
Regarding CVE assignments on oss-sec mailing list
So earlier today I assigned a CVE on the oss-security mailing list:

Original request:
http://www.openwall.com/lists/oss-security/2015/11/24/11 
Date: Tue, 24 Nov 2015 09:19:33 -0800

My CVE reply:
http://www.openwall.com/lists/oss-security/2015/11/26/1 
Date: Wed, 25 Nov 2015 20:14:56 -0700

so just over a day after it was requested. The reason I assigned one is that the request explicitly stated they needed it within 24 hours, and had previously asked MITRE (9 days ago). Additionally, the CVE request was well formed and simple (single issue, link to original source, link to security advisory), and the requester was David Jorm (formerly of Red Hat, and also my manager at Red Hat for about a year before he left, so I know him quite well). He's extremely familiar with CVE requests, having found a dozen+ issues and handled security response for several dozen, if not hundreds, while he worked at Red Hat, so I felt it was a relatively safe assignment (e.g. it is a security vulnerability, it does not need CVE SPLIT/MERGE, it is contained to the ONOS code base, etc.).

Having said that it was pointed out to me that I should not have assigned one as 

"Just as a reminder, there's currently no agreement in place between
the MITRE CVE team and Red Hat that would let Red Hat assign a CVE ID
for a public report in this way."

I don't actually know who sent that email as it came from the generic cve-assign@ address and was simply signed "CVE assignment team, MITRE CVE Numbering Authority" but I assume it's legitimate (in the sense that it's the official MITRE view). 

I know some requests can be poorly requested/communicated (my all time favorite "here's some random fuzzer crash cases, can you analyze each one and assign CVEs?") and can take a bit of back and forth (I've had several cases that have taken a dozen emails to sort out exactly what is going on when people come to Red Hat with vulns in our stuff) but that doesn't appear to have been a problem in this case.

So my question is: what do we do to handle these situations in future, or, even more ideally, what can we do to prevent them (e.g. people request a CVE from MITRE, nothing happens, they then ask publicly, nothing happens)? I'm willing to backfill CVE assignments on oss-security, but that would leave the original problem (requests to MITRE going unanswered) and wouldn't work very well for issues that need to be embargoed.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: November 27, 2015