
RE: Question about CVE to vendor mappings


I have to agree with Russ on this...I would consider SP4 to be a
"safeguard" or "fix" albeit not always a "sure" fix {8>).  SP4 would
be the safeguard rollup, if you will, for the CVEs that affected MS NT
prior to SP4. SP4 would subsume the hotfixes issued to fix the
individual vulnerabilities.  So in this case multiple CVEs would still
exist but would hopefully be patched by applying SP4.  
The additional in-house discovered "vulnerabilities" that MS slips
fixes for into the SPs would have to be addressed as CVEs as we see

It is early, last night was late....hope this makes sense
-mike

-----Original Message-----
From: Russ [mailto:Russ.Cooper@rc.on.ca]
Sent: Tuesday, June 29, 1999 5:07 PM
To: 'afrech@iss.net'; CVE Review List
Subject: RE: Question about CVE to vendor mappings

I wouldn't be thinking of, e.g., SP4 as a CVE. If you read the readme
files that come with each SP, they list out the individual entries in
the MS Knowledgebase that were addressed by the SP. These are not
duplicated (unless further issues arose with something previously
like TCPIP.sys), and would be the closest thing to an individual
vulnerability. So SP4 would incorporate a list of all previous CVE
numbers that previous service packs address, plus, any new ones.

Of course a bigger issue, in the case of MS SPs, is the fact that there
are quite a few fixes in an SP which are not documented in

Russ - NTBugtraq Editor

FYI...I have not been actively discussing these issues due to a lack of
time right now. My conference starts tomorrow and, well, I'm still
trying to locate my underwear.

-----Original Message-----
From: Andre Frech (ISS) [mailto:afrech@iss.net]
Sent: Tuesday, June 29, 1999 5:57 PM
To: CVE Review List
Subject: Question about CVE to vendor mappings


During a recent debate on how we're going to fit the CVE into our
database structure, one of the DBAs commented on how a specific
vulnerability might not just have one CVE index, but several. Up to
this group has discussed the potential of one CVE mapping to zero or
more records of a VDB, but the opposite has not been discussed before;
namely, a many-to-many relationship.

For example, "Windows NT 4.0 prior to Service Pack 4" involves many
potential CVEs, possibly subsuming the CVEs in SP3, 2, and 1. How
a vendor handle these, considering that it is probably out of the
of the CVE to reconcile these entries?

I envision this question raising several points:
- Can a vendor go about assigning multiple CVEs to a vulnerability or
check outside of the framework of the CVE?
- Who verifies that the vendor is doing correct assignments?
- Do CVE indices get subsumed in later patches (for example NT SP3 is
subsumed in SP4)? (My opinion on this one is 'no, they do not,' but
- Can almost everything in a VDB get a CVE? I know there are rules on
what a 'vulnerability' is, but the draft CVE is a lot less stringent
about the definition than, say, the Common Criteria (CC).

I would appreciate your thoughts on this matter.
Andre Frech
X-Force Security Research

Internet Security Systems, Inc.
678.443.6241 / fax 678.443.6479

Adaptive Network Security for the Enterprise
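
The many-to-many mapping and the service pack rollup discussed in this thread can be modelled with junction tables. The sketch below is an added example, not part of the original messages or of any vendor's database: the table names, the fix labels and the CVE-EXAMPLE-* names are constructed placeholders.

```python
import sqlite3
A, B, C = "CVE-EXAMPLE-A", "CVE-EXAMPLE-B", "CVE-EXAMPLE-C"  # placeholders, not real CVEs
NT4 = "Windows NT 4.0 prior to Service Pack 4"

SCHEMA = """
CREATE TABLE cve        (name TEXT PRIMARY KEY);
CREATE TABLE vdb_record (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE fix        (id INTEGER PRIMARY KEY, label TEXT NOT NULL UNIQUE);
-- Junction table: one VDB record may carry several CVEs, one CVE several records.
CREATE TABLE vdb_cve (vdb_id INTEGER REFERENCES vdb_record(id),
                      cve TEXT REFERENCES cve(name), PRIMARY KEY (vdb_id, cve));
-- CVEs a fix (hotfix or service pack) addresses directly.
CREATE TABLE fix_cve (fix_id INTEGER REFERENCES fix(id),
                      cve TEXT REFERENCES cve(name), PRIMARY KEY (fix_id, cve));
-- Rollups: a service pack subsumes earlier fixes; the CVE names stay separate.
CREATE TABLE fix_subsumes (parent INTEGER REFERENCES fix(id),
                           child INTEGER REFERENCES fix(id), PRIMARY KEY (parent, child));
"""

def build_db():
    """In-memory database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO cve VALUES (?)", [(A,), (B,), (C,)])
    db.executemany("INSERT INTO fix VALUES (?, ?)", [(1, "SP3"), (2, "hotfix"), (3, "SP4")])
    db.executemany("INSERT INTO fix_cve VALUES (?, ?)", [(1, A), (2, B), (3, C)])
    db.executemany("INSERT INTO fix_subsumes VALUES (?, ?)", [(3, 1), (3, 2)])
    db.executemany("INSERT INTO vdb_record VALUES (?, ?)", [(1, NT4), (2, "single check")])
    db.executemany("INSERT INTO vdb_cve VALUES (?, ?)", [(1, A), (1, B), (1, C), (2, B)])
    return db

def cves_for_record(db, title):
    q = """SELECT vc.cve FROM vdb_cve vc JOIN vdb_record v ON v.id = vc.vdb_id
           WHERE v.title = ? ORDER BY vc.cve"""
    return [row[0] for row in db.execute(q, (title,))]

def records_for_cve(db, cve):
    q = """SELECT v.title FROM vdb_record v JOIN vdb_cve vc ON vc.vdb_id = v.id
           WHERE vc.cve = ? ORDER BY v.id"""
    return [row[0] for row in db.execute(q, (cve,))]

def cves_addressed_by(db, fix_label):
    """Walk the rollup chain so a service pack reports every CVE it covers."""
    q = """WITH RECURSIVE rollup(id) AS (
             SELECT id FROM fix WHERE label = ?
             UNION
             SELECT s.child FROM fix_subsumes s JOIN rollup r ON s.parent = r.id)
           SELECT DISTINCT fc.cve FROM fix_cve fc JOIN rollup r ON fc.fix_id = r.id
           ORDER BY fc.cve"""
    return [row[0] for row in db.execute(q, (fix_label,))]
```

Keeping the rollup in its own table means a query for "SP4" returns the CVEs of every fix it subsumes while each CVE name remains a separate row.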



Page Last Updated or Reviewed: May 22, 2007