
Re: Microsoft CNA assignment issues for April

I apologize for the delay in the update. I had it drafted, but I never hit send.


We confirmed that CVE-2017-3447 has not been assigned by Oracle. It has been rejected.


Microsoft has updated their Security Update Guide <https://portal.msrc.microsoft.com/> such that:

What was 2017-3347 is now ADV170005.

What was 2017-2605 is now ADV170004.


We haven't seen a response from the folks at Jenkins. But if Red Hat can please send us an update for the CVE entry for CVE-2017-2605 so we can publish it, we can add a note to that entry indicating the error to reduce further confusion.

From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of jericho <jericho@attrition.org>
Date: Wednesday, April 19, 2017 at 20:39
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Microsoft CNA assignment issues for April

Now that we've had a week to digest this, we have seen dozens of
mainstream news articles use 2017-3447 and 2017-2605 specifically as CVE
identifiers. Has MITRE determined if these are a collision, or if they can
and will be REJECTed in advance?

I exchanged several emails with MSRC last week about this, and it
concluded with them saying they would pass along my feedback and
suggestion to use a more distinct ID scheme. Hopefully, we'll see
something different for May.

On Tue, 11 Apr 2017, jericho wrote:


: All,

: Microsoft has assigned a single CVE to cover "all April Adobe Flash updates"
: apparently:

:    April Flash Security Update           2017-3447

: Further, there is a single ID to cover "defense-in-depth" updates for a
: product:

:    Defense-in-Depth Update for Microsoft Office      2017-2605

: Which links to

: I am fairly confident that 2017-3447 is not a proper assignment and does not
: follow the CNA guidelines, about assigning IDs to another vendor's products
: (and that vendor happens to be a CNA themselves). We've seen this done in the
: past with Oracle as well.

: I'd also be surprised if a single ID assignment for multiple defense-in-depth
: enhancements meets the criteria of a CVE ID, since DiD enhancements generally
: do not mean there is a crossing of privilege boundaries, and therefore not
: vulnerabilities.

: Could Microsoft and MITRE chime in on these please?

: Brian

Page Last Updated or Reviewed: April 20, 2017