is an error on the page and we are working to resolve that as 
: soon as possible
: Thanks,
:   Elizabeth
: -----Original Message-----
: From: owner-cve-editorial-board-list@lists.mitre.org 
: [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
: Sent: Tuesday, April 11, 2017 11:35 AM
: To: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
: Subject: Microsoft CNA assignment issues for April
: Importance: High
: All,
: Microsoft has assigned a single CVE to cover "all April Adobe Flash 
: updates" apparently:
:     April Flash Security Update       2017-3447
: Which links to
: Further, there is a single ID to cover "defense-in-depth" updates for 
: product:
:     Defense-in-Depth Update for Microsoft Office      2017-2605
: Which links to
: I am fairly confident that 2017-3447 is not a proper assignment and 
: does not follow the CNA guidelines about assigning IDs to another 
: vendor's products (and that vendor happens to be a CNA themselves). 
: We've seen this done in the past with Oracle as well.
: I'd also be surprised if a single ID assignment for multiple 
: defense-in-depth enhancements meets the criteria of a CVE ID, since DiD 
: enhancements generally do not mean there is a crossing of privilege 
: boundaries, and therefore are not vulnerabilities.
: Could Microsoft and MITRE chime in on these please?
: Brian

Page Last Updated or Reviewed: April 20, 2017